0057a052bb6292cde3fedf37882b4feb218fbc04433ebb92dbcfe700ec89581d

Resubmissions

27-04-2024 22:28

240427-2dmtbsac4y 1

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-fr
resource tags

arch:x64arch:x86image:win10v2004-20240426-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
27-04-2024 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HELLCARD_v1.0.240417.html
Size

903KB
MD5

df5355151cb608fc16044cfed37ea6ca
SHA1

c3aa763ef46fd63abea7cc250d7022682b75cfd2
SHA256

0057a052bb6292cde3fedf37882b4feb218fbc04433ebb92dbcfe700ec89581d
SHA512

68ceb14c12994e1aac69d0e55e70b1f2c12fba37147a678b3d2861ac8810f05c30cec45f8c9eec6fd9e5a70e8cf8379c66446c6b36127343a7fba0279ca49eb4
SSDEEP

24576:sBpm+cbo2wBQ+tqSxV8ThyFIpW0Rm+cbvi:K2wBDtqSxV8ThyFWW0wi

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 9 IoCs

Processes:

msedge.exemsedge.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-711569230-3659488422-571408806-1000\{74C00DDB-7F59-4ECA-A5DC-11EE5FE3FE0F}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exe

pid	process
4992	msedge.exe
4992	msedge.exe
1368	msedge.exe
1368	msedge.exe
796	identity_helper.exe
796	identity_helper.exe
212	msedge.exe
1184	msedge.exe
1184	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

Processes:

msedge.exe

pid	process
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

firefox.exe

description pid process

Token: SeDebugPrivilege 832 firefox.exe
Token: SeDebugPrivilege 832 firefox.exe

description	pid	process
Token: SeDebugPrivilege	832	firefox.exe
Token: SeDebugPrivilege	832	firefox.exe

Suspicious use of FindShellTrayWindow 30 IoCs

Processes:

msedge.exefirefox.exe

pid	process
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

Processes:

msedge.exefirefox.exe

pid	process
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

firefox.exe

pid process

832 firefox.exe
832 firefox.exe
832 firefox.exe
832 firefox.exe
832 firefox.exe
832 firefox.exe
832 firefox.exe

pid	process
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe
832	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1368 wrote to memory of 388	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 388	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 516	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4992	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4992	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 2428	1368	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\HELLCARD_v1.0.240417.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6fad46f8,0x7ffa6fad4708,0x7ffa6fad4718
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
2⤵
PID:516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:2428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
2⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=none --mojo-platform-channel-handle=5732 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
2⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
2⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
2⤵
PID:2812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
2⤵
PID:1296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
2⤵
PID:3600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
2⤵
PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=5148 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=audio --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
PID:1100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=video_capture --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
2⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
2⤵
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
2⤵
PID:4620

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6452 /prefetch:1
2⤵
PID:3356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=collections --mojo-platform-channel-handle=6636 /prefetch:8
2⤵
PID:1616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
2⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6696 /prefetch:8
2⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
2⤵
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6488 /prefetch:1
2⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6984 /prefetch:1
2⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
2⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
2⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
2⤵
PID:2176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --lang=fr --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
2⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,11921877432956124570,4317813489201406097,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6168 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4744

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:832

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.0.350922190\1652807376" -parentBuildID 20230214051806 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {66c5c047-624d-457c-86a6-32829dec9fb7} 832 "\\.\pipe\gecko-crash-server-pipe.832" 1836 1f73081e058 gpu
3⤵
PID:2236

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.1.166158743\713603236" -parentBuildID 20230214051806 -prefsHandle 2392 -prefMapHandle 2384 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8236773-112f-42c4-b0b2-197cf27a2649} 832 "\\.\pipe\gecko-crash-server-pipe.832" 2404 1f723b89f58 socket
3⤵
PID:5080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.2.2048582038\378911122" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 1348 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75d58b1e-5087-43ae-945b-975f572886e5} 832 "\\.\pipe\gecko-crash-server-pipe.832" 3024 1f7331f0758 tab
3⤵
PID:5300

