9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26

Resubmissions

21-09-2024 02:03

240921-cgz6dszfpl 8

21-09-2024 01:42

21-09-2024 01:37

21-09-2024 01:13

21-09-2024 01:00

21-09-2024 00:55

Analysis

max time kernel
676s
max time network
678s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
21-09-2024 01:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EZFNLauncher.msi
Size

8.8MB
MD5

c094ae439f4a97409d752fa64f6eab86
SHA1

e607d4616a2262bb245c43269d7c3f769269e5d0
SHA256

9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26
SHA512

df8bd4db2130cdf94493caa170801cfc1e273aa22253d33b066db3be56b164c904f54172bb6f60afd131f9459a8e9895d718bb905420f067936862d86ed9506e
SSDEEP

196608:hwrQNEqoCdzOx618QNSi2lfVc6VpvPH62RM7tBIbK1/JuhC:hgcOxvQgllfjXtr8/kh

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\desktop.ini	msiexec.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\desktop.ini	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season15.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\favicon.ico	msiexec.exe
File created	C:\Program Files\EZFN Launcher\Uninstall EZFN Launcher.lnk	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season10.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\favicon.ico	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\Uninstall EZFN Launcher.lnk	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season1.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\vercel.svg	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season15.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\BricolageGrotesque-VariableFont_opsz,wdth,wght.ttf	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season3.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\EZFN Launcher.exe	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season7.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season15.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\FiraCode-VariableFont_wght.ttf	msiexec.exe
File created	C:\Program Files\EZFN Launcher\Uninstall EZFN Launcher.lnk	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season2.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season11.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\vercel.svg	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\desktop.ini	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season6.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season10.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season4.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season3.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\BricolageGrotesque-VariableFont_opsz,wdth,wght.ttf	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\next.svg	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season3.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season11.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season4.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\BricolageGrotesque-VariableFont_opsz,wdth,wght.ttf	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\next.svg	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season2.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\EZFN Launcher.exe	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season2.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season6.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\default_skin.png	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\favicon.ico	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season4.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\FiraCode-VariableFont_wght.ttf	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\default_skin.png	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\FiraCode-VariableFont_wght.ttf	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\Inter-VariableFont_slnt,wght.ttf	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season8.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\vercel.svg	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season5.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season9.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season7.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\EZFN Launcher.exe	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\Inter-VariableFont_slnt,wght.ttf	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\Inter-VariableFont_slnt,wght.ttf	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season1.webp	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\season_images\Season10.webp	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\default_skin.png	msiexec.exe
File created	C:\Program Files\EZFN Launcher\_up_\public\next.svg	msiexec.exe
File opened for modification	C:\Program Files\EZFN Launcher\_up_\public\favicon.ico	msiexec.exe

Drops file in Windows directory 34 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\~DFD1C2772383081B07.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF7427A6A5B07DC1DD.TMP	msiexec.exe
File created	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DF423B58CB9B0FC7CF.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e0da.msi	msiexec.exe
File created	C:\Windows\Installer\e57e0dc.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF46B7D91196238CF6.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF016DB872F9400E4A.TMP	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Installer\MSICAC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCBFD5C464DE2FAB0.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2FEC3D27A75F22A9.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF04B2993935504500.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\SystemTemp\~DF62E7EA6B1C1C84E7.TMP	msiexec.exe
File created	C:\Windows\Installer\e61cb1a.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}	msiexec.exe
File opened for modification	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e61cb18.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAED.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e0da.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\ProductIcon	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\SystemTemp\~DFAF9CC46E33B3EB2C.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e61cb18.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCB7AE7098CBEEF83.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE196.tmp	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
5036	EZFN Launcher.exe
2020	EZFN Launcher.exe
3652	EZFN Launcher.exe
1180	EZFN Launcher.exe
3116	EZFN Launcher.exe

Loads dropped DLL 4 IoCs

pid	Process
3024	MsiExec.exe
3024	MsiExec.exe
5272	MsiExec.exe
5272	MsiExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1180	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 15 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3572	msedgewebview2.exe
1756	msedgewebview2.exe
2228	msedgewebview2.exe
3152	msedgewebview2.exe
4892	msedgewebview2.exe
4580	msedgewebview2.exe
784	msedgewebview2.exe
2656	msedgewebview2.exe
5980	msedgewebview2.exe
3092	msedgewebview2.exe
2248	msedgewebview2.exe
4264	msedgewebview2.exe
4940	msedgewebview2.exe
3916	msedgewebview2.exe
4468	msedgewebview2.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000004fbc8ede2bb95e8f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800004fbc8ede0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809004fbc8ede000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d4fbc8ede000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004fbc8ede00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133713550161689845"	chrome.exe

