hxxps://www[.]mediafire[.]com/file/zv08ncvprinu5i7/Software_1[.]30[.]1[.]rar/file

Analysis

max time kernel
615s
max time network
863s
platform
windows10-1703_x64
resource
win10-20240404-es
resource tags

arch:x64arch:x86image:win10-20240404-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
20/04/2024, 17:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/zv08ncvprinu5i7/Software_1.30.1.rar/file

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\4272278488\2581520266.pri	SecHealthUI.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "359265444"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101773"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{41072234-FF40-11EE-ABE3-D2197877A32C} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "359265444"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "382234760"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "382234760"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101773"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31101773"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31101773"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000ea9a344404f66cfdac1048dba73cdac4ca44a95f5888dba5b9a9d6f79f81df1af245c692ef143ec4f253c26f8ce04e312695503ea886f2ddb317	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 1058af4e4d93da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "122"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{FC3858C5-6047-4D5C-890A-7A3271363F21} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "233"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mediafire.com\Total = "122"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "420400850"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mediafire.com\NumberOfSubd = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 314c4e444c93da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mediafire.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 976aaf4e4d93da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 5d403b4d4c93da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	browser_broker.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 55eef15e4c93da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete\C:\Users\Admin\AppData\Local\Packa = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mediafire.com\Total = "51"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Software_1.30.1.rar.5vinnpd.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
3048	MicrosoftEdgeCP.exe
3048	MicrosoftEdgeCP.exe
3048	MicrosoftEdgeCP.exe
3048	MicrosoftEdgeCP.exe
3660	MicrosoftEdgeCP.exe
3660	MicrosoftEdgeCP.exe
3660	MicrosoftEdgeCP.exe
3660	MicrosoftEdgeCP.exe
3660	MicrosoftEdgeCP.exe
3660	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2260	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4060	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1408	MicrosoftEdge.exe
Token: SeDebugPrivilege	1408	MicrosoftEdge.exe
Token: SeTcbPrivilege	4764	svchost.exe
Token: SeRestorePrivilege	4764	svchost.exe
Token: SeShutdownPrivilege	1488	svchost.exe
Token: SeCreatePagefilePrivilege	1488	svchost.exe
Token: SeDebugPrivilege	3344	firefox.exe
Token: SeDebugPrivilege	3344	firefox.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
3332	iexplore.exe
3344	firefox.exe
3344	firefox.exe
3344	firefox.exe
3344	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
3344	firefox.exe
3344	firefox.exe
3344	firefox.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
1408	MicrosoftEdge.exe
3048	MicrosoftEdgeCP.exe
2260	MicrosoftEdgeCP.exe
3048	MicrosoftEdgeCP.exe
2396	OpenWith.exe
2396	OpenWith.exe
2396	OpenWith.exe
2396	OpenWith.exe
2396	OpenWith.exe
3332	iexplore.exe
3332	iexplore.exe
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
2428	IEXPLORE.EXE
3344	firefox.exe
4052	MicrosoftEdge.exe
3660	MicrosoftEdgeCP.exe
768	MicrosoftEdgeCP.exe
3660	MicrosoftEdgeCP.exe
2120	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 4764 wrote to memory of 4668	4764	svchost.exe	84
PID 4764 wrote to memory of 4668	4764	svchost.exe	84
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3048 wrote to memory of 428	3048	MicrosoftEdgeCP.exe	76
PID 3332 wrote to memory of 2428	3332	iexplore.exe	94
PID 3332 wrote to memory of 2428	3332	iexplore.exe	94
PID 3332 wrote to memory of 2428	3332	iexplore.exe	94
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 4512 wrote to memory of 3344	4512	firefox.exe	102
PID 3344 wrote to memory of 4844	3344	firefox.exe	103
PID 3344 wrote to memory of 4844	3344	firefox.exe	103
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104
PID 3344 wrote to memory of 64	3344	firefox.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://www.mediafire.com/file/zv08ncvprinu5i7/Software_1.30.1.rar/file"
1⤵
PID:1960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:4480

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2260

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2244

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:64

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4764
- C:\Windows\system32\dashost.exe
  dashost.exe {ca150c92-0105-4aac-9211af728777f7bc}
  2⤵
  PID:4668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:64

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4364

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s Netman
1⤵
- Modifies data under HKEY_USERS
PID:3340

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s NetSetupSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2396

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3332
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3332 CREDAT:82945 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2428

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.0.301106042\753280024" -parentBuildID 20221007134813 -prefsHandle 1748 -prefMapHandle 1724 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2792ea1f-9f5e-46d5-97e6-dd60997d1600} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 1828 1bd8cde2a58 gpu
    3⤵
    PID:4844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.1.1540287647\1496414470" -parentBuildID 20221007134813 -prefsHandle 2172 -prefMapHandle 2168 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d67825e3-08a7-4d79-9150-5dee37fb926d} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 2184 1bd8ccf9558 socket
    3⤵
    - Checks processor information in registry
    PID:64
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.2.689686616\226452718" -childID 1 -isForBrowser -prefsHandle 2900 -prefMapHandle 2848 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d07ea03-e7b3-4e00-9eaa-fb8063040946} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 2840 1bd90ff9b58 tab
    3⤵
    PID:4688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.3.1038253201\304368492" -childID 2 -isForBrowser -prefsHandle 3580 -prefMapHandle 3576 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3acc3f59-ea36-4cb1-be44-718738b440ff} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 3560 1bd81d62858 tab
    3⤵
    PID:432
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.4.1477821414\911315556" -childID 3 -isForBrowser -prefsHandle 4116 -prefMapHandle 4112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a962551-f91e-44a9-9644-795b217c8eef} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 4128 1bd924e7958 tab
    3⤵
    PID:68
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.5.27158406\1887383707" -childID 4 -isForBrowser -prefsHandle 4872 -prefMapHandle 4868 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1c0565a-5fd6-421b-99c3-fe3c3f85ac45} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 4880 1bd81d61358 tab
    3⤵
    PID:4288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.6.1820706703\1031096290" -childID 5 -isForBrowser -prefsHandle 5016 -prefMapHandle 5020 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {422068fd-3e7c-4f0a-a1ab-6492c533302e} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 5008 1bd934aa658 tab
    3⤵
    PID:3504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3344.7.863299546\1303843517" -childID 6 -isForBrowser -prefsHandle 5216 -prefMapHandle 5220 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1264 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d8ce3cf-d8cf-4065-aee7-01b2bcda883d} 3344 "\\.\pipe\gecko-crash-server-pipe.3344" 5208 1bd934a8858 tab
    3⤵
    PID:1656

