44caliber | hxxps://gofile[.]io/d/isQlJa

Analysis

max time kernel
110s
max time network
112s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
19-10-2024 03:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/isQlJa

Score

10^/10

44caliber defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

44caliber

https://discord.com/api/webhooks/1260516031957307504/YxTbuaTfk5-SZ8kqw2e5ZCV342Z-iNpbB7h710b1oSZ3QvFkW7-9zMXHwB2d7LAz-Iri

Signatures

44Caliber
An open source infostealer written in C#.
stealer 44caliber
Downloads MZ/PE file
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 8 IoCs

Processes:

7z2408-x64.exe7zG.exeNEVERLOSE.exeNEVERLOSE crack.exeNEVERLOSE crack.exeNEVERLOSE.exeNEVERLOSE crack.exeNEVERLOSE.exe

pid	process
5048	7z2408-x64.exe
4128	7zG.exe
5056	NEVERLOSE.exe
3908	NEVERLOSE crack.exe
1496	NEVERLOSE crack.exe
3076	NEVERLOSE.exe
1332	NEVERLOSE crack.exe
4212	NEVERLOSE.exe

Loads dropped DLL 1 IoCs

Processes:

7zG.exe

pid process

4128 7zG.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 7 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

59 freegeoip.app
1 freegeoip.app
42 freegeoip.app
44 freegeoip.app
45 freegeoip.app
46 freegeoip.app
47 freegeoip.app

pid	process
4128	7zG.exe

flow	ioc
59	freegeoip.app
1	freegeoip.app
42	freegeoip.app
44	freegeoip.app
45	freegeoip.app
46	freegeoip.app
47	freegeoip.app

Drops file in Program Files directory 64 IoCs

Processes:

7z2408-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng2.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ky.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eo.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pa-in.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll.tmp	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\readme.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spc.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	7z2408-x64.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\lij.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs
When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.
defense_evasion

SIP and Trust Provider Hijacking
T1553.003

Processes:

firefox.exe

description ioc process

File created C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier firefox.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7z2408-x64.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7z2408-x64.exe

description	ioc	process
File created	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exefirefox.exefirefox.exefirefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 26 IoCs

Processes:

msedge.exe7z2408-x64.exeOpenWith.exeOpenWith.exeOpenWith.exefirefox.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip.dll"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	firefox.exe

NTFS ADS 3 IoCs

Processes:

msedge.exemsedge.exefirefox.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\NEVERLOSE crack upd.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NEVERLOSE crack upd (1).rar:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exeNEVERLOSE.exeNEVERLOSE crack.exeNEVERLOSE crack.exeNEVERLOSE.exeNEVERLOSE crack.exeNEVERLOSE.exe

pid	process
2324	msedge.exe
2324	msedge.exe
4652	msedge.exe
4652	msedge.exe
2308	msedge.exe
2308	msedge.exe
536	msedge.exe
536	msedge.exe
4600	identity_helper.exe
4600	identity_helper.exe
4788	msedge.exe
4788	msedge.exe
5056	NEVERLOSE.exe
5056	NEVERLOSE.exe
5056	NEVERLOSE.exe
3908	NEVERLOSE crack.exe
3908	NEVERLOSE crack.exe
3908	NEVERLOSE crack.exe
1496	NEVERLOSE crack.exe
1496	NEVERLOSE crack.exe
1496	NEVERLOSE crack.exe
3076	NEVERLOSE.exe
3076	NEVERLOSE.exe
3076	NEVERLOSE.exe
1332	NEVERLOSE crack.exe
1332	NEVERLOSE crack.exe
1332	NEVERLOSE crack.exe
4212	NEVERLOSE.exe
4212	NEVERLOSE.exe
4212	NEVERLOSE.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exeOpenWith.exe

pid process

876 OpenWith.exe
1976 OpenWith.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4652 msedge.exe
4652 msedge.exe
4652 msedge.exe
4652 msedge.exe
4652 msedge.exe
4652 msedge.exe

pid	process
876	OpenWith.exe
1976	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

firefox.exe7z2408-x64.exe7zG.exeNEVERLOSE.exeNEVERLOSE crack.exeNEVERLOSE crack.exeNEVERLOSE.exeNEVERLOSE crack.exefirefox.exeNEVERLOSE.exe

description	pid	process
Token: SeDebugPrivilege	3176	firefox.exe
Token: SeDebugPrivilege	3176	firefox.exe
Token: SeDebugPrivilege	5048	7z2408-x64.exe
Token: SeDebugPrivilege	5048	7z2408-x64.exe
Token: SeDebugPrivilege	5048	7z2408-x64.exe
Token: SeDebugPrivilege	5048	7z2408-x64.exe
Token: SeDebugPrivilege	5048	7z2408-x64.exe
Token: SeRestorePrivilege	4128	7zG.exe
Token: 35	4128	7zG.exe
Token: SeSecurityPrivilege	4128	7zG.exe
Token: SeSecurityPrivilege	4128	7zG.exe
Token: SeDebugPrivilege	5056	NEVERLOSE.exe
Token: SeDebugPrivilege	3908	NEVERLOSE crack.exe
Token: SeDebugPrivilege	1496	NEVERLOSE crack.exe
Token: SeDebugPrivilege	3076	NEVERLOSE.exe
Token: SeDebugPrivilege	1332	NEVERLOSE crack.exe
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	4592	firefox.exe
Token: SeDebugPrivilege	4212	NEVERLOSE.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exefirefox.exe7zG.exe

pid	process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
4128	7zG.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe
4652	msedge.exe

