ef2983eba803cb2863ae5a52f230978f5ddaacb476f783101f2c22f19ec930a6

Analysis

max time kernel
1195s
max time network
1808s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
07-05-2024 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

طرح درس (@konkorof_vip).pdf
Size

683KB
MD5

3a4ef7ed1bae8ce9d1cab554b28172a6
SHA1

9656efa75203e4ff99c1f611829d4ba7397d4369
SHA256

ef2983eba803cb2863ae5a52f230978f5ddaacb476f783101f2c22f19ec930a6
SHA512

bef0567c310bcab315780176a246c4b8bb3dd3a4ea05d45c19af1246ed327f41a2e310817663ab0683ab0e214c72ba143882913f213a999fdd43be84ad3a838b
SSDEEP

12288:ARutJ8Is+ffipoI9pg0shPIIcjxq85ztzQaiEwXLhD2eoh5YtfnqoepKs0X79Tzp:2utJ8wipoI9pg0shPIIcjxq85ztzQQwP

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
1980	winrar-x64-701b1.exe
2828	winrar-x64-700.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\NEWS.txt	NOTEPAD.EXE

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133595820052334562"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 4a003100000000009358154e1000564c4300380009000400efbe9358134ea7583c982e000000f5a0020000000100000000000000000000000000000018d97c0056004c004300000012000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 8c00310000000000a7580197110050524f4752417e310000740009000400efbec5525961a75801972e0000003f0000000000010000000000000000004a00000000007c87bb00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	NOTEPAD.EXE
Key created	\Registry\User\S-1-5-21-891789021-684472942-1795878712-1000_Classes\NotificationData	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	NOTEPAD.EXE
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-891789021-684472942-1795878712-1000\{D6661B78-3BC9-4209-B2AD-F4B763EE14E0}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 5a003100000000009358134e1000566964656f4c414e0000420009000400efbe9358134ea7583b982e000000f4a002000000010000000000000000000000000000004662b80056006900640065006f004c0041004e00000018000000	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe110000001605b4b03c92da0198fef4b23c92da01b88628d93c92da0114000000	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	NOTEPAD.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	NOTEPAD.EXE
Key created	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	NOTEPAD.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-891789021-684472942-1795878712-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	NOTEPAD.EXE

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WinRAR.7.0.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 722905.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701b1.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 899100.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-700.exe:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2604	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
2036	chrome.exe
2036	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
1916	chrome.exe
4624	msedge.exe
4624	msedge.exe
1144	msedge.exe
1144	msedge.exe
4980	identity_helper.exe
4980	identity_helper.exe
6132	msedge.exe
6132	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
404	msedge.exe
3808	msedge.exe
3808	msedge.exe
4764	msedge.exe
4764	msedge.exe
5048	msedge.exe
5048	msedge.exe
364	msedge.exe
364	msedge.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1636	NOTEPAD.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1252	firefox.exe
Token: SeDebugPrivilege	1252	firefox.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe
Token: SeShutdownPrivilege	2036	chrome.exe
Token: SeCreatePagefilePrivilege	2036	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4040	AcroRd32.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
1252	firefox.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
2036	chrome.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
1144	msedge.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe
2032	taskmgr.exe

Suspicious use of SetWindowsHookEx 21 IoCs

pid	Process
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
4040	AcroRd32.exe
1252	firefox.exe
1152	MiniSearchHost.exe
1636	NOTEPAD.EXE
5464	64bit_Setup.exe
5464	64bit_Setup.exe
5464	64bit_Setup.exe
5684	64bit_Setup.exe
5684	64bit_Setup.exe
5684	64bit_Setup.exe
1980	winrar-x64-701b1.exe
1980	winrar-x64-701b1.exe
1980	winrar-x64-701b1.exe
2828	winrar-x64-700.exe
2828	winrar-x64-700.exe
2828	winrar-x64-700.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4040 wrote to memory of 1524	4040	AcroRd32.exe	80
PID 4040 wrote to memory of 1524	4040	AcroRd32.exe	80
PID 4040 wrote to memory of 1524	4040	AcroRd32.exe	80
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4244	1524	RdrCEF.exe	81
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82
PID 1524 wrote to memory of 4980	1524	RdrCEF.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\طرح درس (@konkorof_vip).pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4040
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=165BBBD4DA86129EFA42728D366D0C13 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4244
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=01326F5893D5F46183DA2BD4D95910AA --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=01326F5893D5F46183DA2BD4D95910AA --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:4980
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2A310E699FF6330CA9DE93B55491B0FD --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:2752
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=307F809130703AACDA8DD47EDEC6647D --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:1568
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C4F5C9BE4AA3763FBDC342C6E92404C2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C4F5C9BE4AA3763FBDC342C6E92404C2 --renderer-client-id=6 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:3996
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E80E02C3726128C62332D81D19E9E45 --mojo-platform-channel-handle=2544 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:4640

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 25459 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {78263d0a-510e-45fb-b817-b3dbec6484ae} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" gpu
    3⤵
    PID:3564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2364 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 25495 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d23dfaa-f2d3-4c1e-87cc-0bebcb559a64} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" socket
    3⤵
    - Checks processor information in registry
    PID:3916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3148 -prefMapHandle 3144 -prefsLen 25636 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82024dc2-4ab1-4085-b282-73b2a8c3801e} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:1868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=984 -childID 2 -isForBrowser -prefsHandle 3684 -prefMapHandle 2504 -prefsLen 30869 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06065ef5-ab68-46fd-b928-c954f826d4c4} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:4656
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4852 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4848 -prefMapHandle 4844 -prefsLen 30869 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {156f95e5-993a-4371-8429-12dd0a89c3bd} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" utility
    3⤵
    - Checks processor information in registry
    PID:1732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5364 -childID 3 -isForBrowser -prefsHandle 5368 -prefMapHandle 5344 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f1e0242-32fa-4c56-8002-503921617f9d} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5328 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5508 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c2a8cc4-0d6b-4ce4-b8db-7c3ccd5437ba} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:4888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 5 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce858232-6533-4fcc-8b24-c358c54a0d63} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:4620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6208 -childID 6 -isForBrowser -prefsHandle 6200 -prefMapHandle 6196 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73b8dce8-c0fc-4ad4-8662-7fa3b4453e99} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:1736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7000 -childID 7 -isForBrowser -prefsHandle 4060 -prefMapHandle 4196 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dbbb84a-5827-408a-867a-32bea108f214} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:4624
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7336 -childID 8 -isForBrowser -prefsHandle 7344 -prefMapHandle 7348 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89d1487f-f0e6-48df-b766-ed6016461d90} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:3276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2988 -childID 9 -isForBrowser -prefsHandle 2684 -prefMapHandle 4380 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddd44655-4d5f-44be-966b-1840bbe37199} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:2828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7696 -childID 10 -isForBrowser -prefsHandle 7692 -prefMapHandle 7688 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7174ec14-ddb6-4f28-a6a2-638271d7d999} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7972 -childID 11 -isForBrowser -prefsHandle 7980 -prefMapHandle 7984 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {376778ed-1823-4141-9085-3642711a89a8} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:1908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7964 -childID 12 -isForBrowser -prefsHandle 7992 -prefMapHandle 7988 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dc88cff-6d2d-4798-9277-0848e33d0daa} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:4448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8000 -childID 13 -isForBrowser -prefsHandle 7952 -prefMapHandle 7956 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f1d9d59-810c-4a48-b5ac-13659a8d84b7} 1252 "\\.\pipe\gecko-crash-server-pipe.1252" tab
    3⤵
    PID:3988

