5513812584a5ba7810b812db7ceec2d0e9cb214cef95a2580e29927cf4fe9921

Resubmissions

02/11/2024, 19:04

241102-xremnaskgy 7

02/11/2024, 19:04

241102-xqyddaskfs 8

Analysis

max time kernel
714s
max time network
706s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
02/11/2024, 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/LangDLL.dll
Size

5KB
MD5

50016010fb0d8db2bc4cd258ceb43be5
SHA1

44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256

32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512

ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233
SSDEEP

48:S46+/pTKYKxbWsptIp5tCZ0iVEAWyMEv9v/ft2O2B8m/ofjLl:zbuPbO5tCZBVEAWyMEFv2CmCL

Score

8^/10

bootkit defense_evasion discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Executes dropped EXE 14 IoCs

pid	Process
2392	MEMZ.exe
2440	MEMZ.exe
1176	MEMZ.exe
1244	MEMZ.exe
1264	MEMZ.exe
4492	MEMZ.exe
4396	MEMZ.exe
3940	MEMZ.exe
4924	MEMZ.exe
448	MEMZ.exe
5004	MEMZ.exe
5576	MEMZ.exe
644	MEMZ.exe
4608	MEMZ.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
265	raw.githubusercontent.com
266	raw.githubusercontent.com
267	raw.githubusercontent.com
268	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241102191520.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e067b6cb-006d-41d9-b6d8-f896f013269c.tmp	setup.exe

Drops file in Windows directory 55 IoCs

description	ioc	Process
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4936	3428	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 23 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	MEMZ.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\MEMZ.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2440	MEMZ.exe
2440	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
2440	MEMZ.exe
2440	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
2440	MEMZ.exe
2440	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
1264	MEMZ.exe
1264	MEMZ.exe
4492	MEMZ.exe
4492	MEMZ.exe
1264	MEMZ.exe
1264	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
2440	MEMZ.exe
2440	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
2440	MEMZ.exe
2440	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
1264	MEMZ.exe
1264	MEMZ.exe
4492	MEMZ.exe
4492	MEMZ.exe
1264	MEMZ.exe
1264	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
2440	MEMZ.exe
2440	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
2440	MEMZ.exe
2440	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
1264	MEMZ.exe
1264	MEMZ.exe
4492	MEMZ.exe
4492	MEMZ.exe
4492	MEMZ.exe
4492	MEMZ.exe
1264	MEMZ.exe
1264	MEMZ.exe
1244	MEMZ.exe
1244	MEMZ.exe
2440	MEMZ.exe
2440	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
1176	MEMZ.exe
2440	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
712	Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 32 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
5716	msedge.exe
5716	msedge.exe
5716	msedge.exe
5716	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe
656	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	4260	firefox.exe
Token: SeDebugPrivilege	4260	firefox.exe
Token: SeDebugPrivilege	5208	whoami.exe
Token: SeDebugPrivilege	4260	firefox.exe
Token: SeDebugPrivilege	4260	firefox.exe
Token: SeDebugPrivilege	4260	firefox.exe
Token: 33	6000	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6000	AUDIODG.EXE
Token: SeDebugPrivilege	712	Taskmgr.exe
Token: SeSystemProfilePrivilege	712	Taskmgr.exe
Token: SeCreateGlobalPrivilege	712	Taskmgr.exe
Token: 33	5508	mmc.exe
Token: SeIncBasePriorityPrivilege	5508	mmc.exe
Token: 33	5508	mmc.exe
Token: SeIncBasePriorityPrivilege	5508	mmc.exe
Token: SeDebugPrivilege	1944	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
5716	msedge.exe
5716	msedge.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe
712	Taskmgr.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4260	firefox.exe
4608	MEMZ.exe
2604	mmc.exe
5508	mmc.exe
5508	mmc.exe
4608	MEMZ.exe
4608	MEMZ.exe
4608	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 3428	4452	rundll32.exe	84
PID 4452 wrote to memory of 3428	4452	rundll32.exe	84
PID 4452 wrote to memory of 3428	4452	rundll32.exe	84
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 2544 wrote to memory of 4260	2544	firefox.exe	105
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 2904	4260	firefox.exe	106
PID 4260 wrote to memory of 1968	4260	firefox.exe	107
PID 4260 wrote to memory of 1968	4260	firefox.exe	107
PID 4260 wrote to memory of 1968	4260	firefox.exe	107
PID 4260 wrote to memory of 1968	4260	firefox.exe	107
PID 4260 wrote to memory of 1968	4260	firefox.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3428
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3428 -s 600
    3⤵
    - Program crash
    PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3428 -ip 3428
1⤵
PID:3816

