hxxps://drive[.]google[.]com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing

Analysis

max time kernel
59s
max time network
60s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09/11/2024, 19:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
8	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3632	msedge.exe
3632	msedge.exe
3600	msedge.exe
3600	msedge.exe
5020	identity_helper.exe
5020	identity_helper.exe
5380	msedge.exe
5380	msedge.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe
6728	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5664	OpenWith.exe
6584	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	5888	firefox.exe
Token: SeDebugPrivilege	5888	firefox.exe
Token: SeDebugPrivilege	5888	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
3600	msedge.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5664	OpenWith.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
5888	firefox.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe
6584	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 5000	3600	msedge.exe	83
PID 3600 wrote to memory of 5000	3600	msedge.exe	83
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 116	3600	msedge.exe	85
PID 3600 wrote to memory of 3632	3600	msedge.exe	86
PID 3600 wrote to memory of 3632	3600	msedge.exe	86
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87
PID 3600 wrote to memory of 4496	3600	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/14B4oJ9II5rDyYUSUa1-M1dZBuJsuRCcJ/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe485646f8,0x7ffe48564708,0x7ffe48564718
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2124,2734756319896960608,6647682650385480811,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3076

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5664
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\TeddyLauncherV2.apk"
  2⤵
  PID:5816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\TeddyLauncherV2.apk
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1964 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d45a7510-d7f0-4107-8521-6bc71c5abc74} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" gpu
      4⤵
      PID:6076
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2408 -prefMapHandle 2404 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3617248e-5393-451a-af94-6cf8c969061a} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" socket
      4⤵
      PID:2516
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2740 -childID 1 -isForBrowser -prefsHandle 3280 -prefMapHandle 3276 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bf75fe8-0285-4b1d-a093-1713e1adb17b} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
      4⤵
      PID:5140
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3248 -childID 2 -isForBrowser -prefsHandle 3704 -prefMapHandle 3700 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c947b93-d75d-4c33-a6d3-a42d146287e8} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
      4⤵
      PID:4412
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4348 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4516 -prefMapHandle 4512 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {57c039c4-f4e0-4a8d-b367-a329feb7d854} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" utility
      4⤵
      Checks processor information in registry
      PID:6632
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 3 -isForBrowser -prefsHandle 5328 -prefMapHandle 5324 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {26769c6a-2641-435c-8608-e6977dfeab68} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
      4⤵
      PID:6964
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5568 -childID 4 -isForBrowser -prefsHandle 5476 -prefMapHandle 5480 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3b5ccc02-1739-4f4e-95eb-d851fc90e1a4} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
      4⤵
      PID:6988
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5832 -prefMapHandle 5828 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1288 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {087e4d55-12ce-4536-86d3-f9beb165f838} 5888 "\\.\pipe\gecko-crash-server-pipe.5888" tab
      4⤵
      PID:7044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6584
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\TeddyLauncherV2(1).apk"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:6728
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6828
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C1BD159A798FE82264F9A8FAF52A5BCF --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4360
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=740C35C1BB11EC96AACB1EC5A5F18BA1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=740C35C1BB11EC96AACB1EC5A5F18BA1 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:6928
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E5AEDB5B261443B719B86A727CAFFDA0 --mojo-platform-channel-handle=2292 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5440
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62DEF300AF6D6FCC04BF57A725CC9AA6 --mojo-platform-channel-handle=1920 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6164
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8FF6447CFC3D3174F70198D65C72FAFE --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:6288
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A9B77D3A570EC19130E48E62E4C5F8BD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A9B77D3A570EC19130E48E62E4C5F8BD --renderer-client-id=8 --mojo-platform-channel-handle=2484 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:6492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0a9dc42e4013fc47438e96d24beb8eff

SHA1
806ab26d7eae031a58484188a7eb1adab06457fc

SHA256
58d66151799526b3fa372552cd99b385415d9e9a119302b99aadc34dd51dd151

SHA512
868d6b421ae2501a519595d0c34ddef25b2a98b082c5203da8349035f1f6764ddf183197f1054e7e86a752c71eccbc0649e515b63c55bc18cf5f0592397e258f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
61cef8e38cd95bf003f5fdd1dc37dae1