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe030acc40,0x7ffe030acc4c,0x7ffe030acc58
  2⤵
  PID:2752
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1780 /prefetch:2
  2⤵
  PID:5488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=2196 /prefetch:8
  2⤵
  PID:884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3056,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3232,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-chrome-cart --no-appcompat-clear --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3500,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4412 /prefetch:1
  2⤵
  PID:616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4584,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4572 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4668,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4696,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4644,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=4544 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4824,i,11887661962027383610,8010651955174333841,262144 --variations-seed-version=20240418-180204.077000 --mojo-platform-channel-handle=1132 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1916

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:848

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3044

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1152

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\NEWS.txt
1⤵
PID:5524

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\VideoLAN\VLC\NEWS.txt
1⤵
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe02f63cb8,0x7ffe02f63cc8,0x7ffe02f63cd8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:2088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4504 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5368 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:6012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3476 /prefetch:8
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1040 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=1724 /prefetch:8
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1948 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1384 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7216 /prefetch:8
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7260 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7032 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5048
- C:\Users\Admin\Downloads\winrar-x64-701b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-701b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:5952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7240 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4492 /prefetch:8
  2⤵
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7480 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:364
- C:\Users\Admin\Downloads\winrar-x64-700.exe
  "C:\Users\Admin\Downloads\winrar-x64-700.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1732,14320061558622634173,6978988129262177307,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7676 /prefetch:8
  2⤵
  PID:4768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6008

C:\Users\Admin\AppData\Local\Temp\Temp1_WinRAR.7.0.zip\WinRAR.7.0\64bit_Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_WinRAR.7.0.zip\WinRAR.7.0\64bit_Setup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5464

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\b682f612df344ffe83f7962862e89fc6 /t 5460 /p 5464
1⤵
PID:3044

C:\Users\Admin\Downloads\WinRAR.7.0\WinRAR.7.0\64bit_Setup.exe
"C:\Users\Admin\Downloads\WinRAR.7.0\WinRAR.7.0\64bit_Setup.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5684

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\cf022099125e477b94e17b834e1487ce /t 1096 /p 5684
1⤵
PID:6108

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\c8f543f3903548bd8babb91e4467b8b0 /t 2108 /p 1980
1⤵
PID:1392

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:2032

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Bomb\NEWS.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
5e1baaa00fd7a8a0bf548858e1bf7b15

SHA1
77e36f8b5b30e0df1c827856e8e0fd4a2969aa83

SHA256
31fb2b2f5f580bb05df2bed0dca130fe368405c66d127e8db73e48b2726683b5

SHA512
ccb344c8ffdd9711b21d1406b196987eb4a1b505d761d5c2b5438d9b6eb3ca67293887439726053b228ec351b0b890830e9db8ca9bfc2e831efd5273c0529dae

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ecb4ba564744ebc3b93035c82fda8563

SHA1
4a4ea0f2705ec064dbb02f3ff5ae7f1d1acdbe9d

SHA256
c42e39d94a83eef907b79ad8c1062e764e65844d63d62ff4908b990fe2eef475

SHA512
f48e5574d7b099163c5c6a98a34d5f013d6e9d16c97d17686acd71a1ead59d8c4262974531f0068ba51628a2d8cec489e8155ba8f140714f394c400e87238a02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e0e0bbcb6e471e6ce937ecb7f567b065

SHA1
3349a0d2d4ccdb4daa6778fc3cb63ffaa73948bd

SHA256
7897981f762ca598c941ad8c0023b5738fd75a24f4516b18e3d761961057f635

SHA512
25f3dc4d800875264a17c543d022fe6997419c1062154fe3fc25f0d41be1a1132c127f5da8322b5aa001f3e081cf8461936c848b30cb85791059307245e070b7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
9348480182753cf1d2c2d8ba73d2d3d2

SHA1
5217f67672be6225e9570315faf06e3f2261dfa4

SHA256
934a35f8f55886443bf46fc13b8b67b1d74db3583305db9903064c98372e2fd0

SHA512
b32e987b2ad7cf0c187ec3535651855026973ee66a09905b6f4c4de7e37c1dddc467bb006b6e108e472e85d0762bd777667a8702bf60c13df485d89581d9e43e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d835f8296e6f6323d78c17efe4e5f2ae

SHA1
9e2d41f29bb878c6ec69ce69d8af86fc6611b264

SHA256
f3268fe9482d6d8655fd1482b572cdcc766d9b1916ef7bff8a2c49af7e14b723

SHA512
be59864ce26ca3cf1ee409700e70dfc206473f50063d6f658fd29cc910ff74206a699e930e2b7cdcd521f4cbfcf1163c4fffb19b6eb41bb4212eac01a52d9c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
00902712a91a4107f5154c98155b0d23

SHA1
1826b1abcf75a65f1b06bf254022a955fca85c5f

SHA256
94509f71334aff19a15aaa7c5fff7992bc0fc33bf3284f20721b2adf912a1a21

SHA512
ac765e383c40b52d1c3a0d0b70c3df0006a24463fcf40a31e34da6a0ea71b74954eb491937f5950506e404b9bfa7b9b32eb03263c40ee55117b9cf179def4dd2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e099a65e3c469d237737323cb7f189b8

SHA1
c3af46539562784e303b2aac18e4238488ee2de6

SHA256
e4b546aad0d8983ec6c694bbbd22605463bab1ec47a4511fb19c942b12a37c00

SHA512
a51a677c1364a668f3bc24857f9eaac9f66b51a62feeaedda49a805416bfc5e9796a974859cb6ce9fc310596610b88ed63c24e39b93b94363c1b2e3a09a5db3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a479bf2ca7fa5b82e68d0a9cc4c37ef4

SHA1
8ef9115e1b540ad3599d4ac7e3f2d794e67dbed1

SHA256
10364b911233f66ea3ef629f6c37be2bc7b5f4a1d6fc90edce6557bc5451a278

SHA512
f68e63587915089e761a11cc64db999dc7ca73e242b8c27364ed211492302157e27a85889cc960efae5bc0bd8ee83036b1e76f506dcfa013869e321db0fb00e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
edc766b73c6bad722a038c3f63a88d07