Suspicious use of SetWindowsHookEx 41 IoCs

Processes:

OpenWith.exeOpenWith.exefirefox.exe7z2408-x64.exeOpenWith.exefirefox.exe

pid	process
2432	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
876	OpenWith.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
3176	firefox.exe
5048	7z2408-x64.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
1976	OpenWith.exe
4592	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4652 wrote to memory of 2632	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2632	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2868	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2324	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 2324	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe
PID 4652 wrote to memory of 3404	4652	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/isQlJa
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa3c4a3cb8,0x7ffa3c4a3cc8,0x7ffa3c4a3cd8
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2356 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1824,14492386328319636504,14504635021013672731,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4004 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2296

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1448

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:876

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5048
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:3176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1996 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1748 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0234c18b-2730-4b9f-9baf-d0bacce2d758} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" gpu
    3⤵
    PID:3196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2396 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67796c0e-7a00-4ba4-91a7-5c9da7225ec3} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" socket
    3⤵
    - Checks processor information in registry
    PID:3204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3120 -childID 1 -isForBrowser -prefsHandle 3224 -prefMapHandle 3228 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d20bf691-5fa6-494c-ba08-bf0168ddaaa6} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
    3⤵
    PID:5064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3688 -childID 2 -isForBrowser -prefsHandle 3468 -prefMapHandle 3464 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {616a0b08-008f-46a0-b560-3d398a13719a} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
    3⤵
    PID:3228
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4848 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4704 -prefMapHandle 4700 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dac2cc5a-e817-4662-9d1e-2d7bcb93ab02} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" utility
    3⤵
    - Checks processor information in registry
    PID:2288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4748 -childID 3 -isForBrowser -prefsHandle 5448 -prefMapHandle 4724 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdb75332-675c-44d6-a38b-886dbbe07fc2} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
    3⤵
    PID:1872
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4620 -childID 4 -isForBrowser -prefsHandle 5596 -prefMapHandle 5600 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f929695-fdf5-4e4b-aa25-852f13370cc9} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
    3⤵
    PID:2320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5744 -childID 5 -isForBrowser -prefsHandle 5752 -prefMapHandle 5756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6046fc60-d6e9-47a8-bffa-41d678739654} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
    3⤵
    PID:3412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5832 -childID 6 -isForBrowser -prefsHandle 5116 -prefMapHandle 3928 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a62172f8-b6f4-41d7-b8b8-f13a5fea04ef} 3176 "\\.\pipe\gecko-crash-server-pipe.3176" tab
    3⤵
    PID:1600
- - C:\Users\Admin\Downloads\7z2408-x64.exe
    "C:\Users\Admin\Downloads\7z2408-x64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:5048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\NEVERLOSE crack upd\" -spe -an -ai#7zMap27083:100:7zEvent1937
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4128

C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE.exe
"C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5056

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\NEVERLOSE crack upd\Прочти перед открытием.txt
1⤵
PID:4708

C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE crack.exe
"C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE crack.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE crack.exe
"C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE crack.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE.exe
"C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE crack.exe
"C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE crack.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1332

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1976
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\tmpE6A9.tmp"
  2⤵
  PID:4840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\tmpE6A9.tmp
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1840 -parentBuildID 20240401114208 -prefsHandle 1756 -prefMapHandle 1748 -prefsLen 23678 -prefMapSize 244694 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1c964376-fac2-42e4-8694-554979fd7016} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" gpu
      4⤵
      PID:3204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20240401114208 -prefsHandle 2176 -prefMapHandle 2172 -prefsLen 23678 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e0025a62-8bcc-41c7-931b-b364bebc569b} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" socket
      4⤵
      Checks processor information in registry
      PID:3112
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3432 -prefMapHandle 2712 -prefsLen 25061 -prefMapSize 244694 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cd68dc0f-06bb-46f7-bf09-a6503a1732d9} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
      4⤵
      PID:4496
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3984 -childID 2 -isForBrowser -prefsHandle 3736 -prefMapHandle 3788 -prefsLen 29410 -prefMapSize 244694 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2058fe5-fd5b-4f7d-80b6-7a91f9b26954} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
      4⤵
      PID:3076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4628 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4500 -prefMapHandle 4636 -prefsLen 29464 -prefMapSize 244694 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {99b76d6d-fe5b-41f2-8a50-99ab8ec6a953} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" utility
      4⤵
      Checks processor information in registry
      PID:2524
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4884 -childID 3 -isForBrowser -prefsHandle 4876 -prefMapHandle 4872 -prefsLen 27320 -prefMapSize 244694 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a51a14b1-9484-48b0-8e86-7b66ca2bfd1b} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
      4⤵
      PID:2796
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 4 -isForBrowser -prefsHandle 5300 -prefMapHandle 4752 -prefsLen 27320 -prefMapSize 244694 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01bde2fb-2e56-40a7-b1a2-a6e56c4916be} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
      4⤵
      PID:5592
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4932 -childID 5 -isForBrowser -prefsHandle 5596 -prefMapHandle 4952 -prefsLen 27320 -prefMapSize 244694 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1a87bfbd-8bbf-4843-986c-6d8fb6e9661b} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
      4⤵
      PID:5784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 6 -isForBrowser -prefsHandle 5748 -prefMapHandle 5744 -prefsLen 27320 -prefMapSize 244694 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbf2954f-b4b8-4cdf-bb71-4a37394c31fa} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
      4⤵
      PID:5804
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5924 -childID 7 -isForBrowser -prefsHandle 5844 -prefMapHandle 5848 -prefsLen 27320 -prefMapSize 244694 -jsInitHandle 1292 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c26d58de-7ac7-417e-b270-f67d4362d156} 4592 "\\.\pipe\gecko-crash-server-pipe.4592" tab
      4⤵
      PID:5816