Modifies registry class 61 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductName = "EZFN Launcher"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\Environment = "MainProgram"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\MainProgram	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductIcon = "C:\\Windows\\Installer\\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\\ProductIcon"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductName = "EZFN Launcher"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\PackageCode = "902E236029C1087479870FBC7034677D"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\ShortcutsFeature = "MainProgram"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\External	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\External	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\PackageCode = "902E236029C1087479870FBC7034677D"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Version = "16908292"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Version = "16908292"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\MainProgram	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\Environment = "MainProgram"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Language = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\EE6130624F4A70E4E8E28D99BF4EC03A\ShortcutsFeature = "MainProgram"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Language = "0"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	firefox.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\ProductIcon = "C:\\Windows\\Installer\\{260316EE-A4F4-4E07-8E2E-D899FBE40CA3}\\ProductIcon"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\PackageName = "EZFNLauncher.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\AdvertiseFlags = "388"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\148EDAE345EAC3E54B1170CBD502D298	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\PackageName = "EZFNLauncher.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\EE6130624F4A70E4E8E28D99BF4EC03A\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
680	msiexec.exe
680	msiexec.exe
1260	msedgewebview2.exe
1260	msedgewebview2.exe
2724	msedgewebview2.exe
2724	msedgewebview2.exe
2224	msedgewebview2.exe
2224	msedgewebview2.exe
1932	chrome.exe
1932	chrome.exe
1516	msedgewebview2.exe
1516	msedgewebview2.exe
2944	chrome.exe
2944	chrome.exe
5724	msiexec.exe
5724	msiexec.exe
5724	msiexec.exe
5724	msiexec.exe
5988	msedgewebview2.exe
5988	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
4980	msedgewebview2.exe
1260	msedgewebview2.exe
2924	msedgewebview2.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1264	msedgewebview2.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
3056	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1180	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1180	msiexec.exe
Token: SeSecurityPrivilege	680	msiexec.exe
Token: SeCreateTokenPrivilege	1180	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1180	msiexec.exe
Token: SeLockMemoryPrivilege	1180	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1180	msiexec.exe
Token: SeMachineAccountPrivilege	1180	msiexec.exe
Token: SeTcbPrivilege	1180	msiexec.exe
Token: SeSecurityPrivilege	1180	msiexec.exe
Token: SeTakeOwnershipPrivilege	1180	msiexec.exe
Token: SeLoadDriverPrivilege	1180	msiexec.exe
Token: SeSystemProfilePrivilege	1180	msiexec.exe
Token: SeSystemtimePrivilege	1180	msiexec.exe
Token: SeProfSingleProcessPrivilege	1180	msiexec.exe
Token: SeIncBasePriorityPrivilege	1180	msiexec.exe
Token: SeCreatePagefilePrivilege	1180	msiexec.exe
Token: SeCreatePermanentPrivilege	1180	msiexec.exe
Token: SeBackupPrivilege	1180	msiexec.exe
Token: SeRestorePrivilege	1180	msiexec.exe
Token: SeShutdownPrivilege	1180	msiexec.exe
Token: SeDebugPrivilege	1180	msiexec.exe
Token: SeAuditPrivilege	1180	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1180	msiexec.exe
Token: SeChangeNotifyPrivilege	1180	msiexec.exe
Token: SeRemoteShutdownPrivilege	1180	msiexec.exe
Token: SeUndockPrivilege	1180	msiexec.exe
Token: SeSyncAgentPrivilege	1180	msiexec.exe
Token: SeEnableDelegationPrivilege	1180	msiexec.exe
Token: SeManageVolumePrivilege	1180	msiexec.exe
Token: SeImpersonatePrivilege	1180	msiexec.exe
Token: SeCreateGlobalPrivilege	1180	msiexec.exe
Token: SeCreateTokenPrivilege	1180	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1180	msiexec.exe
Token: SeLockMemoryPrivilege	1180	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1180	msiexec.exe
Token: SeMachineAccountPrivilege	1180	msiexec.exe
Token: SeTcbPrivilege	1180	msiexec.exe
Token: SeSecurityPrivilege	1180	msiexec.exe
Token: SeTakeOwnershipPrivilege	1180	msiexec.exe
Token: SeLoadDriverPrivilege	1180	msiexec.exe
Token: SeSystemProfilePrivilege	1180	msiexec.exe
Token: SeSystemtimePrivilege	1180	msiexec.exe
Token: SeProfSingleProcessPrivilege	1180	msiexec.exe
Token: SeIncBasePriorityPrivilege	1180	msiexec.exe
Token: SeCreatePagefilePrivilege	1180	msiexec.exe
Token: SeCreatePermanentPrivilege	1180	msiexec.exe
Token: SeBackupPrivilege	1180	msiexec.exe
Token: SeRestorePrivilege	1180	msiexec.exe
Token: SeShutdownPrivilege	1180	msiexec.exe
Token: SeDebugPrivilege	1180	msiexec.exe
Token: SeAuditPrivilege	1180	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1180	msiexec.exe
Token: SeChangeNotifyPrivilege	1180	msiexec.exe
Token: SeRemoteShutdownPrivilege	1180	msiexec.exe
Token: SeUndockPrivilege	1180	msiexec.exe
Token: SeSyncAgentPrivilege	1180	msiexec.exe
Token: SeEnableDelegationPrivilege	1180	msiexec.exe
Token: SeManageVolumePrivilege	1180	msiexec.exe
Token: SeImpersonatePrivilege	1180	msiexec.exe
Token: SeCreateGlobalPrivilege	1180	msiexec.exe
Token: SeCreateTokenPrivilege	1180	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1180	msiexec.exe
Token: SeLockMemoryPrivilege	1180	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1180	msiexec.exe
5036	EZFN Launcher.exe
1180	msiexec.exe
4980	msedgewebview2.exe
4980	msedgewebview2.exe
2020	EZFN Launcher.exe
1260	msedgewebview2.exe
1260	msedgewebview2.exe
3652	EZFN Launcher.exe
2924	msedgewebview2.exe
2924	msedgewebview2.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1180	EZFN Launcher.exe
1264	msedgewebview2.exe
1264	msedgewebview2.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
1932	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe
2944	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1344	MiniSearchHost.exe
4396	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 3024	680	msiexec.exe	82
PID 680 wrote to memory of 3024	680	msiexec.exe	82
PID 680 wrote to memory of 3024	680	msiexec.exe	82
PID 680 wrote to memory of 1432	680	msiexec.exe	86
PID 680 wrote to memory of 1432	680	msiexec.exe	86
PID 3024 wrote to memory of 5036	3024	MsiExec.exe	89
PID 3024 wrote to memory of 5036	3024	MsiExec.exe	89
PID 5036 wrote to memory of 4980	5036	EZFN Launcher.exe	90
PID 5036 wrote to memory of 4980	5036	EZFN Launcher.exe	90
PID 4980 wrote to memory of 4340	4980	msedgewebview2.exe	91
PID 4980 wrote to memory of 4340	4980	msedgewebview2.exe	91
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 3092	4980	msedgewebview2.exe	92
PID 4980 wrote to memory of 1260	4980	msedgewebview2.exe	93
PID 4980 wrote to memory of 1260	4980	msedgewebview2.exe	93
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94
PID 4980 wrote to memory of 2248	4980	msedgewebview2.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\EZFNLauncher.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1180

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9E8C52459FA3316AEB1BB3A7403E23F3 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Program Files\EZFN Launcher\EZFN Launcher.exe
    "C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=5036.4796.13326177146662037251
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:4980
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x104,0x108,0x10c,0xe0,0x1b8,0x7ffe432b3cb8,0x7ffe432b3cc8,0x7ffe432b3cd8
        5⤵
        
        PID:4340
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1936,7089382063923768711,10618175067207087591,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3092
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,7089382063923768711,10618175067207087591,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2192 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1260
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,7089382063923768711,10618175067207087591,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2480 /prefetch:8
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2248
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1936,7089382063923768711,10618175067207087591,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1756
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1432

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3036

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Program Files\EZFN Launcher\EZFN Launcher.exe
"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:2020
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=2020.3092.11059618759518937393
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:1260
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x1d4,0x7ffe432b3cb8,0x7ffe432b3cc8,0x7ffe432b3cd8
    3⤵
    PID:3520
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1832,13971610079036607235,10946831147720986717,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2228
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,13971610079036607235,10946831147720986717,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2076 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,13971610079036607235,10946831147720986717,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2556 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3152
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1832,13971610079036607235,10946831147720986717,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1248

C:\Program Files\EZFN Launcher\EZFN Launcher.exe
"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:3652
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=3652.4928.15188892094342819669
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2924
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xa0,0x1b8,0x7ffe432b3cb8,0x7ffe432b3cc8,0x7ffe432b3cd8
    3⤵
    PID:5024
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1848,1197039465702934882,8064762307638673272,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3916
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,1197039465702934882,8064762307638673272,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2296 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2224
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,1197039465702934882,8064762307638673272,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2648 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4940
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1848,1197039465702934882,8064762307638673272,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1196

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe515bcc40,0x7ffe515bcc4c,0x7ffe515bcc58
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1912,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1756,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2036 /prefetch:3
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2000 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3240,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4424,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4432 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4936,i,5345954264868770849,12588021674487735132,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1160

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3324

C:\Program Files\EZFN Launcher\EZFN Launcher.exe
"C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
PID:1180
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=1180.3200.83096625279877450
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:1264
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1ac,0x7ffe432b3cb8,0x7ffe432b3cc8,0x7ffe432b3cd8
    3⤵
    PID:384
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1812,17893610101473455646,10989836925739613650,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1820 /prefetch:2
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4892
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,17893610101473455646,10989836925739613650,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2316 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1516
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,17893610101473455646,10989836925739613650,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2776 /prefetch:8
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4580
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1812,17893610101473455646,10989836925739613650,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe515bcc40,0x7ffe515bcc4c,0x7ffe515bcc58
  2⤵
  PID:1248
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2016,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=2012 /prefetch:2
  2⤵
  PID:1000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1736,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=2384 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3224,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4456,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=4452 /prefetch:1
  2⤵
  PID:540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4740,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4752,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5112,i,11647850207270582647,7910534520049469215,262144 --variations-seed-version=20240920-130106.786000 --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:3040