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2544
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2004 -parentBuildID 20240401114208 -prefsHandle 1932 -prefMapHandle 1924 -prefsLen 23681 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f8016ce-529e-4d84-8ca5-913b8299fa42} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" gpu
    3⤵
    PID:2904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2400 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f94cfec9-7e74-48e2-8b7d-1c47c3beb07f} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" socket
    3⤵
    - Checks processor information in registry
    PID:1968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3028 -childID 1 -isForBrowser -prefsHandle 3020 -prefMapHandle 3016 -prefsLen 23858 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9ad15cd-ab2a-4fa8-ae38-1cf89b95a54e} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:2084
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4276 -childID 2 -isForBrowser -prefsHandle 4268 -prefMapHandle 4264 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9a9fff19-9382-4bc7-9daf-cf998391a79b} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:2496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4980 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4736 -prefMapHandle 4760 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9e422ca1-0058-4d1c-b60e-6ca62244007d} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" utility
    3⤵
    - Checks processor information in registry
    PID:4996
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 5308 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6851351-ed07-4c4c-a8c8-95bc1edbaf32} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:5444
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5532 -childID 4 -isForBrowser -prefsHandle 5540 -prefMapHandle 5544 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {82493b72-b38d-4cc8-94cb-f2b23f08536e} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5740 -prefMapHandle 5748 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d1267f7-95b2-48a2-9a87-f2d73dfcc8d4} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:5468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 6 -isForBrowser -prefsHandle 5588 -prefMapHandle 5612 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9cb93d12-d148-4225-9b2f-11d50b43a1d0} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:6100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6500 -childID 7 -isForBrowser -prefsHandle 6492 -prefMapHandle 6440 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6ec69ec9-1e4e-43a8-bdf7-58aa32014462} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:5384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4556 -childID 8 -isForBrowser -prefsHandle 6776 -prefMapHandle 6624 -prefsLen 28242 -prefMapSize 244658 -jsInitHandle 1264 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1a14da6-c413-46d0-add3-312aa9ead996} 4260 "\\.\pipe\gecko-crash-server-pipe.4260" tab
    3⤵
    PID:1512
- - C:\Users\Admin\Downloads\MEMZ.exe
    "C:\Users\Admin\Downloads\MEMZ.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2392
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:2440
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1176
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1244
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:1264
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      PID:4492
  - - C:\Users\Admin\Downloads\MEMZ.exe
      "C:\Users\Admin\Downloads\MEMZ.exe" /main
      4⤵
      Executes dropped EXE
      Writes to the Master Boot Record (MBR)
      System Location Discovery: System Language Discovery
      PID:4396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:1036

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1352
- C:\Windows\system32\whoami.exe
  whoami
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5208

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2024

C:\Users\Admin\Downloads\MEMZ.exe
"C:\Users\Admin\Downloads\MEMZ.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3940
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:4924
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:448
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:5576
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /watchdog
  2⤵
  - Executes dropped EXE
  PID:644
- C:\Users\Admin\Downloads\MEMZ.exe
  "C:\Users\Admin\Downloads\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4608
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:4480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x134,0x138,0x13c,0x110,0x140,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:2312
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
      4⤵
      PID:3672
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
      4⤵
      PID:3780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:1356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
      4⤵
      PID:4088
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
      4⤵
      PID:4668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
      4⤵
      PID:328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
      4⤵
      PID:5512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
      4⤵
      PID:3752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
      4⤵
      PID:3676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
      4⤵
      PID:2628
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:1404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff733ea5460,0x7ff733ea5470,0x7ff733ea5480
        5⤵
        
        PID:3252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5540 /prefetch:8
      4⤵
      PID:4636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
      4⤵
      PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
      4⤵
      PID:3508
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
      4⤵
      PID:4076
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
      4⤵
      PID:4752
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
      4⤵
      PID:4908
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
      4⤵
      PID:2028
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
      4⤵
      PID:860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,3346633194000884709,2527633271388706402,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
      4⤵
      PID:5268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
    3⤵
    PID:884
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:4280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
    3⤵
    PID:3308
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:1572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=montage+parody+making+program+2016
    3⤵
    PID:1876
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:4932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=half+life+3+release+date
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:5716
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:1772
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,5023832172964110701,8931620295032154804,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2
      4⤵
      PID:3516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,5023832172964110701,8931620295032154804,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
      4⤵
      PID:228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,5023832172964110701,8931620295032154804,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
      4⤵
      PID:1116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,5023832172964110701,8931620295032154804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:2060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,5023832172964110701,8931620295032154804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:3452
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,5023832172964110701,8931620295032154804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
      4⤵
      PID:2432
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,5023832172964110701,8931620295032154804,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
      4⤵
      PID:4532
- - C:\Windows\SysWOW64\Taskmgr.exe
    "C:\Windows\System32\Taskmgr.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Checks SCSI registry key(s)
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:712
- - C:\Windows\SysWOW64\mmc.exe
    "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2604
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
      4⤵
      Drops file in System32 directory
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    PID:656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:3780
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
      4⤵
      PID:5948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
      4⤵
      PID:5800
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:8
      4⤵
      PID:968
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
      4⤵
      PID:1524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
      4⤵
      PID:5140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4340 /prefetch:1
      4⤵
      PID:2504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
      4⤵
      PID:3944
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:8
      4⤵
      PID:1160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4508 /prefetch:8
      4⤵
      PID:1696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
      4⤵
      PID:3760
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
      4⤵
      PID:4436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      4⤵
      PID:2816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
      4⤵
      PID:4540
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
      4⤵
      PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
      4⤵
      PID:5480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3820 /prefetch:1
      4⤵
      PID:2816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
      4⤵
      PID:4356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
      4⤵
      PID:4816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,5658523726008654069,7207462901505640840,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1872 /prefetch:1
      4⤵
      PID:3008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself
    3⤵
    PID:2656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:6132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
    3⤵
    PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:1700
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=what+happens+if+you+delete+system32
    3⤵
    PID:5212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7fff25cb46f8,0x7fff25cb4708,0x7fff25cb4718
      4⤵
      PID:4136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5956

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x320 0x4ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4296

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a134f1844e0964bb17172c44ded4030f

SHA1
853de9d2c79d58138933a0b8cf76738e4b951d7e

SHA256
50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589

SHA512
c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99273f03a5f58a70702412e746d88776

SHA1
df2de508c944c83801fd297fea000706f05a0dfa

SHA256
f19ffc899a80fbd6cbd4abc1f7b6331c48487249efc9af06d2a04920b1fd81df

SHA512
e9856868f1e8915a448e0efe64f0eee0a5124fa772ffbab8fac728a032b72f68ee719642af699f0952e6540472bcae35804928b5ff8f6fbd85ebbc481c2cb7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1e9c520945b22b2da8354818b80727e