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4024

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:768

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3408

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3684

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4224

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
b1537a27ac0200c7fc0b7a857fabd617

SHA1
aabe8a42992e616fa04c8921a5d0fb05c935bd75

SHA256
4c9ee2fbaee2cb91b53a8d85cee47899ea2ff8b1523d31fd1d16a4d56c911205

SHA512
870979838bcd45fa7e4ad827e9019f61b1c608c61f7c28fdd7d7ee55b53d6d953385e27ada6cc8950071060d65de803a2f5905a98bc785b4884b70dd7ce59075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
cce5c370f1bc1157b7de004970e4d118

SHA1
377547ecd0d2074fcd86e23075d6141aae12303a

SHA256
7f5e62fa208e631b52fb38f94c2ebc3af16098be184bc2d21a0c9cedb3ce069c

SHA512
3dafff84ce9f00b54c5ef81078c382f8f95a1a833384106cf9ad72e86181be4c4eeaf65cbfa1b5a25ef00b4fdbbfc85360687bd135c04d2c41a8c41d6d5e8250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verD6EF.tmp

Filesize
15KB

MD5
1a545d0052b581fbb2ab4c52133846bc

SHA1
62f3266a9b9925cd6d98658b92adec673cbe3dd3

SHA256
557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

SHA512
bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BLQDLNEB\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PCFIPNY8\js[2].js

Filesize
185KB

MD5
274767c1733f3ce25e38f5cdba8c7536

SHA1
a946f8046f52d832b50c88ebf73ba7f3f152ffb2

SHA256
70018cd73c9add3914f18d3e22323bf35c23000ef82d444e2df29ecd6c5b681f

SHA512
bec6c30296ba4675d89a2e7601bf0264562a1d14b0358550637aff17295e64768ec12cde73091af7d7c963ee5045e3eaf3379a31a75e586adda6a82df64d9a96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\89BTRDLZ\www.mediafire[1].xml

Filesize
1KB

MD5
6308a67945b0c3fc21c226df8aab9e64

SHA1
bfdc56d21be725f4420ac38c83e02652c9ef51a2

SHA256
038a4efcac08cee666828a1d851193f0bf89568489c30277c27d8f8b88bf9c1a

SHA512
f68e94afa780b7d86e77a024f08783c78fc2f4164004bdce34cac6be3dac642c54960936e03a7d7802cdbc8846dd6d1a9932da32428e9d4a78a2f2714d42f160

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\8SHGAAGL\suggestions[1].es-ES

Filesize
18KB

MD5
e2749896090665aeb9b29bce1a591a75

SHA1
59e05283e04c6c0252d2b75d5141ba62d73e9df9

SHA256
d428ea8ca335c7cccf1e1564554d81b52fb5a1f20617aa99136cacf73354e0b7

SHA512
c750e9ccb30c45e2c4844df384ee9b02b81aa4c8e576197c0811910a63376a7d60e68f964dad858ff0e46a8fd0952ddaf19c8f79f3fd05cefd7dbf2c043d52c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KQLR01GW\favicon[1].ico

Filesize
10KB

MD5
a301c91c118c9e041739ad0c85dfe8c5

SHA1
039962373b35960ef2bb5fbbe3856c0859306bf7

SHA256
cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

SHA512
3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
023472fb42655d71d61994de687869bc

SHA1
acfd9e99d839fc99d440ad72d57bc5946de97756

SHA256
90913baa8b63fc75ea7e1500089b6e6a7ffbda0ff9a4f893ec6cf443531b4666

SHA512
72edb5f089f61d20b2be22405a0f75681e70c05d58feb18dec2ca8927739f4c332385f8bb08ca9066b945658e278fd583fdc83c957f492038cc4ec2fadb9f49c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF36BE35BCFFD2B251.TMP

Filesize
16KB

MD5
ce2dfefe5168916671da66ea606f6eaf

SHA1
39aa7133fc5ae481aee1ba2cf03498788b68330a

SHA256
e0821bf460cd5ff6c21d08be7c53994ff1eace23e18fe54a3766882433651909

SHA512
a97a1079e7867f792039b5fe1e6a4f59c4a3293230011c4d0bd264fcdd873545c8862c24ed7b910de325bb008e82be8448e612b7b61b7ff1927dd02c0f0327a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Software_1.30.1.rar.5vinnpd.partial

Filesize
11.2MB

MD5
0d303622e5d2c991feced07847c29713

SHA1
a03904b75d7064f1774baa9cf3611d6b26b93c8a

SHA256
c2f6d477c2676af513c9b29a49029a6fb0bb91a9d392fbed4c38c77bfe34595e

SHA512
f464506cd8a436e1beeeb342df5f817f38bd0e89f83e5ef10b880888f7467610b1042f47c9b77e57e8a47a5ec19a6e776d879b25be69fc1c7cb8a3d30d7c4be3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\4VL0Y4T9\Software_1.30.1[1].rar

Filesize
80KB

MD5
38e45a41365cbe1f08ab67b42aa6eb96

SHA1
846421c61d1ec8c4c9d5e2365fcce1dda3daf601

SHA256
17d764158dbf81b7ce5753238747cff806d4e6442c1911eb7d8b4833c1874112

SHA512
17d3e27542182f5c4fb6479b864e1ced2b1fd12555cc1b4352bf0dda09abc640993fb97e27d4c744b1695dd37a0fc6df35ad413124a6b34901025f4ccb5051e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
2KB

MD5
6349edae9ef7f2234c9c41e96f8fb977

SHA1
7a780eea3c0a261b4c86d38d0bb0a38eacb950a7

SHA256
da0b4ef2758f8fc7606aa4cddf51ce2e5bbbc68bd14c95a97e19c7569ba2bf2c

SHA512
7b6dc2689c5833155b7ff6d9cf6108d3bc1411ac34b01895a71903868a7c0fc93d9047b3de7d55032cd82b0b158268ad2cf7bfe8adf21b62c38041d4633dc79d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
edb785b84be440cbf8e617a3d489fa58