C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE.exe
"C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.dll

Filesize
1.8MB

MD5
1143c4905bba16d8cc02c6ba8f37f365

SHA1
db38ac221275acd087cf87ebad393ef7f6e04656

SHA256
e79ddfb6319dbf9bac6382035d23597dad979db5e71a605d81a61ee817c1e812

SHA512
b918ae107c179d0b96c8fb14c2d5f019cad381ba4dcdc760c918dfcd5429d1c9fb6ce23f4648823a0449cb8a842af47f25ede425a4e37a7b67eb291ce8cce894

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
692KB

MD5
4159ff3f09b72e504e25a5f3c7ed3a5b

SHA1
b79ab2c83803e1d6da1dcd902f41e45d6cd26346

SHA256
0163ec83208b4902a2846de998a915de1b9e72aba33d98d5c8a14a8fbf0f6101

SHA512
48f54f0ab96be620db392b4c459a49a0fa8fbe95b1c1b7df932de565cf5f77adfaae98ef1e5998f326172b5ae4ffa9896aeac0f7b98568fcde6f7b1480df4e2d

Download Submit
C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

Filesize
105B

MD5
2e9d094dda5cdc3ce6519f75943a4ff4

SHA1
5d989b4ac8b699781681fe75ed9ef98191a5096c

SHA256
c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

SHA512
d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Cookies_Edge(17).txt

Filesize
73B

MD5
dfaa089d933cb39f20506dbce80b9536

SHA1
4534b43ea481730b89403606fcd6031621380a9e

SHA256
8570c9cfd997e7ed2ab0fa25d343ace4aa968dbbf32d85d8f5fd8d0d4496de02

SHA512
3d208ac6a0f7be3d128c676d9be916ebd192518f618b6101c6a5d7b913dcf3d34d0e6321c4e8a4462e2b1155cefb70d692f7a0d9f0271e727bcd0b20137b0c97

Download Submit
C:\Users\Admin\AppData\Local\44\Browsers\Firefox\Bookmarks.txt

Filesize
210B

MD5
1267f4be35fbe5510886cf08ddee9fdd

SHA1
04e714a1c8a9d76e860c7cbbe7ebf62c71dea6b9

SHA256
ab038447adbfd1faf46f0d3bf6dc387621dc8435ab552696ec8d9bbe7a6a9ab3

SHA512
6f1bc0ad9eb850f37cddc2422e738f0cbbfe8a7a7e064c0c989cafbf0f7d5ae5bdfced4b3f93952688de3bfa338ff5a8c7258aff8397cdaccb36b23b5d16686b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
405KB

MD5
89e0201f338d2d2cd1c9f3255e0ca9e1

SHA1
460f6b6744b470b42b719fd5890e0f53c4fde715

SHA256
014ab39eec78023f91c5fcb513732745d4ec379c859ce04dd7eb8db75c212cb7

SHA512
57fbc3dd924391bd33b9a726f48c6036d01e28e2cf3a1f8927a31403895b5652c932bc646f3c7c4d889e484466c77fb0d4cbf4d5aa3eb3464ee0a5702b332b00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
0d0446cdd83e6ad4be7c0ca4b91a5f0a

SHA1
e000a1a962473ec2084f07e9c57e4bb00247dbcb

SHA256
1311c4f9f40ef2324682e0f3751c24f7e3edad2ac761cb4ce6fd804e77faa518

SHA512
33a580283bc147d5e3a398845e948313ebfb922d6b674bedd4877b4b56e0416e16b1aaefa61c1474fe0a15b1fe1e40109ed81fd62b9d41b8e4e0f183ec575973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
ba3394d83f47b4407dd5d86ea8d61a40

SHA1
20a810ccb020356929a522e4b1564255cc39d153

SHA256
98d6a30fcfa91d4b36d0184bc59e074433bf7af3edc45955ca2c78ac502164da

SHA512
19fe67963fdcf611cfd9d8e266b53de53710efeefda6ee89ccfdb9d5752901ffe71a856a3a91cd45cfcc4b2c57a8f8dea0b34fa84190f3617f0ebbe077f4cd58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
a0eb2ea9f256535ddde6c960e96f8872

SHA1
e6f13449ffce0834281c80d688c3ee873c86f8b7

SHA256
296abe3c4bb1cd799453d0780b3f995ca271f6e5a10d7531607e2f78acfcf997

SHA512
9333690f5d8c446266bb52bcbaffce2334656a55f8424726944162a0f123808cc2ad185e094b9c32122ef762663366b77128579468c2d4e26d68147b109d75ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73364dfdce66d2ece850cf2c04926455

SHA1
54b8fd2c317a662a265e8d8249badf8dd1bc90ab

SHA256
63fc64887bff006144c8b6f5206cb88c14e79eaf6c8a10e1ef5acf1f854c9205

SHA512
d78b7a9aae90135ea83d4923f612bb2606249ff740887a941fbb039700e2ebd59e64a4315c35cbf06c0e4161b8869fb3b5f6f1c6741f12f30d6016aafb05c660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
72d3e1301126ec95c7fa0e871aac3593