SHA1
11f2f79ecb349344c143eea9a0fed41891a3467f

SHA256
ae671613623b4477fbd5daf1fd2d148ae2a09ddcc3804b2b6d4ffcb60b317e3e

SHA512
6fb9b333fe0e8fde19fdd0bd01a1990a4e60a87c0a02bc8297da1206e42f8690d06b030308e58c862e9e77714a585eed7cc1627590d99a10aeb77fc0dd3d864d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
4fe6a538ac769dfd67bbdb5b19e11b3a

SHA1
0c953362077d842893522da361d04311074a5497

SHA256
ba5f421321807b874d5b148175af957743080a21c13bfdc84a98b9536e5966fd

SHA512
689dd709a0ec9deb696cad3130f2a4eda08f483eb0b2f97ce89e774a3e392acf25b98d3f3f5d4a2a713a487092e920a66e676637989e44b0d47322aecd2f7c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
df3ea6c9a35a5b48856049cad61ab3c8

SHA1
6bb9c13d12f8187c4a06e1a8e58de62a28fd016f

SHA256
06f6eca4b832931f59a5671f7e39988297c1286ecddb4bc188eeddaeb51bbf8d

SHA512
081a1d5cc046e0527f3ecb99d899f7c378d4c5f6e363572a165ee03428e39cf9f2c08214250280a1239b5179a0e8416c8e33dc58b22667de9510d0cf7b4c8c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8429b063169eb1f8f954ca58687b8145

SHA1
20720840a0af307f5fdd00956096397bca5b93c4

SHA256
01b9cdd9ae3f720082be8f221f8a61568eb67195138dbc19b0287e5c5566daea

SHA512
e15f6e7a7f8b9cd9725af08811f15e92b5e68f3909c934c7bb695de10965c6d9919167342bd7ee22762e873a66b38990d77bdc606c48e11abc8a6a1b0a60042b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2ba15faf433ed93dbaa8c6f21d02ef2c

SHA1
81ead80a2495fd7c22b8d61be42e81a5db541890

SHA256
2e9a28a3442338b2f0563437774151bdd472cac071e6429d6d6e319fbad963a0

SHA512
7492461c0c70c321c2a24a362a80530c4f76c08fc4956c463fd71c24db90752698ed0c1696cb768bf9802197d4060c9cab781665299b051d89e8fabd10490c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8bab7a6037e529ceef384676d2e24db2

SHA1
49d17272dde653135348143ba6612c1b40256459

SHA256
5878dd7f95a0a7a4b89d2f5b1c46b4d193d20bb6c2ce24de1dcd8e4438e0a4f9

SHA512
2af376f76d189269ea5c6fdc33f6ffe14698c2de65d1e0266f84c6993edfbed4788e1533bde9455dec9ae287aef354361b90c474905a29755d31429b77a50905

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c687ce39cc3d68c38fca6e9799d974ab

SHA1
b414185d5706126e43ee7770ec2ff17e6141d38d

SHA256
4818f487369297bd35b3d9a0b8f1cbfb10cf51b39026c650741d084053e64533

SHA512
691776c68bb932b8984734888494d1a0803bba21ef0cda8e027e30df87e18dd28c9fe64e03b63d59785c3a9871457caeef6f58eebee02164faed1825870bbd0d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
a7ec731c5ab612d5e35367909dc9e3a9

SHA1
ef587357128a59b533524007293d877e898a9f81

SHA256
9e7075e1a6b7ab45daafff28d2f67de2e2f6e77712c73f9a109c480b0f221746

SHA512
ec01ede2b052069d98fdf3001e0fe8f4b2404730a2e14b2bf5b1e68f71ec5fb3bf4d68844a3f05bae3045bc71cae8cffb6086464ed31df519ad4ee6be2987689

