hxxps://drive[.]google[.]com/open?id=1q69AoV7rH_k11fDHzl5Jja7VfZ9Vsm7y&data=05

Resubmissions

22-11-2024 02:01

241122-cflllsxrap 6

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 02:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/open?id=1q69AoV7rH_k11fDHzl5Jja7VfZ9Vsm7y&data=05

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	drive.google.com
10	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 35 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	firefox.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c0031000000000076596010110050524f4752417e310000740009000400efbe874fdb49765960102e0000003f0000000000010000000000000000004a0000000000cd322701500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	firefox.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	firefox.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	firefox.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4520	msedge.exe
4520	msedge.exe
4292	msedge.exe
4292	msedge.exe
636	identity_helper.exe
636	identity_helper.exe
5080	msedge.exe
5080	msedge.exe
5212	msedge.exe
5212	msedge.exe
5212	msedge.exe
5212	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5516	OpenWith.exe
5948	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe
Token: SeDebugPrivilege	6128	firefox.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
4292	msedge.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe

Suspicious use of SetWindowsHookEx 50 IoCs

pid	Process
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5516	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
5948	OpenWith.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe
6128	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4292 wrote to memory of 2316	4292	msedge.exe	84
PID 4292 wrote to memory of 2316	4292	msedge.exe	84
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 3964	4292	msedge.exe	85
PID 4292 wrote to memory of 4520	4292	msedge.exe	86
PID 4292 wrote to memory of 4520	4292	msedge.exe	86
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87
PID 4292 wrote to memory of 2348	4292	msedge.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/open?id=1q69AoV7rH_k11fDHzl5Jja7VfZ9Vsm7y&data=05
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfc8646f8,0x7ffcfc864708,0x7ffcfc864718
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,12617901243852423850,9326572849110575342,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:944

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5516
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Por medio de la presente, se notifica la apertura de un proceso judicial por injuria, en virtud del artículo 220 de la Ley colombiana. Se le solicita que se presente ante el JUZGADO 18 ADTVO DE BOGOTÁ SEDE JUDICIAL.uue
  2⤵
  PID:5740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5948
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Por medio de la presente, se notifica la apertura de un proceso judicial por injuria, en virtud del artículo 220 de la Ley colombiana. Se le solicita que se presente ante el JUZGADO 18 ADTVO DE BOGOTÁ SEDE JUDICIAL.uue"
  2⤵
  PID:6040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Por medio de la presente, se notifica la apertura de un proceso judicial por injuria, en virtud del artículo 220 de la Ley colombiana. Se le solicita que se presente ante el JUZGADO 18 ADTVO DE BOGOTÁ SEDE JUDICIAL.uue"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:6128
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f96083c-925f-4e99-992d-c0e012efa6f0} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" gpu
      4⤵
      PID:5324
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2444 -prefMapHandle 2432 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc41fb50-23f3-4f26-b8b6-90f495abf8a1} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" socket
      4⤵
      PID:4904
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3112 -childID 1 -isForBrowser -prefsHandle 3208 -prefMapHandle 3236 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {999ace85-af8b-4571-afb8-99dae8b59bea} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" tab
      4⤵
      PID:2528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3632 -childID 2 -isForBrowser -prefsHandle 3624 -prefMapHandle 3620 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e83eab79-3c06-4858-bd06-ee0ead9f3e51} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" tab
      4⤵
      PID:5500
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4936 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5076 -prefMapHandle 5080 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {61ccc2d0-cc91-4815-8565-be29c9a85d35} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" utility
      4⤵
      Checks processor information in registry
      PID:5984
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5544 -childID 3 -isForBrowser -prefsHandle 5536 -prefMapHandle 5540 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {faf73de6-c872-4fa5-96fd-2c637214ed97} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" tab
      4⤵
      PID:5520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5712 -childID 4 -isForBrowser -prefsHandle 5632 -prefMapHandle 5640 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {934ae6ce-f72a-4166-9e43-d1183f68fb64} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" tab
      4⤵
      PID:5784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5820 -childID 5 -isForBrowser -prefsHandle 5900 -prefMapHandle 5896 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e30f6351-3a91-4fc0-8162-51af88e03ca5} 6128 "\\.\pipe\gecko-crash-server-pipe.6128" tab
      4⤵
      PID:5792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
1f40c54550105138bd1677fd41a62ecf

