hxxps://github[.]com/pankoza2-pl/MalwareDatabase-6/blob/main/Trojans/Windows%2011[.]zip

Resubmissions

13/10/2024, 17:27

241013-v1fj7stajn 8

13/10/2024, 17:23

241013-vx5d6asgqj 8

13/10/2024, 17:21

241013-vw7swsybmd 3

13/10/2024, 17:03

241013-vkn7easaqp 6

Analysis

max time kernel
1048s
max time network
1053s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
13/10/2024, 17:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/pankoza2-pl/MalwareDatabase-6/blob/main/Trojans/Windows%2011.zip

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
122	raw.githubusercontent.com
124	raw.githubusercontent.com
126	raw.githubusercontent.com
3	raw.githubusercontent.com
8	raw.githubusercontent.com
26	raw.githubusercontent.com
27	raw.githubusercontent.com
123	raw.githubusercontent.com
138	camo.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\NodeSlot = "5"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Applications\7z.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Applications	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Applications\7z.exe	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\NodeSlot = "6"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 8c0031000000000047595065110050524f4752417e310000740009000400efbec5525961475950652e0000003f0000000000010000000000000000004a0000000000bbbcd900500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 5000310000000000475978621000372d5a6970003c0009000400efbe47597862475978622e000000d49e020000000400000000000000000000000000000045f2b60037002d005a0069007000000014000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Applications\7z.exe\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	OpenWith.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Windows 11.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\YouAreAnIdiot.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoSleep.part01.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\666.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\LogonFuck.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3964	msedge.exe
3964	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
1572	identity_helper.exe
1572	identity_helper.exe
4744	msedge.exe
4744	msedge.exe
1196	msedge.exe
1196	msedge.exe
4956	msedge.exe
4956	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
5000	msedge.exe
5000	msedge.exe
3272	msedge.exe
3272	msedge.exe
6108	msedge.exe
6108	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
4624	OpenWith.exe
1520	7zFM.exe
4348	OpenWith.exe
3596	OpenWith.exe
1488	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	884	7z.exe
Token: 35	884	7z.exe
Token: SeRestorePrivilege	1520	7zFM.exe
Token: 35	1520	7zFM.exe
Token: SeRestorePrivilege	2588	7z.exe
Token: 35	2588	7z.exe
Token: SeRestorePrivilege	4824	7z.exe
Token: 35	4824	7z.exe
Token: SeRestorePrivilege	3720	7z.exe
Token: 35	3720	7z.exe
Token: SeRestorePrivilege	4456	7z.exe
Token: 35	4456	7z.exe
Token: SeRestorePrivilege	4172	7z.exe
Token: 35	4172	7z.exe
Token: SeRestorePrivilege	1888	7z.exe
Token: 35	1888	7z.exe
Token: SeRestorePrivilege	704	7z.exe
Token: 35	704	7z.exe
Token: SeRestorePrivilege	1684	7z.exe
Token: 35	1684	7z.exe
Token: SeRestorePrivilege	4064	7z.exe
Token: 35	4064	7z.exe
Token: SeRestorePrivilege	900	7z.exe
Token: 35	900	7z.exe
Token: SeRestorePrivilege	3632	7z.exe
Token: 35	3632	7z.exe
Token: SeDebugPrivilege	4176	firefox.exe
Token: SeDebugPrivilege	4176	firefox.exe
Token: SeDebugPrivilege	4176	firefox.exe
Token: SeRestorePrivilege	5296	7z.exe
Token: 35	5296	7z.exe
Token: SeRestorePrivilege	5280	7z.exe
Token: 35	5280	7z.exe
Token: SeRestorePrivilege	5828	7z.exe
Token: 35	5828	7z.exe
Token: SeSecurityPrivilege	1520	7zFM.exe
Token: SeDebugPrivilege	4176	firefox.exe
Token: SeDebugPrivilege	4176	firefox.exe
Token: SeDebugPrivilege	4176	firefox.exe
Token: SeSecurityPrivilege	1520	7zFM.exe
Token: SeSecurityPrivilege	1520	7zFM.exe
Token: SeSecurityPrivilege	1520	7zFM.exe
Token: SeDebugPrivilege	4176	firefox.exe
Token: SeDebugPrivilege	4176	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4624	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe
4348	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4524 wrote to memory of 4340	4524	msedge.exe	80
PID 4524 wrote to memory of 4340	4524	msedge.exe	80
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3372	4524	msedge.exe	82
PID 4524 wrote to memory of 3964	4524	msedge.exe	83
PID 4524 wrote to memory of 3964	4524	msedge.exe	83
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84
PID 4524 wrote to memory of 2296	4524	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/pankoza2-pl/MalwareDatabase-6/blob/main/Trojans/Windows%2011.zip
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff858863cb8,0x7ff858863cc8,0x7ff858863cd8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4976 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6360 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4824
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3720
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:2260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6508 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,7229503886974087215,14861798930552216416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6596 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1696