SHA1
8ecf91e56ffc7a9719aefe4e998ac3134ad4c266

SHA256
ee483338d637e9b5694205d24776d32960155a1b471c69497b4904249156fc7a

SHA512
27ba12417bc960d1bca3c70a5dbc5913d7e5609eaf7cb12e78ba062fa65cd5945782232a3858a5f43eb2a3733a198a6ed8bea22834b9364ab3b643da8d8abfaf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_287645BCBA32F35B745B436FF45A6C8B

Filesize
472B

MD5
48682756dc124ea682db1edf471d11e4

SHA1
b67b2deb816a8bd937f3730863cf8d4b530fba67

SHA256
fae802de008a4c5128e842800b4b497c9752fce42110ede5f52d4a276f234e15

SHA512
39392741185df4798b7a9bd62acf88e63f97b6544b6b89b7821be9838bfaa1b20860419a181d77c7b4c5ff44b48a58a1d8f9cd75480436f99eaf76d3af445fde

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_F035812844FEE93DCDCC1CD3A7F24400

Filesize
472B

MD5
017cfdfe6786930c90c5801d8e0cb2f8

SHA1
9d797ea49994910d659973b672a6c6059d87057f

SHA256
6ab7a7283f9686c896b47e045eb3439da60da04c8d8d309582603907563138c9

SHA512
c399e64f6f6ca5e193d91d3e8ee13aec0fe467afc526e4f8b7680b0c8cfe32360eae906e6289043782e005e23f24f8e445c737a058dce1c2bd3c6b00ed6ed095

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
488B

MD5
14d48484e95b22f0cc0d1f8cc706222d

SHA1
ea34cee03435aab3d2294fb164a1aebe0ee8fb36

SHA256
8f7788b9526442704492d1c13074b105276378b38b4038d1813c924eb2568aa2

SHA512
376438c33824b301cf9e7645e22109fbceeb203c63acf90c4c268179ad978f95be60723de475215457aabd4c04d0062021a3ae839d9d0cd2d83f96c9c348b494

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
4e6d494bd6d5dcfccab5787921d8280b

SHA1
661c0386155b4994f8331290422af66aca949460

SHA256
ae86f710115a253177625aa752f17790af3a6b9293d3eeea224b9a4f6fa63e5b

SHA512
5db04639921ed64d1dba8a07ae88dc0879b5ad322433ab477ec3084fd4dbdd03c61cf95dac3210c942ad019e34fcc46bbaf01789ac9c56e1edcdb769d027cf0b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_287645BCBA32F35B745B436FF45A6C8B

Filesize
402B

MD5
498a1eb0413d7668b3b1a264213e7b2d

SHA1
d051507cefaaa45099a61ad4caf3269edcc5306a

SHA256
aeb482903786b741bd0f2f79b5dd79104e5f40d15931296fa74009dadc63687a

SHA512
a7f6b9794cdf0bd545c6d69adc409d3b209a91821741cc6c486f1e376d6f7926c4341469878d22ec52b693c2f30aca9dda90bb81395011511ac8418ae8658e09

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_F035812844FEE93DCDCC1CD3A7F24400

Filesize
402B

MD5
75856d56444c89187ba3e2d1f788ae5f

SHA1
6e8b7d2a22f9c6603f6fe9a82fdccb33b872cc07

SHA256
b5a18e750c90d14a129441db7072377e4cf669b7c5eed6e8742e8fb2d000fb6f

SHA512
fd403934583b358616a07e0b9af98442ed8126462001bbb0b07dc1935c36a85da6a72c206b75b2b82f4da566f50380811e6e22436dc8f563786199a54c94e4fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
50ec8c7522483a5d404bea7a0f6b3c61

SHA1
d1cf6e3ffb07f3cef98741b614b21ce6bdefd666

SHA256
8473d4b51882900c8c68331cd1df8fe28755f910c7c82adc3f86f540157d4d1d

SHA512
e540c7f39dc7af7fcf7564ff1e7ab3ed9d9283eaa137df0a65300d1279fa631f4ad1b4ed0f98f4d0fc72db8b6c197759e36b6b7887a23e03a5ad0a2973881b3e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
36deeb13a113de6de547616a4b6cbfc3

SHA1
b8580438864284eab6b3da097553aa055c1688c7

SHA256
481fcb4170d4337c291e000c823b7391bba8c638364ece999967b432e3af9a8c

SHA512
78180707cee5d8a12b8da913918aaf1d8b63fd96970119c4f144e083aae475130ec0b53c8ffc6ab5428e8734947087c7af779b5496e9ba6d49c47c246f3d9d78

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
cdbea5092e3a8bd9a21ba522c29e01c8

SHA1
40cd59592d3709cf88c384f2505fbbee82c32c40

SHA256
b040877068b6efe8fb686a115c58b0542804e4dd7087d7fdcdc4068e7a94828f

SHA512
38d48b06ff8f92a1f64894d5e7720683c5545b47612aff380879611adf8b0022a56ff7e4ab87974e4c77b1fff5fd09da266af59efd06bd63cb148ab8bcb9a2ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
4365665dbd3be84e1add214ac92832cd

SHA1
6eb6c5c88b977848e04a8d0aa0f559164093c238

SHA256
fe2aa972f355d95ea175a3121634420aa51022b7b5df01968a7a84c0f1e82e72

SHA512
f67e514fd194bcf9eba816d2acc4cbb98dc04bd84bc48d99d8072184f2e9e4b1df159d5247404b6137111ac6cab7925215d2f8f317b907f50d924b817398fb67

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
32af4c08a3493331906e490249310220

SHA1
f2cf5add06ca778f2b8f87fc10a5f2754eb57261

SHA256
d83d2635185c0b5cda39ea0441554649f4ac1096097b28377a68bc317656f490

SHA512
b38946c9b886ae0be39d6eed1775587208074c05b043288b3cadbbef1382fb01f0076f2ae69d652f10e5e948acc04350a5d4533aa9ec25f723949ce77538c66c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
a0fec1bea5f04fb1a42b6478e4f35753