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3120

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:776

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:788
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4396
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1916 -parentBuildID 20240401114208 -prefsHandle 1832 -prefMapHandle 1828 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87c45105-3e37-4188-ab07-a712618f3aa0} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" gpu
    3⤵
    PID:4952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2316 -parentBuildID 20240401114208 -prefsHandle 2292 -prefMapHandle 2280 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {982374bc-2029-4fd0-b013-438a32268dbd} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" socket
    3⤵
    - Checks processor information in registry
    PID:1352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3184 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 2764 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3d24b337-d82d-4d86-b3d6-b9b409fec856} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" tab
    3⤵
    PID:568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3536 -childID 2 -isForBrowser -prefsHandle 3608 -prefMapHandle 3648 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ad1e8f6-f70f-44a1-a9d6-abb2a4e3c71c} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" tab
    3⤵
    PID:3796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4308 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4300 -prefMapHandle 4296 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d3ee872b-0448-459b-ace6-1c28f95b1d82} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" utility
    3⤵
    - Checks processor information in registry
    PID:5496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 4996 -prefMapHandle 5412 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d15ca64b-af9c-4345-8d77-28f59a198ba7} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" tab
    3⤵
    PID:3440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5540 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5552 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a0bb25b-279c-48be-a8e1-72ac6d13bf2e} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" tab
    3⤵
    PID:1400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5724 -childID 5 -isForBrowser -prefsHandle 5732 -prefMapHandle 5736 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa8ac1e6-8e9f-4c4f-9b54-356ff06cc0bb} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" tab
    3⤵
    PID:4776
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6236 -childID 6 -isForBrowser -prefsHandle 6252 -prefMapHandle 6244 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1284 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e07b3205-31d2-47ed-a008-03f4a1b0d55a} 4396 "\\.\pipe\gecko-crash-server-pipe.4396" tab
    3⤵
    PID:5424

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\EZFNLauncher.msi"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
PID:5660

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:5724
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5FAE132D486B2356F65AFE5F07FDA9E2 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5272
- - C:\Program Files\EZFN Launcher\EZFN Launcher.exe
    "C:\Program Files\EZFN Launcher\EZFN Launcher.exe"
    3⤵
    - Executes dropped EXE
    PID:3116
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --no-default-browser-check --disable-component-extensions-with-background-pages --no-first-run --disable-default-apps --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --disable-popup-blocking --internet-explorer-integration=none --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --no-proxy-server --lang=en-US --mojo-named-platform-channel-pipe=3116.3872.16959004273689374397
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:3056
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad --metrics-dir=C:\Users\Admin\AppData\Local\org.ezfn\EBWebView --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x1b8,0x7ffe432b3cb8,0x7ffe432b3cc8,0x7ffe432b3cd8
        5⤵
        
        PID:1908
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=gpu-process --field-trial-handle=1812,11954890118535927375,10505005686996885850,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5980
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1812,11954890118535927375,10505005686996885850,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2284 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5988
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1812,11954890118535927375,10505005686996885850,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --service-sandbox-type=utility --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --mojo-platform-channel-handle=2812 /prefetch:8
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2656
    - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\90.0.818.66\msedgewebview2.exe" --type=renderer --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc" --field-trial-handle=1812,11954890118535927375,10505005686996885850,131072 --enable-features=ForwardMemoryPressureEventsToGpuProcess,UseSwapChainsInSoftware --disable-features=FilterAdsOnAbusiveSites,SpareRendererForSitePerProcess,WebPayments,msApplicationGuard,msAutomaticTabFreeze,msBrowserSettingsSupported,msEdgeFaviconService,msEdgeLinkDoctor,msEdgeMGPFrev1,msEdgeOnRampFRE,msEdgeOnRampImport,msEdgeReadingView,msEdgeSettingsImport,msEdgeSettingsImportV2,msEdgeShoppingUI,msEdgeTranslate,msEdgeUseCaptivePortalService,msImplicitSignin,msPasswordBreachDetection,msReadAloud,msRevokeExtensions,msSendClientDataHeader,msSendClientDataHeaderToEdgeServices,msSyncEdgeCollections,msUseLabelingService,msWebAssistHistorySearch --lang=en-US --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\org.ezfn\EBWebView" --webview-exe-name="EZFN Launcher.exe" --webview-exe-version=1.2.4 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3104 /prefetch:1
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3572

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\EZFNLauncher.msi"
1⤵
- Enumerates connected drives
PID:2896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e0db.rbs

Filesize
21KB

MD5
74a7aafb0150a18653db995a2e780e4a

SHA1
e1f4502a5a89d68ee1217b263487282f8a681591

SHA256
ae94b54cd5ce6c5495b3ea0ef9f3f509db5ece6088325bee7ce232e570c16d30

SHA512
1346b68b087de005e7c086940e938560e4c0e6ec25abe05f8cd3fc8aaa2aa39900a7ec8451bb8a45cc3d8843183ee67370a90a2759db3d90eba735243145ae3c

Download Submit
C:\Config.Msi\e61cb00.rbs

Filesize
25KB

MD5
e2c3a7fcdeca9ea980e35485fd042c37

SHA1
ef793b85e2ab8295aee4822729e18e5509f58f38

SHA256
783f0ee18afa6b8e1300b9c54d729fb80a0a42a05a6148d27a4c34bfd7dd99f5

SHA512
b34589c2edf68d35bb4256397ed80a372e4a0716ce9e5877d506a1df0aa6c62124cea2c86fd31e4377c6799f0cc33b14e8d1432700183cb86e285a09558eebd6

Download Submit
C:\Config.Msi\e61cb02.rbf

Filesize
1KB

MD5
f73fe9b8bbe352e3a7be5a934a51f454

SHA1
790022799d7454ba4199833214409ad4ceeb6f81

SHA256
cc477f07c93329261dfe4af7e6eadb191609921b797e79e6a45e612888fb194a

SHA512
62cd0dea13b0a2109ac3e6f319adcaf2629d4c0d96c5ec72b97d2b48b43ec487086abdbccfa0a6571a7442b600eb7a0e167520bb01916dbba116706a99f2f39b

Download Submit
C:\Config.Msi\e61cb03.rbf

Filesize
966B

MD5
2db76a2403edfbde086bd90d8e1b4b46

SHA1
aac32cc987282b5be75df1f9c5b9fc7dd4c641f4

SHA256
6a88fe50c4151be70652aca07fbfb39ad5e20f361b461fafffe9094645a41220

SHA512
c08c791afb7e6591952aa67eb708b39db3129db7b604a2ce75fa12957f6679daa5b0af6793f2d99d0d42a019df6af44317dc7cc9f6643a01ee0c75316cb1f826

Download Submit
C:\Config.Msi\e61cb19.rbs

Filesize
21KB

MD5
412eed19bec305fa43ce876ee32ee567

SHA1
80978953ef4be7314ae9b0d6a2105097a8207ffd

SHA256
95ba69877a75ba703d44f80cfa241ffe3aebe54521dbc68c42595855518dff4b

SHA512
4eb665fda47ab6307d450728e60bde581568925085fb21cd56ad956b0c88c4c5ebaa3491696988beaf67b05469465723cfddfaef750aae91c0a3b2ed4d3d142f

Download Submit
C:\Program Files\EZFN Launcher\EZFN Launcher.exe

Filesize
9.4MB

MD5
4f33ce3ea36ef1f99b6825a86b2470ff

SHA1
baca999aadc039799d779088276704b14b5c665b

SHA256
5f05babffaded0eae013bcea5de6821cb51c82acbb6889c4b01ebde41b3dafa8

SHA512
a96e86906b195d035a824f48f89db9455208dda2ca7ad1d7dc88881cbf6b0649bafea39fa384254aebc23f6a903cd18cf7dda375194390119c0111d901fbc0b6

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk

Filesize
2KB

MD5
ece428dffc326bec2bed86d734b8949f

SHA1
6971ae43a21116a06499085f4c09797481e432c4

SHA256
b0a63c5afdbf7f39c26769e22afd8510e85b5f404bb4c946f88e722fbe593611

SHA512
7d18914a336cdc6fe349b392a6109398cfc5498a28a54f7707d316fc750a962f27f6893836e31749645878a9134dc353c115aa31bba18cf402044ba99f468ee4