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.3.122230477\1704047074" -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1348 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {13db934c-8435-4b5a-a1d0-fb50370c24ec} 832 "\\.\pipe\gecko-crash-server-pipe.832" 4144 1f735ccbc58 tab
3⤵
PID:5564

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.4.574133633\588043443" -childID 3 -isForBrowser -prefsHandle 5008 -prefMapHandle 5020 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1348 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {072f287e-9164-46e7-af9b-c37c3aea5f84} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5032 1f737e8ce58 tab
3⤵
PID:5940

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.5.216722313\1638054330" -childID 4 -isForBrowser -prefsHandle 5176 -prefMapHandle 5180 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1348 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f27d7f4e-6f43-4316-a4a5-d187ea7762ac} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5168 1f737ed0058 tab
3⤵
PID:5948

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.6.1763789238\32031027" -childID 5 -isForBrowser -prefsHandle 5396 -prefMapHandle 5400 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1348 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ead2dd59-56a7-494b-b7a0-0f891958cbbf} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5388 1f737ed0c58 tab
3⤵
PID:5960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="832.7.397540965\1460368159" -childID 6 -isForBrowser -prefsHandle 5888 -prefMapHandle 5864 -prefsLen 27885 -prefMapSize 235121 -jsInitHandle 1348 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {617c5d39-1dd7-4a36-928c-08adea3a00c6} 832 "\\.\pipe\gecko-crash-server-pipe.832" 5876 1f732492658 tab
3⤵
PID:5868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
26KB

MD5
191cd87d59bcfbb734fca7bb92bbc245

SHA1
30514c4b000361fe9319ebbb84d5cf93b9b0a82f

SHA256
cf07e157a37761abad2d2ccf9385f5023fca4dad5a3594c6832274a1b5823c9b

SHA512
a72b2bfe8e6ba1fb307f4d89c1a38070261d315d36f12726c22b77fa90171fb28d6f62b112dcaad521aa09e89990ff810c363fa79e2e75b48329ddded879dc4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
1ad69887ae03a2dee7d78d5197b551c4

SHA1
0b145df4f321fcfcd4280eead62fa10c5528cd1f

SHA256
8e7a578fd7245bfc15a6a52986131a424fe0af43eea4558a65a253a8fdd2a50e

SHA512
53050834489aed2fba6fb236e96d5ce239cef02264f99c0bbcc757ca9cc0c1c88a4180ff3c20f8c169d37ecc5f59879960f2716c980a4582b6c138da8c7584cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_megaup.net_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
bae80a3d5321658026fe9369c3ce58e4

SHA1
6bf11d17d06e3b9f73805d84568be2e463c4709a

SHA256
8544fef7eb57a182591948383376b8449ab8e8a87aec09e940a8b015ac107387

SHA512
b9e9a1de2a28594b0cbbf4bf2b647b62cd627b7458a68269f8657437244df78bdf76b640ec44304c3ffb3f5418e9c1899070c57afc453e4e6a3c10a11f0a7747

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
4KB

MD5
a817c263e381b87107c6d2fa522fcdb9

SHA1
3917254ccdcba92574da70883f817b6a6db06b04

SHA256
23a64fbefa7597400f99e32a9a076f6ec4c728147a610f29a44881868bd93040

SHA512
8fd222762f697a46a237e6895501c61b5c7e2a3653eceea3f9d0ec1deefecabaa9bf0ef14f254386644a8110eb919ca8592a867e97bd4441d0c50d55ea2913b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
98fc618316cb5701ff15cf25b8e6ab7b

SHA1
dc730757828b7623529d5560b04617f7a33b2bb2

SHA256
5b259c77e9704d5c79c6c57a88c37b7b658159473684f00771a3d7f28c177e19

SHA512
a6b2d807b19a9eec03831bd7245c95b97a56eb510de74e0a33897898bd124398ee5a2a5d299b57ea190145895f073c522018a4736ccef508de10ef336d81325b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
b423bba1fd8939ac676bbbc58147dd68