SHA1
dd41649f79dc603a40d40724d659f1ef57d46410

SHA256
50c4d9bd0d680bfbc4fef2a97ca7d38b08d75abb76a113bc1c8301d4a3465215

SHA512
12352c071ae60ccdbbec5399e5a991934cbfbc312b8225047d8c35bc88ed4064ac9e8a953e538551341d410448f12cee4162e5ec6a55d17de9f4e2888575fdce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5b270d3751166bb1136235c2618abc64

SHA1
31199e508347b1ccf197c168a27c0631996f1a90

SHA256
3c3e42a691c7a5aa07b82b9bb25f149e948a77ddf0f23a5437d01590462c18c5

SHA512
8ebd1679affb001f43899d0b279a4cb350c3f033455c58c92825e71e2715fd69bc72db8916bb78a10303f0b92b99e61bdccee53174fc5730ad74bd591744b00b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78bc0ec5146f28b496567487b9233baf

SHA1
4b1794d6cbe18501a7745d9559aa91d0cb2a19c1

SHA256
f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109

SHA512
0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4eccdd11-e64c-43a9-b5cb-d19f6cd76486.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
0f7ade032d0e724b57f52b7f28dcaa84

SHA1
9ea3ecd54cda06de100d808a4aba704c8c022500

SHA256
2f3afcebb2485e65f4969f4b50ed08524ca4e71b8b2fab337474a82906ebd273

SHA512
afe92db56a55ddfe2c5209dbaecaae7aecac480ad500bc00d1eb0e9dfb4d609e5fcd4edb54339db4418871b43fbcd62ad9650350c34b522ee3ae8f72b50d2dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b373425cf0f899a26a08a9fc91e6289b

SHA1
d6f8f06af1a47289d1e27bf6dc1922902cd9f2af

SHA256
a534ce39ef19f8c4b11d4af8f1eaccc6b1f24c15500d1ebc60522ce1284040f9

SHA512
db3e06f1b84457b471bd80724a617b4743b5f388ed0544db2c4f5f6e1b2574811d3c4943cc96182b1a884eaebe2c196847515eab94bd9c601d15030a4a0f5de0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
87dbcbacc3e9c5cbf0d574aa314b264e

SHA1
7a852ecc07a17a2e3dfab15804a1c053d3ea587f

SHA256
63b8bbbb61b89924b592389554bd508243455c206e163feb593041a44f2a0eed

SHA512
bdd9e8bc8b7ac3b316e93a709b552c2358c549ea647b8619cc8b06cd6e2e0d6afe0425b867cb024ec12e2e5c33933ed30dbfcf6221ad229a1cde175038bb3c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
b6e48596269a1adb7deb8492199ecfc2

SHA1
d54fea49b6ff2418cb305043872264601272ab6e

SHA256
615c5522d99cdcb484f6a0bcd06a3d5df72b9d762ada7b15556439e8c7fe09d4

SHA512
cdebd37c420eb9a9e4f6097fdb042f22cdd76ac514664e0b804d67477da86b01a0a23af6466842edafbf924b7c43e8d311eaef38fd0254dd603e0ddc063257f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
a1c6e55057a5cd74b7af372d837a453a

SHA1
421cbfe7e31029062769cfef625151f019c69ecc

SHA256
94e7641be6e03e0b3354601e12587172df6877ac72e62c05d23419bbcd188e13

SHA512
0b8215186d2ed39d233b1904e605f96b95dc8f9486e7a0ee1f960671c472749fc1f3a253b24e6fda01285d36221340f45254aca52f56cf329759c8224fbd040d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
8b4b1dab11cced442aad93b5d98559ab

SHA1
f5e8c12edf788aeb5fc5db1776d76afcfcb9306e

SHA256
2991c8e0b9f5e58da90aa88b7bf42d84ce1b3c0ffaadce59c3e7f021c269d6f8

SHA512
b7ec6f82e6cd89939c78261983cd60c5f2124765ea17f9debffa16b44d3ab9678708913fc2f847be6dbfb439d8fd2fed797a7df69dad26d1f21add7df25f8354

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
7e2db21d83c2b67c49472833a0486a6e

SHA1
a52261e03e666172bc919a0bb9c7a07023afa464

SHA256
4fadcc0d853c24d6dab299830401606e5bad963801dbcb9fe3192914ff7e8e42

SHA512
8ed009a768badd46b9876a5480bcd5208dbf2cd710ca246d5918cc7b3d68a1a229d7344daf8e8c73b93aac64321d24ede621339362ee3ae305e44a2a8c88446b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
dd2f43429e55e21ae128dbf875ffb89f

SHA1
8eeb170ceaf6d94420cc141d52c81f538405c283

SHA256
8c9a38a00e24878aba7e406e422071f8c5c6414470fdd4998473877ce1c8dc9b

SHA512
8bc4c830c8be0fdf1455aeb201dea0ce6d3e3e5849befe9a80512068196d128ecafe9c451adefe653f4da413247606564c2525f169bace27814085df3959a48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
00832d91c892d0948f709f3ef28cfebb

SHA1
b07473bd8fe4eb9655b072045f2dbf06742be0e3

SHA256
4f5ee9dcf8a03c858f20ec80c3cc0cc83dc899e1cb55cfaaf4e63372d22b7e3a

SHA512
e933658b7778fec7f29d36c1c5e8c21883336ffde014fc1792d9581d869262ad8d5b0e88cd1006420809f2bec66dd41718b5fc393e0792fa5a3fc85fd4c15c89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d0f66602c746feaf4ff9f417ace35b43