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk

Filesize
2KB

MD5
64383917ab4e5ab924c110362ee68684

SHA1
5d84b032ccfca376d8d98a584996ff2526788981

SHA256
6b9afaf41991aa175ba120de12268d45c4a8cecc07ab6caa95a9eac1d6f541f9

SHA512
31b5287df0d70f5799f765115f6276fb62dead1bd69cf5519d14341d0e70e6bdf35eef7a5e733901847792fa6ed6ef36432a3008a0ba57325e24fda7ffbb0557

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk~RFe57e2af.TMP

Filesize
1KB

MD5
3a3fe2198cb43f90f353538f33824c5d

SHA1
c497c2b4642105c38b0b02eb8dadfb1ad6b6b194

SHA256
86e07e01e7e1fef6ee1ac83729db9babbcc33a8e607533f053492d2f3e4255f1

SHA512
d9c7a342ed96dc0e9da925dc96288a81d3705a5f78ad183ab13d2ecf7650ae388cc29cade30ee30a2481f5471c7d298e5aa26c15a507edf0235473b21fefe216

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EZFN Launcher\EZFN Launcher.lnk~RFe61edab.TMP

Filesize
1KB

MD5
8420e1208eea4fc544f1c1a48cdebd10

SHA1
d69037203eb44a41a4b453eb52970bf2702a0f96

SHA256
2a326c3d90ebb166ed0ce6245aaa1b87fdf93a2890663161be0ae496ec20f09b

SHA512
4412e13a21defb7573df25ef69eae81b923c9a04f78893cea4f7f433b0b4e07f6ddcd7b2f9c2437d01f82d89daffb129db765cd95e5841b7c7e5e2371cce70fc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
719b5a19c4d86a1f1c8a69b0c3ca1a86

SHA1
8d10a71dd51e5982dad6ead4c44d8e9de2bbab9a

SHA256
9d760ffb787d9e03cc6528d9d501ee0eb380cadbb1483215c9f9336739ee841d

SHA512
30a2bf66eefcf8843aac4d0647d4acae8c530671798d1c88737d91be40b9fd8667c335cb3a105f7135b5ff016da435e7aaf27c7843acfb7689f328cf2afcd5db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
00a5bead0ba535aaf89d6c46598bbc8a

SHA1
677134e3f2338f42b076dca2e18d42dae5752f41

SHA256
214b16e489319ca893adfb4f4ac8787d93b02020fe040365db834f651d9c0a75

SHA512
9eed99009f38d5c14cf8118cf1d687c29b4ff8ff0983fcfd312e237e12a414ac32212665eb0f90cdb59272fb075a609708742d08760b50d84e8d99b7f8d365da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
11344b2249ea98eef8ac84376b425834

SHA1
a8398f9c5aa7a1a677adbfd9dd86b883b86fa850

SHA256
98f5242baa1531c41086537abbd565df77e0aa5b5b8a7b2ba1f4fdeacfb5c00b

SHA512
a3a9b93476ab765a6b0e5586bed1e2be979e0642d9a1b957ebffc41c684be3b25592cfe16a36755bd53b667d7e4f0ae6ed2c6e1607196a360cc4f12be1e57098

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
72abe6154ade95957ed739e5bf6be61c

SHA1
f98586be7b82a43211138ea19db4794c78eb8b9a

SHA256
733e991cc45a3557f8f9816292a681088ef87b17839987dc60c32be29e1145e4

SHA512
bb25f60f3112d137d7825b9345554a5a2ac9cb56b544b6c6d44abc9d3b11f2ed39cd23bd99605a5fb52502c8bce0dc0485285b6ff31a2e182e5d8d149040d54d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
0efd183a377dbbcffb4bab2fd26b90d1

SHA1
68d184eb9ee3388853548871ec44841413803b2f

SHA256
35ae5a2557f22bf85a95dff93490d9b98dd3e5b7083b946a8f7840a6acc6e2cf

SHA512
4b6fd3c37e1d5a9e8042a548e8529115a7fe720f756f732a4e799aa20792ad5a9048f58abf690d1d7d54bc58c23647bae05d7840e8000a286e5aa2ee3ce7e498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bd020d99906f3c71750ef89a079b9f5b

SHA1
bf74300cb3a654d93137d4b8081e052db34bdbc6

SHA256
9487214b627e1146b47ea3d09c5af27fd40aa47147ab9403235a0cc492ccf6a3

SHA512
f6f19036c9188eddfd16edd1c4384f7ce676742cd571aadf5e9405e78eca777097fbad1a7d35d2d374d8f5c5e1bc899545f3628a2d5d4e02cb6f1914e6c8ac3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
8142b4f5a926cad6cf8eb65021b4f6fd

SHA1
269e50f9543e84a47936a0ce9286d1933620cc00

SHA256
a893661a6a132e52bc02776e4a8499797ba8aa6ccb6826ab778c291f13002606

SHA512
56ee3d038d0461d10346fdfd15ddce6831f938b5c613b0eca71f41cc6a5f1ddd71e0406fadbe5474e2c8e17dcba54f293862653c36847efa0e1bb64d952e3982

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
e23e02bcef0b6c9d239a753e714d42c9

SHA1
1a2e984dbfa65173cf3ab095becd3e0b9ae28bcd

SHA256
ddb16e2da717446925e77a860db2bece96774b0cf05e5502aaf511820bb8a3cc

SHA512
2587043732e815293915a040de8417f065363355dee66b31debb4bbba28346708abe59c3360d80dfd4a710b5d75dcf47fd6252a34bcd245fe7fd3a1ab984e9ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
5de2d291df64200384ceb13604a9b254

SHA1
906549c75c3791b7e1af7b5c1eeb7a5e6c4cbedc

SHA256
6c64dd6f1e5c30638627d3d3e173243d44e980801043b77ec95f4b3629b6e988

SHA512
b4656dfaa870ec08bd92c5b6c83c71ec75f7eb2859716ce28e5b686dbc02e87ccac16882a06946153324dff1962424422d4de1017e809fc7a52ee65c3425679c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d8368693d01005b7968f0b840a3d6398

SHA1
c6bb508bcecf591779d35f7c23cafca8d8f51c4a

SHA256
9fc84cccd395965c68869ed8f29367ad4025aeff093baa7c2bbda89fe9b90bab

SHA512
b18b225ad307ace3d10a0c860869025cc33052e10a3b0e652eb259c4e6f6f885b5a289a69ebcae228dcb465c84b8a1d5b4d3f90bdc1ce958865b714f32deeb3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
13283b7ba957103972b233eb05e6b360

SHA1
60a564f9dba7453115828d073c30436c67e467d2

SHA256
069f5b15edbd2c5ae67a82875e61e5bad2f015a769cc03361572c0a91a0eb529

SHA512
cddc85869e2e9cbf59537b2a3fad2f955ab6306be9f3c23b5aeff333c02cd73053c65b2816a73b6efae5156380332f28d0770cf3ef5018ea15b9651d04180ebb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9db57aac9fa6ba334b464c84e775ca1f

SHA1
9cb1988a11b0fbe1da768a82e3f2f7d1c4bad1e2

SHA256
c94845618dc3a858d13521d2b7559ae7b244a9c673e1227bae0632507e6c8e34

SHA512
05f6a6dc403f39354b26c7166fec4363c2928950474a25a46d31071aaca4ec1f6983c20efe6fe82c442826ef57b0b9af29a50974a574690ff0f8548c51b20678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f1fb2760f08a140f17f3845b653bb23