SHA1
dbd7a3b48980ff3f5c8279d2dad8c5ee611e93b6

SHA256
6b8019ceabf66d11c28cbd1b85dcc9e6b84932cd7ec725d8361e1c13ba5e1c63

SHA512
60463a36e426cfdcd99b890e6ed12d90c735e13c643a650a1fc7ff8d3123baa4a39a0fbcac1c7e8c753cf7bb27c5fba4aecb43f89fabb16fa4c746f4a3c69da5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46bcf25cbc1b5c612fee18aabf5fd8bf

SHA1
f0a023ef969943198fe1f132ed988e596db277eb

SHA256
b05eb8cb5029059474d6aa704b8c1ebe5edad952048c02859f533ea9f2ff7c84

SHA512
cdc7eb3a9548b309801b1e3dd27997b7d1a37fad511f4b014055f0b267ed504835bce2996a2c678a2f2b9925add945f60f6526547b85e5a0e1a286d5958b84f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
39cd4d4a7830b52862799f388ff2855e

SHA1
93d18e3261cccaf2bc18cf01eb82c4d91bff461e

SHA256
286fd0a5a3be4e36a6cd3887b1618fddf6a8b908ace73698e086354ed72e473f

SHA512
47fc167ffdbaf90a6c022567b2f8ccf2fb7d10380e4d68f0e9e216f81167505db6c839905304b90c65f555cd36a6221cc64b26c38ef759c3f9ee216385e30e88

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e73c4e09d84fef59fe4deb6f2e5d22d7

SHA1
26af11d45c37fb53afdfbae9b34cc4bd118784f8

SHA256
1c168ddb0a349c1253fc29454129ab23f1cd53d4843cd915319537c905560f3a

SHA512
837115d3d934d60e1d67aa2f4603df965a4ce5d58f031fe840129fc90d2dd105ebc8335902d94a3e94b47489a6fdec630a89eab992ed77642cae939b2781bb31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11c50112ca5c6e8c4ff64a831555ea64

SHA1
be3773c76c530ac8bbed7cdf0b131bfdbe6f29c9

SHA256
e22553acb66cad3886fc23be9ab42ca3b64528f409f56b1d1d8b19b5a997d2d5

SHA512
8100b4ad7b3615f8c6a6bf0867881e0abc6fd89e599b8b1055340026d4115c82767ab2146158f8e8ae29988a48b4b1abdc49a14bc4c4e72e5c5fecc4ba6bd97b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3930b3c18cc02ee6dc814e5e77bfa0ab

SHA1
db8a4061cb3d9839a4ba0fbea5a130a552415e6d

SHA256
92c9ec4320f4c80d0e912b1b999cb86bb2277f0bb0a7119808822f191a325e1a

SHA512
baa688916f9b9369e0158a15d3313a4df646fbae327825d55eedbfac1e6a580201b7e696b84ef885e22fe8b7c66c6086a04b93d235219a9f976db4040523ccfd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7edfeb1fe1c7cb68459638bb5ac4369

SHA1
2ef633f395a4398f9482e6fc24f8dcc7a9c4e6eb

SHA256
8ab46bed86a372ae34d087d08de154aa686675ae64704c603b67acb08d806dde

SHA512
a706a8f0f04bb61296a4ac19f30ef01ab854bdcb83568b6267b387430dca25db92a791ec27a6718166d072906bbbec7e691fdf0b882ef16f709cb67e0f593703

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
df536291c8255e184edea0cf4d56ca5c

SHA1
fc6c31d5d7583fb07ed28a8bbeb53a9a435b51ec

SHA256
58dee775014000b8a98531b701632d5600a60019aeb0cafd4e6fdb9f9550c74e

SHA512
5a6146f44dbde0481ecfda34b252f1cc1293fcc9ea3f67038bc47f512639e375c32bc5cdf8b45c6662b7c463f0d272e9c241dd70f4aa3584990522cc8a24d135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
a3e165669d734d09939881f9247263d1

SHA1
e45c2222c827fe1cce52a98db4e3ced2dbe491d3

SHA256
7dbf8e4424b1300eebfa27fc636d8edf24b3a4b0a31e98d60f7e0de85e271570

SHA512
870a294b04d1f666d383e351df8f3772156ce118b49a0ca8a7709aed3cb04de1df2aa19ff1e32a26381bddfc39a69d5d2e13c41a4327af16b481507563bb253d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
9c1d4bf095fb2d268aa5e63fe0184d15

SHA1
e186a4a358bcf17c6160497e6834bb3e21cecd5e

SHA256
52e60d8729795bf54f73645cda34e4805bfb125db959f2b510652e36e4026b93

SHA512
46551d38bb1a7cf0b7aaf19a0170293efdd428950502957f0713ca4132bf77bb54b6c7795691c9926d32f263c85d9da7d20a199b75a3a2c8f04fcdcee30a4ac0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
152KB

MD5
c54a7e4223f668c3e66a40d4e9dc4a19

SHA1
5641b71512071ca10a6916ff529054fe8f5ae7b8

SHA256
7114ee54c380150789e8e8605adbcc832499567ff1d43674048533cf746929c5

SHA512
3e8e5e8e220619925d011a861648326405d8655ec9ae8b1cb933ea3155da21d4ccfb32f79f1900597e814775a49a6708a63b3f1660ad27a3215f977a4a68b863

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
42cb331ab8fd3091b880ae55cd3204ba

SHA1
346eac94a5a143381160ea869d7f878b3ed9846e

SHA256
ddcf0d377eab9bf848fd385aa20cc5dc45bee7107cd41bb35142d58c5e1890bc

SHA512
8bd39c6b1526d0020d56cb4ac518bba12cc688fbc7af1763a9fb560bb8a43b70808531e09660280837e0aab3b72047767ef56bc00f2c44d9f2cdca04a67557ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8b53ef336be1e3589ad68ef93bbe3a7

SHA1
dec5c310225cab7d871fe036a6ed0e7fc323cf56

SHA256
fe5c2fb328310d7621d8f5af5af142c9ce10c80f127c4ab63171738ad34749e1

SHA512
a9081a5a909d9608adfc2177d304950b700b654e397cf648ed90ecac8ac44b860b2cf55a6d65e4dfa84ef79811543abf7cb7f6368fd3914e138dfdd7a9c09537

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6e498afe43878690d3c18fab2dd375a5

SHA1
b53f3ccbfe03a300e6b76a7c453bacb8ca9e13bd

SHA256
beb39e9a246495e9dd2971224d23c511b565a72a6f02315c9f9bf1dcfae7df78

SHA512
3bf8a2dd797e7f41377267ad26bde717b5b3839b835fe7b196e748fec775ffd39346dba154bb5d8bda4e6568133daaa7fefa3a0d2a05e035c7210bb3c60041a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
204KB