SHA1
81e3ac1615ec9914c2741f299619c3dbdc136106

SHA256
2a8e2d336828768b7958a63a0a153ddfe5b6353adbb8d1cdcec5dc1ce8570d4f

SHA512
1b56abcddda78695c143d30429ee6b6c4ccdb8b01b38acfcc5465257ba13d911be5d07ccfc72d508829251be69df69d95e9964a7fd90cb1e185d75213e5c9427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
b1999e2c36a0b04a8a283d9016991884

SHA1
42e80a46f2f26aa28e54545c18c818ce8f3ea647

SHA256
baec917d52ce9f8b8969c0e000b1bf5eca65d31d71d9497c6130e7c0fe477be5

SHA512
9788146dfdc708144b29a9153477d654613a95f1716bba628de85279bca8384d63ad1b2a75a4a86246d518f74e3352c7f2a0598221660ddc2f094d1865b370ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
815B

MD5
d933ec9d991d7b1cebc2720f530bec5d

SHA1
8b1ee407897eaea7561b8250cd9ecfc511ac2dd3

SHA256
020bbb7e4d82a19976cf7a6e56867a8bac6442b2d597ae08c21e4ba4fe09bbb5

SHA512
93eb863babd28bb4f09ced1c77dc93572646bd15de6bdd713abe3bba739345224670679cc2c661d51506e0e15f70aeefcc53ffbb938343c8ea77ba0c5bd6c114

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
909B

MD5
20e986b7e53013cb620e8ff6f48937ee

SHA1
bf07ce19786e4b444f886de9852533999292aa1a

SHA256
e97c1153850f5be608848d5679df3461d8014ef4c5f063cdb9b3c22f4c48f266

SHA512
a70ad3288e5080943bef6158843135aa3a3322701acff8280139a906f3284bd2b51162c035b7577451bb041a4050ce3aab6708f2acf927156fbb662a774c3aea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
909B

MD5
8de6f1e4fecef7da06e882f0220ae831

SHA1
97584ac3b949ee9ca6a8d1f4047ee891fdaf1577

SHA256
ba85b9b5a7f804a2f2abe95b10364914a98bd2c2e978283b045b73fd53420a65

SHA512
606b6ad752e3d59f3ff9ffc55e38a99463d4d11c83f52c83eb97cfee76b14a77f3f66b8657894bfe3c820a3a0443defb8acb9d2afcde21cda7e16779a56a9279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
784B

MD5
90e564d6a59c3718dc726ff98884cc6f

SHA1
f93d0a271bdf28061697186962da8f4d8eb56cce

SHA256
55a3a64083b876116aae88a0bce50f976b961d1377579975e45cd55b2e28b256

SHA512
041106f3595cf1589a7554b05525dce09fca4cc0771d2ca77a359d74b4249a9d78f90199616dbb64a6d9da46c30b0eb6693f0ff58da0b4e7a38c22367fb95eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4adbc0e377486a71a42e5c5e0f1248c2

SHA1
83c95259472912caf552835dde642485b2c50046

SHA256
23d39ef2864931499707acef12a043669f355b13a7df3067637e8dddd18351e2

SHA512
f070a849f7e68ff82dbda2dc591bf8bd394e9a66a2565a20eb4dcffa7c19a40e56d7e27ea9cdb8fb50d44715dcfc3bd0aa2b981dddfc28199fac0ce776e5b58d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1236cca3f30a7d197c3ba19c63c780c3

SHA1
caf7df0fef2c19508d7d2fca9fdb5634581444d5

SHA256
c571461a8699b4539ed3c8f401ee0064b156088c16368e080834ed38dbc4974e

SHA512
a40a4496fac65dcc0fb2e93682d8b2e07b615ad73a003b1a13e618045f6818113bcf5d9bdee406577f256a1da29f34ef8de8b83aa6b36938fe4e734a7e46542b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
4abbe317acddb3187df295696abf51b0

SHA1
9022e3c8d94d0c7accccd5ea8e6ceaa7890cb7a4

SHA256
09314e57e92e8d80d00c06a9362795c56dddf3137461244e61ca5f43bd2dce41

SHA512
b5bc593e02415a3396f14e41ea2da5d1a344d3b1a2dd9d394bfa3c74f4c381095dfcfe89649627952a913188ebfa7cb5517e559206a5595fc0d3cfdcbe10d8cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0408d84462f48a34999e932343d947e5

SHA1
899f5a347ea067dddf3512e5cc317d97254ac2e3

SHA256
980589b6d4034448c1fbf5c25637a5fe2ca9bab7e0358826fb400f1b9290430c

SHA512
45aa5bff406d86e930fd5619fdce2d79f10f006462d979ad5f19872e9af0711edf6bc81d8e9ea47d820b14fa3e0eb8db4adfc9f1d163dc6deba8a04ec5c1a2c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
69c571d2be0ec4d76452bfa31915fb69

SHA1
33e2af9f26d23e9f597e64d7bf599de0ddd80c0a

SHA256
29cca06119c4e8c84a53f1828c332c2b4cb1cc7e0192f324502486e0c2b8780c

SHA512
f4da1baf4fdd9a905d6d6274e65d5211fffce7997476e85381c6a160f6ca1658cb390fe6a6870da768cedb865550e60ccd442dda76d0013aae20cce870af6e13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
15092f942fe2fccadc9cacfa7839d357

SHA1
57259f972f41a607abf905bacf92b7ddfd17f214

SHA256
e38683561fa01001f85a7b69785fb1bcb7278e01252c239479666ae9a7d7444c

SHA512
f4659aee1935b610515fd06aa19703344c956af19031e934c36765968ff0a58312952fc8b94068d7abfa90a9ccd8070a019bc0a295c73988ad2f9d7f3bc9254a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f4249a754f4227437c91218ea5a2531d

SHA1
84139d8fe95f3a061d1ee9e3dd91d2c24293d1ba

SHA256
3ebe8cbaab5399d8cb7b5fe14da2933625d36b2b1748c1db262672dacfdd3895

SHA512
7185abcdaeb67e210e1e305842d7125ee2f0785e5109565d7345420a59d0939b98032955d29e63e9018ea898d147ea6d982d92874d9aa912ebe41c2d6973b992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ddd13010136cd91f84d530897bdf1f29

SHA1
f3c0983390f453866cf93c296c0d004b38451032

SHA256
b4fa10e1947ee364840cecf718e9675d474b1007b7246ff0f0371638a3bdd627

SHA512
cb24323a29bbade14b6ea3137d71777cc05736537af9085c893c2e285fcc7190109432189aba31a07cbaeee04bf840854681fcac4b3a4c2a8c8d0f1dca03bc2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1daa9a36b1ce0f657e6d8d74447bebca

SHA1
663286a9c0973cf6e04366cd833d96d9b25efc30

SHA256
0549e5c8dc8646bfca8c4a1e63867a646da08cfbd179a4b604739955b306de9c

SHA512
165ea97a3e02f5ed71859828496b6e609712cb36b938d454b123928c7784cb51690a3ed821a44d1e27cb9ea2f6a4c6477af56ada18940b06a295be30a1b55692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e9a87cc75a875dfe0aa0728aa96dc0a

SHA1
052308ad7a0b621d376e7fe2019293d848269961

SHA256
73185a7d5229b27a588e1940d037581fbed3673f1599b223d2928a167babfd4c

SHA512
3a1365177d7a20e8454c1858713d9c616642e188f1d9197e8e7a8963bbd2bd042e5b8d4f0dcb46dfa5ce585c3e0c2d1bf178e183a0a5c6a52db431114e3dff8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34e791933d9e350c98e390abaab17351

SHA1
ff1b9605abd8eada48063f527bfabbe012583794

SHA256
5e6620e7bc4b20a587354383f6b4308750144cab06fbd998f3161588df6d53c2

SHA512
39b3debb032b413778d9b5585572c2cb51cc61319ab6c64952557465a57eb840574afe5310918726d307fb9ed90b49bd4b03bf6038d51c748aaa269464374d88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a99cb6bd4d4797eea75db51b787c54ce

SHA1
ef1905cc14b0e3066594d22d449745d2fde27831

SHA256
9171ee1b87e28f3fa9b779b50407b5617df1c16f34d2c877088b69807b6b6032

SHA512
b9d8b4917f650e599cbc0118fffa84bc8ca3f653b81a85b63dcae5ed707c47d6c6812b16a6ba558b9da1b08004c26dbe9827a797dc639b27c54533b087f1c139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9010fe212d7da97a4e9cf63a903ee7a4

SHA1
8f124a736d045eea3c50a9597d18c9af8b128e28

SHA256
c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834

SHA512
f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
21320325bdfc20c6f4e4d136228fc9c5

SHA1
7e96950811d7ddbc1daeb7341ddb9768980bf2b5

SHA256
5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e

SHA512
ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ba4ae8c34ebc5c0521a4f3da50ba2675

SHA1
695080ca597f6a695b336153a84bca15aebf6586

SHA256
529c7ba1d60056ce94192564dbed9ee6e1495b5c7ce3332db1c92b1cd36bf29c

SHA512
dde34dc07db3a63ea93ea77a2d2636b6b5c0d165a03eacb68f96f303c86613fd9f3369d4f0fbf8b81907d0a388f6988142cf2881e43be3ceda29744bad26d334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13375048601429845

Filesize
5KB

MD5
fbd4decc6506deafcdbca79c4d37dc77

SHA1
60883dc6cf2752aec4a244bc7cfe38c49c59dcdd

SHA256
fb988fef6a400380e06039719821c994e28042b20cf06310471e342b76813705

SHA512
4811065d171599ba07e090580bd3c99474a3e73bb79fd8ecb049fecaa5bb3933e3fae10c899bb3482a890972b94652f5098de10eafb52bb67c77cc898ad36493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
1902c5b27d6ab186feeabb026ce066da

SHA1
588cd0b18d9a40542ad16e2dda2a49321495d4fd

SHA256
3598d94db59292bc1ec2ea0971bf0de6dfb6481bec0750031996102ba898cd83

SHA512
bd12c0d4b78715982f53cd381433ece8804fc165683433c1af5ade8b2bdb64fff44147b207f81c33343a6c4c66cbad339dfec7f274106a95d565e9ee876256bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
693c39b1d11a6a892925c869d9a13da8

SHA1
b9210bac59173f087edcbd4f267af5b19f2aff9e

SHA256
7fe5992c555d4abc4a1ed91ac53c2b6f1833bb69a1af0dbc16148c57c307d8a9

SHA512
6c54c48c9b0b0887d9c5fc5b1a6780d47f7316e3066e3eb4fd2aa7609c4ce79a87f7da330dc060763fb4e44db2bef04560bbb1a922fad7e7b491fa4f1ac8ecf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d088ca5cf16cf2076d66299f64e13a5e

SHA1
3d2fc857d70804e3f04e6b5adb9c78c658d84351

SHA256
ae07a11371d3997278d91e635860a39b9ed845ba6a951cffcf7cd96b56faf795

SHA512
d7ec2e6742e38ffca61241a8861d58dbd0d4972b024174046009d185fb0411a7cc5363984cce2e090c0966603c41b38611f83c1dae747ca1db864d183316a564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
009162eae08e49b0d2ee6aaf36a8cac2

SHA1
f18f63a56327278b763561e1656587a311f8fbab

SHA256
6ec282f2e7aac120593ca2e5e77adf55608530a03822a370cd3256dd2518f4a7

SHA512
7462a0af8e6072998d3bc478bb379bcd9ece7b95885a4481c35c68b7aed974aefbc1530f8bf009f4c926ca0d31b1dc9ee200645bc9938304b44cee9b356beba3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
fdcb0b92c7fdf2e90ad6ba1eea2a79b7

SHA1
f92de6200a4420d773fe10cb9b0471afaa1dcdec

SHA256
568d7668a634aa92ae0b57ecb33643102651116699e673d99556b05b38d190f4

SHA512
e0203b4e419b680e46ab628e64f6361dc2c91942daead40c1b1083e9c5c39b82b95dd7036b71e74d8b6afd280bd4d0c4647b61ce7d6a6c9416feaea879987b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
445f27fb3026858e4b19ecb8e827facc

SHA1
341a4f05d522d834aeb15b14bb3f430dd97f1eda

SHA256
cd61125fe7e75f62958b70cf6670cf207925f7f1806c494f84076c0cb3b4b7cc

SHA512
30e3141dded6f80771f0e9840f68bc0d2a14513ff105d2d4568049c6703c16797304f96fd9e8588764e2e67f7b498ad099fc954a331ff73478aea26d8713634e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
d00d61b27592791dbf285adf83560730

SHA1
5eb7dc432835a4c76d73ab5a8c2c298e8ec07a85

SHA256
25abdf66b98eacaccd51a17f0d789c683d26771cbacac0641d70b081f8a65acc

SHA512
e2510ef66ad332a9ef95bca9f4d7b7a169b3cf9bcb024be45b12d20ee03a4fc86038d1bd73272c4239eef14442fa0e5ac1408ea7f86aadd7d98276c9f8714c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fe6959397719c4914c7c72737741c483

SHA1
fae32db9aed1d8821e20efa5f1156c95106dbf30

SHA256
4fb46369b014412c7294dcb5ae0c1d99d1dd6d2a025d3a1e61cafe86b5ba491a

SHA512
0ce54e9325b44f89e3e4b10e23da30d15177d0049a9b2d45770deceb915a1938ee0a6b948b9d09f5e799376d9f99dc271b7e4f6a3354689801f28682d9f8e027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ac89eadefdcb6adf210fdf9d7c9ad5b2

SHA1
0fe4c4388ff5b80ba5ff8964ab48875fe6632c4d

SHA256
9b0025e5a2c4b2621d81094d9f37c095858392954770b7779ed0130a79b38d5b

SHA512
d3bb5370efdd1cab27cada366948766842ebf804ac1d7a24694b3073c005dbd92904c01da8780ce5600c019d01b61d1ed0c8591e527451f9023aee8011d5da92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
22551d6225d80faafa47f6ef9e883e28

SHA1
be3568f5f9ba1601032319b073d692480b4be6ac

SHA256
3228c11caf964a57cc709e8176407d052ec6f1fe29af662a4126b6aa5f020345

SHA512
0fd088d8353d5314f6c043f60287ff79569956b5277ec38663e675641ecf6484c2dd072bc7c71a3f78d22dffb6c712e23680468ccdc86d0a7080f606bf2d9961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
856b8946216d78baaa74c1a1128f7cca

SHA1
485b89e4b74a4807eb57a2da39fd3f68a29deb38

SHA256
c42e36a348292ce828a0eb7c37626a93992358f81175ce80870a64eb5ba9aafd

SHA512
f7b938a2980c3e0b74a92362dbc2e3de4bf443ae1ec1009187b95310b6fb395a215716bb34bde3aeb34393134ed75835cacdd0f263004232f591bf8f70d673f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
e073823fa3d858271a5db71384d11a2c

SHA1
d7cbede1f0209d81fd878a5356495ea73fee150f

SHA256
68538997f99330f75f0619d4d3b7281244ea98b0f321218d690fe6484ad3cc5b

SHA512
b4d34b78adad0f20d7c1b698e7b6209ce168d09fda955249f00502e85f78f13826158b5332297bb089c7a1f6dd95a6ee2f290ef525991ff4489534e7a8ca0578

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\f1lggfg7.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
2f2375105a7ece379932f15cb95b021b

SHA1
0cf6258102b5a5c898d8aea6d907a5136b09e286

SHA256
c1e85ca55a999e380f41cce71eeec45563cc0aaf7e05af395dcfc128226ce8ec

SHA512
ac5e691aebf842ef06794f755c8662f2c159a21c2009deebf65bb146bb70060a9000fdfb926753cb0bb8fb391f0617656c93c0e5ee35b5aea258b1f896b5b6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_h2ljdzsk.trp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
4ab25867d713f35c06e25a198dd283d3

SHA1
6364e8f22ed6b8d991f1527fce917587aba098e5

SHA256
8e52da2083fa87008e1376b832b736ade7dc82e029fba94b424d3b71186616a2

SHA512
afeff938ab44d8b324902db423ecb89a1db58e29c55aa99732e03838575e09a83413f069798566e12c0e2b3d44ee0e5e57c66052da23325464f5987adb4f0ff5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
2671cafa968b0814b699859d37e4ad20

SHA1
940079608fb2ddae24133e8ab95dd59e72dce0e9

SHA256
3a04511e1a9cd29e6bd35d5a54828d70bf8ca583984d2cdf689d7ec7852609ce

SHA512
aa7801d29eac09fd137ed2cff16512481655ffe104978f37471450bdb44daedf11d56b51155b0e15c4c89b3cf5e88a6b98481965b2d34938d4d71e402efd8b9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\AlternateServices.bin

Filesize
11KB

MD5
3d7694bb5d9abbdb186b9d43a7836804

SHA1
44fc67b5f4397fdc4ce5563ad039c862f3ec4cba

SHA256
b14aacea9be13b7e79be3e315883e9136472c4c4a9f7cbad9d0f106c4232d756

SHA512
99890d899c41b847f083fffc41cf2642a9c8e7239d8fb502e42a6cd0107dd2410c8a3cee02ed780c7a6a76603b6fe1dfc4686b413d31dad106ebb92510fae107

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\AlternateServices.bin

Filesize
13KB

MD5
a3426d9dd2f568ab9dc31c5ee6affeba

SHA1
c4f6029f63f8572bf79d847e0028b52bb329da81

SHA256
549ee5683578f2f3f4f968811c1833e714d6f2ae1a3da7bbe2b2dd41bc0f6c61

SHA512
d976594777da4547d028928faf00173992ec2f669e78f9fc983299773ede2c80b0df07eb0fbc5fc99a3974884a4426a2b63b257dd76c7c716c9b6339af412e3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1f9e4d4a17b1dfe3242e2660ed894e7b

SHA1
d16c7b7275e2422931914f4fa205f0a47c20d34f

SHA256
9c0b1f2ff2c6d7e949e0f6f2963dd2f7186d283c09181a7929d4c8bc0f2e489f

SHA512
da2ef15c5345c2566f9e8deae1eec68c84ee77b036b29f27c0acf871a9af7a7b71b0ad71340aae5c97d4fd7338d1ccf6b0963635208be011c650a9ce3e3cc646

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
ef26699509d73c257a5fbeba24c6b9c7

SHA1
2edfc4766a4cc86bdd4480184d70518170d2c22d

SHA256
9c2b33ddd7c46141b92f322beea30c63b7586154bb4f5520a8cf032f7f80a402

SHA512
9849545ca4947861fded588cd714784d3187de13cd33a3e8a16c1a757fa117f0b455bbacf35faf4b7d85227de43abbd6668fdd09e0051439416f2a44dc21c589

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c6b3a4d00c0c8711990f2b65821c4cce

SHA1
a5585f2eb9bc06e981a1c65ce143626a59806dec

SHA256
b02cee59e495378ec816cb1533e2d633d21de94c12340b2233addfef1fcf7634

SHA512
3e0ab37133f27771aecbbfbbd34143b9e212fc6584c7e59eedaae0589f43cebe91af3e133bc7ed963b82a9c378bffff814146ee791b10193c86c9d41188e01dc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
c0301e2b9a4e194c355bb662a670bc03

SHA1
4ad39ef3dd207d2dd0f8c2f8fe9d2f74430b6668

SHA256
0c03839f1aed5c6beef1caa9ebc09686ed6a366081a95397a332640eb88f1a78

SHA512
14420f5e079c2b0af83bd0e754fce8e78fb264f54edee179fe972e9f5a51e2fe904fd926ea93904baaa979a7a4a82727b20aaab4e4a5cd89cb31fc9f7fa85107

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
d396cf55abb7a0ee415efe6d59bd84a7

SHA1
ca82e27b7e7c2e35c57ffd689f72bbf4acf02b30

SHA256
46eb4bcb12faf447f4eec6db7fabd8c1efd6d10efa80e78be0fcd28f74367f81

SHA512
23f1f15ef42dfef87bb000e15c7b703cc8707f15839ce600f5b1ee061d90e0a886591cda84d6db5e3e329960dea3d5f976deb97eebbab0abaa8441134f644ad7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\170551bf-c64f-462a-96b6-b2c372c2eac5

Filesize
25KB

MD5
b459791327beb2858767bee94bb0096e

SHA1
cb1b1f89a1eeabd13c577516787cb665f7e63cc6

SHA256
77798e690c12b9794f5c2bc9d3b74310f34615c5612a1f16d3c9e91297369a1d

SHA512
63f6f9e433e555540f2df9973083d963a61ecb314b4313dd666c7dae03499cbefd53500de99a8db3fc5b87176995e0c96efd7599289fbaae56d4c5cf11ebd06c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\492b5f98-e95d-45df-af37-85aa93c82b4b

Filesize
671B

MD5
f4ee4f1661614980a1b561c215daae6b

SHA1
4e39ce44e1deaf5005da1e2f79c7e717a17ac293

SHA256
6205931565f032775d3c98e7331e41b4ddd58994277114719f13f49544fbecd4

SHA512
08c17948bb87cf5363d2d837ea74cbea1dff2c8da6d686fb1d9e4e32a4200c4186aa3467ec39fa6d26a83e7c05440ed956a232e2de3355309c9d53e5fc7ab158

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\92466561-c456-47d6-a3cf-aa51fa1e2e4c

Filesize
18KB

MD5
0f4143e78de5ea722f545af7d47e981c

SHA1
0fa93961332f6ff5ff058ab2f24b8a9b3b3239e4

SHA256
b42f5cb0eed52013aa1ff1ef6edfec48cc388da68acfd5d77e93ccaf21c645e9

SHA512
d4329e75d8f521dc0cbcf22add8adbaf905188ed82f58240df053074541cd205e6bf4b4691b58011544bfbfae785ea6d87a941524209360001577fdf10325974

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\datareporting\glean\pending_pings\e2f44200-4905-481f-89ed-ddbbaf1b4288

Filesize
982B

MD5
f17782e8bc4ab658663333f7d2de8dde

SHA1
3600a05fd99742e0725bf1988ce36f38fcf7684f

SHA256
a03766d623511b2d9433f5df89270aba0456e3104997ca5eb4c1bbcb4a167c7c

SHA512
e05499a37b992d4b27d004f141116007d6bc06a478f69b110595da3ca5402fe057bcc5d000ef51a85fcd6616d84f49817696e783f2cbe1b10106374894b579f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
12KB

MD5
8f47f696907d2b361d09258718ddde16

SHA1
8df3821b0ec49b1b0a5a3b7365c7524330e57433

SHA256
06413978b22b1c03abe530198681e39d7147f08d3b1ef17b970f3b5cd000c06c

SHA512
5bff6273fca2868bd8a2f50340cd28fa5f8b1c230a18dd300a0afa09274a7473f1aef381f448fad69bcbb0f05dab700f516204c2b3ea233fc77af6962166c37d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs-1.js

Filesize
12KB

MD5
58b8ab233d8333b41792793f2825b065

SHA1
aed4a3f0f249432c58f24e8a2f617b4ee96651b8

SHA256
ff89446543a33d045a8e02efe322197cd771f7e7d5fa816b6236c30ae3aa2f4f

SHA512
071c2b475e12940a09c0431b1e4aa52d6e45730c2b325f6d5763d9e2d8b90ae12a3e1c1066d4150132b7c3debd66a60a963e962d5bc76fcf7cd5e049ce28d97a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
10KB

MD5
41658908981435b279b8f53204eb11a4

SHA1
a4a9729db562cd216a1e1bdf1692be3d046e1533

SHA256
27571e81a308065d9d68bf10f5c9f812432874637e43fdb51cab8af1e1249fe5

SHA512
4a5ce747b5d92c085ecad4317f8976b67ff7abc0843d34ae16572861fcd6c7c22c7f3efe261cc54d5c149f62a349f3e2ef923694d55d266230b78a33fc225f39

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
11KB

MD5
0a9e23ea3b1c2d3a85ce183b926725ce

SHA1
962ad66d22961237790b936c114ab559137ab512

SHA256
5644e9d5188bdb98c998dad4dc593d87a8c238b3fb0d4ff7f04406aa2759ceb3

SHA512
c2215ef28201782097742a730c05d155afab3a0245ebc7d6d9c4382a53ee4b5aff7eca399829f80b1918209b73067693891927c03d3868e1413e690f8fae5a4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\prefs.js

Filesize
11KB

MD5
05c949a906b339d4de7c6c2581b0aca2

SHA1
022e1f930113772511f2fd74316f564e72187bbe

SHA256
491046c4cfea78c46f9ff4b03512f04fb82325818739113f1ff13aaf3877195c

SHA512
2935385b7f237eec88d23fe63143661f7ea07e001fa8b3f04f0fb1f92b4890c7ec46fc64a813b2c4e93236196c2d3058dd6c5fb0629c76b8fed8059e8fbf7c79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
d58a2b3bb57155e7b2093882f01b60b2

SHA1
3ee861a98131be0bed10f3edc3cfa1005979a1ce

SHA256
c108d7a6de94c4d9fbb3c1f8087e87645ee9917026fa439ab0cd3790c93ea1fe

SHA512
0269113ec0c3886a098f7734dd0944ae30e23dbcebbb701c02d08408a82439b30d5cad4ff37f2aeec545035c572d82dbde021fb56265ef0ecb0081158ab700e7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
71e3d186066c997302214f5d04ba5224

SHA1
60a0def01182fb9715c439eb99b599a5bb7a4678

SHA256
9328580fcca405e181601b3d7da164bcc08d19e374eb6fb6c8ef3835079b16da

SHA512
52f2f6345ca65e3b8029da9c47194f40d47cd3ce9a7bd67f577b066a3f85c6e946acc90288da6986cf183502da6b895d0334c3b4a4224c12bdd681f8b7a76abd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
5498d8139b1d5cd2acb8081170e0975b

SHA1
cfbdaedfdb7302a1496e94ad1c109fb4a5a2bbb4

SHA256
514665f0fb8dd4affec87677739387362a4d52b229d88cfc0d31fbb5c52269b7

SHA512
242651b092b26659a55828b7bd9fa02b8588d4a45b19abd7c27090899a44ad8d57d7b90bef1247383cabcbbc0f5ab68ebdc8b0489f98c73cc1bf40d4a4793c8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
17KB

MD5
0c808a47d877785c12fdd214da18dab3

SHA1
d6cf3802c289b7f8f649bbcf4208dcfbf65b5b19

SHA256
46e37b078505403d93402fedad1c893df2f04b7ddbd6614171997ab98a034471

SHA512
6e591170dfb6a846478b6d8c540ce2328b663a9729e4f3f3589ea2a08498bcfbc6944065f84ae03f4a5bc11f35f16064555494ad4564334d41411a797902c60f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\f1lggfg7.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
ba0cded6a631720f447f4ba075f6014a

SHA1
348f2f4d70129b801ee16d5601167f0693c930d5

SHA256
a5f07afcf90a078a0a0ca5795cda4bd8644e65c23fd5842a6b85abd30a0b688e

SHA512
79d09c2fe95dc1bf50d678c9224dc032f44f95221344dc069c660383f25153e0be329ba4e630778611b040887fe2f850f78f0dc1cf9ce792bfdcf84fa48d5f60

Download Submit
C:\Users\Admin\Downloads\MEMZ.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/712-1623-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1620-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1612-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1622-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1621-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1613-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1618-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1617-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1611-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/712-1619-0x0000000005F40000-0x0000000005F41000-memory.dmp

Filesize
4KB

Download
memory/1944-1761-0x000001981D790000-0x000001981D7B2000-memory.dmp

Filesize
136KB

Download
memory/1944-1789-0x000001981E180000-0x000001981E1C4000-memory.dmp

Filesize
272KB

Download
memory/1944-1790-0x000001981E250000-0x000001981E2C6000-memory.dmp

Filesize
472KB

Download