SHA1
c42672aef1c77cd9e795cef7cc1756bf89b43825

SHA256
783d6c03452e14494d2db4f399431a38cd16a8ad20a4eb1874d6f7be78b07e76

SHA512
22800b12d018fd56478f932dd51910fbf3e5a65d759d82ef3101d3ec2ea81919c20ecd66392fce451ddaf7fe0ec6d0bd4530ef0ccc0e430fdb8703c7c4b6ad74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10c5e20e6e2592d7bff412753539401a

SHA1
664b00e14dec692e5d9edb88e2f34a98438810ad

SHA256
58ca8fa1527f14f34961c279fc3da313115112b24d717feb650013f0be35f917

SHA512
eb5e27f972b68242553c970d7195da5ebb45203a99f9653ed69320dde35dc52996d32fc3dad2c2108eb0017af4518ee147147c2d9235f618e54070dcd8efbc90

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\activity-stream.discovery_stream.json

Filesize
30KB

MD5
999ac1c684ccf957c83dbae65e70394f

SHA1
26827ad040bad7cc672a0297ea3a44728e7bce1b

SHA256
571a77e8a4abf960966beb8b72680e4918741c886dd7b79dc340df4627c9f903

SHA512
b1e024827f1944f589c9f481c9e950db2d4bdb1f74a0e570b7880751e54ecda0df330025634cab9096df5b491105f5a6b91cccbffbd502e4ae77b3d4e2c9012b

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\0305BF7FE660AF5F32B4319E4C7EF7A7B70257A3

Filesize
13KB

MD5
cd0a96493cb85647081d95f9aec15305

SHA1
a9fc27a0766ab9cf5acdc71eee874ade9596d2af

SHA256
45acfacc20d341e4a3ef71b45728a5c695f1bd65005ad6964fec2f062c5f8c9c

SHA512
8791ff93e17d086d8bed40b91617b719195520a06493118eb3a5041ac44a55d732edb1439633ca3035802a0a588556db675b9451941daa014e39a76f1d52114a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\254256B27E0C48CF9B80B695F0B3B8CA84610495

Filesize
9KB

MD5
81d519b6ba2afa0a9836e27b77391d5a

SHA1
eb1231815a8d338225882801cd711dc0b587f3a1

SHA256
3abc6b228868fc988ba35eb7408d1e2e522f20f31daf12bf6aef19a769b42608

SHA512
e9ab72338d0efa5ee398421ba6f6c10aa6e57703a701bb32b73ed7e1d1a39b9406e4ac3f503f08be59462784742877bbe940db397144f416077caeeb855c928a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\6D89348819C8881868053197CA0754F36784BF5F

Filesize
15KB

MD5
d4ddf49846ffcd3309b0098d87bfa674

SHA1
a970b9f30f3b66c0c1ba5510f92e56d118320a3b

SHA256
93f80f71ffc11c598dc1f7b1fb3f681c28d54f297e7aaf3adc1685d8a0985980

SHA512
063cc43879debde9e8a93bd72b7239ba318b5a9d3a74732247e0d828cbf29996245985c490b95a786816d429adaa22f0cf7dff9a89f0f445c4924eedece53384

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cache2\entries\D0F48A0632B6C451791F4257697E861961F06A6F

Filesize
141KB

MD5
0ea8b1685e915e67491fadff18315e84

SHA1
585454e622f78e03620dc75fc759cfa2d0e9a498

SHA256
1d2f38ced583517e8511426a3e04943ecbf97f7570f73255d0b3fdabf05e1836

SHA512
b9b782e69debbfb9a7c73799e8a0e3058de53dcc47e8e25e993a14e957b201be10cbd144c29d610986abe04a6a1e590c8e3ae0f778bfcd513ee51d9538a005d7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\startupCache\scriptCache-child.bin

Filesize
469KB

MD5
15405b40b11396456243a08ab4c1f30d

SHA1
eda1aaf4281a3f6ac05af57ae91e37f6faf3048f

SHA256
2aa3c813af62320d33d79d971fe48ef775ff66a716658e428b043e2425e721b1

SHA512
e7aadce7de8ac6ca2243cfba8ab242ee6b7e7590445c4d8bee16d39cbfc2b74f0095230ba2bf70db70eede4a3cf1be98372bf79c3bb0db2826608a5da4520618

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\startupCache\scriptCache.bin

Filesize
8.8MB

MD5
1a7952a85a1d2c46a78bfb7f817e83f8

SHA1
2ffedc7d4f8cd0d7d6db9f75a22e567900f2aa5f

SHA256
67ad50a0f1e196c45ee5206a0fb39bd71e0aeebfc064589f2e2fb9fda739ebbc

SHA512
8f65b8b22b3234eb657e130e8473daf23f2744d2f3c474550042650a30cc575b33f221139833283756b6e7bf72cb3696db530b7450ec43b97ea3e14b26f050d1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\startupCache\urlCache.bin

Filesize
2KB

MD5
9a7938fd73b4a9a2dfc16eba5179c5a6

SHA1
0cc4417dc5c93523670954a2ea486df42d261931

SHA256
44c65d5c35966ed2fa4727c19ae1c3c08bd040c839c93929a3b6b83c0edc5d21

SHA512
ed77c17a242569883f868e0bf7dba999d9975a2a9f62b4caefe8a37ffc6939a8c9bfdf073050b04465c283b10e51820cf4291f8758b3d0299c8f28ed85ec1d67

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\dfn8djy7.default-release\startupCache\webext.sc.lz4