MD5
32fa33c38ed3776465da75b15af90fd5

SHA1
aa298d1084f0a482631200e113821bee3e2a7e0f

SHA256
bfc8e664e22a5a3e0927731d968173b142d8a7533a97812a80e4025ea1c59e80

SHA512
b1677bfff168daeebe41188131a69166bb0c054a28529308d15524a4d3e773630edbac07b331f756932721e260ab521dc429fff376ed2e0496b26ef081c452b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
37KB

MD5
c912655c8d691e1a190dbec03d14e653

SHA1
a90a6ea007e121441a0d9c48ea4073a635085f6b

SHA256
35e5f055ba3fc9eb6c89884d533f5484fcb335d0e226145d7ea7a6a1e2da6fae

SHA512
c606bf2711a2be266c69a702d60bbc0d66dc6655c88dd669932f9c3954941a44d6a09e25bf60272ba5e0ba09ee65f4a3d8bd33a215ed2eb76ed601f06fa984d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000055

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
1.2MB

MD5
25a7f8dea0207366b4b9d77569ff6f78

SHA1
57a20ac66704e6b2766c6946fafdec22f47ee79d

SHA256
502a9f82d39ef6fca4b4fc1bfd046b9736d8e232c8b1562eed0ca62d149bbfed

SHA512
db300662a1a49ae8417fb013462fc62ab20351c9c458cb60b0b22ec89c1cba410ae03301cefa6464dc58ed332ceb8a2d67eb6b8078c7f2127729594126133024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
0a30222f483e1ee3cdbdaff2696c9852

SHA1
55fc1f4115e31a0bec0397a56ae0d257b00f19a6

SHA256
37c4d43ca8f5917ebb6c9773a34766c0c4a77530bd169b501568f023972a8c1a

SHA512
6bbb638b10217c485d8ff86543b7b9ce49f93697a1c992e16df43b81b3c5c13e35a2a8cc3e6356eb7949892aa7d7c7a9768b635cb808631e8c6b455eeefb22ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
04201e92785da644ff5d6ef2aac64c71

SHA1
7fb44fe3a341a5d2f2f1e4caa25e3e72e6037833

SHA256
59bf97446db1c6e9b61845f52d91b551daa8f7311613f23363f05e7d47d45583

SHA512
327a4c3e4f24b6d904aa1c3ec3a8fd29006e3d50a6f11c8a146d044ae14c895009cff77a8ca93c4de1f1f804c443efb685858f5335cc2f38574333e70b2761ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
19685775160da1a9f7d65e108f87330c

SHA1
6b41dbd1607801393421e763742c555eff8f8708

SHA256
899cb49bb4d57fc4bbdb2551ef56c5a63ea715e95fd128895254b7b06eb8ed0c

SHA512
28baaebcacba49f13de0f9fbdad7db09da0cbb9ada803c85a3ecbe83d2523c20a5e6a7096b68144d7c3329ec93f9c7f4dd3f1369d6856c95c16b69f799b583f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
896c794bd58dad9fae406afaef61993b

SHA1
193519b97e7aa2d54cc82c348baca324a1201132

SHA256
9239e99e4b57f8431e1e89f5e1da11602bd35479616db4775b0ed47ee240a23c

SHA512
92db92ffc7081c4788e17437acd374e57557f6d9b5220ca27f12babb9d946be584f8be92553a1cc5d257594482d94cec8e1f8325f770b8d44571c8f9c3bebd8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
7e7af00c8fa0ee37b25037ef511e90aa

SHA1
e634d7bf8db3d5daed55f4f76738b31dba05271a

SHA256
fd1ae2a794216e8d2961552977c6a98f0324b869cbaf71f79ad91019e8e81611

SHA512
cb552c3200ba9fd430ede7c52541413bcc4b34fad07d53c6476b27826500a09c6907ee1b4235890370614f165a2e1726f975b9a103ba3de8cf3c726951838168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a030c5b8a07c189734801d9e659c8aea

SHA1
bb772f9672c128c27a3cc3f07221210a32a89660

SHA256
675102fd77dbb1a5757fc11595ba6942a4bc8a3060cd339fef7738f09f111402

SHA512
4960596bff99643811c9c2b98dfa957b1da6a402e1b789f8d50ae013ef042c004c59edaab1c0eeca80c3ee644e71327280571303d6b6283f7bb7d70301d84db9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d6497fb538bd02d47aa447e58fdfdf8a

SHA1
8e98e3509898271bf8ffd7d91ee18b52c5759a74

SHA256
64e7b45438a5338898c39ed07d9f5bb3b2407e10ef98294e9dbea87c844b170c

SHA512
96682366ed3c04f5251bb2abf0ab08a6aaa6c6602a46190c50b13f84829d4adb98bfc4d30e11ae58c94833fb0a8bd4191bbc1d9dfffc752fccf295158d0260c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
12c2b3725cfaff25549089085d993cd9

SHA1
2d828a92de0bf262303db369a745ee18e2b6ffb4

SHA256
cca1e18b112e6d4233ef9dfbf4f6eb90f151f59ac2e9cf0cb0646258b6e44cc3

SHA512
63a41ec12ad96cca642a1b01eee8e75a5f1b71694449763248efac02aa3093314f57ef2c3144ba2319b2cfdef96be55aa14a2bab44712173c3e6443e6549c18c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5f3e9815b4281514e637db304d9d118e

SHA1
14366c42ade5e06dadb3ecb330112153e325a3a6

SHA256
d371be6b53cb6b58e401541a224539557d4e8d23e1d6428887e10784d415bec4

SHA512
2e21cd6aee982225574bf9594d35fbf6cfd6c0291f7a1e669c9dc9e793eb918693edab6f0a3191bc6c5815ef8bd7b0ccc72d17194ae35c042c1922554cff7b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
03e141c065b5a9546ef1e2a3cce9c5bf

SHA1
7923b91096e0723040cf33b2f38af052a3bca17b

SHA256
b0b314f1b52e59253ae9202c850d17b96df084e687775cee7821be5906db0ab9

SHA512
27a88b11f2ad99fe6e2ee26932b36559ae8886026fe2c25293c7474016a6446715828a952b6e72d555ea8836c53da4c939a5d899c4033722a693d9dc8a1420c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fe65b6630722e24dc334aa815076860f

SHA1
0ed4248b42e0534907d128697fa4335bf53d4f2e

SHA256
f95a4207894a7a7277b1adf4fd426e6feeba9dd972df5f82bfc7f3ddca21c858

SHA512
5f9b9e03ec6fc8c8827fb7e8eeea997dbf4791c2ede4094cdccaff8223800618b7e2522457bfb0240022960a995be9cd71664635dfe1408ac64310a470e1046f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
90aa457dac1f3accb52ec83049d11d4c

SHA1
0b99d408f58f6706cceeb0ea81998a2ed9f0068a

SHA256
2a76b9f6ad424b961f12e7296798097896c8bddc59394c5c13e523a13a256fb1

SHA512
06f9dc32d26ef1ccc4cd7647e6196a1a7478f3679a31aec4dd573de8215a8647138f038d9be5208aef960c7fef4cedb9c4aaefca1deaa002a0b8a69e43274c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aae8c8a6c1c15af5e0fef00d937f0d52