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5068

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4624
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:884

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1520

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1676

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:796

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4172

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1684

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_NoSleep.part01.zip\NoSleep.part01.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_NoSleep.part01.zip\NoSleep.part01.rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4348
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\NoSleep.part01.rar"
  2⤵
  PID:1028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\NoSleep.part01.rar
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:4176
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1708 -prefMapHandle 1868 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a625e87-d460-46df-b602-4ffed6ce106f} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" gpu
      4⤵
      PID:200
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2384 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb32e559-e60c-4273-95f5-78e03bba5c61} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" socket
      4⤵
      PID:124
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3172 -childID 1 -isForBrowser -prefsHandle 3256 -prefMapHandle 3048 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7def078e-7208-4531-9e38-92fad77254be} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" tab
      4⤵
      PID:4800
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2632 -childID 2 -isForBrowser -prefsHandle 3616 -prefMapHandle 3608 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c410b09c-1d58-40b4-9f47-354ca478a786} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" tab
      4⤵
      PID:2644
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4204 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4200 -prefMapHandle 4248 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6a982745-f1cf-4ce9-8035-79cf42703846} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" utility
      4⤵
      Checks processor information in registry
      PID:5256
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5636 -childID 3 -isForBrowser -prefsHandle 5624 -prefMapHandle 5620 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5cca0f6c-a888-4a81-bec0-a6a48eb4bad1} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" tab
      4⤵
      PID:5868
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5652 -childID 4 -isForBrowser -prefsHandle 5792 -prefMapHandle 5796 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {62f81ab8-e398-43e9-9145-10016bfd562c} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" tab
      4⤵
      PID:5880
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5968 -childID 5 -isForBrowser -prefsHandle 5976 -prefMapHandle 5980 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1212 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ea4a502-cddc-4096-859d-8c596181a3c0} 4176 "\\.\pipe\gecko-crash-server-pipe.4176" tab
      4⤵
      PID:5892

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01(1).rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3596
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01(1).rar"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1488
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\NoSleep.part01(1).rar"
  2⤵
  PID:2700
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\NoSleep.part01(1).rar
    3⤵
    - Checks processor information in registry
    PID:5684

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\NoSleep.part01(1).rar"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5828

C:\Users\Admin\AppData\Local\Temp\Temp1_LogonFuck.zip\LogonFuck.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_LogonFuck.zip\LogonFuck.exe"
1⤵
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
1.8MB

MD5
175b805d24e229058c08e061df361c2a

SHA1
e50b65f12f507a871878440e39a088184d9bab18

SHA256
d0dd111aae59797b6d5b58954426818e6c837b1534f4012ab963e249b134453c

SHA512
61cdcd7f389f0a43a8eca8319d304c496b025b5b4977973720cdcdc70f77c9723b56b55a6a2f0b37e1593f400ad46ec63d963c9fc8c311be5f95150023c1f9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
8.1MB

MD5
a2444f7dec45365dfa277ee47db79e0a

SHA1
d5edea9aae89e5831ec1a36afeddbb71f774a4a9

SHA256
7236f49aa234066854570520a1473a55d0c9698a859008d38c13859502c88201

SHA512
686d182b15224b66bc2509633479ba86f2e59bf5679f7bae2fd897decbd28fbaa7ff1d546468e1f195f78ee46d4b023b8d7f32690f8464504e635d62742111a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
148250cbc61c47a86e818811566d6ca0

SHA1
4cf9f7586b048a4878c89b7940645aee18b052e3

SHA256
10deed58089c7f53eb685eda355c58ffb73babc850901b5d75b1ee675ed6999b

SHA512
da0fbc956bef35f6f8002c7cba055137da45a137ffd3a34c8922a1797b8d7c2148c7085049044373aa931731395daec17244824953b134263d41f441ba166d6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
492B

