hxxps://drive[.]google[.]com/uc?id=1AF0EAarbbbWm-dVra1jtNcHOfok3sam9&export=download&authuser=0

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1AF0EAarbbbWm-dVra1jtNcHOfok3sam9&export=download&authuser=0

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1264	msedge.exe
1264	msedge.exe
3460	msedge.exe
3460	msedge.exe
4084	identity_helper.exe
4084	identity_helper.exe
2524	msedge.exe
2524	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4664	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	firefox.exe
Token: SeDebugPrivilege	3412	firefox.exe
Token: SeDebugPrivilege	3412	firefox.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3460	msedge.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
4664	OpenWith.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3460 wrote to memory of 4072	3460	msedge.exe	82
PID 3460 wrote to memory of 4072	3460	msedge.exe	82
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 3112	3460	msedge.exe	83
PID 3460 wrote to memory of 1264	3460	msedge.exe	84
PID 3460 wrote to memory of 1264	3460	msedge.exe	84
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85
PID 3460 wrote to memory of 1648	3460	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/uc?id=1AF0EAarbbbWm-dVra1jtNcHOfok3sam9&export=download&authuser=0
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff93cf746f8,0x7ff93cf74708,0x7ff93cf74718
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5336 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:6396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:6576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:6976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:5864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,11437481078503002666,9598543569352475513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:5508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4664
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf.rar"
  2⤵
  PID:3556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf.rar"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:3412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1908 -prefMapHandle 1900 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {75173486-e301-4398-8f89-a7ac716e0c2d} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" gpu
      4⤵
      PID:4560
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2468 -parentBuildID 20240401114208 -prefsHandle 2460 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {678de11b-6dd7-450b-8d6f-22201e76fd3a} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" socket
      4⤵
      PID:3040
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 1 -isForBrowser -prefsHandle 3328 -prefMapHandle 3056 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b71f16c-4487-4324-8da3-13a5d2e43642} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:5368
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3676 -childID 2 -isForBrowser -prefsHandle 3632 -prefMapHandle 3280 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82794980-97cf-4836-ac7c-1f1e995e60f6} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:5528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4476 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4468 -prefMapHandle 4464 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fb75df68-3a28-4c2d-9875-3a20768a60e5} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" utility
      4⤵
      Checks processor information in registry
      PID:2980
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5452 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 5464 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {034e6631-c946-401a-9d02-16d320826e87} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:6756
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5416 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b06b22b-4d92-4988-9bd2-7956cc476013} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:6764
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5860 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {987051a0-c5cc-49f9-b9a4-d57ebaedafdf} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:6780
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1688 -childID 6 -isForBrowser -prefsHandle 1384 -prefMapHandle 2716 -prefsLen 30493 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f520d4d7-8de9-4553-ba35-97a84f138954} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:6980
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6220 -childID 7 -isForBrowser -prefsHandle 6280 -prefMapHandle 6276 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21fb4f41-0ea5-4f5e-be6d-261f0c76e2a6} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:5848
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6372 -childID 8 -isForBrowser -prefsHandle 6648 -prefMapHandle 6652 -prefsLen 28038 -prefMapSize 244658 -jsInitHandle 1096 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0a23105-8462-4f7b-b422-809e2b4c465b} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
      4⤵
      PID:5104

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf(1).rar"
1⤵
PID:7068
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf(1).rar"
  2⤵
  - Checks processor information in registry
  PID:7084

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf(1).rar"
1⤵
PID:5756
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf(1).rar"
  2⤵
  - Checks processor information in registry
  PID:5736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf(1).rar"
1⤵
PID:5908
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\DOCUMENTO DE COBRO PRE-JURIDICO_RELACIÓN SALDOS.pdf(1).rar"
  2⤵
  - Checks processor information in registry
  PID:5928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53bc70ecb115bdbabe67620c416fe9b3

SHA1
af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

SHA256
b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

SHA512
cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c2f98e0739a43f57337cfcf6c39fc82f

SHA1
09b2e9cb6c70530a03fc7cc012c21fcc245bf870

SHA256
2fd9da9745e00ad04a36635f101e53a875d5c954e8c382c3c5af5c7694810525

SHA512
da1ae5abac2bf6dccf512dbea10f234b28f02cb17634316a897c4efb8a3eae26f2a94d0a940b7f85c5679ec871882266311b2f02c770c3b66d6adcd25f7fecd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
66494bc7e269250a5af33579c94faa08

SHA1
e9927421bd76924c53f40c4172317997ee7f027d

SHA256
66c4615f2120627c9bb418f3cdbd2848d715cf9513c3e7ee70b32c6b215c4952

SHA512
6e056ff9650e958ca231487abd647a609eadd60de28f17ae6a478fbc435ded25ec17b0fead969c73b36fdd69959096001e2d9d86de73fb01bd2701db4300790c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c3d78121dbda7c5a6d986a8b8b1d1943

SHA1
f979b5c91aebb9b8053ac7ec7f6c91e9822cb8f4

SHA256
2ee17b56dd7a3370ac441b9bf11d8ec69a509eda3c56781d64f1407b43eb87ab

SHA512
ee71442655575ff8ae20bb5548caea16d225bedc55f97bd29ee1ce43728d8f87cb2ba6e84c1885cf00173ab20b9fb7e5694c3b5ad8323aaa85ca5e442adbbd61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ca9dd8fdf92991a4c5f986d32260725

SHA1
432b681d176385817d49e5e4bb4012e08ac37603

SHA256
de81a9d46686811ba9264bc579884b7afe720ab9e3f5c468f70007ceecb3b527

SHA512
0dc3ce82ef3dc46b76152f738a6ae2513a5e1679e199ef75292058f836cdd921a977a07e65d42638aca106c23639e26adbb7b4137c37c46de236285cb41a4a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cb671a0fa410ccc4e07086cf4b423878

SHA1
7758768dc736fbda6d9544c17e1d9477844bce3f

SHA256
52d9edecd232c59256c491d157406c3228451d7eb77b09f9230b9f3b1b114450

SHA512
ee7213bd199001cd1655ecb5a12b7a94c5dd2282ce3aba2714109bad220d6f9ed0501bd1b5d26ef3069d0655d0b0e61d541efabdc94e997f7db971d93e289bad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0dd919b63743cde1da87a965035f205d

SHA1
a17f6513bf2058498f881add7298c78919273d22

SHA256
2b1c70aaf7ee00995279d2655a20a3c8bbe04be15a833e1250b7cccd9e4d86d7

SHA512
c8edb902a9ed7013d0a78174ba8b74671fe3ad9e5db63f138d0738460373e4f9a9cb7505b09c623e10ae309813f25b7ea36bec7939b3622062121f85cfdff5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
f0ac909ceab7842858e8c4ff8e891c35

SHA1
e604f72f3fd7d989cccee6486c00e7919b900af9

SHA256
0ef6ab96dc519b177b51b4055584bcb3c06f2dd75951aee15f52d2ef9a9de241

SHA512
8b2509d76e430986ab7b131388845eafeb399f1b9282bb2eae18a897ffd66da9eb9b334c5fa7c18963c5eb904f074c2c924349fdc61f46f9eee6269420562f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a1a5.TMP

Filesize
204B

MD5
57e5edf340e985849ba8fe3982793b53

SHA1
cac63a7b7f24d4c07c95391edcb5defc573ba505

SHA256
054c8c77716e670ec41bf10a38bee6891c48a41574e11fc6ac2c3596b7235c66

SHA512
02714547b01e6da60926c07d9f9c5409cf80e2d01442c2b1886cdeacd5a5736fa66cb43cbfc30e374fda9e5841bdf5b7061cc7fb6b8cd9c3b581e4d927fa5835

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9c0c43a6854bb90e49cf09589ae859df

SHA1
0815be2013b2e5d847f849c8816afe50eac343f9

SHA256
8644b5da58f5e2e115fe4e68ad13563b018fc7381e1c65b9011529c348351e31

SHA512
6e50f8b7f18941dbc11622106cce713dc6253de014f1cd17f40f137285ae71a238e194a71f3dc648850c24f33649912fd09ee5804128fa3aa086f390b7cafc93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
50dfefbbf131ff2c727e697ec0f1328b

SHA1
9e7d54db574b34299545271392089b8745a61751

SHA256
3fb3e289e9b2134f6f095f60509739755df3727d93463f1a2d587f9e78f13a09

SHA512
a915aa2b4c1eb654f18f49cefd19c1520215b953b2690e359b27497dbf898de834f3e407aa92f7a12f6ca4c90ff2a64eb979ba42c243c71fde07c0a50d848b7e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
0e47f47e45f1d1ec077a350ce767866a

SHA1
dd5f5420d14c12a123799cc7d0a60c5719077b32

SHA256
09edb29fa3f8423e8e72d9bffa8c00519ed8b0500ad97934ffd398b912fc100b

SHA512
ecdfda7e7a3cc0fa98500ffb60c5da5c97456bb075c4185c26a5550e8a3e3ae2d44cca658877154892a4699df692005b853a8883297665020492e05a4c7c45f9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bxumog7h.default-release\cache2\entries\62C514A3D9BDF3FCB31C6A5B8A4FF2FC8BEF667E

Filesize
221KB

MD5
a06eb1406d58b6b87c8cc60bec797562

SHA1
f5b65049e9d14c7bf9a4542357b402fbe34e3fe3

SHA256
59d7b2be54f07e1b488f98bf3ae78ac6ec8d757df60104edb340687cbdc97f0d

SHA512
cc46921713d61173582fde4662f58c5fee13eed4f005fa77f25f1f04b3ca289ea29cc9bd92791dd50b563e02c86b156c4918c8a878eb6db02ad480d0fbea481d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
6KB

MD5
d429eddcb1466d28506c34a501f2dbd7

SHA1
89f788fadf8cbf08315af17087e32a7ecaef0b54

SHA256
6c647dcdf14e0cef226eaed35cf5b99f8976bc80711aa5962acfb13423411f7e

SHA512
2e5047a3ad0e54d6b1582042473fed3c455e932e4d3c2705d6599751226fba4b3b6c803dd641ebecf8cb57de594d8c411ccb9dac98a37eb98ed057284e1fb6e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\AlternateServices.bin

Filesize
8KB

MD5
945eef2d8e2d00a0dfee0566208f3ce6

SHA1
477d1f6bd45f2ca729040e4324e01f1afeba001a

SHA256
cf6978ea7e2cd5fbd390f5c5d345b68c1e793116f9ca35e98229b1ca1b974ffa

SHA512
fc6a2701296d8ba9659aac723f9e0a5af26d70e80dfa7a3d7a829ba0afd95f3007cbac0348f234b27678bdd3338ed87c02a70f51b18d87ab6a3db252c06eb764

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1d30f25a0c8c4a0c66b38e9cf3f8af9e

SHA1
a1ab47c8b912a3d4120e81e06db18d7db9cbd385

SHA256
91e75a60df68e580325ef30ab851c302c0c4566cd0c8ac0b539d2cbcdfed43ac

SHA512
308e515cd387216eb5525c70cc4487b80ee4e366cfeb20697f4b4f869e68cfdfc24bd9e2b3fae92db5c3b62156b50046ac62221b30058734f924bc4b69b9805f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
15KB

MD5
1646c114f9aaf0919796fb7f58830ced

SHA1
1c5fe639ad3ace58eedaab9f5d309ec7f3622bff

SHA256
200f08369b8b7facad1f29853912db0df4cbc6d4620aa7dc0262d0084fbf8f2c

SHA512
3d746145d1799a849c3636dc063a94d4927204130da893b1f6c056e4e5ba3f702fc475a3309a1b86fd49ff414afcc8f77285c50a9f03121b16e3c00152b9f019

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\20ab2cd2-e63c-4e41-a658-61c153039fe4

Filesize
982B

MD5
dddc350e77b6f019f85804d364f764f6

SHA1
4ff67db074ba4deef52b764caffafd5748c25df5

SHA256
8b58ea3c857f6a76ab20a4aefd1e111a557a69cfb38619b32d1c78fed806629c

SHA512
c98b4c211a990e033a7e403098a6c333e3f2a4a765c803bc84c503cfd865242bcc2d7c39a50e192110bb44e6cdddb1f51b131fda937657d8b79128276de46036

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\572b3609-32f2-42ab-8405-4ab29f120e2b

Filesize
26KB

MD5
8e5a746b8f17a7b5563761cffedfe629

SHA1
45328dc8f5b909a1b7fbc3340f89dcfae3b21f62

SHA256
2350a11c41026ce164cf5be5a7ef1d338e9e132dde86ae0e9dfa600ac5e5ea0a

SHA512
29a458e7bf787772547bdeb0eafa0468441b3c5e5589a9ed8e6847489c319beb1c7f8595bcc1d0d04f305e19beeee51d0e2039cc11339d79384573c71347ed8a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\datareporting\glean\pending_pings\d6048242-5c16-4d67-90ab-06b16f2a9380

Filesize
671B

MD5
c24d4f440af8bae1c213bcbf716390a0

SHA1
a22e49a1a0f26556e26c6dddfcf90deffeeff918

SHA256
7504418c90f2864fc6f4575eeb009e10d76e1ecd31c6af84d5e968edd243e0c7

SHA512
9e083941adf8db0b02cf263a015b1518cd24af7d27f25d983aa1390c60dfbffdd6a64faaa69accffa72cbd0fc9acba7f26a91a95825828756242a58d9730fad1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs-1.js

Filesize
11KB

MD5
42e0a0d2a3dc46b9ed0b528fc7ca34c7

SHA1
56dfa5bf4fcb058c95f506487e089e4dfedcab6c

SHA256
e443227ab98c9b8b565136880adc4ba7c327df8ccc98b724df7e5474da753ccf

SHA512
fcce347ca6742c5c62d2d08b893e321d4208ee45fa0aea8e9cc907b8ea08a941d5f7e8cf882a6e6d94a06d7723ff06a079a985b67c947d06370853d1fb476e93

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\prefs.js

Filesize
11KB

MD5
699006d1999b17ed4d590047dbdb2ae1

SHA1
9896c4105ff069ea7eb3f3e3fdb4b18f99dc56e0

SHA256
704ebdcebe37320a5e7d3371bbf2888414f697174caba1117bd734caeaa0cf1c

SHA512
c6a9426db57e51d104eebefe64fba5344810eae013ae5fc742ff0856bbf516107c3ca103f242a1f25b5d6ae62c469c894bcbce0ac0a7dfc4d781712ab64872f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
069be70fc2e71e354b9d4e04972770c6

SHA1
5a68e684428fb4986cde2beadab910023fc28d78

SHA256
8d973e856a67918746e76e2e17613945ee90440982a25412956ca42510d14287

SHA512
b48dc9867f93d85630eab9a7b01ea606f05f0ccb88d2cfe9b800909e5390afa5b142559a6afe45d3f3c4e1d66a5ec427bed82ae8869a7b22ac1b89cdc1f25319

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
14d6973217cb99181a3624f321ee0382

SHA1
73db1884347f18c3eec43295c9e8e789e2d21d1e

SHA256
98d5fa5460839fa45084503b84698c536f2456f67ed9d71089e1f880b0c36815

SHA512
20cbe2819fc13883085bde77799506945757595a9200ba548ad9f419bb023b72e69bc32a16e6b9952529e12135d66cc3c16f32692a912daa01ff5dc4b16b70ec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
b5168423df14b2f3e42cd039fc8518b1

SHA1
b2d5b32cb996e6370cf8ffe50e8d5e1174b9f363

SHA256
7039284a11a138ed1a22a968e0424fba7eeaa5f49f04a59afe7ec0fdface2e52

SHA512
0a5e80b958f21b6cc63b7b96821bf303f12524e3ce13ac24493e79d05b886773cf1c41788a798607e2e0cf0bd3bf697b249de634ed7b8b14ee60d2e6f029ebc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
2cff73d0a904753d14614b21c2618c32

SHA1
6c4bd40c2d15c36f9a868e9025ce1e07f3190460

SHA256
d044d5bd8b22b6d70814f11620c7105b4ef2d819dec5ad05e4a20aa3531306b0

SHA512
5f9ae27c3b55c42267c1668230d96e83dcd6590fa5851ceea8b28a68e350647d2aee299e41919fc46ba24d5f749ba5e4387d9c9578cdc3301c0c3e8b998c7ead

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bxumog7h.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
384KB

MD5
370b873dddcdeabeeefb103d9c174ef8

SHA1
a8cc0536b22697b46ab47cb6ec6b02370329f669

SHA256
c4245cb68366d5f340e20f61ec737a45d84346701d1741a675f67a45a731904a

SHA512
917e211dba8ec71def9eb2b69f5583296373aecd03abbc914a55f69f80fa77c04bcf754d9a20f7d7a7c669b35ca8e495037e327f4c6df2a477a2dd11aadee575

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 974965.crdownload

Filesize
896KB

MD5
dd2fbadc7a259dc3cd3dba056be012a2

SHA1
87264900512c15d8a8fdc72558a01b1db98ae3c6

SHA256
ccc3d262e1ad605b0d90d9ee7f6a98e531da32add182cf6e980b8869219049bc

SHA512
d912f993dff546afd26546b36e6e94518c614fccbf12c30243233d9f6a47b355b645c03ab0c74b4496d5acd43f25d1de879eda2d11c5b4b5ecebac6647b420fc

Download Submit