SHA1
5cb12fbac14f1f7f9d63dd4c235400975780da67

SHA256
348de2594f8433b8da8a38c1d14c5767c65475c81dd8a317655fe6c8de82501e

SHA512
f50edb80fd6886d80d10ac6a59f0fa204d24ca3a73daaac7c394c48efa4cd847325eb0cc56db9d3468127ff76d707b026da34355eb209be3b9a3f95dcb823855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
85d83e1ffe4329128511aecd4ab95ce9

SHA1
1b94d9c7e3a773c92ba7eb05db8275f91081f324

SHA256
b803c41ca5c01a59b68fd0e87b06d10afd71e35bba2d7ea5b78f51238f5f183f

SHA512
a52e05ba668877180a730eba17192a5109f8edfeec269f38d55529ba1577983eb739726a9e5f7d2c176f9a7bbe49f0d28b736a66f5e9d29460b3f3daa41c8933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
197fd4e0790e7cb76b34c55434b9db24

SHA1
2da05cee844296835ea77d125877cf812046f844

SHA256
5592fcc46b850d6c3fbb1d0d9fd4cd9fa5b88740601798651002848e783eb296

SHA512
a495bafd38d5b5de9161b9c23ccc87517823f7cc4756e018d7c01a3a6f298fa53ed7be72ca6bf87e21d09bf890acd210f68effa19fa482e45577c2a5d751682f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a415876be3a056057660af48d312bfe8

SHA1
224b6ce2cffffd97ed0d07d0d95b2d95b4ace409

SHA256
83bfd85f35ac8cc17266eb0531dfb9dff8148c3aca629d8dfb5a77952c1467ca

SHA512
39020bb563db91f74fde9934c2f51f053844c7478cf7cc0acadfc861db99d28abac5368b1589448ef0e90fa1421b6e992797a1a282115832f1487166a34ba54e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ed5da03076da59846c96ff367fedee53

SHA1
f619dfcc50fcd70b10ecd10baa15a2bfedab6110

SHA256
b68d3b568e18f3ac0c66f9724a280a4570c6516d98eceaacfddb0a9d9a6cb16c

SHA512
c9c2356a71f930c0e5ad4ba09b68a6e06fd9f1f842aef26ffb0422fdee20ebc94d29eaddca44a373e957a701b8d02f11fff30fd7abb365fcef4d0e7c76f3c8de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
aacfd4fecd4d5b72ad3369879e904625

SHA1
6659da45556b09bedeb268225602dc8bb926ccc7

SHA256
c3332073a8dfe9f0f16f9dc9b7bd560d02517a1d6325ecc9a0a255dc43ea7c0a

SHA512
5c3e2b81fe76e8ed3845d26abc678fb2f6dbddc1e310928c10194a14c0676d2769d4ea1eb6a6594f28138992687ee6c27f1ea05d129677cb819710f5143436ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
efc45778bacd363b7fbb14d0052fadc8

SHA1
6d31fe4da9ce7e35823bb5e6d6026cb00aade907

SHA256
b9b2b9fa6aa23acde2b787c03cc3c8d899dafc22837c511389b077c1123a9f94

SHA512
34f9ca8a99bf822ff1e7406c079af20ab710b1b879e7f6be22b7b11e0fe7720a642e16280491b0a58ab756115ae8e57013f16e36c6a1a867e2f08f604898d522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fd21049dc68bfa5aa081f85d6159083c

SHA1
344ee994d1d38a7f9343610c23f9db8d634b66e8

SHA256
279a0591e69fcaa50ce8937c41b9298680057cc046c81d8b24ea9714ce577d8e

SHA512
1c8096d965cc279dbf19f8a0fa8f1f08aad42c3171c97398415708ebc149c830a9a5bc98f4dc03cd7c1273902314f3ffb443694bdaae90c4a5be8a0002dd6843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a4de5596cb10141e7bf20aaebfb3dc4

SHA1
7eb306d3d6ec4942420df60909971fb0922b5285

SHA256
0f8135fce90bb033a39322c56c095ecc7fc05b2aaad5fa245505a238c6c86e29

SHA512
b7a777844a61d833b6ebe4d986697f499aad1fd108fb121d694579067fc89b97a5f194f447d2f7e41573558d8210a22400b6772873c2f56968056e5a26d05b9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
89fc09b43db24d2d0b18446e83d4ada8

SHA1
75a8f916fc38b535cd6906a45f643937a6b9fe3d

SHA256
32947a80adbc1ee9286a9e3feac06a37c22c084659fd615b2a5bc93bc8ffa412

SHA512
cccd5b01ac1297106c6c2cc7494f8fb16b551106a8304e4b74b29529255a5f1484c55a4d35cc09b802c308229497bf62a5c9705ce727fa57967a6d1212c1e513

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f3dc814497a181b360af3b4abea88a6f

SHA1
ff2d4171dda67a72bafcd2a6a4a6abac59925cd2

SHA256
736e550d4a3cf0d9dfd5e18aa8275cc90b6d755854686835a81580b12c3c0bb4

SHA512
842176e59c0633e9ccfdab0a5c67adde0bf5138360a3face69beb658eb6e9a5103eba44023e031081fa0f70a896e7cbef554c03d3b168d8bce0859256fe48c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
f8b7e9502308b65ce9f94913071f277a

SHA1
de48d5583bd2626707157846c585b9de1d582b3b

SHA256
4c61955ad1ea07db2d80123607f2dfaf899f04cf7c44d269ac88e1d785f97cdd

SHA512
361422486d87fb2f596026033b081e1ebf138d92d1b5f62ba2431209e6333d004d5babe2b7f66d8715f1bede8a82a93b73891ae8af3a3784c9e1fa4089594372

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
269e77d2dd4ea05185a6d71a74c91957

SHA1
710b0138072f00654c174bdaaea291008f307ff4

SHA256
d46cb8df8c01e320b4591e96b9c694d509c7ee2e940ffe4623470b8cfac510ae

SHA512
d5f6f95aea2426dbc651baa0e80d3478243adf1656c10d3d3b14eddcef668fcd78957916a15cf0e491daadf137e99e4fa506e2697288bf2b02735dcb38e7a0f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
94fa5de31c8c2f1486d9b68091e65263

SHA1
dbc096f47e6cd5a4609b7daaa88580d8ee57f42c

SHA256
7d0a4b9ae13445ff70e631d9fb1b6e38a2c979e969a4feb78a794c5c995336e5

SHA512
a462b8d2f2d277d692fd83656c8c68f7cced8350fc6c228fd27e74fccfc350d0d129f4dd1b944b418bd7851d0cd9700c746125a47596f25348d132ac329872a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b5445a086fe6f73cfeea67bb9a386f0