SHA1
94572c229333d6cdfb3db6e97b422fdebb481dd5

SHA256
62a7c72ed45add6c281376876d5408c8939943102491ce9c931051d4fcb6c40c

SHA512
58fd18348ae6b1808a985adbdd263acf0177599d1ee73b06dff858c186320fe50dfda5aef1031c14c7dd3422e010b0cc157d834782185d9c364bb7f009c18091

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
0647994c757f7c253ae3535f4708ae0c

SHA1
b34e2e8a90d986b1f7a8d9301f0d3d5ef79f3041

SHA256
b85b4db4040f1ade1307399217d59b4ad3be3f104de8c9c19f0a35a92f66ddd3

SHA512
5f35d6f72a331830764f630cef3eda9c39257a8f314f5f2715f61dbbc73b7fa332f11f90a6bf281eea38ab5b9d1e35145008aabdc4201d7c96acd60dff7dbeb1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\4fdjpfg\imagestore.dat

Filesize
11KB

MD5
396ff2702780946e9739ce43742f2739

SHA1
db8fd7ec32bac6983373acb8072b8c15959e3089

SHA256
0adc2c3f4e14c39713b321de67114fa7a37390dd9aa6086efa72c9eab93a4b20

SHA512
cf14efcfbd6e70ba24b680336a6d20c9a04a89af69a5e9d0556aa615222591cccae88bf15bac21872a2e8e6c6a68a6d6d5595d4aba7e8874a9e17b75f2b03065

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{AFF98989-94FB-4E31-9BF3-9A112F5BA1F9}.dat

Filesize
4KB

MD5
a449300c68cd053afd871f94b9960511

SHA1
00afc4bec6a1e127f059c3cc2881035ebfb0a2d8

SHA256
f8df89ff12e811cc40f52dc6dd91625d2530edc0d23eff992c3f16280a51ca32

SHA512
826020c04415037c225508d496ba52f71accb64ddf49d8eedd79d6977a88354d5626d4b7ac2cef04fc269e64d2d28870e167a994497d0bbf37d2fe5c513cb825

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{187A108F-283F-47DC-9E1E-CCF2373AF997}.dat

Filesize
8KB

MD5
03cbb698b3805c3c4956d34368116011

SHA1
c356ea9f6842082e744431fdb27533b8fa035f60

SHA256
dfc69df8ab4e539f4452ac0082575760fd5acd101eae0a46598771f382d6a747

SHA512
9c058a38ab7e733ae5ff1bc4b4d007cee837344d41f144f75f7e8b90725ae76be54876bcbfe65f2cadbeb1612833f7d4432304fd173199b71cf709aba5424505

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{3D7B5739-0DD1-4BAF-9169-89102F0D7F8C}.dat

Filesize
11KB

MD5
54d55f784f79c4f66369f43202b181a5

SHA1
dc4659d71aeb0ac4240276d0229f8b095c3a9c75

SHA256
f98212a9e4208ea1e2534f3eee005d2032b80a3fed2feb80a4ef74fb74265028

SHA512
c76810a7f95b604c67ff76fb25aa89e5ed9c25b011352fc40b092230c7f5891bdd277429170072a7c9464fa7ef0a2d55cbae16690ed81200675f36cc75312106

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{4CFC67D8-3DAB-4E79-A480-5865BC7EDF42}.dat

Filesize
4KB

MD5
e89d1a86c66a8575c784b39c5084c3cd

SHA1
6dbe09c852920daea7a042e65b39115552fc5bb6

SHA256
cffe3fa5838b9835f3aaa1deb190c005afa6c960f5bc3ee10092465e2a1444d4

SHA512
a5cb3bae45030ba1701b205a3e322e571111f8e0a26db5120c4aa726b9ac975fd44d67033475264c7f1ab811606e5131fab3fff613a543bd1e7386478a9fd0f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{5B8B8766-41DD-4789-B513-500E4D961969}.dat

Filesize
18KB

MD5
b7c070fcb980c8f9851f9318a2d7724e

SHA1
1eac6ebccc7e883ff7e527bc29439391de98d929

SHA256
e24928489b981ed939aa9400c37d4ab017eb261615dc330bdea59b026241e27d

SHA512
274a8baba0f0a0eaea7a2184fa5645ee66c17e8ac0d150b351bc5684650f270fa5aacd23a552d98a54d9dd5ab8619b4f6e35d48a9da2be50b7fea9fd196ad48b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{ECEAFBFD-410D-4305-8D3E-798A008DE751}.dat

Filesize
5KB

MD5
0549ca391c3bafce56007d2e3435a4fe

SHA1
cee0cfaaec0a95e6ec1fc8caea4018e0bb5f92ae

SHA256
a489227b63fb46c79a62e35e72eeb1aec5119771cfbde98f82caa08b64f76a6b

SHA512
0686d6efc76448cbb62df1c8f31aa7a540cd4a37b13e6b122c3c7146e64eedcb2e439c583c2c941e8a744298afffe46e921b8be75877fee8c5e82207d73b870b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
b129e7ddb3dc55f4a18a3f6ad90bb5fc

SHA1
69a8fb65a0ad838f113689958534235c78bf6c75

SHA256
0b46d6eb0642cccd4fb6f70caa1a627ef5b571027ba3a36bdf6578a62047a8e1

SHA512
99c2ffae415f9ca38563553992e4327939f14c187f4d60fb2bb2f41ef42a992dfbd1bbc53aa0c5354a4be7d664376b253374d72fd94b293a96ece3f705c5935a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\6d665c26-2d8b-4a1a-9d27-fb1d1c2658b7

Filesize
9KB

MD5
ccd56a73d8cb89480a1788f37deaf0d5

SHA1
17a33dce82389c5bf78ff1306177be60fb520c02

SHA256
bf54c65bc12e753aded6f3bf779bcf8647a1a366aefceca2f9cb122ca7bb8fea

SHA512
c7cd8ef05b3e757bf8ee793d0748f440fbca50a9d5368e741786965304106711218bacb3c091cfcc7bb6dc0baa7ab6a9ae58f17df168f9b9ea013fc1e4aa6860

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\99836a01-6ad1-4b1d-b23e-f07243a02909