SHA1
2cade9a51bf2f459f0646a2611e752a7d29225a6

SHA256
fbff7f967c2d7900c6ce22560903d914d36dfed478c8654d4df1b5cb8b61253e

SHA512
8086ebdbd08f745161c5ad312d4edaa2d7295487dee803d9b7b2846f02500633b232256cb26cc1da45217ecc1eda033e93095c9df224546a57a8d7cd13add7ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
77815c188cd860d1ddf67eb35d077e70

SHA1
66f5f767c5908083e1eab11840d75d5f8d923eeb

SHA256
753f5c79d6b7fee125469bec80b6e76f5e12f93b3b024c037ba58c5d39ba7133

SHA512
8c0b6ecf34f1fcb7f17e139afcf4fb842abf410987ff971b1adc389aa356336c2354144e948402717c6e0824e98aa27c12c66c6af16266c0de584879880d2268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
72e488b2ca4f5ac9ffac66e9b80a258c

SHA1
f439a1765a5224973429edcf67f3be0ac455c8b5

SHA256
39c781507a57685de0d703f8f44c70b041c6233a5eb151eb160a31c5b65bd399

SHA512
aaea63606920f96df2aa3482bd92c63c9a64a348a607b20a80f3f9bbd25c6bfb4867cd627e61ea281440609b1b0e23390e4e0a0a99ae0deb74c35479a14309f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
b204b470b594f1f89a6a08533bf650dd

SHA1
f5471e3356a66e52687798f325237192ac099945

SHA256
8d778cb80761b4e64dc078f300730b9f16856f1a8283770c2103acf1ae1ec04e

SHA512
aad993025e6811688533229afe5fdc8df8eab41543b51ac67aa75c7bab63135580022b967fb8ea89780f693c7540cde107d530dc9376bd8e9086df5b9a67ed0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a1be55313918c85f2cd4ecf16e7867f0

SHA1
a16af498b75077e5903791a2ce4618b0c4f65fbb

SHA256
0d022716b0a4c4216979fd55c16ab50c376d2efe802bab91cc742495f6797dfa

SHA512
2bc9f5d614ea456efd61c8a4550fc25939701db3d8411a6a813498a999c20f20a5fa193f815bd54d9377687966a20860a1238d391159100447ebb5318f9310f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
13bc32d053e0df4de392e81878d9593d

SHA1
74803c67bc9bd6ffd11ca2053e07a12b7864b5f9

SHA256
67cb3ca7723408d929fb3d9e356c582c264cc6f0a1b5e2c640d6ab5289c16cca

SHA512
076e5dbfb60c435399a16225547e8155f8011abd02f77bb3597a58de9e7b82b501e5d177825d1680c73f7b1f93c221826a766d7afb73ed078c265016cdf303f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5853f7.TMP
Filesize
48B

MD5
9e1c78d9be6b76eaf6b5654634ceec9c

SHA1
d9a251c26e28e899fb60b471c8d6ba48a20389ca

SHA256
391ec4c56a6ef817be2bcfff05d9702b685200ca543b0cf85a398e58fc1e4912

SHA512
efaec7899ab70ef686627196c06782a603be065a422b2170c17f3a0dc079cd2ff24f4d0ba7abd10559160876893b8c18684c94e436230dacfb33f67c205cbf0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
2beca43a4065bf7cdb2b777b2260b0c8

SHA1
0cba0b3192c9a3ac47ee1b69481598bec430dea1

SHA256
b1b64f02d0534fe69a3062c7181e95cd13e17df634e82a4d2c4eb50580010aca

SHA512
f435c260fa3ebf07d3a8768a21a1440db4efd6a6a6878fc18aecc0bebe7f70a9caf3bf5bbd2f556605e8963707a0383cef3c784cc01e5e2d57760a90443837ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
5f7d7bca3280db113fbbbc3bdfd58240