SHA1
a60254863490cad41bdaece4aeef5aa291cd7084

SHA256
886a61013f4313a69086049f3fd738e4a64679985b22cf1b54c355b9991aef18

SHA512
81820086cc16e4e6368b81c98b1ebcc367312772ae8134b6b964b729e6cb6cb15d2c3e6227ddb0d7cb4139e29a2ff74a70cde51ec1a657ba71163c477d9b7fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
867B

MD5
66302bf300137c2ae2d7c42f453badaa

SHA1
baa417384b1d9c3816cad8cc1bb36185b7b5168c

SHA256
9c81c94c4af5f3ee867f25a5e55e5dcc0b4e5d1527eb2ac6a9981bab6237d57c

SHA512
2fe94f5a50108cced7d1d365478744965f69a312f5cc45f94c7a68f71c02c7c16f3cc20bbd672f0c58617d618c7d73402d37f67068e312ae7022dba2a20f3e14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
34fdab3c1e3aacffe359644cfd8c82ce

SHA1
eaef84062c000893034b2daf84bb273ab3205216

SHA256
ceada1afa3572d27204ba3794b8200023d651c563cb4876647d9a89298b269fd

SHA512
8336bac450957caa5543be605774bceb7e807902854fa0aeea7cf1004f3bcf427857035525e846dbb72a2d44d4a868b436cb2638ff971a3fca245ff4e5a5d17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe61fced.TMP

Filesize
865B

MD5
d298c95acdf086d24ae900fbcfea8901

SHA1
5b9ab41163da7228feea023b34b6bef9856d0d42

SHA256
51aa29e38ae897395aa756ec91f1a0d295da246fadefadcc5bc7fc6eb5ada3a1

SHA512
a32ca6768a641258f03b0dba3608578a7d7f392deb4af75b0ea3b4dfa0a0a436a2bcd3c24a66c4d833a41fb6263500c71de9f2d99da2a01df2eee068a224c789

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f4f10f662f4994d683d33fb359670bfa

SHA1
165227fc6d5f0faba423e6512d7fc97e4b9292fa

SHA256
e1f1961023b517d6f3998b767447b5a11b852425d903cf547099680216b0ff81

SHA512
80805a056ed225a9e1a2af3fb4d2a052eb19364e1d51c55bcdaea95d2db1838b1a38a25bdb2980802df7537f00442cc6d78b14ad915c72ad5c1a95ea6642c042

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8aed1bc680f023ae27c9463371a4ca7e

SHA1
fb607acb125fc67816f8d52560ef326d7f04bd60

SHA256
9dba54d47b3fd82a16c8807158553e11ec3981f817fc66467d037bd8024ca15e

SHA512
128f89d026debe4c44c8a50e24834b2192e06ce07f9b6fe6a35661fa0ef8331fdf3ebb96fddef8aea67955b0a5acccbdf0121b5a4a50fe8ef6d8aff12fd2bbba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f69c2e935b3b5e82f6a60ab69a0912e7

SHA1
11f9c3b04173379e953f579ad3c1c5335dc65bc0

SHA256
c77db250792458112e08714f9eef62fee468e3b1c32364669e0f293968e352ed

SHA512
02864f50a00346b0f4a3b2c2f8a712d0170bbd266cf3ba48f4254fbea44b8a26403e02bdd6ce4e7c9898a261abf4bc9a0274029887b19cb6e13ebddff368d803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
492a9cbb8625b027d74e4f90c5076053

SHA1
6cc7858e017d034d20dcea7008edaaa2508fc474

SHA256
1b7a9f757bf72154f465a60f137c5ef5eab0e1fdc87a31fc7b3e085b8b30eaa0

SHA512
c105e81d7432d72743e4631487f62fa8b830f7de93682d942215604baf00dbc351cfd833cd95fccdb942754fd1f043001c823d87f2583d31db15a786ac9f0644

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4b0c5b5ba10725082937cd3965bba368

SHA1
fcb43fdec28539249e037f1380032e0bb8ca5e56

SHA256
dc436abf0e9d3f42eb3fea32b1b1f71087596437206eea36694d3fe9b2065aa1

SHA512
fcb885fbc3653acd7414466b25569e2999091f6fbe69fb665e591b928dc3272de800092bbcd0f78b66fced2ce6f95e61c761fc9d3792516fcda7d0f29b36a9c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1617120697c6588b8283bcc1f213e440

SHA1
53ab1dac6f2ef2b913f72d8350acd09d81555e1a

SHA256
19cd7bf2b6032bdd0d78f319ed36012dbfa997d5abb684fb26e8849b5c87a63e

SHA512
70f578f7da1dfff0295e4ec5e6902d9b9d1971b19b6e632c660b77b7d7a4da942d72ac26e3885fe2002510580b448e28075ae6c28d3e207242939e06616cd143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
060bc7c38ee48ccc775286acca5fd945

SHA1
53ccb5247f285078b44f182c7a3a6c944d4ff0ef

SHA256
1532b3aa145052732b750c3fa0b814479aab3b6110fb438e6a70590d3d719b96

SHA512
6ecce3f7af471443ff7364f8ac09380e22dd1adcec14db04186567e4499b8152bb64c61b7e7a4a6eabed3a1b970d6910622b9d630778f18a2d02db4bbfeb78a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
7c53df2ba6d7f7e7344482b1b4db4c6a

SHA1
d872efa5ff4bbba825ee45f50d1131b50d2f88f7

SHA256
2dca0d35c6e8b3ba7df7f827c56df7e549b570bda7bdbc36fecdcafa7eca0e24

SHA512
16126cdc0fbc6aa98a591b3830501fab968e512da56b73da2fa702c13ab557ce8e84ef684a3322cb6815327aad68496faca90b7f458c6f04c3347b9eb930cf2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
df9497d21a02ac71dd0dcd89dcf2593e

SHA1
fcb8f83b57243c8f3fc8fb2675dffaabe4ca81a9

SHA256
a715a1cd0340ae43056b4f2465c7c6cc7bec7cf06ca3c728345e5f06072936e9

SHA512
cb36b2a94207d5466a7eb6602a56721d853d4a9b6775d40e4e33cbca54a394081e4fe1a946f142d10456a62b839bdb51031fc8142f77a8c03bc2bfba71792749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
c2f994bbd9020f1c469fb303dadc4ac0

SHA1
ae69768d36faa862e2e125b2d9f77966eb74ec5d

SHA256
3c8ff7e9cb5cdaea869a5969a471977733827335d5037b546e979752a5039308

SHA512
693088c56332ae805cd0b5a4e8cddcb2a74cc0f345db77645cdd5153bd4f045c9214aedbd64e290f07dc4faf2a5288fb97836e31b8c8631ccc578745aca75687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
be81a21f2acb409d2e062d380041a95c