Filesize
746B

MD5
41dbb98a5840a3d80ec483f294f8a836

SHA1
2b0e9eb75c967132c35917b4c583eb6774240524

SHA256
f905c8fd5e84afb735fa518c9acfeab87661651f58bffd31b2f7a67b6209c40f

SHA512
ab5a0001951b682ad3029443dfac70e377505b8da9584667331cfd00e97f39b7ab38eb7c91c67c4676cd0b703815097c709117d6ff0576a23953ad085fb3b90b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js

Filesize
6KB

MD5
05b01734028ff0d0dc70134e058120ab

SHA1
e0ef59af22b4c6dd4d34c31e7c71e18e9d6c4dee

SHA256
10690215f04a09194c84371e67af88d631b50592a1f4969d77aec9b59ef314d0

SHA512
f3ebfa6161a3aeaae0b09570ec8a6843c8a609784d1c4b4cc6335b41111f2d325b2ddea7c52b0751d3da7edb5a0a2cb30b6a7401a03ad2f5a1b2b1abdbe20f43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4

Filesize
882B

MD5
7fba4b060739554b1fb5ced71a2d6540

SHA1
0858ff9eb76e3f187391310d6b83861d9c2d4c44

SHA256
c2879ffa99c183102fa6fd2b3a86aa52d235a0019d3431de48c0899495969b3f

SHA512
589ac893cc39b53bead107c6afc65943b03cd582f2bb12b3a9b02e4202fb49ce7afc099e13e2a47862f7b1fb9249a2f96c45c2435ce5618eb4b1aaa4e6ced530

Download Submit
C:\Users\Admin\Downloads\AddOpen.txt

Filesize
430KB

MD5
1252b6bec1d5814bf422223a2cd3ad88

SHA1
f6639f8238ce604c75942653eeef44d1dd1f99ce

SHA256
a313ffdc137640012032fc301f58bfdbad1d56ec12c9227fd0be00fffd064ac8

SHA512
8fa3bdf2bc12163f6a624683d5f6efedfe3e85725fc0c308993ca44823ad856088569d709ca673b6be7f4790de16edd6f0d8c4dde2dfb7add04e26f7b0ae4595

Download Submit
C:\Users\Admin\Downloads\ClearInvoke.odp

Filesize
1.0MB

MD5
1ca86819d9e214c91058b676bc73150e

SHA1
309a5a2fb832f6fc70272ea174f8e3f187ba2bc1

SHA256
e7ce771e6a7d5cc285d9d3d64c390a5e74b74c7ea9367d213d8e2f3a795bee26

SHA512
ab3c343a9f592db5cd24e21b19ac133278eb446d959ea8ba6cf8d655b1ab5d3255b4bca70fbc31a6b64e0a7a99262f6737d79e81f75d805773b175e629f17a69

Download Submit
C:\Users\Admin\Downloads\ClearSuspend.png

Filesize
701KB

MD5
a2b91e35966d5b5bfc6b3f03167a2092

SHA1
4b7c01448c6ef2510f139944c91c7123d668ea42

SHA256
db76157d07cb25bafa88d8c3a8ccfaeb77219bc02c5354f4bad488e4692efb13

SHA512
3ffbff8734586524eab6d2af398648d25cef756c53fa77b7a900ed3f3ab6f36271f53d50a78f11571b4d378953b9754977bbbd4d47256bfb15d223d774cd0ab9

Download Submit
C:\Users\Admin\Downloads\CompleteResume.wax

Filesize
717KB

MD5
f17e2f1a4dd22c3a6d764f3e2dfe9b0a

SHA1
5f256c7e15a7419ce69f3f3b931237b50f8e0feb

SHA256
410e1e89d32ff8242767872dde77a52b1cee7f57ed9256b5785f3b8bd7762d02

SHA512
8852ab2fcd45fd0c9caf737f5a6b72e8c82fb9a52b7d31886b8edb21b17a2f84936a7c7959877f62fea49d89d2a1e41c259f3a40eec0ef04d58fe05f3f017048

Download Submit
C:\Users\Admin\Downloads\ConvertFromRename.avi

Filesize
446KB

MD5
eab5d071ae134aceb9afac50579a2144

SHA1
986d05d6c6d67db11455a26c5f64a5cc14abcbee

SHA256
f56f0e4f3a82d2165834a5fffbfd478c3a19834ca4951f9299b3f72d2c859819

SHA512
f17c478761a1423af1f65765e0d4709d1f37e8451c5bd05be8af51ecd18f104cba770427037409fbd5c5f2bb89d4f0db9deda4a9320227755cebdff687f29798

Download Submit
C:\Users\Admin\Downloads\CopyPing.mp4

Filesize
542KB

MD5
9ab82f0e456a401e0551bdef566759ef

SHA1
3e18b6c2638af0e907a2b42142c06bc7c67f1175

SHA256
f5f84b8bd64e3991a91d205b19aac4f110704b19ba8023c4a5b0a3b135620e14

SHA512
089c0a7df88908418d0053269f3cedb8cc3e216e6e1911af98b090ce02fc9cad7c724432ae6f343cb7ac465a99b3577fb395665d1dab519ecffea24825178e58

Download Submit
C:\Users\Admin\Downloads\DisableConnect.ods

Filesize
271KB

MD5
7d4cf40eb317a9e9816ea060d1a3d744

SHA1
c5c8c0c1393804cb168add530889c5f8dd7e070e

SHA256
ce699e79988e37bf7a6a6009514a38930b22033386bb7775ee7ec72d7deae77b

SHA512
9bd8b03f72c3615a4cbf68a0e87096ff9ba0e514608e158e96f5529b1512b8fde1c7163806ade2e6fa44f5ff27b2481fe4900c926b5c2587276e7482dd3d2d52

Download Submit
C:\Users\Admin\Downloads\ExpandExit.jpeg

Filesize
749KB

MD5
709c17de784f520f462dd4e6705c9aee

SHA1
56d0fb0443ea9bca5326de0d6ad2e035313ff6b8

SHA256
45b8fbd1ec76de05e6dc1c5d25916baba4f2333f9fdcc94c6d62d8eb6dfcf90c

SHA512
4e058e647fab5c445dcd03023fce0b50211b0757eed1997c12248c6f5ee02d877caac720bd7f609cba931e98902b8ddd76b04623f07d8e15a7c8ac7327c11153