Filesize
107KB

MD5
2c7f20389315565ba532c91ceda57668

SHA1
e174329b28a048e2d4459dfe5bca474d9357292a

SHA256
0e31235ff7053f949fffef94d1c8c378d7d2c00e2c850123a6c6a7f42201326d

SHA512
ac92c90d10e0ef7cdfeb45946e135b138245c21d230638c838544a6a3ce4f5ee7655c438662b446023d509f6fca22b31d00a2197a57d15526f5d1e8d804be45b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8C25.tmp.tmpdb

Filesize
5.0MB

MD5
7cbab55d97dd7111bbc0ac5d342d2a13

SHA1
f74da982fc1e7e01658d0996f7310843596fb1f3

SHA256
1f17f4bc0cbd644d76dacce66ac6ca85d39a3ff2e5405ecfcab7c5c0b85110a0

SHA512
dd00f0ab53ca4063bd4ef272575d35976440fd6935cc3e3a5ad938630f1e0541c12e069557a1887bf4155507ce45bd5fada7ef60abd72181ecd8676e297451f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7B5.tmp.dat

Filesize
114KB

MD5
afa91d0e885d8134404af3c064a6a0ec

SHA1
66d953b18606bc7cda08c696c63dba55a42b96f1

SHA256
f31b695e180fdf8c23a1d053a067d66b38399aca4bd4cc7693844b895e819545

SHA512
5d9cb1c6c6af903f951c5aef98fcda48c7f12a5d484289dbf57745134323595462a7ad3b5d711dd2988a12efdb03e3f77b46d6be7c4232ac3ff1e41fb82bb2ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA7C8.tmp.dat

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6D9.tmp.dat

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6EC.tmp.dat

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB6FF.tmp.tmpdb

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\AlternateServices.bin

Filesize
6KB

MD5
4a6a446ee241964fd930fdea0677883f

SHA1
3d9eeac506c310f6cc83a4056df60a607df36884

SHA256
de6d6ce9037f45e82b9dbcd26495d4d16dedd93720b6a6db20d766d39fe0d489

SHA512
1ece98a465cfe48dc6bac7986aac2ab9559012113f1bef6efe1ca9ce51782a2a684c283b8e7504a2fb63b7fbd482ce7b3afc1b442a046f1dfd1ee263d7519048

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\SiteSecurityServiceState.bin

Filesize
1KB

MD5
3fc2db77ff9ae820e14450f2df11bd95

SHA1
db1e2332f7d049a41b7a33c5540eb5f4df852028

SHA256
60e41618deecf08dacaeae486b7eb4279ad080d9a53dcdb843dcbed32a6a23ed

SHA512
60f2092855c0e3f7fd09995aaa35dcb8d37ece41f578f036b3572556085785531182a71b7f12f68e1417c388a8838dcbab09fffb8f56eb8c6d00669be7ed6bdd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\cert9.db

Filesize
224KB

MD5
71719fbfb1f9a3557a06c08c4b954cc4

SHA1
a75fd65a98495ba976bbd8102ae1f927ef4acf4b

SHA256
b6f06b9051624262afcd458675e719b9f694f757ba29e332cf644b28e5c63824

SHA512
ec46b9edf3f5254851cc55c2a04c2506b3e9f0f91efe0cc56719e93340fee4fa3f4f201c40e3e2c10afbdc874e32dc92d7eb3b451c9881e0e97ed68b0e160a27

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.bin

Filesize
28KB

MD5
146827b6c9e7aeb83ca6499090ed4772

SHA1
e116eb34c28113640fd8660e58c0a6741ee04f7f

SHA256
7eef6660562fef9072ad4b28ee41b46ebf1c40ccaf0e2cca7cdffaa449004b6c

SHA512
589397611b456f44fc70f8ac987010f76359c179070a8fcde9bfab6f5bf33d6ec5df96eec0ba50923a67f8350084cea89a596f42c7ce5040146d5c972008446d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
0cbc9cf04e5353996dcf3a36610f6470

SHA1
40594cf1ed2623b1cdf496b0a876941182acfeb6

SHA256
b38b1dbabaf04abd381353b5f1c40a99c78720b8f4ef157faeeec063f410eec9

SHA512
f85e94be74b9a4eb3c93c6403274f60a43de2206895a0aa785e39c4091806761edcc418676f24ce4832d0bf7a4f2d42ce46b5e728492bfac19aa2aeb1b8b8e2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
28KB

MD5
1b5baccfce0897cdca74be92d986fca8

SHA1
d9bd5340ac0608a95bd7548138c47e3c484ce3a0

SHA256
89817f3e29fb12c2b472fb7e243cc0e8c29fb1e817f7f9c0213f29bbf5f5d738

SHA512
03c7de11631c72f1d877f9fb4d6773b86d3f877e3d3f8d8bfe538938d8c61f575b043002285848a6c710540db31c6e53852185218e798d3b730e1b819255ceab

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
27KB

MD5
b2281584b0bfb4a206eaac6498a9c884

SHA1
47289d85487194b20b9c6dd3f8205bc5c48864a3

SHA256
7d605ff58a02a4e0bebceaafe57d4f5eb9eaa51ec6fd1133476077abcbad05a3

SHA512
91e17346e0133849b7f8600cd6e81c2d9129a303e0ce5d4e8e314ae0939007ea15ad885b5d691c031f121bca2905a8344b492168767c562994cfd3097ebe8344

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
ce3d0a7a4017c1a736bd70650a2070e9