SHA1
22871bec6e809ef5c6465e88d2ab138c17732156

SHA256
a109925cfc32e37897f1acd1d68715c677a73e2a024ccd322bb0e1e7c79e427a

SHA512
2590be7ac9adfadd99b07da893145f3b0cc5e628670547f7ff441ddaf3879293a4f33bbe4c7be9d096d4e333581688c037b93f45ff7e21fc1bbbea46c00a1302

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
05e52121480722a06200537a98839359

SHA1
6b4e5f045ff2546bf6ffa94395a4beeee845fc21

SHA256
764b61589f01951d52ef95d24c3a82fe93e576950d21e300fe133d08403e3af2

SHA512
df3833caf4e76d27bf02c8c8155ac309c46810a222eed2a720ed052e43f203959469d32d9b60989d92e489c29316510b6e075e4addbc986243cf962173503a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
d2ce6e17824815f15247eee8469ff6e6

SHA1
399269a74574805516766abc56f5cae421c751d5

SHA256
0ac923b866a3d73c01412b8e728280d90cb5038fe37ffc88a51c628613248a1a

SHA512
e9bbb3f31b8620c0344c50b2578ff8f4d7a9ce3ef020d5d0f32afdfaaee7fab023c00e946a6f1457dc8f5d7d94978052f31495bbe392433e7821bd010e33e926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3658d6494254c74008e0d1256bafe198

SHA1
9e94a585fea365aec1a4d9af8c343760981f72c8

SHA256
3787ca1ce214a14c63835a8364f4f372f293b18e0a389bdb4d0dc8df96a75301

SHA512
3bd4ea95715d00418746533511edb55f0ceb9a0b54e542ec012ad41ce01b1b593b32399f69448ac1f4743b9418710367ac246026237ad09fa20dcd06cef76c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4c6a52c3a350437269613ee15578dc33

SHA1
7e14a600bc3aab9e17843492067f93ae358f8f63

SHA256
b38e164e0a4937b18216b67cdc584e56f91a36278161207fb933cd1ae7c70890

SHA512
f7817721584206b86a969c5b35f973947d80bb7bb0009a07d5e49ac65d98f3bf10375d3f8ac1905b4a90cd40af8dd571145267f2b4dd25624f975b2073c5404c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e94a320e7f0f292f34eabfa818d64d43

SHA1
b65d03a179d8205e691d04c2ede6e45037a35b12

SHA256
b182ad9abb98adf7d122659d9256cae5eec86a7bd5f48b5962b7cb18ee4adb00

SHA512
76f33e9f35f301f0e08238bad614b888e7fc5b3b7a0ef6419067c789765d87f614d3a48311fcc4f0a3bd70937d2ace8de517c7cb5a48e2ebc8095c344b100573

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e4e24cfb94f6304c10a93e2ec5d0d172

SHA1
092baf0336e0e725d0cf7cc1b902b65d106f9cfb

SHA256
3082776d6a25c0a786dc0ee71e3d863cb784381d484b63ddb3e936ae3b808742

SHA512
5a92b01f532a6e42ff49fb680da67ee8849b3f24688c97c551afdc716dd0c0174013e099b45b2ee804649f78e42663fa37a64bc045441d3e4ab4bdfab8e35920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4daac22b7564e9383e63c526c3f5dd27

SHA1
74b4cabefc521748c537064d2e47881162367472

SHA256
dfe19205b1209ac44d06191810855fd552a38162f79ec95309a55a099f1f7cda

SHA512
22045f6d9b837ef6248ced87b3497c3602de21aeeab4dbff0f1ae0e2a0e90261772a9ebbcb7109cca4e562f714c82f14f1aa6429b30d54087995f0acbb0b09bf

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\42vejdix.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
7fa202ad67f92b89edbc76348c29590f

SHA1
d982d4dfddb0f63bab9f703c4aa826d7e08e6691

SHA256
a242ce48f679b9c2c6b1879782a28bf5f851d424e6407d39bca37ead9be96dde

SHA512
7cb6f5834afef82e60f3c5a416415da739bf4abedf75dd82cdd148d0439f0f860e9fea24c1211c89327a3a869a7af44017eeff84c53a07596f2a2fa5fa81422f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
daa20f84f2709caf736a21ab90fb5a28

SHA1
d7c7ca28c6853db996c5b6d91c0dd24366021fcc

SHA256
77223c26071023103fe7699e183b0f7ed14a247895216d4d54b946ec1378489c

SHA512
21254314a8a94b0cf29abc1d03955dcc954f8c0cc91c172bb497e720b87c307cd865aef3eb4dbeb3820ea7d4f740b0563f5ebbea5e37e7405867ba6100433c3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
6KB