Download Submit
C:\Users\Admin\Downloads\GetTrace.vstm

Filesize
573KB

MD5
9ac025d59c02a11cb2883d26913473a6

SHA1
06f7aada2db719b04f804e97fe03a6181f97841d

SHA256
0cbf4a8a0890381e1666a792a7c4e760224cddb352f7cb9a7e7a3c642e721dc4

SHA512
591a175a1dd3e854f86d0b0ec55d9527c34c769e6ae16e9bfc95e58d9b7bbbc4aab61e9404e3a49ff9cba402c99ffd806a6e039895353be52f384658c59eec0c

Download Submit
C:\Users\Admin\Downloads\InstallWrite.eps

Filesize
494KB

MD5
8b80796842ae55ca0ec7383784915ed5

SHA1
eabac6b5a976e0ef3e1d2dd38490296f9b1e6b28

SHA256
819c94e008c131dd42c4186e8b546fbdfbd8a525bf3fcd3df9cbe257cc9bb759

SHA512
9b42b4b901256965144c7bb8b68880b77fb19df242fab48534682ef238ea7523b528bf46613541b24dc954a188d1103f77ddea7e55633dca95ba62ff4a638da8

Download Submit
C:\Users\Admin\Downloads\LockSearch.jpeg

Filesize
637KB

MD5
b7c8e1f1be4e77d24041dc606cbe9fdc

SHA1
89ec4e50622659ce478c1d6540c087785d42c921

SHA256
fd2d88cedd813694ba166ce635d8faabd36b908cfb46793467856eeb88078305

SHA512
e763b16e7cb34277396c1eacb176b9afe1f6c556574540b69d3314ae52a3d7ad56bb08437df89f9898e7f923238ee2b5ca82a43aa2eb59cc4103f0851a6b15ce

Download Submit
C:\Users\Admin\Downloads\NewInstall.search-ms

Filesize
558KB

MD5
6f4d95d9b3a9c2b29c8dcbb951268ab0

SHA1
0c70983fe01da8466b58b286417e914395527426

SHA256
fbb822b3869e3430fbc73a0d936176602ad0c1e10f8621b4e11f3eeb6231ff9f

SHA512
92e9180eb6e91c7a6d1ee870d1809796c710a8c40612aec63b9d0c243d2034c16d66aeb7e177154e54ab4109dea6e3a0b5caab8925d10a8fb86266d76511e711

Download Submit
C:\Users\Admin\Downloads\PingRepair.mid

Filesize
526KB

MD5
723e70c567dd6cd96d3a23955cabcefb

SHA1
3ddf0534f9e8ad2dc4b34bb9e7cff7502b5cf760

SHA256
4d80c22d1688e7454336813021c8f6c555636ca381c4dd0bd0a0e5852c53c277

SHA512
ee804d3af5807f245920566c43e0bf14e3626a11aec7f80629ff087d6a21b219b71bcfd49561c00b9d9962ac0742281af9368ba796232d98ae5e2f148b474487

Download Submit
C:\Users\Admin\Downloads\PingStep.gif

Filesize
669KB

MD5
6384adb35cc77928d3382c607d81a2e1

SHA1
b552cc963491a6b7d0d95beb5b11d6ff197e4b2a

SHA256
e9c4b32bc4e5f754d1e2f3f833cba1e727ec38bd245af55202c986404e548ce3

SHA512
703bb46110acc69417428e2dba1e98402d2abc310ac065593d6a24ae404d7ad5b0f73a2c7676b6352bf0cb3a1c47ff09c6111a3715cc2220a94535fe197290d3

Download Submit
C:\Users\Admin\Downloads\PingSubmit.wvx

Filesize
765KB

MD5
813710f72c2462e6664ac5c0fa8b73da

SHA1
a817012a2153dd6da7176d673be87728257ffdfb

SHA256
5b1c7383b3fa51362e9bd1ced563345d757a9fba7bf499782187a5c2287deca8

SHA512
f6482b8e961c1cb3e34402200ba367b9ab278c123a26f98a63d97aa50b1d07bd7bb6ee340737d51997cea27365d23e38c169470686f21924c44048df94c32ba3

Download Submit
C:\Users\Admin\Downloads\ReadHide.ps1

Filesize
462KB

MD5
8dea2bb40a07ceb5e40408e537993db0

SHA1
0059ee6d091c92354d2e5b125a744012d5c447bf

SHA256
594f7f72adfae9998e67b16395d1534071c6b94bc3f077541fd3f0afb3c77100

SHA512
d60ae0d6c5ed6b1c4b4109aeaef2687444d1eab56a582eec42028029aedb1cd0a574fd6f1718db05712545fd4f3de614e8e92e9cffa94c9970b5163f8950a3b2

Download Submit
C:\Users\Admin\Downloads\RedoDisable.wvx

Filesize
350KB

MD5
725b019c95843ef55aafbf4ec1592735

SHA1
537133153021d870c7aea90dc3092fbe5f9719a3

SHA256
fc1e2ece6254c7d518df4c1615d72caf36d403ed43e7500a666d7ef9ccd73daf

SHA512
224ad371754425c39e1562cefa70b089de95ce794be68663dbc308fed9142b4b01545b2989efe3cb6793716792a1e83d906ae9d72150e76a2232c4ee0b1228be

Download Submit
C:\Users\Admin\Downloads\RegisterRemove.pot

Filesize
286KB

MD5
62101addacf3776f9995aa7eb1a932e0

SHA1
c7f175073aa2f0a95e1ce8ba6e297466b3d23e17

SHA256
1cfeb2ad9848e1d3e76f7fbac16d0b0449206e7e23bf8879acfa86a2d317ebda

SHA512
8ff60feaa4cd742cb3647bd7b11b64caf6db73e7148103e5cd9df170c69a85e99f9596586a2af3babaa7ee0a87366b0a2492965659f883d8cf6f235f3e38a985

Download Submit
C:\Users\Admin\Downloads\RenameImport.tmp

Filesize
414KB

MD5
228370d50f4ec6932a5c08f41d159c1b

SHA1
08d23589dfe7fac06c8c3b74e5d80a7bebc5666b

SHA256
3e70007b24d0f2a0c08545f691ca0d46b3512965de2f96396abbe793294928fa

SHA512
21191fd6ea402300564e87a64583560405af095530fdaf95e94adbd96f2c3c6bea5c67b01a142288561f3c428721f7b8600bed049c4b81a4e9c70c5d5bd05010