SHA1
f468bd760309d64f7c22bc3d58d353392c6e1287

SHA256
c006fbb7a049284437c0f9e2d337ce6fd31446c730da8fab709e81db201a1e45

SHA512
806eb8541a8754dec92807b03f1fc6663235c669b8696f732330d206009a33258d79940f355d11a53dbd4b9fe61a9fcb48b6aedfdd831ddb4f5b6c3587286d5b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
47c696ebf92609ee1ae736b97f448e06

SHA1
1205107a59bc599cd6b69b4ef53c46c529cbc8ca

SHA256
24e2201d14ae5c949274d1251db3adf34d5521dbbb53934b48ffcfb1ea8997d8

SHA512
86185a5c70f15f9d7102d0befbc471a42d0c40fd118b9ab3e377cbdab20ce4dd60b8328259751f0ab30be89e9599e7f3be28b9948e4cb28677793418749ba358

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
9509a43c5c78e9cf72d161b180973a39

SHA1
a19a2ddb2f1e26975037653680286b4937027a69

SHA256
cfffcca463f1c3bb5a0bfc458d1d10f0e451ed60bb8f2c0969bcb497a0a2383a

SHA512
48939dc5c1c636feb750933a8be2b7f12be0103fd198b54a5646412e6850d694aefdf85e4258a26146ebb06331683da71f45b856f27138d1ca89757cb683b006

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\events\events

Filesize
511B

MD5
1712fb7cc3e0926fb0ebf12c1294d10d

SHA1
13b4778e317cd157bec6d209ca7b0f2e696b3403

SHA256
fdfaed3898b1f9d5aee6f657311930fd4d73e05307a9bbc57e958a7b643f3e1a

SHA512
a895bcafd716e5001d1d365a7327e3b81ef8c1509856410b610d31ecaf9252b5625317af90befdf80bdcb0d3171da11087d328afa3c98f6fb6087cac031e4e8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\events\pageload

Filesize
337B

MD5
24b63b97d0aaf2e2db12a220c8379abd

SHA1
1981cf3461b5a2af27570c45556e42a727fb9b16

SHA256
5b54799c6004cf961bf25112ff1f0a90e02fe0dba51859b61da56bc728ec197a

SHA512
5f69f19d26f0a852d35f2bd030b9f6e9c7df265c8098d53fcc0619def825a0e771676a50324bdde5741ee08c4b18e8355a536c02eeedb0ccc675272d706bf7ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\41645c6f-6c07-408c-a686-05a8de714009

Filesize
659B

MD5
d7e54f71bab57970aaeb8f7e41c8e1c1

SHA1
a2221794619878ba7a3863e8fe0bdcff5ab9937f

SHA256
5bd8a60bf87122f362fb69cc39012795abbd8a6ead8c8d4949ca5bba1f10dbdb

SHA512
249f04ef1c07020d27c933a8c954dddaa808e6d1dc7bb656f66a3ccb69c0eccda5437e1b98518f05f17217141432dcd20af2a50b73f148f466f7001f962c38c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\63765653-a68e-4fdd-a822-088c0ee2533d

Filesize
1KB

MD5
bad0d954ab0782d4234b8d63ec8a0b8b

SHA1
3893baf521216851ed6108444f6e0407eae9eef4

SHA256
e81691cbfcb8c9149d4d2bcf22205befe156760dfeba36fd70dacb2ca69f4100

SHA512
e9972e01551c305a5861ebc4a449124b2b74f550ce42df13f046571873b6feb2600d9b7ce73df735b58554b86dd068e6e2f62d3db06ef07aac93a357018f8a17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\664b68b2-1e29-472d-8736-3de8b3f28ce5

Filesize
982B

MD5
f338cf288a8702f001eb1c60c31f726c

SHA1
9c7d337a16d6799a4b0c4022ada417413f7bc675

SHA256
b041187c6225b6f520b0998ce4c1f279b6c43f248776566daf07f5d6c04557b1

SHA512
3871bea1c248ac28b84113106edd58ebdbc47026c26b41cb20d562e6d62428b05bc17f654c2a9ac3b4a4acb1c6ed6ee1d36da3bca31751f27a374c58a71b3665

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\7b84d044-1cea-4562-9b28-0101a3f08850

Filesize
734B

MD5
ae560c249b7a681df2198b91742f4bef

SHA1
8b5317bb7b1e170b68399214186bcc3e20d6de28

SHA256
7a3768d9b160b49b27f7ce5bd3594f6d93fcabcb2b7a3df6f3aacd7744b9abf5

SHA512
053391eef2a50545f606fecb632c132a09b9c780227e3e78e751406e152435118eec4b246656017945cdf53b5d8c381b6e316d92e7bb3edbb410440d1bdcefba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\dacd1a6a-8a38-45ea-8f3b-fdf12ce987a9

Filesize
727B

MD5
43a07c9436000608e10f1090d3536f63

SHA1
3b7d5af563215b3100acdd50a0aba0e103a91562

SHA256
3ce17bb7c5ae2aac78c6997d161dd72c2e8634d60775cc83f6ece2e1fe460b6c

SHA512
538c232efd0c8679709dcf961df7819225791aae77117b55b5a9f4dc6730e44d67c71b5076be2641bb627dab6f8c7f4be788baaf7ff3804f80c01222cffd81c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\datareporting\glean\pending_pings\e2b7b98c-cd5c-4e0c-a47a-c1da650d3cfd