SHA1
e8fa99b1c1ac7612865a566a3d533553ad652f5f

SHA256
a67407d8fe3b503b438dd82a95babd2d68d6734c0bedb17712279d7724e1a3ee

SHA512
5b05b3f83edb8bfc66af5e70d5dcf0db6ad926d2d94e81ae6d31ce6f511dd979a81e033c6021285ced1ef4901fd464a08b0f75220b52f56b45a59741583dd32a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
27997fae97b05182802dfeaf933cef2f

SHA1
e2df1fe2fbb6bf37c2f130776c8b093c4db16bf9

SHA256
77de644d34bae7c72bf4db6cf6c621805b5bad1bd5b08dd03c90351f4b459b9a

SHA512
79e84a3369db18552ccc2529315b9c4a00eed493cbe1efca5ca4f4ed4976131565144bdb47983b0ba8465a8c9355075be647b7717db06713fdcdedc729fa0223

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53895cb8cf0e6f176bafd6ed7b5890e7

SHA1
5ca57f8b7c19059008ec14739b2dd54bad78312c

SHA256
473c2e876178a381546fdd49c9b552d673a0b8e411ff0f9fc299488773b98747

SHA512
86355e8105b461fd25f5fa87c177773576c4e07fcdd2445bdec1efe3cbad8fdd8c35ea9bd4dfd9927f9882a2447a79c46d4aa946f5fb4ba721e7556b26175627

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
76513d41c4a13760f427c4ffdf994570

SHA1
03bf35aa418e910cf264205120041ce182caf0c3

SHA256
406d931e92bfa1fc498ac8a7112cb97344225e7111abe68d05283416f6f6b37c

SHA512
ec92a01d3120f3e303e8b1ec857708a18c43b241fe065d8a82f4a5deef52eadc478bf5df39bed36ec68a4a7da50d7a2f68a257d3ce294e82e5333bbd39b8f3c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
f9e6787fffa8d7d58c15a0c5d38f5cd6

SHA1
9603b6f231625b142ffc566e60b52b032c46b6cf

SHA256
09d0aec2cb89d8d7f51809616153fbab4aaa07df37d364780ad562e094e28028

SHA512
b8f895049ae0521ece1b48f15eeed8ae1a0cb3824c66c7e0d02a377f09597969dad42b80fa325a12d6e91aee268eec472931c419dcf0acea542af7ec3192695e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
20ecb02e0fa2140855728d1e8254ab8b

SHA1
19c1c40db4fcb1ad1e3f57df1f7d0ba19262a09e

SHA256
754434b2835e11480e18834af064c76c79908a4bca115a7a86d1a28fc82b37c5

SHA512
e41e3cb8d78f530df8e42e4965c8985ebd6d55b2f551bf41919b02c9088b4ed0d2c7962461289429a18cb190da8ca2aa9acc2a73c03b9f2bfceef5683d11d788

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
ca2f972fefe16a3f3cc26a4f34dbe17d

SHA1
9ae20a3ba874d14a4192f45c3a7d1748e4fd200a

SHA256
05d4792ad65de059034a2257e3fce1dd9345686f04c7d4f60a61aa44756ee30b

SHA512
87c179918834c2338c945e7a84596ca77f1ef64a3dc2c0460003bf8c0a9c10bbed7e4c3abd9f61afee8b3541d4c9c89fe96559c811944667e4af923e537a9b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
ef6512479643cc689cacedcf91eb4da0

SHA1
fce5aefb361ac91a19886e1a6204d04951bbef14

SHA256
6ad704b88e9cbd6635e16a220ff054b5ae49e54424b4570bb9856868ccdaa048

SHA512
ba0377fc238a1de43ce839ea0551946b524edf2d7af4edd548458e9857423d88c5879cc65f20f4754d3a2709cf4e882d9ed1d1a64e109db2fdfb4a645c8339f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d59e5891576421b7462c1d070392d9fa

SHA1
0088a5519351b3fbe021c291ad11915d655a6d39

SHA256
65433092b12ed61402b2f249ee5f7b15ea6098d26fb41e3f0f905477f4d8dc0d

SHA512
02b3dff57ff3ff0fe5b47a7f031c9662faaa1bac45a1412da0f3ae28eac3ca76b19a1aa7c5f53d2da4a37d0e14bdb2b164eef78e387a86c852b75eb209207125

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
76b7b88b51064e42307f5aff7d88273e

SHA1
bbb3045a5815ae4efe1db43696474da275c9e200

SHA256
edfc564a28510ddbf80570712b2a208334cedbcb3c1b74ee92fa64f3d56e489c

SHA512
e52d4e1d1c657fc6597f1138b8db966dbf6061094f0d040562f21f35a8c444f88c8fcdb85d94fb545d95feab7a041c7dfc282f0fe41e9e32016c2e4d7e34f6c1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\adahrqhl.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
bf0bfde9146f87bdde99667d0b051c24

SHA1
a3b29732b37bd9393666d10f8ab1d2e3852163ca

SHA256
d105a39b5dc6fc5e8003ff28b6ec47b17e435aeefd16183a998768c6c7ea7269

SHA512
a238ff6860f498eecba54442c7284142c097548345640c8af42154438ba3ad1b106b185f505df22858cc885f56debf1eab09b612a1d774a35ad99870bb14c6dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC4A8.tmp

Filesize
113KB

MD5
4fdd16752561cf585fed1506914d73e0

SHA1
f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424

SHA256
aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7

SHA512
3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF0AA.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
1ddaaf803bf646ce0a741d366e4052be

SHA1
d6d3bf14d988f5d4dc91a8a165ebdeaff9dec6cc

SHA256
f6b2adcb75bde9b8acd45204f556a8eb72c6c8cd1810b416987191231f8ab7bf

SHA512
1cf8d810191fb9ad51032a458b0ed79d143991ffaa61b7aebffacd6ed0f8fc176ef185f5e7e0c8c5be3faf064c667f4990e2bf3c0c4c0615695280d0f1a11d94

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
4a5af7304655699ca0cb6f2fe26bf59f

SHA1
9194ae7ee1a67a40d2a30643b97ae71f505ba2b0

SHA256
aa923b5a85d7a6e6af7e1fbc0a5cb6c7b4614a50f0628043f5a1972f58f39d70

SHA512
a9a51f14a67e058da59e3de75ed985517161a6d842b187fd344ebe1193c6f648fb0423de0ba1a3c546303183739f5cbd3209325a72b5c6d8ef56707c11cfb222

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\settings.dat

Filesize
152B

MD5
915fd0db630a3afd63a7d1554740e31c

SHA1
fbbd91444311fcb954caed0aa5a148e92e9f175e

SHA256
215670a6397180b786c15e3eb76eb2fbe41f727edccef8d1c5d03e10f83127e0

SHA512
b2e2a52d70d821e77ade035ed5a60e9a671405812be3ba51d0ed53e34363ffcd3c6a7c15aab4bf77fc635e385f459d7dcdc7e737abdccd1a9c50118d0d33013b

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Crashpad\throttle_store.dat

Filesize
20B

MD5
9e4e94633b73f4a7680240a0ffd6cd2c

SHA1
e68e02453ce22736169a56fdb59043d33668368f

SHA256
41c91a9c93d76295746a149dce7ebb3b9ee2cb551d84365fff108e59a61cc304

SHA512
193011a756b2368956c71a9a3ae8bc9537d99f52218f124b2e64545eeb5227861d372639052b74d0dd956cb33ca72a9107e069f1ef332b9645044849d14af337

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\6ab0f9f5-6557-473c-bfa1-251ecd3761d7.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Code Cache\js\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Code Cache\wasm\index-dir\the-real-index