SHA1
b9ad4013695a54580faa2ba5978090c0d8caa582

SHA256
27c2b081c08cb35038af7bf84b459e21cb893c98f6e29de4f444a565a56d8c5a

SHA512
8f2ed3c0c177a0af8ead1a988a1a40d0c8fac754ad3955706e8a03e0d72b98a8719ed5240f95dc7f3b4f26e2fc82c8848ddd7137b2c80cf3ddb906cc1fe858bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
d4b57a865776353b4a8019f7ddb57a74

SHA1
284a91647ae5c38d5d8aae2e94e4ca957cfd8df7

SHA256
b6527bc7532ca6acfdee3cdb25f5c388323a52d338709adfcd6f7c2b5eb6ead7

SHA512
0bf96a80082654fb5e04f79d2fc5323d066ae037cee5d44e220e09f67d7fc7dc022b68795eb2696472825c3311ae8d9e1cd3de60b134c26f39df67f4d65518d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5801ef.TMP
Filesize
705B

MD5
da4faee00f45bd9b603910daaffcb2ad

SHA1
d8102e331b97450ae607a924ecda2677d30f829f

SHA256
34261fd0d665c824df854e04b2f60546c9f179b2f9dec99081dadcc6e7fdbf71

SHA512
a60e405704a99b7358ff6d52e7c0d5b8ea70caaca729201cc90f497c209c382534885e694629256c10d4a3c872ef37ba177f09ee17cc5af512f98826b0197c07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
794569300621fef91e2a6a94a1e35282

SHA1
155b6c96fc6d197cc4ef91ea26cf860fc9c558f0

SHA256
740e9cd05851bd77bd05bd27649a86c22721055fdd83eb65689907198a0fcad4

SHA512
ccd2bae7b4077e1c1c2a83d2c0d0eaa1763da149aa867f018f597420bad5fdfc216212672850e5423cac8aa928bbd293e5023cf88a26514ffb51760ef601e9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
a2e6ba95ebd3c94aea53e6df9c17c4e8

SHA1
fb53b6518d8ca3b33026c0bfd3af1ff97f58ed03

SHA256
515ad2e3cd0d14ed69ebd84c48385db837813077c466023c5776dd7270edf94f

SHA512
cb4ead55974f1c33debb783b25c5cf24ec9897a37c96893500dd17f387a3efc8d1afa71da1ad92eeb44077f978418b851bea74110c6a4543ff41bdabc174f795

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
ef20e2d4bc4378fef0c60fb00e3ab7ba

SHA1
144e0f819a6caa18ad22d01b4ee7c1f53b827f5a

SHA256
d30d8796ba35a0e6d3977117b7994f350e39761a079e477caa1bca42e52657bf

SHA512
c5f7276a03b86542243c8972a45fbb9211106872853bf4b38ef6541c4b91372cbf6c807c3f13f288c5a6edd84d22011d291df3366cb75248accafc59761a6263

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\activity-stream.discovery_stream.json.tmp
Filesize
26KB

MD5
3059775e03d553ccec42943a5da8c824

SHA1
059bd57bc4f3a1858ecb56f64dcaf256728136e6

SHA256
5a863ce3976b6ee7f4b299fe447fd6378065029eb8e3b04a93b8f39b44c75424

SHA512
ff7993f038cf96bbf81569740c46a1b551ec7c82ff482e03cbf16cc69bce71e28062b6f4bf74c5e864eb85403d749209886ee81e071f819a8c63b28ebeca5fef

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\47kntzet.default-release\cache2\entries\E0D3A67C52092ED0CE3BB268B761767AF0A818C6
Filesize
30KB

MD5
385b3d8fd54eed7912e7d493c17b50ed

SHA1
54649ac929b966bfe9e23667e4aa19b331464b94

SHA256
0bd7c1d99c5e238f05df6325f430f3e4547d915f207bcad05b651139295ff228

SHA512
ec624c7becd2521e0f037d0b54efb57ca92cb50e821aa4dc5003d08b825d3fae0dfe92435a4ec58de02b4d01c66984d73ad52248a44cea3800877caeda07d6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp-jil.xpi
Filesize
3.7MB