SHA1
a8602bfe22afe79eac8ab21ca8082136f4e2f5b8

SHA256
794df0b3c6c9825b9e192b177061adb47ac1397d25cf5a166e2bcec7d52ab7ed

SHA512
e999513be18d51b4e21ee7e3842f0d35dec155ae5ccbec3e13fdc903c956ba5e7bb2d793bf05e1969636e54cc424a2127ed8f9cf40053c4d79f0d91d3dfb1f0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
027aa936025d78fa921bd498169b06b3

SHA1
a3740a7611f6cde5006e8495cf38b2306573c408

SHA256
6518fe8a0b1ed1752e3bf4dc60907d9f4a9a8b815f4dd4e97f0a1dadcbec80ce

SHA512
34ce5c6e22149fd89f09f8caed6673800a5c5538a940b33edf66c41c53c5ce095ba3453c7a1dd1e05348fd9c61dc8f932b5648eb97d43d8f7fec546020b14f4c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qfgaykt1.default-release\cache2\doomed\10006

Filesize
8.0MB

MD5
bb29483603d430a0790d4e0ffa5a2765

SHA1
8f7235afd66a6cb22a83a7dc0cd43349a8a839f9

SHA256
df01c872dc7f89764af5dac1e699dd4059d554dcfc8f627915e8ba937a7924ee

SHA512
5b1b689234da759291b9ef8ccd0f913051ae8b593b8cfa0fa92edf4f16b789c09a42b231510fc55b40a88c1043dfaab826efaae8b19be4cae85cc2a21a91766d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qfgaykt1.default-release\cache2\entries\2C4F681C73E87B77000735EB4F0E1D54555AFBE8

Filesize
123KB

MD5
46c44a45d5b5f35d2d0a38b0e2ae2dea

SHA1
c05e935ea4fc9efd6aafed53550a300248753e2f

SHA256
471b1fce3ac831759f5ccde16880ebe3f911023a0a4249f2ebf083119147b710

SHA512
6749c56af86b0b3aa7a6c05a401895691352e223cdf25ce40977ace326134b80e3002f6b9c29094d88a8c35a504036443840677498453d71ece8400377eb5975

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qfgaykt1.default-release\cache2\entries\677B80A25A006EDCC273545819E7C8B9A97E5201

Filesize
41KB

MD5
1a28b82a7ad1a0ac539975af2f799c45

SHA1
7c6dbc0d258b0449d91d3f30b1b5e00ffa03aebd

SHA256
2eb25e8529e914ee1bfcc77fc6239e1f351e2a956c1309db79e132f1d962b22f

SHA512
4c3af77c3e22128b0e799e79a557f4a1204dc57bb05c97ed1a7793da57c431d363288501f06046a0be0ae8837310122c9480cbd8fc25c4449575b49971eb78d8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\qfgaykt1.default-release\cache2\entries\7D3068195A30D049CC263CE0A0641E65E92E39CF

Filesize
1.1MB

MD5
36a69e9af4f0efc744a470debc3daa0e

SHA1
a7fb65ede553517b17529a38f637b1c4670caad0

SHA256
0b002b16458ee46496c14a204dc7ba9f7fd612c6c52678c8ed54833ed8e36f53

SHA512
dee0e901b4bf6c5bdda9395cf78fd5805b246867750b9caf656e25250d4e2493a2b981a9df872b8f416702d823bc2009295d0fb1a57323b5dfe7f24b12da7b72

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\AlternateServices.bin

Filesize
7KB

MD5
0ac2c920b06658e413dcb7c4b562eba6

SHA1
d859d9c1eb4e884834f9873c276f68e63c43821b

SHA256
2780d3832e3841e2009c0af9ca485bf1ba95311570b76a3d08333369222f9ac0

SHA512
568c6643646285c3629dc241e8137eda2d0610c21a1aa454ee90b8610687278165bdd749add8d6dc7bd9dab2deea6f5575b7f6e73b1c7f681e931fc4cf89e02a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
8247c96f8ade388daa5a02cb34775682

SHA1
6238b7816d13cec2a08d3b2e5b1dc9cd4051b63d

SHA256
bacd604b042b8bf27c279283602b9335e5171cad22ef68a411d6e32ee07fe28a

SHA512
9354a394ad5a5962e78ef3566faf61b0cdfada3c3be5508f0c46c8d954ec8e7d109eb4ad3b838ff534ac769d55f05a2a4b7a4c0b3478966e77ad3d310c90f4a1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b6ee8870c1dafd6dab687b22ee0c2b82

SHA1
0339f0bb425b48e2118a0d249bf945206bfc7fc2

SHA256
86452b737ac02032e490b2d112d0b2543222b0681b7e00f6d7733efa3a1d7ee3

SHA512
8eaa1b5cdc23b70df319ea9b0fa5805898b48d7a944ce9fb16487ba8af4c307c345b32855404adb045caf96c3d714a4e9ff31f25f96bc6ce8f316e1094032ce9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
18KB

MD5
1cffb7455fcabd0973f2a3565b818eb3

SHA1
469c457564ecf3bc26a64bc08abcbdec2f1122da

SHA256
d6bc3fd0c87859636c7b9271ca23e94ab758195c9fb67f53c8d0e171a6ddd045

SHA512
b7ed7acf7438849144dd0141d94471763cbc7c8bb85476c2edec5e575ea07a6e97bc64f88319bd82ba8e3fe616fc48ebbaaf3692cf7d0bab5080d0b768ededae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
4ce18e62cc7e1fd7e43285c2a06d2de2

SHA1
f958795b36eb6be9b78b2cc69d082920c655e2e2

SHA256
62dbff8115ce732ff231fd53f1d8facfb3801e1dfd94da0e8d48743cf37a22cd

SHA512
83be4416e1268c445d75eaaf49d3894b8994c2ca402bfd1c9ffb71aad3eb7b01d77be79f57f65fb305a930251bd478f87e25fb5390ed3d32c5b65a2eb42858e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\2cd341d9-d1a7-4800-be04-55ef0671a946

Filesize
671B

MD5
a231fd4482705f237d4b07f10adaaa41

SHA1
00e8ff583218cbcf4a0914cdb16992a34d3f44dd

SHA256
c98d637d7365ee6659a6fef48b0170b81d0a8f2146a23fe6749ef62a62ee3c1e

SHA512
519b27c0297e3dfc43587387ac0b18b6cadd7eaaacf6671bbb6ba35b6de5b53311697f85935d30b840931568778fe8c314d6c55165dc5a0f03a230d3005d8765

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\eba2c242-33e9-4933-bea7-f2f2ca029af4

Filesize
982B

MD5
a1db2c6500783976784e8e91e2624b36

SHA1
9a9b9c3b4d146eb111af4113e79a08865d39eb06

SHA256
0c6e2a93d5e9d347d2090757cf512308cf7807393f97a7ca616e51cb75e7aa13

SHA512
d23d0c357f6408e2b33e225be5e6fc35b23f32f5c9d142aecb05c32182dbaa2dc6988e3ac60448e364e7e0a091151ccc6433bb17b424a089aff380466f3fe62e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\datareporting\glean\pending_pings\ee1d8365-b0db-4652-a79f-3e3218dc88e1