Filesize
48B

MD5
a81bd616d018d66753789270551cb908

SHA1
a58eace3297ad706249183e082714127bd5018b9

SHA256
cd9e0733564a213e2f59560485ea4681c6f3bae1f19d2bcca3cd65ec7a94b439

SHA512
529d6ee5b38b68db34fbc1475a275f82744ba79dda40189c8ccab7f405cb1bdfbc49b0505542f8f75de157c7c479957c4e38cc6ebbeb0f0e904cf5dd01d54450

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Favicons

Filesize
20KB

MD5
5688ce73407154729a65e71e4123ab21

SHA1
9a2bb4125d44f996af3ed51a71ee6f8ecd296bd7

SHA256
be1b822e970dfe1a120d248db7000eaf799bd6531929a1308676c70fe1608d60

SHA512
eb6452b23ea36c39d03ead154185616c13583f12f382cb2456beeb1ba6e5febdfd2a6f1064283cf115ad1c517dbf409777cdacb128e00c9d3f401335db355537

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\GPUCache\index

Filesize
256KB

MD5
3ce1e16d1ddff16b9f1ef964cfe99952

SHA1
b8df0727b66629b65bfbf9a62d9f38086e726870

SHA256
dffa0397dbaad912af0fb58d242ae9733207298392760bc3236b285610611f7f

SHA512
ef0b6a6cf69972188a2c3c02cdc218fa9fb531ffe56a9a13a04cf7d411eb7bdfe039248105548593aa804817900a0e6dce3a96c8480079f683a2fc72015ca2fb

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\History

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Local Storage\leveldb\LOG

Filesize
279B

MD5
6724ddcab8c0ce40353b49dba790a207

SHA1
4edaef23ddd014691e7919f271cd3813a1f8cc9b

SHA256
4847670c8881adfbb737135231e2059398db6abd1899f61363014eb12ab6ecdf

SHA512
efedb494685a0b9fe569e504bdf90479f9b3cd62035a92a0d45b513d11b7686d097a12ad7ba57dc324b00d0b3f378a66ba59d4b43db143917a717f07c70895b0

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Login Data

Filesize
40KB

MD5
b608d407fc15adea97c26936bc6f03f6

SHA1
953e7420801c76393902c0d6bb56148947e41571

SHA256
b281ce54125d4250a80f48fcc02a8eea53f2c35c3b726e2512c3d493da0013bf

SHA512
cc96ddf4bf90d6aaa9d86803cb2aa30cd8e9b295aee1bd5544b88aeab63dc60bb1d4641e846c9771bab51aabbfbcd984c6d3ee83b96f5b65d09c0841d464b9e4

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Media History

Filesize
76KB

MD5
cf7ac318453f6b64b6dc186489ff4593

SHA1
b405c8e0737be8e16a08556757dc817bd02af025

SHA256
634434e865f1ba1b90039bd5afd8f01bad6d278377106022ea2a9c2d8778d31a

SHA512
b64e484d16222d8de31f53cd60b719b7d855bbc552a7d052e202382bc3013e0edaceb31e3a287f2ea6b7117ccfdb8a56ea9d7da78535d2c606183072ecd084e4

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
47e8ecfd924042c1cb915a2a764fb66b

SHA1
e06b0c4e6c7c3e17193a0965b7332d6b4caeebac

SHA256
6e8e182928bfd84376d624ac9ff894deed4c208fbf3a807f31cea3f1450ccd89

SHA512
594c2ab8c399f77d89f1ae124312a60e2aa96679a969631e99cf968fc1953cd803734c8ed6915bf2a6691f8e2b444331b4d708f5533ae0f10349ba8fd2127212

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
f49d2a3bf8ad8acaf41e14b4dba6408b

SHA1
3676b83f930f53ac301c25b5e9877b4c11c736bf

SHA256
8e58023b45612eea8043f2987afa22ef70363b4a55bd61c6d421af8e72bfe245

SHA512
7cf8654157fb59ab61c57be66f08e29bde63ed8b105125d83b04397a6ad3bc2b145fecd3764a137c8175f6c75fa76b664fc2ee86295dee1b6c249bf21b6d2fa8

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
b387ec6619ec65597387481bb27fb99c

SHA1
6267060e5656b433e9d4fd93895b39603c1c53b5

SHA256
cada51fe99e0c519c745e56cacda43349a394fef66c2f3f485066bbb39420ad2

SHA512
1d147a8c194a31bd0fbf2f2dcad337e816a1eff5abb4ce188169216651b4bac5242fea373a35a64450e19869d9a344cf627ae3b24e44e37e3f74ffe7f6f40643

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
212bdb22013b78b4cd8ba849a00ff995

SHA1
b7151db0259b11e9436528aac7e0d2e3d4294419

SHA256
e2d6ac5cd56d91e055c196f07df139d6e6d2d83eef903d19a320b4976cd5b288

SHA512
2330be43064327c6132aa3e72b5c4bacd120f7cb7f1ccf3d22e1fda990b409cc8228a3d418bb1c058c9ffdc936e41b525527dabc7ca61f501eed92df25be268a

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Preferences

Filesize
4KB

MD5
05c4b669dc8d7a643a6a274a63904a78

SHA1
7317226a01fa2c2b6a87791f990ec9154bbaaac9

SHA256
36d53dc973c91fc110aeb49bff83d5362ba0a4e40b4595bbcfaa507b5af34b1e

SHA512
521af488b4ab6e2ebf761aa173d832152cd70e7a85893e28cf9c5b3ba07d42697e535893cf0a60524daeae1aa0440bc013ef7824e5431b8f3763880bdc219c9e

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Secure Preferences

Filesize
8KB

MD5
ac6759d63072e5777e9cf3dffcc45631

SHA1
b8e395f18a0a74b4656c05dd897a9a7e47860267

SHA256
eea6d9a642002b064909b064f254043b2da2f8f7a88b88baaa09402d7acea903

SHA512
53ee6f9f325cacda828f054828cbc6d3a798496a68a8449c1e05edab242ffcf0399afab93c317e9cecb27bb69de714e973d1fca9040a9b6a3ddf528a7b6872db

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Site Characteristics Database\000003.log

Filesize
40B

MD5
148079685e25097536785f4536af014b

SHA1
c5ff5b1b69487a9dd4d244d11bbafa91708c1a41

SHA256
f096bc366a931fba656bdcd77b24af15a5f29fc53281a727c79f82c608ecfab8

SHA512
c2556034ea51abfbc172eb62ff11f5ac45c317f84f39d4b9e3ddbd0190da6ef7fa03fe63631b97ab806430442974a07f8e81b5f7dc52d9f2fcdc669adca8d91f

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Site Characteristics Database\LOG

Filesize
295B

MD5
407be4989ca6ee46a3a7d9bdc706f85b

SHA1
5fe0de02a404d89f6a6582471233433c44363fd8

SHA256
c1b371bd8a5d97f37dda8c5ef16d89e8a81d9999d1be3302fea1f6089edd71c3

SHA512
0fe934ee10cac1c4f07515ca7a7324d533b73cea17c99e8cdf769f75385e03ccd0c9dac27a816a01f5e17fd3d7cb02379a636fc45ee19d1ce56c27200ea7f8a4

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Sync Data\LevelDB\000003.log

Filesize
46B

MD5
90881c9c26f29fca29815a08ba858544

SHA1
06fee974987b91d82c2839a4bb12991fa99e1bdd

SHA256
a2ca52e34b6138624ac2dd20349cde28482143b837db40a7f0fbda023077c26a

SHA512
15f7f8197b4fc46c4c5c2570fb1f6dd73cb125f9ee53dfa67f5a0d944543c5347bdab5cce95e91dd6c948c9023e23c7f9d76cff990e623178c92f8d49150a625