Download Submit
C:\Users\Admin\Downloads\ResizeMount.vbe

Filesize
478KB

MD5
b9b48e6e440a22f9048c4ef79381af79

SHA1
02e2db41ba1bbba9485d7027b72fe6d9d7ff3fdd

SHA256
a09d6fe0c4bfa1d92e243baefe193b670cdb66f7a4cbc5e9e2e7823f2e28e89c

SHA512
10b216c615aff8e885b9d40344d418ab981631047480de7f07ed91cd4da80dfb028b2ef50acdf3a6bdddda0990e7107723f39201ff9a9382b0e3cf4db7ced98d

Download Submit
C:\Users\Admin\Downloads\RestartSearch.vdw

Filesize
653KB

MD5
f3352f17d5e7cb28c3aae6948420526f

SHA1
2f959435ef88bfc8e0b497897abd7551713efc12

SHA256
b8cc4774a7043bbfd27dde531abbb424f98d2b26b8c2fdcf41e2fab409bf64e1

SHA512
e19339224cdb81cacd9ac71518316c64a6070ccccb793654d1c595e79c225fe6271d1cc73314e2f735322116b5a621767bd804ca4cac1cc7f6b5564ec96a1d01

Download Submit
C:\Users\Admin\Downloads\SendSync.i64

Filesize
605KB

MD5
434133ed363c96c3aa7c6e4bbbd09867

SHA1
7ab2416a541c6a5b662a86a021a7df3751664193

SHA256
7b16d6feba5fee78862397c069cd9c230f00851c3772b8a4425d0ebbcd598b6f

SHA512
5e5e77b94d8434de2d79e8baa02b821bbfa19bdba6ae754b174d595a4073d008c08590412c22ba45b534027d89a504d2d3e31fa0c714af91077fc8cafab57890

Download Submit
C:\Users\Admin\Downloads\ShowUpdate.3g2

Filesize
621KB

MD5
d19fb603822bb6204a788e021b3dc481

SHA1
e855e70bd4d3b8f89fe06365ef5e914c6acb602a

SHA256
fe9cc9fd261f56b9072ffa663466edca7a2812053dce9efc6786303bebb3a959

SHA512
f164c7b4aed4572ffa8d0a25f16b1ef8bbb2211bef2428c3f50b8caa1aeb880ef1a63314abb628d3329da3a3bfa4f9e06ea3f45208beb0039a1a80cbc5b228b9

Download Submit
C:\Users\Admin\Downloads\SkipImport.csv

Filesize
733KB

MD5
358dd275b38b35e47c193aeb3d58e331

SHA1
ebd88a29433d13ca828a3f34592262cb24207771

SHA256
d6c0a0d5285a7ce65e6d5226d5fd29291c72964abf5ff2c395cb1bc28b4c56af

SHA512
686973ea9bd1355cf8db7cea1a16c403785a4fc1cfc1530c5ed038cc61f198f684f4ac309e9a764de21550db8e22562d1baf9928040bed23cbbd937180e78be5

Download Submit
C:\Users\Admin\Downloads\SkipJoin.hta

Filesize
685KB

MD5
ed9b315a18523743c92d62ff28564123

SHA1
b4f74b053888fbdd091c3855e287acaaafbb653a

SHA256
069e33ec3635ed25b1c35eadfcbf5b888f1bfb88c3d0bc4c03278f4661709193

SHA512
d3166c7b409fdadb5e2b9dd998be39f0974cfd2143826c3b6ee32d2c830186f51c018f7afd628e2ab0932ae92ac0fda133a84a846903acfb8991aefad6e0f806

Download Submit
C:\Users\Admin\Downloads\StepCopy.inf

Filesize
589KB

MD5
0335017ae30cae31dcce3e83a8f4c7f7

SHA1
20e9099c4498f352bec496a95662966f4a542241

SHA256
281c1a9fbf180f0a6094939e4713ceaefdd6bd17fdb3b7069e63d4170c282175

SHA512
0314ef79154a2e5c9bf0820e4b332811134b2dcfe838c13ddd5ff9bc8599ba1e5feb8e37ad97da67a842189f0518083a1bb74a51908661d0d7b26af5e69dcf89

Download Submit
C:\Users\Admin\Downloads\StopEnable.nfo

Filesize
510KB

MD5
d9a6de54d0f8b2354e9a4002fcbb1740

SHA1
8123f6296ae7e5fe3b67c6f78bf7cd2febf6b916

SHA256
b409c8a1f55cd57dd9c13f423dcd3ffca1682185960153f4167dbbf3fc74ae50

SHA512
97d43cfed428519a3c8bfe23d1682295ff6d5dd7c1f73d34b282a9c7827abf074d6b3e7cae333ba7f760a35fc877b7fb8ab520c72d30fe5000eb7ece2e570df2

Download Submit
C:\Users\Admin\Downloads\SuspendUnblock.mpa

Filesize
398KB

MD5
1ce21d446be75e559ace2c3314a23afd

SHA1
5b6e0f2dd49f3f8d1c6306b58cd2b389a0425cf7

SHA256
ae25010d2ab29e2db9ec58b05380b7a18355a46e3612a856ad28afdab8e46386

SHA512
207b3d51bc192333daa76c45816e243aca201eb4958b5ee0858338e25c21a44ee2f26c5d68e95328a938843a053af3ed57a5ff32a6f709fcb6d920c286c2e2d5

Download Submit
C:\Users\Admin\Downloads\SwitchRestore.doc

Filesize
382KB

MD5
e5541e81de2a564f7eb1bb3fbd130c1e

SHA1
c451c0c5e6d35fc00f39ea63284e23218c2fc1e4

SHA256
778fe56a19fe387b83ebe184c7cc39b1a8713b38d7199231666be235eae28c5c

SHA512
960df99b26fa05c1c470eabfe4523c446806d6c478efb6ebdd5667ea1e25b3eaf58a31f63a8a62a241e67abadecb3041b8e20a52d47093093223a10a5eb60c96