MD5
e24926595c71f123096054b31674d0b4

SHA1
d4a3b3cf3b2b8d913aef67196d6749b4aa483ab0

SHA256
4cb8aa1a046da411d9d21d770f5853442e8b6010c1b2d46117f9676473af8442

SHA512
6b67465f211a30204d7305f0d41aef5caaf22f9d9b42ae327bb009a7cab63244fe790ba4190ec098502d3a1536cfa5b5fc2d6fad7a6083f3acd773b666106b9e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\AlternateServices.bin

Filesize
8KB

MD5
8d3dfd36f0e64eeda5b79c168afe865d

SHA1
47bf15876e292340af39cb3517caac8fb58592f2

SHA256
e12864aaac70c64028016b959f714241d383f1e4e48616fee910ee4f7486b6fc

SHA512
ede72b424cc55f8090e74e7418fb980f5adeb1a40bf4d8a1fb9e2060e02ae5e9575b7ae67342873a7e6e97b0294feef898c54290a9c8ab38d9bda6f067c87419

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
21KB

MD5
525f2c450a97f039e48795ca28a62a1d

SHA1
f7e8b07ccfba6b8688fa0c416cdedd7d96a4fecb

SHA256
e9c1d17818955df22d952e0f7810eb8856787301ddde7157c0874612ce41da1d

SHA512
b167ff322acebd95758c616ff9ca4cca26eae6687794b0ec1457b677ea88da27c2b42aed7f4206c433e095e0bdebfebfa1fd0653c70fb28b83d52030ccc3a381

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
3c4ec8fa795a6fab5a184a3fffaf7983

SHA1
549f4acb9d385073d8e202e8e55c52dba8951bc0

SHA256
12d18fd45c19209e256484d5d0e36f9ff157a7bfef98091e25422cc653799271

SHA512
f72c800c7e17af452917ad8bd1d36c6353c2661cca1d7993d3e79d373ef2af42e35271e5a45319b973c8c4d95003fb62e1a9ef911d775d979794042ceba9274d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\1d313027-ec5d-489a-92e8-daa6aba2ab6d

Filesize
659B

MD5
29ea823e4d13ae1e19f3a348e1fb4654

SHA1
551a82dd955245c4a7d6bc098ec4c44b58df3a8e

SHA256
f3060dd33059705b068314d0fccd9839f2aff9d7731938fb53605d3fdb5228b1

SHA512
235f7e69589d74af717d7c0b798808c5d69c9b8531f65ea39476dcc068151dc3220b2a92f038133678b3aa9f884e1c5bd0c386184b84e54fcb739cefde1b5133

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\datareporting\glean\pending_pings\3ef52a65-111e-4508-8a65-14913215ccfb

Filesize
982B

MD5
5a158cbad26c9bd39fd41a7c1fb48d95

SHA1
27deeba0c5405cbb034091b1d975fdb9c42cab8a

SHA256
2d4e44c78fe844929b3b1aed278dee8d3cdeabd28332a8955ff10328620915ee

SHA512
f9657becee53f41d2dfa4e20f0f47d400e72cdbce6fe2104d890613b3fea227232974dbb66d07623ab668904b06a0fa0ce75e4760aa9d12900947180b02af4c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\42vejdix.default-release\prefs-1.js

Filesize
11KB

MD5
8e880d8b4ad5f560980bb0c6a8b9e565

SHA1
55f715d93558c595f8021df33467087df3db8f73

SHA256
c4a4ccc5af3b1617847a0d7640d658a1a33fda53b8170e044d070df28096cfb9

SHA512
bffd8ae843e783e9bc07df46ba6c4f8c9391c099fe15117c64d52575548f64a802df46a0b28c8a33f0c11a6c6fb2ee22ce8a66e3053160a71c201c5951345aa6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 743652.crdownload

Filesize
786KB

MD5
f4c087b05fa32ce7a132598e5d028f76

SHA1
fabd3cc3b409e14b6ab1b056df5da45aced2e7f5

SHA256
dcd5f9eb6bcbfaad0c59964a292bb5b9246ef459e53a4b1d744d2314e59c2aea

SHA512
cc1dd48cbea55f3f026fec3f4e7d9fe5f0ba962959c1251587a1b4025d24ac087f9d31be4a2c7547b238fcae3a19123f79416bd5c0dcb7e5195438bcbb51e8af

Download Submit