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Sync Data\LevelDB\LOG

Filesize
271B

MD5
4bf99e1f54fae98169c03b4a4fef4435

SHA1
08a0d55368e69c7192b26ba3570c2d448f487a95

SHA256
b590ec5bcedbadbb062f0009078f40ecc6f7d08ff92fd7dcd2433454957e7cb5

SHA512
548978ed6b26c8b65d8462f5e1e8d98ab3466240b2d314c94acca04bde00602721966f4da6eac3060e0380b545df3a9bdcb2ef53ea872cdd998ee317ed22d4f6

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Top Sites

Filesize
20KB

MD5
325ddf165383376a8e530a8288a9fb73

SHA1
f451204bb6f3de9de42f27bd887576b083026e87

SHA256
53eb4fcb3cbcaacd4d94036c9379715990f86185b8ef7fd18cb27665193da6c8

SHA512
edb9c49956741560f40df102b81c3b558b1ae9ce902040f89cecb2fbbf60277dcb73f68d8b7c60340a92c46915828b7a204420292d0a4906ac0e9082943ad528

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Visited Links

Filesize
128KB

MD5
4c3e56a1b820345c6718f0f6a658a7b9

SHA1
220d001bcc79269b9cb861758f400da012b47540

SHA256
92fae35daa87a4158055bc421153c6ed9deb7f8de48ea93079d6f3119f8b898d

SHA512
19a0292667c792047b588b74cb80eb9c35944d3c0e4ec016bf21ae0cecc211666533aa4c956c540794761d293c88110998d323f3c1cdc3a91282ff14e3fc395b

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\Web Data

Filesize
110KB

MD5
12aff5c24b1e165da94cc9ddef6d752a

SHA1
345a57b067d6c7561b149b6a7de1d0cf53e42cc9

SHA256
b49ee954c97289b707fcaed55266f7c49720d1c24f4a8872038384155081aabf

SHA512
fd584f3d7e3a5603ff2699e1b4930d6594b0ea09c0a194b7329f44d3d4d2e1e985a42ab512afc1b6a0f35412ef839d35f27fab1f6506e871d74c648c3adb0ae6

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Default\load_statistics.db

Filesize
44KB

MD5
144dfaaa82df72858197f4ef7ddd34f2

SHA1
e6bbbc5593c1d782e2d23c6ba6a5f5468e7548fa

SHA256
fe2844d9713e3f49ff6e5c6d5e9f3b7af671fe9165cafe01ebbaf61bb1ae84b9

SHA512
5a53b1dfd4729dd2cf7c5fb45b4b15e3b1729c7c7dca1a029b39964a6e0f9435bde61ba5c8e7b859254798fa135264c9814533409e5980159e52cdca2b1a5793

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
6e2580ca4b213becc31757902b544d69

SHA1
1518c9d7a483de9455dd44ec27a3dfc4098e7517

SHA256
8b5a14d576ddaecd2f5096d23226837169434dd8618860d2f22037d1fdae78ac

SHA512
3c51c2fc381042c02b306fe2c935f4b080d937f1fdf5f04a73b8692fd718b0ffdf7a567c5281ec369be6cd7a6c587ce412c3bf6baf0fc21ddb3d52386fcf5e46

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
014e6e9f9e21d71ff54045791f15cfa3

SHA1
de9831b83fbbd90b2fbcdcc16435b85deec0773c

SHA256
23240399e886336831c95ece166ca5ec5d30f89b8a3af274ee86144b39c5f2a7

SHA512
91e642daa946d15bb06be87e46c799bc177e277dcc1dae0acf15106f7e14210d41ae82101484f34d2cfb9db269f5dbb75794e5ff4344e268c6892b2d5b8ac7ef

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
8a0e8222037efead7452b23183102376

SHA1
c8f2dc2a2c73628086c297c5a8f08a2bfdfd30a9

SHA256
7e83cdb1899a55cb21a9349e89af39980c4be0dddcf2123eea2ea4e6c7526b07

SHA512
531983303093c524dcd9ca92a68cf7dc735f1ed68313807b584741b8596d67b1e72384b62b703704d57d0fb8fb07fe458725462ad271f6c9a15c42d60a6b3686

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
a2314684f81e4f9e40c3889289c0689b

SHA1
7e2557b6a514170bb5f390b8224a45b8cd2d6104

SHA256
5c790b8978f28f055e0cef032354ee6742c745d132737217fb2f110648393ee3

SHA512
1962f0815fcfe751b7abb1012ae9c04ab03b0800e7b21cdabb935fe2f7d9d4e06071a2ed9195b12d21ca8c528019ea989b501aa881ee9c795e032069d6236c64

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\GrShaderCache\GPUCache\index

Filesize
256KB

MD5
0c772546a3fd14ccfd6150dcd471f139

SHA1
3a5153f61d3dd937aaca68a27e16594cb6a9d306

SHA256
209fcaad8808eef95156ce50e04be99c2e1cdcc32ff58cf72ab722176d684a89

SHA512
7271bc9f84b0e2d273d8b59995157d76c1de01b5e644e1d27e939f5e9375ec7f4a1db6bda785204036c3b06675501e3cb53127b833d600e8e174ceea342fe9ba

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\ShaderCache\GPUCache\index

Filesize
256KB

MD5
8d8d983a5a849b651edcb82a707b1515

SHA1
0c1e8fb898030a0e6b0240ad759b63ed320dc8bd

SHA256
b0661ae47a858634311fdd4fe4c6fc2d0eeadb121d83ad353dcdf78222e789ea

SHA512
cedb6b1b56970af5279747ce3f00d2feb7e4e21d320d7c0320f22ac7ab44e97ac0de3292916dcf5d53aabc6ca1f363ffe1a578f46d744af6f63a749dfbe9a6b8

Download Submit
C:\Users\Admin\AppData\Local\org.ezfn\EBWebView\ff02c36b-9a8f-4c2d-95a0-244379d7aaaf.tmp

Filesize
8KB

MD5
48186affe0d4c1df081df69fbc32ebc9

SHA1
037ff130fde904ad8ba5c5932981e4dae2e4ee17

SHA256
44cd6f0cf6f50c77d234b1ce5891fe86fb635c586f1b2eee9fe6ad2512dc2064

SHA512
dac9f6ebb14d3e9de274f8d9a848301a76ffd5eae44724ea34017edd291b6a83207773846a81c98b2027e5a76dc2b57e2036895e5f73ad9446ad264155e13ca6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\AlternateServices.bin

Filesize
8KB

MD5
cf6e2fb144557aaf166034351be53f0b

SHA1
ce5608ea3382f131f9c1486cbe28013e215289aa

SHA256
9f7473f123e9e6b5938925c11462caf02963ed74b889d2918424d8ce24f6b475

SHA512
a2c0fda661c155027b9e7208abe0cc14705a87122c7ecd9d9bd0c811de4bfa355d0955a400d6811209423c6a65c7fbfa94e0e625a9d1eccd34127d1a0d80068c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
45KB

MD5
5e88894b6eb6b622bd5dc99ff210e491

SHA1
54f19b3229a1db0307ae986fc894cda3f53df9aa

SHA256
0764194f99604e75fc7baa680a1cfa5f4d76213fdf8278a9a4315d4f6c99a849

SHA512
c1ea7f26c5e13e653edbd93a44c750046a40c133489bb7bef2a285a4b86c9e4dd4d2b173e6325b4550673e30eacc1af0cc60760467fd8696132bff668211c251

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
44854f404c39cb149b3eb85e635abc30