Filesize
1KB

MD5
298fb2831376b28ece93110d87d8022e

SHA1
774c21c0d450c67c53531bf923d7c703a3c2f566

SHA256
bb23dc77df6553c395cfd9bf72f41edcf0bda6012781de220a413c22e6c43d5e

SHA512
362e2d9ce2c6ab6773c6e5fb0860001e4a5391df5b70fd6272ec0385ff2a2d1afd2fb463c5496c7390c28985f114c4717d4d0409884be20caffe7f1c99f40273

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\favicons.sqlite

Filesize
5.0MB

MD5
635fbcc5b34cefc29fc5ec1d98a85e31

SHA1
daa03403aed46b734f4abf8dc380e637b44572e0

SHA256
7202559bdf0ad6548c70c5aea2791126b987ae5306f610efea7c3dfebd738be2

SHA512
f5dc6f999d2c9e1a4690d741ad2840e443b17a635128580d153b210afa7a13d1a1ed1ee67c57554214ee9020d4a349d0831381723ba4d88fa75ebfe8fe710eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\permissions.sqlite

Filesize
96KB

MD5
50f483b8d63c133b6f1649027408745d

SHA1
fdeedfadb6a28c397dfaeebdef820782c2abb907

SHA256
9e13655144e8a1ad650ef9c20988a5ebe3b36d22c862f3321f02100cba3f1cb7

SHA512
80302981a8604b0b90235e3810f7c2e20818165d56cb6ffc7b9fa0693cc2b97cdf398505d4107c19b06c90adbefcc215c370680d39db8d31e70f29fcf10fd4dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
11KB

MD5
e1440d8514d87864ebc662d9e43642f5

SHA1
b163744be26ad2da3c356d2e042b029eb77bd042

SHA256
a0fa9e45d61b04deaa8a117cf022ca6bc69fcea751096c5709de921799c6ec9e

SHA512
928ac1e32043867bb9c8a4ac5bfb92608c94b1e8b2840e53ae0ea263e9591797e28d2092a693097a345617186009347f3ae0452b45c252cf360c8634514c2948

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs-1.js

Filesize
11KB

MD5
44944575665c43a306a088aec8c50946

SHA1
87135c4bdb8e3f7096ffa32e18de87800e6d391d

SHA256
746dc4a1b1cf0e7d14f547d764be9dc623c33562de4add03d2c917abda004325

SHA512
fccfc8153bbb4091e993a7e60cf34f1ff193cdf040f68e7659d0ec9b2463dec2caeb71492776f2ba41dc46748fb1b356e02e7298e254369ac4330c96f728e8b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\prefs.js

Filesize
11KB

MD5
c72b58d131d960ef5f5d2c89c47e270c

SHA1
8bbba1a7a3d86cf3af5428eaff658f47ec3d255f

SHA256
9d8ccd5891d82386764eb141b42452ba6fc3137f86b2cfe6fc96651b35942997

SHA512
019060d2047fa6517cf4d94befe29174cfc2e44f87f95e91e4fb05461d02e0ad26e4ed40ae46a6807e691b229ee23ce712d00226783c5ddfc6154db7e662d0da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\protections.sqlite

Filesize
64KB

MD5
76786a4c0dd19d88d6d3ed95a293bf2f

SHA1
b0d6d676127a7694fc6e71ee57fcc2ffaa621ff7

SHA256
1a2564c1ba20b8038d35c2319258d94dc15d97914dcf753b31c48b79940dfd31

SHA512
8cd3298e2ebba763d3c80ac4b17e44af7eb63b46304967d0c6316d314baf8611c05f7b9979c2c5c329ac167aea0246e8c9f057ffbb272481c13fd5e4b4bcb2d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json

Filesize
181B

MD5
2d87ba02e79c11351c1d478b06ca9b29

SHA1
4b0fb1927ca869256e9e2e2d480c3feb8e67e6f1

SHA256
16b7be97c92e0b75b9f8a3c22e90177941c7e6e3fbb97c8d46432554429f3524

SHA512
be7e128c140a88348c3676afc49a143227c013056007406c66a3cae16aae170543ca8a0749136702411f502f2c933891d7dcdde0db81c5733415c818f1668185

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json

Filesize
122B

MD5
99601438ae1349b653fcd00278943f90

SHA1
8958d05e9362f6f0f3b616f7bfd0aeb5d37967c9

SHA256
72d74b596f7fc079d15431b51ce565a6465a40f5897682a94a3f1dd19b07959a

SHA512
ffa863d5d6af4a48aadc5c92df4781d3aacbf5d91b43b5e68569952ffec513ff95655b3e54c2161fe27d2274dd4778bad517c7a3972f206381ef292808628c55

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json.tmp

Filesize
53B

MD5
ea8b62857dfdbd3d0be7d7e4a954ec9a

SHA1
b43bc4b3ea206a02ef8f63d5bfad0c96bf2a3b2a

SHA256
792955295ae9c382986222c6731c5870bd0e921e7f7e34cc4615f5cd67f225da

SHA512
076ee83534f42563046d25086166f82e1a3ec61840c113aec67abe2d8195daa247d827d0c54e7e8f8a1bbf2d082a3763577587e84342ec160ff97905243e6d19

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
362985746d24dbb2b166089f30cd1bb7

SHA1
6520fc33381879a120165ede6a0f8aadf9013d3b

SHA256
b779351c8c6b04cf1d260c5e76fb4ecf4b74454cc6215a43ea15a223bf5bdd7e

SHA512
0e85cd132c895b3bffce653aeac0b5645e9d1200eb21e23f4e574b079821a44514c1d4b036d29a7d2ea500065c7131aef81cfc38ff1750dbb0e8e0c57fdc2a61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\sessionstore.jsonlz4

Filesize
1KB

MD5
defb6217c6e9b262b4bf71a9d0a08bcf

SHA1
5472552c849b247d228c07a332971d2bd0894375

SHA256
e4268b36116dfb48d375735eb0e2b7c1481e87965115535b7ead436ab9b620b6

SHA512
0dd5baeba35cfc4a4af3705f77e6a09ea7ab3a07c1c8d0e098db634541be673f47622c84b81aea4819332e2efe4e80417b02bcd32d9b168e4dc0ce4aa1e77d3d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage.sqlite

Filesize
4KB

MD5
23605e20ec7b9c605b210ac3996e7a62

SHA1
e01d89d33f05c4e7ef9eb63d1487b297b420ac86

SHA256
1387ad3f14749464f83e64bff542db5bdb73d1ec9a6556bbf3041d943a7e3003

SHA512
63f6a0102efd24da5fd50b0fc6ff00da33baf2cf3cd2fb1596e6293aaf551ec41b2ddda9b868f606c3c7269132e282d06d3c815b75d71ed9c2e46354ce588450

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
2d879dac6113caf13b6ce3c5faba334b

SHA1
af336a1eff68c55ef74a1bce6f4d4e03219298a2

SHA256
3480430d414565a6b7854b568b882c528a745b0e38671e430b3375dd67027596

SHA512
499c9a6807826adc104927cb98a053b0ad257ea53535685017d861e1c28b9f2da913c49d2b00219a7adfa3ddbd3acff6700bbcff81127197eec628ea287d92c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
560KB

MD5
03cabb80023aea9c264155297823cdb8

SHA1
ac96d79b28762817854ab7dcff79c1a38c43ed02

SHA256
cf028a1faf85419e9b45b5b57d72c70a1012ae981beead9bd848f071c050c566

SHA512
18d140ebc30c982859a1fcdebcdb49926e78d0f6a2e7f26c76e75ea7e52b54c6965569939533b1ea38b565da489ff614f792b369e0f57ce58c468823090fbc77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\dfn8djy7.default-release\xulstore.json

Filesize
217B

MD5
4cbdfc4880bec82d84bce21747789706

SHA1
e11d96dba2f23684d3c47e915103fde230293a23

SHA256
09df9aeebf64843204519e11c0c2d42816576965866bac84aa1b0cb58945a910

SHA512
21ba56a3558b1f2e6dc2c2e6f7589d3d2d8371c924e066da961eed61b8423f520c5d1eb0aec3a00fb0032fa398d3cd3051d2f27976fbe5dc2a18777d8c71b456

Download Submit
C:\Users\Admin\Desktop\NEVERLOSE crack upd\NEVERLOSE.exe

Filesize
303KB

MD5
e587da55e036f24b327b1636161d766b

SHA1
1c1a97b24502caa261ceb38b18fe2867b5fe322a

SHA256
26afd3410155750259ecaa7a75f68f11ad35619e2481fdc1e8ff9b0c1dc79a67

SHA512
37d71e3e6e97b3b4aad9f8471d4770c3d5f0331009b832d15f56ceb8509c37a6cbe938c303fec30a7bc05d4c84f8eab55ad72876f87a10df79cc8a3393098af0

Download Submit
C:\Users\Admin\Desktop\NEVERLOSE crack upd\Прочти перед открытием.txt

Filesize
254B

MD5
a2e05538e63499d255fcde82c4049021

SHA1
bee9ea4f77a54a053a0049586db18745b41684c1

SHA256
76365cf7f088ae250b361902cb0b6e0f3cb0e5a2421a01bfaea32ee1abfdad13

SHA512
8aea6912d096e24b2b611d5431328b94c1cd87ebd229a2b5f7abff3cba3a647cc4f3cb3b87058a4e58deb4d2ca0acb1e37f350de8af42b7de25897f9c0319200

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.dK-UkRsn.exe.part

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier

Filesize
579B

MD5
909b1e81ce6fefbe476665dd6308dc66

SHA1
c9bb9e1e6a85182bb44a6bfcb076c655ddc76fd6

SHA256
bd23a0ab43ab5e40349b3c0d9c20883247359752a725a976a4255b236d1ffb28

SHA512
a3ba1f821cc0e3947815f20f131396651fe319b69101288c4826727f0be87244d3ff4b643105cc57a0180e8637b2979ec2b46e3331fb85499f5b1c750d535ea5

Download Submit
C:\Users\Admin\Downloads\NEVERLOSE crack upd (1).rar:Zone.Identifier

Filesize
58B

MD5
f328e184c322cba91dc3c014fe2ef3e9

SHA1
2aab1f0a70009051dcc87350e0f3b079da02fbb2

SHA256
fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d

SHA512
e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e

Download Submit
C:\Users\Admin\Downloads\NEVERLOSE crack upd.rar:Zone.Identifier

Filesize
170B

MD5
d595f954abc42cac34aa02c286e53655

SHA1
9a0ee917f3a38a933e703f6b6a7ee0e986732874

SHA256
50e6130b6f4b4b7f728b42725e359cd274fd448cb684914c9be0115c9967b16d

SHA512
7fa22f12817ff5d71be9908824bf7052b0d2f5873d7a9363619f228a7832a6fe3497fd449e8929d26ffd0db67a58e65e9bbbb66748d76aab4699963166633a77

Download Submit
\??\pipe\LOCAL\crashpad_4652_NCXSNUGKBPPMYYUH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5056-843-0x0000023526020000-0x0000023526072000-memory.dmp

Filesize
328KB

Download