Download Submit
C:\Users\Admin\Downloads\TraceSuspend.DVR

Filesize
302KB

MD5
d013cfd6f04636b0ca902ad1ab60c04d

SHA1
aa35fca5c1feec6ee5cf9d912e9daa5b810f34dc

SHA256
8877c598bf3b13edcb9012ca16d7a1eff142f13b39660810d8a53a673a25ec17

SHA512
67a8a8d853826b621fab20c39b68b96c02ed5dd7d638316a265c07225c311478b1c5ad51350ae2b7f102dd7f77b5d1774bb89093c56c1506ef6cb379c463965e

Download Submit
C:\Users\Admin\Downloads\UnblockStep.docm

Filesize
318KB

MD5
ac0c325b63f3d482ede83f8253310fd0

SHA1
9b8b339c8a610c29cc39f3855fa755024f16935d

SHA256
dd68986645fd8ee01294e45e62d4906d396deb2d1d0089534391b9d74eb1ef48

SHA512
f518216d0c41ae7b6aea7ab7ae6e7b89b9d57d5a550c2b74a548310d35f4137559132d114ddebbbfc13221281246112b81bfa0e7a91cb688dba73eb50b683a18

Download Submit
C:\Users\Admin\Downloads\UndoPop.wmf

Filesize
366KB

MD5
e3f113a464003c87163784c758af107b

SHA1
edf3447c2a088eb1450759d8de70ca530a1b143a

SHA256
1b916fcd377e1685d61c361286d2a0d22901095c671082626a1b19d11d6412e4

SHA512
0b0e3fc4fc44bb98711cce7747ba56dc7a9e55084f346996d248d56f0fcfcf2be7e5952c87fe17b6bb0c52c1a0187d3c59fc8ddba0a8ea86c5815c8bb7e4d045

Download Submit
C:\Users\Admin\Downloads\UnregisterPing.ico

Filesize
334KB

MD5
d9ead8650fc663fff5ab5b57da8b80ee

SHA1
2f4f2c26630c22ceff9b10dc50e822709225213f

SHA256
fa8e645da5e37d1bc9328da3aab0554095b2bff6772094e6c766747f1b27b7c5

SHA512
b6825b19ca144fca838eefb11875671b71dc308e54251bc1b94615d3f998c7fb6a423963a0cf6187e7cac3cb00a06d5e5ed74d62c4c7cdebc5d244ecbcabf80c

Download Submit
C:\Users\Admin\Downloads\WriteSend.odt

Filesize
781KB

MD5
5ecbfcf59660fe6572692f32784cbee5

SHA1
505d3998ce9ce05356e61e5b0f913e6018c503ed

SHA256
534d6df98ad64950aea91af3b712362ca2e4f9de593fd75ff00edeb31584c5c9

SHA512
03f8ae420466583d252ce45074398e830a0ef0011644788f81a8cc80ca2d70dd86c475c9c756a3fa622eba46c3de09a5dc946d5f8ccb15bd7ead18b4f86caffa

Download Submit
memory/428-523-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-275-0x0000011AE28B0000-0x0000011AE29B0000-memory.dmp

Filesize
1024KB

Download
memory/428-530-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-529-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-528-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-527-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-526-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-525-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-74-0x0000011ACED20000-0x0000011ACED22000-memory.dmp

Filesize
8KB

Download
memory/428-524-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-518-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-508-0x0000011AE3DE0000-0x0000011AE3EE0000-memory.dmp

Filesize
1024KB

Download
memory/428-484-0x0000011ACEB50000-0x0000011ACEB52000-memory.dmp

Filesize
8KB

Download
memory/428-362-0x0000011AE18D0000-0x0000011AE18D2000-memory.dmp

Filesize
8KB

Download
memory/428-343-0x0000011AE3A80000-0x0000011AE3B80000-memory.dmp

Filesize
1024KB

Download
memory/428-321-0x0000011AE32E0000-0x0000011AE3300000-memory.dmp

Filesize
128KB

Download
memory/428-302-0x0000011AE28B0000-0x0000011AE29B0000-memory.dmp

Filesize
1024KB

Download
memory/428-531-0x0000011ACEA00000-0x0000011ACEA10000-memory.dmp

Filesize
64KB

Download
memory/428-222-0x0000011AE1E00000-0x0000011AE1F00000-memory.dmp

Filesize
1024KB

Download
memory/428-138-0x0000011AE10D0000-0x0000011AE10D2000-memory.dmp

Filesize
8KB

Download
memory/428-130-0x0000011AE0FA0000-0x0000011AE0FA2000-memory.dmp

Filesize
8KB

Download
memory/428-133-0x0000011AE1090000-0x0000011AE1092000-memory.dmp

Filesize
8KB

Download
memory/428-127-0x0000011AE0F80000-0x0000011AE0F82000-memory.dmp

Filesize
8KB

Download
memory/428-124-0x0000011AE0F60000-0x0000011AE0F62000-memory.dmp

Filesize
8KB

Download
memory/428-120-0x0000011AE0F40000-0x0000011AE0F42000-memory.dmp

Filesize
8KB

Download
memory/428-117-0x0000011AE0F20000-0x0000011AE0F22000-memory.dmp

Filesize
8KB

Download
memory/428-113-0x0000011AE0DD0000-0x0000011AE0DD2000-memory.dmp

Filesize
8KB

Download
memory/428-114-0x0000011AE0A40000-0x0000011AE0A60000-memory.dmp

Filesize
128KB

Download
memory/428-108-0x0000011AE0D70000-0x0000011AE0D72000-memory.dmp

Filesize
8KB

Download
memory/428-78-0x0000011ACED60000-0x0000011ACED62000-memory.dmp

Filesize
8KB

Download
memory/428-76-0x0000011ACED40000-0x0000011ACED42000-memory.dmp

Filesize
8KB

Download
memory/1408-0-0x000001FF29B20000-0x000001FF29B30000-memory.dmp

Filesize
64KB

Download
memory/1408-35-0x000001FF2A1A0000-0x000001FF2A1A2000-memory.dmp

Filesize
8KB

Download
memory/1408-16-0x000001FF29F00000-0x000001FF29F10000-memory.dmp

Filesize
64KB

Download