SHA1
fabe6be18db0516feb5a3fb4d8a7839d6bc35002

SHA256
275e354925de7ffca6ff9d1c8069f6663f9ba9e304d15924eb0f110e35567461

SHA512
fccac4756e5d6947d24da89f2ced796bbdf8ec22126c6f627dd77c8ecea22cd4693191ff1bcfec1534383a05c5b9b250ba2c1446bb5062d86e9c9ed47ed52018

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
7345f110e4201c581ce929f63d55ca72

SHA1
5698e3c67f28a43a214dd4a8575431181926e9d5

SHA256
ef14f129355d1e7039e3c969440aec71096ea12655605b6c67b6766bab3a6ae2

SHA512
cea1367166a30e5c36bf012f69bc2238ce189f55e1cd8c3448e822ffd4b74be2e8c8cec13f194d3f1d3029aa45d64b776f270d1134138607799e6d9c6320f43c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
fd7c122c7852eb371e0e3e59c476613a

SHA1
0c6848b0af1918f6de8185bb56629fea5251acc9

SHA256
c6f1599bff46ded3cc66efcf5b0da2605e03a233b35a5e4d7432b86acad7270c

SHA512
d45396fce25b00980ce9a1444c4d0360a0fb5d3ee7ddd80302b499c65e2878b1f913adbc32f972333a99aed15af2849d22e19ec7323585eafa064465b53c191b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\0a55d00d-9aee-41d1-9171-4d59b5563bcd

Filesize
659B

MD5
e753fb074cfca37979b0cb510e9a0cd2

SHA1
9d9eb25272fe9051d869c42cc88184f3d0f1e0dd

SHA256
188072db83d2cc2823bd59fd6009ebae33d219f8c2ccdbfda563a27ce0bdb455

SHA512
a74ad85feb29f251d3c7310a3cac55c51a9e64d1f817d38b67ed46adf901a61f4dc136d0624ba999a744a48e7c58c73bbc9504b10847ab0e480a41cc25367d03

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\datareporting\glean\pending_pings\6529d643-c9ae-4536-ab35-4f53de784d68

Filesize
982B

MD5
c4511a18c4d9e3cfd51c6bbe31641b09

SHA1
e3676a1bec39b8517bfaed8ca80707f4cb7dbf9f

SHA256
1535e8109ca9534e9654ea10062704ea85ed9520de2a880ac813b3240b60012f

SHA512
71bb65693b9190065ac9e25015507f0df90a0a89be90c21cff442c3fbba32ce56cfac93582931277653fd09db9518a3c629b79008178fa585c2f29a1070f10e1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs-1.js

Filesize
11KB

MD5
29278ea698519b5bc5a24f49e82e80b8

SHA1
511857be468156bcc66c538847bf688c13baf6a7

SHA256
d02d5450ea4ea2ebdad6cfadc171ed1b6379cff6118cad9dd9226b758e98e379

SHA512
67025e50890ebdabd209fccc73047e83501aba07e97aee2e1fe1952a6ff30cb4aee4d91681df6ea66836f7d8aeaaf7e786cbe8bad1219dc6ed95bd76c1e65ddc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\prefs.js

Filesize
10KB

MD5
37301e31b2a9dad91b511c88810e1df9

SHA1
329c24f21b11de4b68322be2a16ea41218b83722

SHA256
7c98042aca4560d3b6c6574e030f93e8a206f44b690993882ef52db890f57a9b

SHA512
a725b4708d1c92a748df177104a9dd967ca63934d0c08517af2e15e794fe1b9ae3b16cf5be0292ed3ffb2b4933a0b39cd3757cee1c1aa1c1641cd2aca1eebb5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\adahrqhl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
576KB

MD5
99a35dc3d0a12ad2789eb2b4d2678060

SHA1
547cca7407a429666c298bcf962dfa38535386d6

SHA256
5924624fdbb4532bc492ebcd18eeea68c58d41abddc87d0aa0ba8fbe1a9823b6

SHA512
852d157013ed63a3b849571b0fa56c2286298dfbb83ad8445abd8d82203e0bdacf3f834bed84836308f07f7f9ebe6ef17b061086ad7003f5bb6c098dfdd0c406

Download Submit
C:\Windows\Installer\e57e0da.msi

Filesize
8.8MB

MD5
c094ae439f4a97409d752fa64f6eab86

SHA1
e607d4616a2262bb245c43269d7c3f769269e5d0

SHA256
9ab1f0f955d23c0a2a0e3727a9f778bef9057d4b615df3f6194906dac49e2c26

SHA512
df8bd4db2130cdf94493caa170801cfc1e273aa22253d33b066db3be56b164c904f54172bb6f60afd131f9459a8e9895d718bb905420f067936862d86ed9506e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
0f4de0da3b0ba50c3443d4792fb48d6f

SHA1
768df15890c8bfc123c325c1cfade7675d3b5897

SHA256
3a965859f3a5985635a6b1561d5255d53c7c5604f77f3b4ee91e280c8d267f82

SHA512
71cc15191b3f6a039e9f8e90a386c565a704481172545d8cfbd8ad9e1efd1770b21bb0fb19529337fafa8c2137c5987edc2020277efee1f8bdecea0d1140f8e9

Download Submit
\??\Volume{de8ebc4f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bdea8e06-ae5d-4091-9f19-84d71ddbfd3c}_OnDiskSnapshotProp

Filesize
6KB

MD5
fee02323fedb0a47be590e506940a093

SHA1
842091f367ab21d3178f54d7feed6bbf0f8f6b32

SHA256
3afaaafdd106d2aab873b3dce3fccd06c0fd9362d600a40520d3161780f3a1ba

SHA512
68cb6d0137709b5eaffc7aa9fc1aea794f181e88b3485eef6ceec51867ac200c8140f9ed9aac23d96a5da7cd0b63775f4f9bf83daa98d663726a394e2ce7f4c2

Download Submit
memory/784-642-0x0000023DC0340000-0x0000023DC06B8000-memory.dmp

Filesize
3.5MB

Download
memory/1756-182-0x000001344D340000-0x000001344D6B8000-memory.dmp

Filesize
3.5MB

Download
memory/2228-359-0x0000026180010000-0x0000026180388000-memory.dmp

Filesize
3.5MB

Download
memory/2248-234-0x00000201AC6D0000-0x00000201ACA48000-memory.dmp

Filesize
3.5MB

Download
memory/2656-1539-0x000001A3B89D0000-0x000001A3B8D48000-memory.dmp

Filesize
3.5MB

Download
memory/3092-235-0x000001A0204E0000-0x000001A020858000-memory.dmp

Filesize
3.5MB

Download
memory/3092-86-0x00007FFE65720000-0x00007FFE65721000-memory.dmp

Filesize
4KB

Download
memory/3152-357-0x0000024F34A10000-0x0000024F34D88000-memory.dmp

Filesize
3.5MB

Download
memory/3572-1541-0x000001D995B40000-0x000001D995EB8000-memory.dmp

Filesize
3.5MB

Download
memory/3916-433-0x000002043B4E0000-0x000002043B858000-memory.dmp

Filesize
3.5MB

Download
memory/4264-338-0x000002E780010000-0x000002E780388000-memory.dmp

Filesize
3.5MB

Download
memory/4468-434-0x0000023FAE940000-0x0000023FAECB8000-memory.dmp

Filesize
3.5MB

Download
memory/4580-640-0x000001E737010000-0x000001E737388000-memory.dmp

Filesize
3.5MB

Download
memory/4892-641-0x0000027F3C2E0000-0x0000027F3C658000-memory.dmp

Filesize
3.5MB

Download
memory/4940-432-0x0000024B26FA0000-0x0000024B27318000-memory.dmp

Filesize
3.5MB

Download
memory/5980-1540-0x000001D1C2150000-0x000001D1C24C8000-memory.dmp

Filesize
3.5MB

Download