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\AlternateServices.bin

Filesize
6KB

MD5
c2252bd94edb619bbb2d2976a997ec06

SHA1
6cab5f2de45e8f6cdb8b6a2d1edde7b591909b9e

SHA256
b849150ead0e9bebf8823a3c348ef262bfce00db7bc2c5682d6c8e9536d85618

SHA512
c49f428264c1dd8978dfe088d6df177263652024e6461b0efb0b97d6c87ecc656f25e16150da6ed93f32c302e916c7fe2e0979c562da19487484780a549f5e9f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5a466027b1f27ec0e555b1a067331374

SHA1
cd3540e63b268f3e229aeec017ac846f4f548e6d

SHA256
60137ffea55469c0229c2daf15a8478e5e8ac99f64506e308fc7a37b16303bb0

SHA512
c1af27af84f7af0444e8641ca63716c381bc5c295a462549086d994e3c624b74c93b3ea3882cd2ad7c52ec9cdc421e547087c6937540fd60db3294a4999bbc04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
30bf9d3ca374b1d667d3f5cf7dbe631f

SHA1
ff73fefcfa62f4dd2d25d994088d2bfa45a96be5

SHA256
e82d262ebde82228f5d29aaa3c1cf15abefa50a9999c108f5c4fa13599c16ec7

SHA512
46f669f446b28247809b1e99ab23139d178dfb07dd41b6a0526ddc68ec4848fa8d2e9f217c61e3143256dcb38c6c4756de70aa99a837b8c0037294b05b085a77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\44a9125d-2919-4c2c-af90-bce30fa0fa01

Filesize
982B

MD5
5ec81998b3115cbef41a2c1f91f67737

SHA1
077aeb1cfd146a68c3e47af38379cc5f95e6c0d5

SHA256
a00824af09b3b0a4a1b5881bb1c7bef8708c422f19f82ecbbf43d162504e6cdb

SHA512
1caf8b8597d84a41359f7c418795479c2e7070f0a536d82c493f3555fcba18951832ecc15637dbfe93b909e678d3b4e3d4e3481763261520401c36e5aa13288c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\6d84058b-ec77-487b-bebb-8010829c43b1

Filesize
671B

MD5
a733abf57d16bf7347fa67a50a1327e3

SHA1
6a0e4ff84d53f6b58fa8f486fdc672dbe923cef9

SHA256
7d33f43385e665a7473f3e0b946213b017a9689b1349344d6cdc9be44447ea56

SHA512
e0334fba27591fe80a1b1041438896ca4ac1e9f1262eca466ae5c0b5e380c265451e8013310259c08edbaa2ecf913593be02678c8bc093171d96e0ede5b48cc9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\datareporting\glean\pending_pings\da076455-e16a-4e5b-af22-1b1517d509fa

Filesize
23KB

MD5
b9d8aef7d1cbba953af24130c78263db

SHA1
16f14d98b704cded33c9a72c97dd31b9b52268f8

SHA256
4ee32148c7fa1df949c35edd2b8fdb645394971c8c58160660cd7fd8365723a3

SHA512
678fbca3553ed55aed0a7d35dea3279a154c28ae23146ee0eeb6c64201b732e8a7e560f6d1a0f0521be19df5e8a4e3da81c675523c5649f6f81846c4d6e77dd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
88d7ecd83acbf1375df373b193ec3226

SHA1
4cf636c3e2e1cbaf3151f00e502d5d0438166958

SHA256
25f4bd9da9b3d840a7c036b01047baf476620469aa8753274756e64d52dcfb7a

SHA512
ef5e9cdcd232f48de368775c638b9e01c36b5dc5ab44c868c88ebe4d3bd224e063db420df4d6b179c760e710b8bafd14390846b53b01fece5b193285d3f2511e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\iz0mcgq4.default-release\prefs.js

Filesize
10KB

MD5
7b33696a0d10dcc0fcd87995e3f5085d

SHA1
dc0f0a6b082dbb609cfe09771d022aedcabf52b4

SHA256
fb2993819e2f1fc71255bf872bf78ded8d78929f9c12bdc3cad30f4c071da335

SHA512
4e6d5f46044c32bd7e85c26bbe0ca02fcf56c19b5840e58e92c90b01d4699ffa266b515f769245e6b03ae60df16797d26767cdfeff1a475650e46f8a101d1a95

Download Submit