MD5
b1d88bcc5787c5b9e471b8f005ba7c51

SHA1
1419ed5e0ff5183ed94ef5f4d768d31f1da4eb2f

SHA256
9928e79a52cecf7cfa231fdb0699c7d7a427660d94eb10d711ed5a2f10d2eb89

SHA512
1d80d44c6c9fe965c3f6bdc9355b577339669e992c2d2b46340c8beb7c84834e132d722567abdd667817a6508410ee7badb9f9f5f72a4b418839de7fc51af54c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\addonStartup.json.lz4.tmp
Filesize
5KB

MD5
f6457350dc7d79f65cfca6d56badfee8

SHA1
05f03936062ed80f4d684ebf47b5e6915799fb31

SHA256
3e4b4bcbaa1a6a8066fd05375e3a60b0d56af82edc41dbfbc1e1cad989de3b92

SHA512
1bd91a72a48685a2e024a5dd8de438f21fb631c1b9d9c6406f390c6c5f9a403d5fc11ca6e8592ec4604938ec7c7f27db3f0f75c09a649f5128f6021688c15cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\extensions.json.tmp
Filesize
61KB

MD5
a43fdf1a9da313ab80f07addd598b61b

SHA1
c7202332f8c85d406fcb7ba0419ce8e00d89fdb9

SHA256
9912e71f217754940e0153d477ae628c1de0bce630725259f5b139c9687c1246

SHA512
14739125f4ce54a6af183a8a3d72b118dcbdf367f3e607912e9ea979f9e7c04b514c768a010778e31c70035eb17959867d44999531e0289d5f4f888700030b71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js
Filesize
7KB

MD5
52823c8b9133cfe7ff78aecd650f9c2f

SHA1
ab2e69ed2b81c5fd3ebd9bc753990573991babaf

SHA256
ffc1e5a6050165fa0315cc749e0aa041aea6df1d2a33bf037bda5b2db11fe084

SHA512
1eb601e5ea10e9932df9db9997e4c0407e8ad89bf7300889d9e33ee8140ed633f1ebf1eef5a0535e78e8174a6c54c2aa9010b076172c1bcafb5b7319ac897f86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js
Filesize
7KB

MD5
d49c3eb836807b0e104e317aba2c608c

SHA1
f179c07701b13c74623f1cefccb94a3ca098cab1

SHA256
5b56d283ec3325688903cca371797a6cc7f09058cfb85e7e76d580760a313c97

SHA512
68a0397a6d8b32e8d5ed3185158dc6c3bef6549e5ec719ff6e72c25bfb13669dc80d31aa658b3361db42faf1b3006cfa75602d49780a7acfff435ea0dce559d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\prefs-1.js
Filesize
7KB

MD5
cee34c2906ceec1fdeb8e5f13ed4ecd9

SHA1
8fd8d4d78adeeb3bc959988b6f7613ee3a900eef

SHA256
0a0cfb181a9bb42d6d8d24951ba4114acafb62816cb288f46179141ca17ad624

SHA512
9b2f18d6554303602e96a05018430ceb4314cfdec168def03eb62dd716cda0ffa0b3abd0baf764be850b301650f6523ce1af30182c3936725eba39a5f037fd5d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
1017B

MD5
15d62966aaa30564e6a3f3d78a8c69ff

SHA1
498e0e797d66ecb6cb1dfc144dc3c7c8123a9292

SHA256
f1528b4ab51575868256ed9f59f6bf32a3fb54f9b71c209b66c2f940c09471b3

SHA512
ead286c7fcee04092a6f33df07bf319946c1ffb7042581c589639d2c0662b9b644bfb68a9ce9a92d9d461e79456a85c83e50b95a8747568c44b49fcb70caaa3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
3c3e21104eafdf09627ae3a9392e5466