Filesize
24KB

MD5
d9d23744ff73b95bda63f611688ebdb9

SHA1
919f3281f641ae7bb7451a8b48e8520dd2577a59

SHA256
874c74daf7cf87eb6a79590214ea0fc0e2d0366efb373380b981d1a662ccc6fb

SHA512
20e17d166802869273e5d50ad37f5965112a45fe9aa85972ddd13f4914407a7e171eabc9d624460480bbb7af4dd78028f6b6a109a099fda5e829bb75d871727b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs-1.js

Filesize
9KB

MD5
cbf7ff36ef2033847dc01fd1df83d2fa

SHA1
9263327aae32b335f4a4a0d47ec347cc22f5e5b6

SHA256
7c176f092d268eb1f03107ebac7e09a113a971fa32de99f7cf4ece25b6e254bd

SHA512
32ede9ef18a4c46c5d441ca3531ee71a193b1bf9e3531acd9845b848d0e110d4fddc22857eeb5536c999652052334d1e36c08f8f2dc93af8ae761720ea04af05

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs-1.js

Filesize
9KB

MD5
7fe95848b8e2dab5c6d968ca75652321

SHA1
73629bef1ec8104c538f1b5dcaa54b09718bc938

SHA256
6e1a5ba578537e45a33745bc208048dbf61e896f458af171ca6433154e2a2781

SHA512
bdadacaada6f93b694b105cc7e1db303df783dd9373324eaab116bef1ae763cc9dd1200c2b33eeae13b8c1d7206608985edd8a7768ebe5c092afdfce1c09c6f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs.js

Filesize
8KB

MD5
0279b133e50433978fc161900e713036

SHA1
6e709dae62b82a4c2f8d19d0adaa77bf04ff21fd

SHA256
89661f5c3f5728a325adcdaba3c50e39d4e49ac4b5133314f267067a61c519a3

SHA512
80686850970f1c1f41aca2f81015da057f8ac93fab2c2eac9dcb5fc19a065cf65a89831b38efc6c0ac4a2d1a1b83cac6b89e43d425e8db0ecddc816e62e5679e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs.js

Filesize
8KB

MD5
34dab9978aeccd5454c0e2a70960ce63

SHA1
895e8aee9e9e400364895586fd42f7e55e99ce71

SHA256
5fe0ca7403b1a1f2a1a091f412bb3a8e0a5de9e3006493582201cb87db6ba17e

SHA512
2649659d4f1ec0281e2f7e6fcb6667539be16c30950f8919f52a0130e3c332e667baece4bfbf5bfa3bfce0f8f8987b031d1ef1627bd1ebb269abd90986645b9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\prefs.js

Filesize
8KB

MD5
a5f55f264221241d7f308f37ac34358f

SHA1
d2a9ec06d0913465d57adfc65c188df61f951891

SHA256
721bd36549d398b10882ce3708ee555557a9f80578b17db6c0d1efeb5661033f

SHA512
0bd3dbed2dfdf9f9d0a710dbf564a0abfa2d9f78482b57689b09e801f06c4685e007d3cb151bc413d797bc98d03c6373680116567275e9e85c3b43f18780fd27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\sessionstore-backups\recovery.baklz4

Filesize
2KB

MD5
84c741ec8b54b69ea0e121acd45423d3

SHA1
0997f30646664ada1dad4a8886fa1a01b7b2e883

SHA256
d08bce8956bcbcf04566ef698799324c5019dd5d04eae21baab03bc4cea0cd69

SHA512
0bea633b4e32dfd3d2f4fcbcaf37b459bd3481bfc005b664360bd6310bd554170f751f5f5b61d48fc00bf59c13a5f4f72afb1da702117eb938026febbe1b2a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
6d98e83e04cfdb5504f42d06aef6e48e

SHA1
79940cf741f819adde29db793db7b0ea55a7ed80

SHA256
0730b2ed0445c77a6c760fc67d3fd04fead61a14c419ac72501fc86636733719

SHA512
d91fbae6c2cd79fcc68208f1ad2c5572579279621cc9497e7c9bb5e72d31f0b051fc38c607ac3abfb2328d2f5189f31f799fb13c99c9acd148b219e4c7f0f095

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\qfgaykt1.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
9ec6dcdc9fffe03e93c3d2e202c5a623

SHA1
b044f704f700a446b3e0fe898467b299df25372b

SHA256
579371ce0a4f763e7b691353630c976ce10e983db941fbf03f6d38eb7bec5292

SHA512
dc0d68d33aaa5087cbdfc517abfbb8030d7d236d0998b8e9bea50174da2d4429c84f9000842485681c982fa283aaf7dbbcabeeab70dee9bde5867e84eec86f4d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 899100.crdownload

Filesize
3.8MB

MD5
48deabfacb5c8e88b81c7165ed4e3b0b

SHA1
de3dab0e9258f9ff3c93ab6738818c6ec399e6a4

SHA256
ff309d1430fc97fccaa9cb82ddf3d23ce9afdf62dcf8c69512de40820df15e24

SHA512
d1d30f6267349bb23334f72376fe3384ac14d202bc8e12c16773231f5f4a3f02b76563f05b11d89d5ef6c05d4acaacc79f72f1d617ee6d1b6eddab2b866426af

Download Submit
C:\Users\Admin\Downloads\WinRAR.7.0.zip

Filesize
6.8MB

MD5
ec167ce29b0a16eec513d6377437ad1c

SHA1
c036ec49fdc7024fdb16cdc815c187d7dabd2215

SHA256
c839460ef12289fed5ded2cf270935ceb3fa2ad6e416ede30c233898dcc10322

SHA512
99735ebf12f55b306e52cd308a73e353ef032ad3e0a651f3fc18ec2bd4ce636f0004f64c73d81723134621af01e225d65b5aec54c907dc82b888e1479d5e6d7f

Download Submit
C:\Users\Admin\Downloads\WinRAR.7.0.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701b1.exe

Filesize
3.7MB

MD5
8c80e9a6c80f878dbbbb84c0eeb06841

SHA1
776c1ebfefd195cdd974c7da149fd9335ef03684

SHA256
8249444b8ec33512027cde2bd6edb51bea9e9b4f35c4b261319d7a52d3befffc

SHA512
2032fcb28818c44e478ce4d73b76454ff50bd7ff67371b6de3b60978a3474f5dbf135d37b92f4d960c7a9bb95b594590f5beb385fddd0d49aeeca4e817028863

Download Submit
memory/2032-2627-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2626-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2633-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2638-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2637-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2636-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2635-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2634-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2632-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download
memory/2032-2628-0x000001FE0F180000-0x000001FE0F181000-memory.dmp

Filesize
4KB

Download