MD5
b6a9f3329ecad77565cd79d1ef208a99

SHA1
0f7af4c86ee34829722979b347253d50df244ecb

SHA256
6bf8bea21bf63b329cc8076395d924bd4b84d66be429edcb51e50d5ac68df075

SHA512
f1eb3f0ac3c77b65862215d749801f00ca44c2e5aeb2033c1cc06276ca3f39ba413d032c937d4cb1db7e074c41a04a123b05fecff5ef8a6bdb8cc2f0068136cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c4f604181722c8f11f64e54b09909b4b

SHA1
53b3109da281c2e5700967f4e9dd054152931805

SHA256
dee1c4503759077ade979b47630200e71079327a42df0cec06304994fa21ea13

SHA512
ffb74ce29ee0e40b61991e2633c05a1ac46f74f9c52d8ce9e42944513250f4dc1ed681218930c18a8b0fa111941c12bb097caff69abd1554d173ea7703413611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
243a01ab1ea3be88596ddf0ff45c92b6

SHA1
6095febe769c7cb38dc09eb815355be2caef9cbc

SHA256
9febc5b638de46b757aff327d90feaf9a694f3c350e7e94aee5b71b6ae8bc8f7

SHA512
70206a71e79583005e1a9f3bd6fb7951531bc44c37c08ea253078f02485ecbfab65aa1cace697191968b58279d237a6ec66539b0d5cf5440f79c08c7c938a08a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37d667e8169fbde4afb3f853410fc114

SHA1
e757a6cc9d0474a5f8cf467aecc0f671ef517f9c

SHA256
7acddb9a46ae3b1198feb619e5f67a94706b504da8aee369dc3f2b640222467b

SHA512
594d5fbe74bc607a67dfcddce947f58b5aa845574c08922479112d18a8e306a016d5b58a03102084b99f94885e13b0fdd7f2f1927b78bf038c3d320318277acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
6181c08ea62b8b98be852efbdd7ccac5

SHA1
0a8644cd8fa3cb428ba7764ad370681e28d81ac7

SHA256
d895c30d98738a902f72a2fa25e54fa7c610acae5ae9c0b0fa182f42e41c11ab

SHA512
58f72e396f742f1a253acd77792a618aed44974ad4abeebbbf907629485ca1b20f7db7b198267a396a4a94eae9e4d9434cf3a40f87a82dec1330808de657c5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
6b44ffe50c03146c3a08369a04897433

SHA1
f2126d1feb395d1c2bb6ae458422ea996d92512a

SHA256
4cebfb752aa12fe8a38a99535ab29d4ea9095d3fa4228961c7fe483f9861297c

SHA512
2c3a3c6cdbbf57532245a1b727a2a5f1b8ea4b1cd44b3fca19896a81ed54d7bf748731544d02c9ba00b748384f97a88cb19455ea2051323c0550a0be40c87996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
005296b6dfed007369ddcb5ea53df263

SHA1
6f6644d78785c503968fda444c8bdbf7be8b42f8

SHA256
78a8d57bdb0a6bfbdb310668518f148d99cf5f1ee39183afc003112aa09bb0af

SHA512
1bd7971bbe21d1d31927e4b09d567652557bfa9fc094b7e6f0df6b01a561d7cefa97331bb59186229e188f0469fb771a96236185fb6dfc2034fe2732cfd9b817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
bb51eacd8da65adc560e5942cb9b5fa2

SHA1
4f0096f56604614e6fc5911f889741b59e07cdc5

SHA256
99d3f164e187bc6b31e3f096e7b7990c3629c8eb16edf5d917e07e368c84ce80

SHA512
3618ec9a6f919b81681398e516b7ec723d581f88ac566712f9d50d774de91d6ab12fe1469876659a1e0dba34c6f598e3bbcf6a3dd83f93f248477a26c557135b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
969ef64ffe3b04c236f16b4a41506117

SHA1
a3451321f4e71d342cb5cd5004aa47bfcea74854

SHA256
7764f4c5780623156d9fe377a3f5b165fd6cb80a8d6d35609735061f3d18bd97

SHA512
051833701eabdd606cefd799843bc185554d2c55e28aa7a8fbfec4d7a83e8b0f328906defb638970066171838904171f6f6d246a007611a2d62b6911379cb1d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
862B

MD5
58939fcfaba2f0a668e77b292e2d3788

SHA1
5c214feddd482f040cdd1fe3b2b8aedcae216013

SHA256
60279f5c7447fea09729711f7d1461aa3665354a74cf244717bd974c17890fb7

SHA512
c05af9de42ed87a09969eba4819ed9995905b15a02ba43001dc2c7e37e55fb0d4a79c90cba9c33b91fb161805eacc9384c25989dc05d0a0dbf99c5cb53cdea7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2275986f50afca51fded0862fe3f35fd

SHA1
2931a68ff879c338a17a0c95ecf6c390358deb1a

SHA256
7ca429c15560a10ae053b57812b5ef7c200d9e0e7d5fc41bda080e2b9f54ae51

SHA512
f7c93575a6b86797ea2319aa5f9b330016b958e30bb22ac7c46a4a14365fce9a965dca245d01dd4acc275dc396f0981a4382c828db6a02bbeee7e3fef00e392e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
858B

MD5
6fa492d535baf4da3d1e98f9202dd406

SHA1
ca433590f5ec5b1c00929bb7e85e513d4754e911

SHA256
5608a113036cb0af77e23578ae3db5277ab4d57b960cc67601afdd07f10574ba

SHA512
d8349fb481c7484c56a2db40666dec1667668fbeabc45f4915b3cd13ed2d740bc3db6a0fece7f217429910e874836e6cf6f8f6b5701a72dc528df9c3acff54f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
209634e656f4cf185b35b0d4d33efa50

SHA1
062cdcf9f02d911fd29c4298ccd432def8b3f74e

SHA256
a029f08848366e6836aa692f1b00832fc6631847cb9c7d929e37a3c29d2e635a

SHA512
0ce9eaa99de7393caecd5543f1f786c6debc9860b3dad0710c5b8d571358330ee4da15048d722e83f7aba8668ae961fb702b3df32175e556d1646b4c811b8178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
868B

MD5
5f474d01b3b8d9f1b38bc7a2faf2cb00

SHA1
837591930c008dfbbe2065989b60d1e6a717014c

SHA256
39f7df7d4d3a21f384c79a1dbe137bc4d9e32f78632c6680e41e32c07785b305

SHA512
bf364241a2563b80cf4d3f1a3c8ea90a3d41333d81bc2e1375407e124a8c73a9457a995b223c06fa8a1c9430b14091b94231efd2641f7119142045b13993bcb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
860B

MD5
8ee7d472db8d236443ea75da94be6410

SHA1
f7115fb797a3788a3572bc15492e981b90ab358b

SHA256
2e5a383acd6f0956cf496ef86666954717fab0a4da7893bbf41d6db6ba81c716

SHA512
1f34d0ed8300be144b164490b7b911116d085869929e15a1f9be8c6dc318e1fd1eeadd25a251f93a408ddf277b5ccae684cefb347e7d20e6cb506a132d5c6001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
866B

MD5
f0e39bcc3a5e634e15d5c744af2d333e

SHA1
aa70e7976ef3eafd722fc3861e70a70927915ff2

SHA256
c2504f094e63e50d5eb10d42dcf7d0193d389cd6a2f8aaf6ced6bdddc74b8c21

SHA512
6c42e11529fe8cb89198c009735e1e4b3d84ed7d7f40d3b1e2abec1e8adf69d8f827f233269a6ddadc11c3250319ffa70c881296faeaaea415dc51dd2075f3ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57da14.TMP

Filesize
706B

MD5
ad626b2fa722720d8b7704828a1c3f81

SHA1
136168d386efe3f6bd8234f9ced8b6bf1b96d8f4

SHA256
1592990890bd62bacd6e1dd0e115f4f54d7b9548ed2522a5606f850090990c4d

SHA512
6f90d45880ff84f91ecd8c1c018e1e88bb0e1fa89c1ce8dc132efb07895f9306e36d26f6e91fc9cc54b12fccfcdc594aab69ed3397ac1efb9f9d8ed8aa922f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7b9e829775d45eb33f7a5b82ea49cf23

SHA1
d22c30f660c1bc03a2e6587d038b328aa716d8a7

SHA256
be23abb63b89b55599ce673b3dccbebdece768c51aa79ea2813554fe4428cc10

SHA512
50ea4245ff69d45b39c4a522336356f36206c64dc5c81fa7203df9572b17d87ba68ae41ce7044389dc918d85b64495dce69ad4261a885ce00dc55a43faa89c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b2683ce283c78820fb5b39444a773f26

SHA1
511290e48d43d290e72ce6a054af47e0ccacdd06

SHA256
22a33c2fc54ec5fd31dc731a5825aef0af7d4174d64c1db0c2303e9afbaad61b

SHA512
3e4ef56405dac3840195037759faeec00bfb2b53214aaf6c88efed1081c62019f6bd8db2249babe6bd7023e8541f65ae7cda33b25d6e1df7bafe9cf2946e87ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
af4469ef8aa40533f415df9c4ffa0e85

SHA1
8089ae97d0f6998c8c64d970acf8dfe5f02c4f43

SHA256
0ab0412870b18e51896279694bdd4716ce76a6d8045e861e856510d1cccdfd82

SHA512
d7c849f086cf754cc0016029d0b4ff9a543c9e17aa4d270edc0179500e527d34420e25702f102c4c82efcd0176dbb8f97a23af662828827afc192b9ee280d2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d69f42b3039e07e8359cd8e4dccf35e

SHA1
6d4f6993871bca934070d0801d2f6db054f4eb2b

SHA256
18423776c0e4f56b6421787438d4ad6f29b455cf475b2c27ba926298736905b9

SHA512
551bffcd2f074acc499c1dd5985dbe64dbc66f701c64cc473823a34503826cf59573fd79543ad34c535a1a2f9df9ee31c32a9cb4b068959e696985ddf300b1ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
059fdc645cc8c4aaca2284b0d21266ef

SHA1
40e92eabc9029c7cd21046fcb385bad8d5590334

SHA256
b14a1eabcdcef77f63a73353b707b1035317500a7e12ebac46003793a9b8e041

SHA512
d4547149a8631e700898ca9ac3c3325d556079897f4be20c6d3a9787f96ec1ac00d472eb3481686c5a07692971b820aa406c4cece67523615b7229649306cbc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7e95c38f9ece7f76cdfb62e57dbb63b4

SHA1
14c58f41501eee74e30bbbb02cb8202052cedb97

SHA256
b85095b1115e2bc1baffed3c0c693d43409363a237d1f7068ce0cd100bafa721

SHA512
24d914ac147c04a2af77d6d2c2a57b7f1124b458f0fd555a08b4b2611a76c9dc61651b3c2eff5a076448e78729d175655462b319ab98035130276883cdcfb717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8474c67017f28a7ca6b277838d1dffbe

SHA1
8684ea8c1fd702c43146827da9af46ee473bf187

SHA256
f1378ad1509292da3c20aad89991fed0edb9d6756547ae16b5d37c9d8e88af23

SHA512
0f52ffc13762f792251c219f59dcfcf82eb0c668ac7800ab5af5a9f86107b888605a1fbc0fc2b32c3346a6b5d81790de5fb676c10eba298826f4d4a69a8f9e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3aee03ff9ad64765fa93904286d1a950

SHA1
62176bd179b08d4ec442dc19d17a963c4393b60d

SHA256
79877f1105b8b9d1d69d722e2a68b8494f1733875e174fb2cb55e979ed809fb6

SHA512
0380e88f70d0c66844b8695eb33607ad69a0c9d44a7cd68a629b9911b60c4eb74c1fe28c01f8929b3da48de1adce90f90239b7795223623f7a28c43f45b3c97b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e4c45a1991a3192c5ab0b88f5deb329

SHA1
1c878fbd7548b5a0e219f17f0c75b67bebbd7bb9

SHA256
776404f3de2bcde546ff99fded51ab3b56ac249cc54cd7db066db18abe5890b8

SHA512
629f76e84126768cb19fc6a21762ba6698fafe5096f180658cb2161ff5643b24e60d26077f4abd9247edef49447ea71a04f9ed2f02db2d493a97b0a8cd21bfc0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\odgo8eah.default-release\activity-stream.discovery_stream.json.tmp

Filesize
19KB

MD5
c1f89b59ed38d92301650a2bee7b509c

SHA1
d19632282ae1788ed8fd622346b7c9c2b9e50429

SHA256
a0c5a1124abfa036df9ea344083be63138eed220a5506e45b56db7317a1b7eb7

SHA512
a261e12983d57071f630d41896968f63ec2f7ecb3bfd3e1b0fc967bc078c2f697b845983cf314555c544eb3382aa0924bd6366b6e14b1cc7e92bbdc6615a925e

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\f1d4f79b-63dc-4b84-b8ee-638b8d771e28.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0F5F60E2\NoSleep.exe

Filesize
39.9MB

MD5
5fc9a4404bf341be9e9bb8eb94fc9788

SHA1
829b5a3e1783343168ffadb3989ede41565b1920

SHA256
b4645e337130b34e73ab16e44b21e7c18adb0e87d07a3f662110b9f56534941f

SHA512
4a01cfc925975dd152d70388c9f53c90fe745053d63d7d6dbf0b79b25651d59c73878b089e579c45493b045eadc5276b0b1f934a0884c7c642b142dae1dfa058

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N4D48GLPT7VK8R9MTF8L.temp

Filesize
7KB

MD5
7c76ab7a36bf53dd309d494ff37115c3

SHA1
ca5fe2fa7c1f61b79091902291122418148d17ab

SHA256
95f7308c6dd30be4c31deb3ef7057bcadd43748670b08d108eb7a45810e54f59

SHA512
c4088f8002ddaf8e6d625d946f76701053bc4621272bb287280294139899e75b6077620935c9f7a594fd4fdc67e94622172973e51d3570ef0448c5ed44d1b6d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\AlternateServices.bin

Filesize
8KB

MD5
329ff8468cd98df536778379747b1a8b

SHA1
874d1bc92efa2fe33f325f9275e0b935398dec0b

SHA256
5c57ef146844b2a60db0acb6a19e63b45082a53ff81a6c112d847f1edafda578

SHA512
a886f31d777900f26cf54a161e0b3609a2e052b03608bd0f4d5ee2bc774df618fe8e8891f8aa73a316065743accb012ee40c64e279215768071d1cde72de8087

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2dd1151477ef280921a151ca932006b9

SHA1
e89be003873d891b3f43c34edfaffc3abcda5d7d

SHA256
4dbaf9ab0314b6c1934c5ea4c32d90d5b6d93712af6c3a6188ba847f0f8aedfa

SHA512
7399e5145820095b91a0d8f1ced202544426f8b706da2c18c0303ee5df4c145d92f230546d685f9d93e70d5ecfa89ff51d8b3b4c1a0cc1250bceb64fad4cddec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
299c9313e31422d71ecdd671d40f1165

SHA1
8f270badeb96182b49738d6e69620d0703f645aa

SHA256
a7aebdb6e86e0786ea52fd3c3331b29a8a117e7e09f119775019d4100fc62d9f

SHA512
e3467581bfb9c0e7cca5e04f26bda3f63694ba9e499430dfd679d729427375dd35ae67cd9434a8ca8d8647e03fef4de903e048119b5b5a6928c6ee81dfdcba9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
82c8c2afadac62a3e6c53a0c47e47a4a

SHA1
0b2bd4778b39934c4e18731515ddeee103c36222

SHA256
d3c973519645530f94098eee2792a19dc95eca43a548b64c4451efb2da2acdfa

SHA512
7658d64a8336eefee2bfcc017fdffab4849cba8e2a9b8293949d2282b17879aa8dcadef2cd152e08ce20ffffd9dd192a32b55cc1a66cd81c808eb9a92d64cc27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\5d7ce766-3bcc-4e00-8c9e-8b17f8939489

Filesize
982B

MD5
dbd414dd7a9ba8f9f0d5597148070ba7

SHA1
672242c93c8afcbf05ac7973757029f007773b43

SHA256
e6908d5fbfb7f0937a6577a0b386ed93b7d74003de2628a742153050f28cb361

SHA512
67ab8399dcc3ba85b9bb7f269c167861c58ce86bcc9bafc794b7b7783f91bededfaf849be0ab71e588810a8509501105127c327394e8a4c232a26584f290a741

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\895bda0e-77b6-43a9-83d7-f1a736bda680

Filesize
24KB

MD5
3d3cacf823f702c1b196b02ebed0c797

SHA1
33ff90a8dfc0f305248a73790e2fd35335983cd5

SHA256
fad997cac056aaca8f2f0b5889fd3d71ded8b27e49111eb929425f96ee8569ef

SHA512
6567bcbb8e8c5500d3f0e58c5ea4b99533ee4e47c55854c2ee039a9cfdc2a6a599c843c8f15ef2c6d0369627088fec768ed6463f6ff5c79645e7581ca9764df9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\datareporting\glean\pending_pings\8ed4af0c-8be1-4492-9dd4-bfb7b2fef0e4

Filesize
671B

MD5
e99a8183587ecd3645fb62bd5a46a741

SHA1
5ed99f4ad291b66bfd7737f0d4ba5654dfd4db95

SHA256
4d6c59644533dd35b879a9c8be6b2d9e5496f6be7778a9d3a1a65d805e1a8a7d

SHA512
8a4dfaf56c1d93fa605568c3064b2349f089c1337eebbbdb6e52a55d47d135fdcb71593823e1c2cf24ee6b16a3e29d21dd90920aa409c317233413711c33013c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
10KB

MD5
2ea43efa8d3b52a630ddf07224f55258

SHA1
136c25b074d7078f18be1eedb7894e6d80490812

SHA256
79ce03c3ba5b3cc91af9286f727d8dad3b393c39c22b633be57d6e2f641912f9

SHA512
5f311847ef985c1504691ce83e6c469baa8596ec0e9fa1321e573b6dc3fd2994bfa725b0ff83b27907e20beb2593d579326e90c4e8ec8fece8dec2171e22f447

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
11KB

MD5
6ec4dd0655c7d7c3031c569f443ef26a

SHA1
05b7fa894b4fb1314348b50629e070f5be1d5bce

SHA256
b2877bd1686206b6753e2db6fa869536ccbefae7b7fa07f784af80de7ec0df5d

SHA512
55c43a8fea130ec5995ec7a74d4046aa62585d948fbc399a408a6c7219d39b4431a6b2e53f59d44960f1a29bc683b1da669a12930790a265a55f15396cf99ebe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
12KB

MD5
c7e6692ceff398b34658ee73726d2b5a

SHA1
bc3bf5816c2b63ad2e02ec8a8541b041ede5861e

SHA256
995a385379be859aa6fd6e89f06b275e15a1f4512f48cb1a3354df8f0e43be7f

SHA512
5144e6501e6b4192db7eb231145566493108368552fcb41b45c26e0f52576000792f1b497b984c99dfc64c6dc50a73b6876b3a57324713f2aaf180de649642d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs-1.js

Filesize
11KB

MD5
18534c73db6e049bf798dedf5603897f

SHA1
d5fb8a7325d453033385cd8e0d30244eabe0819d

SHA256
4531733805b014bc08588e089b3b831c83e68fcc5d48f2c087e0cf26f1ad0eeb

SHA512
7f80d7069aacb95d4aaebe66692be51068428fef4e037132102be6b90259ba1bead8199015d00454151d675e9f337ff8fe9bb273c7d8ff48734a18291889a815

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
10KB

MD5
4547088e1e1587babf9a20250d35c336

SHA1
22e69220bc55c84c1bcb83588ce12ea7343ac770

SHA256
32f55145dc27ba96b650a82593a829700829775af0e99389c15162ed1ea44806

SHA512
b2914787f4dab274fa03b66f1d5ff95c704cd6c6b30575cc7b24599691d1f681d9991964d0b7a254d1d7b7eebcbca50ab53ec62b191491c7e14c0048ed448d01

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
11KB

MD5
12a9d1f3987fed3ca4c664ab3120d1f9

SHA1
6951fe2b7413ddcb247c0a8b9c2b7b5e676b3fc4

SHA256
fe71081834558104f6a5c1c116643bedb3f3b5ff7e2db48f52df638fb3bd7be0

SHA512
781e0b795390b6b9fdc923cc776a62f3300fc94a237cced9d70b82bf0f4e5a23acc7dde7a85222e3357fc168337db4ff66f0edd1b8b080af06a51fdae3109da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\prefs.js

Filesize
10KB

MD5
46cfa7906e94f5c3351b5a4ec2cbe469

SHA1
0b9ff124edcf95a56feca201c86739a727558e35

SHA256
6f5f9bfbd26cc462598bc537955c5765f9e18ac202c924b46f284c4bbc84133b

SHA512
fe167fdec63dbda850bfe6eb7c2b78c0f299473f5873096072ec7048fa5ce6e56c622023ef590053d3ef27d7d1844a8b382fe10f8355b962a51f27c37654d723

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
35160af687d984661831ef898ba778f7

SHA1
2687b757fc56dc81db9c8050a18fea75d5b1b005

SHA256
135c43603a2048132c3acb21bd4380e74cec663710d5d873dcf17c37c387de8a

SHA512
c4834e632eac0f8bc4ef1bee23ff546e7c4671587c8f5e2b74b202b1184da252a59ab09179fea969feda3793ff727100176b11921dffbfdbbb75998aac5a4b59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\odgo8eah.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
4344157f339d12f454b0558d033dfeb1

SHA1
7233fe5d10a46482e0d6a47a88c721a788235eff

SHA256
a4267a65e58a5e9377d6dac65e9d88ff7744dd2bba861177a7c9a941b23980b8

SHA512
7aaf538328369ea4cd47eb1b65a6b0d2d09fa394c51da3173e1bce7549f7300795f2d74aa4f0b969838c6ab23f12c3953c97f0190e16c42b11d42f70b3247fd2

Download Submit
C:\Users\Admin\Downloads\666.zip:Zone.Identifier

Filesize
114B

MD5
ea601f5e91d755222b8e7e69c91a4d8b

SHA1
56251446d989084de71bcb3565e9da2a06612cd0

SHA256
36b38f46750e98d3bb91c1d02aa56772c1080f2adb977e7eaeedab9e4c709f5f

SHA512
c92e4647ad66bd830d0c7ec856ff4cb4b3995bc055b13e2402afc7c0b79014567158b9076a7da40f8ffeb60bafa0c3f8fa1988ac99dfdc1319c96a9745565a71

Download Submit
C:\Users\Admin\Downloads\NoSleep.part01.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 358508.crdownload

Filesize
25.0MB

MD5
2d17b13ee5bbc6eb85904b6f3588695d

SHA1
a203a3f5b7e0d608c9ec8c3d706fced117923283

SHA256
5a7b5fc21b0b14ac40a5af08aac9cceff62207279dd1416c04de18c5790c36ac

SHA512
d5f4e2876422ed17dac7b07c24adad96f0eed2f8224f4e8979f31f978d14b4d1eef115680144f4ed68c49645e6c3c14ab68eabdf05c40b8a7d664d2d5a3c32b2

Download Submit
C:\Users\Admin\Downloads\Windows 11.zip

Filesize
7KB

MD5
b34c0ea3fd9c793d51325aba504f82f1

SHA1
bc894b772a14f35ed3d7b4b2e41dba1976032090

SHA256
15510eb9fa777c47d9ad769fa3e9d3fc7da04593afedeafbeb473c4be8a3adfd

SHA512
2e8f646e52606423bc945c18e277783c8001d1e34ebc456886bc1817f6f4171e21cc212e4c41f2bb79aeb04e924abc3f6c0ba289c0814614f6f4c9a8db7b7223

Download Submit
C:\Users\Admin\Downloads\Windows 11.zip:Zone.Identifier

Filesize
237B

MD5
0350f2f9fa4e33a0b25f21cd8bf0366d

SHA1
5f919bf1b5efed8640ca9f50b74122e935927a39

SHA256
093e2525ded204754dfe7df8e607599f09572f7d8a61dd3e909e279a38ca4895

SHA512
ac31af46c1014972c689f73ea1e4ec2de231e54f1095ad2481fb8d65b718fb7808e9ca6c07fb860214241821e9b29a1444a39793b0ed925db2ea43376ce23105

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.zip

Filesize
231KB

MD5
34fb11a58e98844ce32eb6fb0ce83b06

SHA1
fa57006ec8f3e578fd9d87c020856efad61ee28f

SHA256
51415279991d44c40a5fc55801e918e2a829e11c575688ad40f150013fa9ea35

SHA512
c7eaec38c209c19b680c15bc180972701b0039213fb717cb42ed507808b9422a94831003754d4487120690d67da1c82b383d84622175573b13e854969e515b5a

Download Submit
C:\Users\Admin\Downloads\YouAreAnIdiot.zip:Zone.Identifier

Filesize
239B

MD5
3bc7c156ec36ddcef3b336635803515f

SHA1
d9284fd97840f3c5aadc55c15cc6e7548e1ea80e

SHA256
212ec44a95d1df49bcd7cad5d07304741d5e0fdbb29c458e3f33f5e7ce424675

SHA512
0f224385c59e78593a6e6afff76c4f57ba516fdcad7a0733aaa96cb0744f7b241a47d4b95e201808c35341580618aa12c16c7007525b3be035e752d4929ec9b5

Download Submit
memory/1696-1232-0x0000018A5E100000-0x0000018A5EA74000-memory.dmp

Filesize
9.5MB

Download