SHA1
1259ba7200e39ea150dc9b596171132864766a30

SHA256
7b401d79e7496ac96fbaab8a7e1a80694a7e827d7908deb42ec5ae84c5f27104

SHA512
e48fc433fbfc9367dbcac5a24dc09e781f221640b7be7fb411ed3b4e24a7872b90206243051fc7eec7229aff8970fbf0e1d1763b5ac1b0fff0f64135f11db738

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
9c0216143fb1697a8e9cc6527da6dadb

SHA1
45cd511a55e51eb899e5d1aefc2c59594c3d4181

SHA256
c1bf506d9479d9156cdf72f44189c7fb662f9bda770cf465db408ecd84eb9d93

SHA512
a827f742cdc852d89cc34a370a30473b9d7ffdcf14c4f60a369148af8c22ebe13f26aa166f5ff94af261835195f451889998513596768c1d2a8a6b204ef3a297

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
2f053f10ede4ebc15727acf668f9d5a6

SHA1
0767469244ff17814eabcd3958ff2c2155967065

SHA256
af7a1ecfce0074f2502c8601b94c5ecf5138ec04362ac5ae083879c10a88781d

SHA512
c9a38636ce42259f8bf7371ad40b75f43c08a7b8b36efeb1a8d38f0363c2d6c23302cd505b9282419714eca79ec17f497d92d7cc1acc0e042ac6ae5552e14d5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\sessionstore-backups\recovery.jsonlz4
Filesize
4KB

MD5
a7d2e10aecc4a96c0c7fa1d08b960b0a

SHA1
3373d4168a50e3e2970fa3bbce26aa27bff9e331

SHA256
2a0c1a0f1cfb286629092776281b1befb11f86c1dd584b6a783b48426051f910

SHA512
737996ed5467db3ad2e6e1e0ccb6a41a02eaf7551f85386bd0960f51b48fd70da9a3efde016919f8cefb68f504d85a14d0bd2414d6f0c01468da5304b5539055

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\storage\default\moz-extension+++6450b375-eae9-4a14-a1d2-aacf148ed162^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.files\4
Filesize
1.4MB

MD5
08897197afd30d8fd41238107973d3ed

SHA1
d3d3c9e5417c75bde0bbeba8e439e382871cd126

SHA256
da164f467016b5214b4a07ebd040d3f66ebe05260bc05a770dfa5a945c5f5f07

SHA512
8953385f2351bfa31e700dd5534be77558fa001982b7c64c394465e1b363bce61adca09179d7d1dcb27ec88db9eeb8a2d78c014bfebb53075414a4b5be551f9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\storage\default\moz-extension+++6450b375-eae9-4a14-a1d2-aacf148ed162^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.files\5
Filesize
1.3MB

MD5
f2e2ba441fc02f2e7a61fa4dc87fa701

SHA1
dcc14b49a97022b74902da6a72ddd3e431fbeb3e

SHA256
16333444dc15903053150493118195c89e3b762cf6d337727d5abb9b0f4dc576

SHA512
33a4f675f73b3ae6e4359f10caf0589fa13a21251ec836a46562963a50b835cab9924df6ce3c1d9aae92c48b3d17cceb4971ac3abd61ff49e3f836db9f1d6921

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\47kntzet.default-release\storage\default\moz-extension+++6450b375-eae9-4a14-a1d2-aacf148ed162^userContextId=4294967295\idb\3647222921wleabcEoxlt-eengsairo.files\6
Filesize
2.1MB

MD5
e322c5487058a560d21b7540dc361aab

SHA1
c0d6f05a10231b414b84e3473bce807f9020d818

SHA256
867092dab41b2d19f81c42232f3803c5c8dc000e1ff90689ae86085b94d74650

SHA512
ec9122c97ab510886599dbf97c1bcf101dfc539120190c7c22eeef0d25f3f1e195800574dbdf7bef0de96bed0c0c5f13b5852c72d98378b7188f1680b0dc22d3

Download Submit
\??\pipe\LOCAL\crashpad_1368_DJEUCBWJHAWRKHPU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit