netsupport | 08c87857828af2165bd0cfe495743fe3f22532effecebbfaf352e30bf71b3bd6

Analysis

max time kernel
559s
max time network
576s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14/01/2025, 13:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

doc_37880002.pdf
Size

106KB
MD5

3591e51a3d3bc00fb3fe112b95b7b886
SHA1

f3f17fdab3631066606a6c5d88dfbae794e91173
SHA256

08c87857828af2165bd0cfe495743fe3f22532effecebbfaf352e30bf71b3bd6
SHA512

0cf07eec388fc5e8164b8108ac9ac80cdade1b56f73003a62dab578416a3e40ba2ce509933e5d8e885c366069086d4d31e578f8c39a33f2c1f34d8b549acfcd5
SSDEEP

1536:ApN8HZDyLYoWGs5pRis0/4D9UbMHxa/NjN+aZZYx06DTyQHFwjV9wyOaMIe1RS9Q:QmjGs5is0DbJ/JnZZY/DTgJxBej

Score

10^/10

netsupport discovery execution persistence rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport
Netsupport family
netsupport

Blocklisted process makes network request 1 IoCs

flow	pid	Process
107	6276	WScript.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	CScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 5 IoCs

pid	Process
4472	client32.exe
1820	client32.exe
6060	client32.exe
5424	client32.exe
4832	client32.exe

Loads dropped DLL 24 IoCs

pid	Process
4472	client32.exe
4472	client32.exe
4472	client32.exe
4472	client32.exe
4472	client32.exe
4472	client32.exe
1820	client32.exe
1820	client32.exe
1820	client32.exe
1820	client32.exe
6060	client32.exe
6060	client32.exe
6060	client32.exe
6060	client32.exe
6060	client32.exe
5424	client32.exe
5424	client32.exe
5424	client32.exe
5424	client32.exe
5424	client32.exe
4832	client32.exe
4832	client32.exe
4832	client32.exe
4832	client32.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\dycrfz1\\client32.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\bzlehq2\\client32.exe"	CScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\rm2316k\\client32.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\yt3f86f\\client32.exe"	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\ProgramData\\ccsmk7n\\client32.exe"	WScript.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\532b75cd-8ae8-4288-bf54-a0aa19db02e4.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250114131819.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MusNotification.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	MusNotification.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Payment_253.js:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
2916	msedge.exe
2916	msedge.exe
2884	msedge.exe
2884	msedge.exe
5072	identity_helper.exe
5072	identity_helper.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4644	msedge.exe
4644	msedge.exe
6084	msedge.exe
6084	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1904	MusNotification.exe
Token: SeCreatePagefilePrivilege	1904	MusNotification.exe
Token: SeDebugPrivilege	5892	firefox.exe
Token: SeDebugPrivilege	5892	firefox.exe
Token: SeDebugPrivilege	5892	firefox.exe
Token: SeSecurityPrivilege	4472	client32.exe
Token: SeDebugPrivilege	5892	firefox.exe
Token: SeDebugPrivilege	5892	firefox.exe
Token: SeDebugPrivilege	5892	firefox.exe
Token: SeDebugPrivilege	5892	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4588	AcroRd32.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
4472	client32.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe
2884	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
4588	AcroRd32.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe
5892	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 3320	4588	AcroRd32.exe	83
PID 4588 wrote to memory of 3320	4588	AcroRd32.exe	83
PID 4588 wrote to memory of 3320	4588	AcroRd32.exe	83
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 4976	3320	RdrCEF.exe	84
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85
PID 3320 wrote to memory of 3452	3320	RdrCEF.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\doc_37880002.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=3A601A5F1B5E9E22D686C28E8DCC7418 --mojo-platform-channel-handle=1736 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4976
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=713291F2EB4BD788E88B57A8C83639A4 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=713291F2EB4BD788E88B57A8C83639A4 --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3452
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=26BCE751559E0A37A9E9869420C17C0A --mojo-platform-channel-handle=2284 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:444
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D8D51D16C5C2C8CD373EDFF2AD76FE0A --mojo-platform-channel-handle=2408 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2172
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A8D714F3BF1DAF505EADC31B4E7175BE --mojo-platform-channel-handle=2320 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B049DAE149703ABF80C2CF6D9C479F0C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B049DAE149703ABF80C2CF6D9C479F0C --renderer-client-id=8 --mojo-platform-channel-handle=1956 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.4sync.com/web/directDownload/Jdu3NTaC/LVsbnVsU.89a79dc1171988a7af3b21b9c04059a0
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:2884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fffa09946f8,0x7fffa0994708,0x7fffa0994718
    3⤵
    PID:5000
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2916
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:1924
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
    3⤵
    PID:820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
    3⤵
    PID:3796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2364 /prefetch:8
    3⤵
    PID:4004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
    3⤵
    PID:4756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    3⤵
    PID:4500
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1
    3⤵
    PID:1916
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
    3⤵
    PID:4332
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:4980
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7ae885460,0x7ff7ae885470,0x7ff7ae885480
      4⤵
      PID:3820
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6400 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
    3⤵
    PID:3396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
    3⤵
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1040 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
    3⤵
    PID:1616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1256 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Payment_253 (1).js"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    PID:6636
  - - C:\ProgramData\rm2316k\client32.exe
      "C:\ProgramData\rm2316k\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:6060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Payment_253 (1).js"
    3⤵
    - Checks computer location settings
    - Adds Run key to start application
    PID:4064
  - - C:\ProgramData\yt3f86f\client32.exe
      "C:\ProgramData\yt3f86f\client32.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
    3⤵
    PID:6636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2116,13336973022319166378,12602692182801700129,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6084

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4424

C:\Windows\system32\MusNotification.exe
"C:\Windows\system32\MusNotification.exe"
1⤵
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:5808
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5892
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1904 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 26929 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {819f3a38-3e92-4f41-8043-a54dd39bd3c8} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" gpu
    3⤵
    PID:6068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 26807 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f18861b-d86f-4108-a517-4c4651091f49} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" socket
    3⤵
    - Checks processor information in registry
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2924 -childID 1 -isForBrowser -prefsHandle 2860 -prefMapHandle 2988 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71dfed85-1484-4c54-9c84-2f7d5f257c3b} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" tab
    3⤵
    PID:1916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3648 -childID 2 -isForBrowser -prefsHandle 2732 -prefMapHandle 3608 -prefsLen 32181 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {577bdbe3-638b-4fd2-9bbb-5714a61f81ac} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" tab
    3⤵
    PID:5428
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4544 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4568 -prefMapHandle 4564 -prefsLen 32181 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {141f8b99-4e89-46c0-a2db-58aac4d4a042} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" utility
    3⤵
    - Checks processor information in registry
    PID:6332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5268 -childID 3 -isForBrowser -prefsHandle 5256 -prefMapHandle 4548 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb36b2cd-aacf-4790-8562-eb22d38255aa} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" tab
    3⤵
    PID:7136
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5584 -childID 4 -isForBrowser -prefsHandle 5504 -prefMapHandle 5512 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {128d8a7b-5ef2-47bf-a6f1-3f20e5891f8f} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" tab
    3⤵
    PID:7148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5668 -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1296 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {501a1832-5733-4956-a7ac-e856432a61c2} 5892 "\\.\pipe\gecko-crash-server-pipe.5892" tab
    3⤵
    PID:5652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Payment_253.js"
1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Adds Run key to start application
PID:6276
- C:\ProgramData\dycrfz1\client32.exe
  "C:\ProgramData\dycrfz1\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4472

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Downloads\Payment_253.js"
1⤵
- Checks computer location settings
- Adds Run key to start application
PID:1704
- C:\ProgramData\bzlehq2\client32.exe
  "C:\ProgramData\bzlehq2\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1820

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\Payment_253 (1).js
1⤵
PID:6920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Payment_253 (1).js"
1⤵
- Checks computer location settings
- Adds Run key to start application
PID:4836
- C:\ProgramData\ccsmk7n\client32.exe
  "C:\ProgramData\ccsmk7n\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bzlehq2\NSM.ini

Filesize
6KB

MD5
88b1dab8f4fd1ae879685995c90bd902

SHA1
3d23fb4036dc17fa4bee27e3e2a56ff49beed59d

SHA256
60fe386112ad51f40a1ee9e1b15eca802ced174d7055341c491dee06780b3f92

SHA512
4ea2c20991189fe1d6d5c700603c038406303cca594577ddcbc16ab9a7915cb4d4aa9e53093747db164f068a7ba0f568424bc8cb7682f1a3fb17e4c9ec01f047

Download Submit
C:\ProgramData\bzlehq2\TCCTL32.DLL

Filesize
387KB

MD5
2c88d947a5794cf995d2f465f1cb9d10

SHA1
c0ff9ea43771d712fe1878dbb6b9d7a201759389

SHA256
2b92ea2a7d2be8d64c84ea71614d0007c12d6075756313d61ddc40e4c4dd910e

SHA512
e55679ff66ded375a422a35d0f92b3ac825674894ae210dbef3642e4fc232c73114077e84eae45c6e99a60ef4811f4a900b680c3bf69214959fa152a3dfbe542

Download Submit
C:\ProgramData\bzlehq2\guarantee\14844_13380793255498334.pma

Filesize
576B

MD5
0ddc9b893ea3af54d152f94410653a9d

SHA1
3c7e16964dffd7342ae931e38e00f67dc0e4c307

SHA256
0128461fac52a5deec5b0f0410928e0c2afc1ab710990bdedea47a68eb5ecc3d

SHA512
24463708fbdacff90fcb4964a6335687d8eeb49094e6154d0aa37fd9e8de7d870396e424756465f4f86edf0baa6138b7f52035559a04fb243c29d42395ae92a2

Download Submit
C:\ProgramData\bzlehq2\guarantee\17680_13380946966794438.pma

Filesize
1KB

MD5
3e4b8369c88b5b5561ef39f297ae5b7e

SHA1
128d40127e1bcd1dc3a26df7ed685ad95482f2ea

SHA256
3774458149778d9527e0a9ace07b42ef609f0bb1e856e6c2dfd0b7cbd8b09f73

SHA512
65c3dc909aa69121ef46a79d8f62d234d69b5856796fdd5f4ae4fc030bc0fb953175577cc34b41b38e2c39d44cbcb97dd34628c074b74c189cfd522b57602f2c

Download Submit
C:\ProgramData\bzlehq2\guarantee\2176_13380946966665858.pma

Filesize
344B

MD5
1b7cdddfb06152ae01f12d9f253237d6

SHA1
1ef358781a086a0727f4fa95cd53510eb328bc52

SHA256
fd668d6edcf6b6cc176edd9bf7b0d7f1881fe2f0d94ebae656127c27a359550e

SHA512
4705c93b233be92dd2d04649d404b538bc76607bbe655d5e35a739653ac1af776ecdd12ec1cbf81476070ec5bae633f891817155014730a06939efb21bd132ea

Download Submit
C:\ProgramData\bzlehq2\guarantee\camera_mf_trace.wprp

Filesize
24KB

MD5
8028ab84d61fc5e00feea816e1d1e293

SHA1
73f6340be4c6b5af09673dacdf1aab7405b966aa

SHA256
3f2eb6455f54365c27829f85dd64ca0bafaa8577a6c8e79a54a6dd4c67df6470

SHA512
276df846f72f2b410852f0709f3effd853c3b012e94a6a3dffb364f9597d4ccfe453b6533ce7a67c9dce5b829c0f96e9838a267269687213d996b60591c586f0

Download Submit
C:\ProgramData\bzlehq2\guarantee\external_extensions.json

Filesize
291B

MD5
708428751d01199ed5f53e0fb2ad4bf0

SHA1
93f563a090f7ee511d8774c8af4f8ff46f0d66e6

SHA256
579032cb7b7bea083e077ba85cb62dc231ba672f93ce1b55a379968fb3c2cee9

SHA512
4a75eeaa2a973d7f726dd10e7769a22e9fdd084d9ec8a1cba742fbb66f0a6a6343421c9fdf58c61b91920d2f3dcc99c705a2844d33b53f8fcf3d38a909b5a00b

Download Submit
C:\ProgramData\bzlehq2\install\5B8FEB2AF817493Es

Filesize
45KB

MD5
d224c335c82acaa733441ce43e59c881

SHA1
ffc9502870ffbc116a44ae491306b7f6903d25b8

SHA256
f3e8ff2ca65192446a62d85b75c8c75c105cfbb7b17a8fa67f9a0c6e87ef3ec0

SHA512
d57a7902b2003b751796f2cfa1bfe4ad90a393bb1f68ce354b6d24b749937469aa8fbee77838fc6bffd83dc13d799c8c078783ffe236a1558b8900f71affafe5

Download Submit
C:\ProgramData\bzlehq2\install\5F3010ACA99103ABs

Filesize
122KB

MD5
74c052d8af6c37eba1fbf76663a8522e

SHA1
9315ae6aeb3e913f053d53a1f7ea1a29692e90e7

SHA256
5110690167dbb46389ff5792eb2672ed41ea5983382207d1e365c4634e620b7e

SHA512
a8aca06caf290f879e8daa672a681d53f191e8f03c90bafb49856616248205b33a8c466dc25d81fe215f0d66e42f2d7221075250b3be6c4299491ccafde08220

Download Submit
C:\ProgramData\bzlehq2\install\api-ms-win-core-localization-l1-2-0.dll

Filesize
20KB

MD5
3b9d034ca8a0345bc8f248927a86bf22

SHA1
95faf5007daf8ba712a5d17f865f0e7938da662b

SHA256
a7ac7ece5e626c0b4e32c13299e9a44c8c380c8981ce4965cbe4c83759d2f52d

SHA512
04f0830878e0166ffd1220536592d0d7ec8aacd3f04340a8d91df24d728f34fbbd559432e5c35f256d231afe0ae926139d7503107cea09bfd720ad65e19d1cdc

Download Submit
C:\ProgramData\bzlehq2\install_state.json

Filesize
1KB

MD5
3f78a0569c858ad26452633157103095

SHA1
8119bcc1d66b17ccd286fef396fa48594188c4d0

SHA256
d53fc339533d39f413ddd29a69ade19f2972383db8fb8938d77d2e79c8573f36

SHA512
89842e39703970108135d71ce4c039df19c18f04c280cb2516409758f9d22e0205567b08dbe527a6fb7c295bda2ea8ee6a368d6fcaf6fb59645d31ef2243ad3d

Download Submit
C:\ProgramData\bzlehq2\nskbfltr.inf

Filesize
328B

MD5
26e28c01461f7e65c402bdf09923d435

SHA1
1d9b5cfcc30436112a7e31d5e4624f52e845c573

SHA256
d96856cd944a9f1587907cacef974c0248b7f4210f1689c1e6bcac5fed289368

SHA512
c30ec66fecb0a41e91a31804be3a8b6047fc3789306adc106c723b3e5b166127766670c7da38d77d3694d99a8cddb26bc266ee21dba60a148cdf4d6ee10d27d7

Download Submit
C:\ProgramData\bzlehq2\nsm_vpro.ini

Filesize
46B

MD5
3be27483fdcdbf9ebae93234785235e3

SHA1
360b61fe19cdc1afb2b34d8c25d8b88a4c843a82

SHA256
4bfa4c00414660ba44bddde5216a7f28aeccaa9e2d42df4bbff66db57c60522b

SHA512
edbe8cf1cbc5fed80fedf963ade44e08052b19c064e8bca66fa0fe1b332141fbe175b8b727f8f56978d1584baaf27d331947c0b3593aaff5632756199dc470e5

Download Submit
C:\ProgramData\bzlehq2\remcmdstub.exe

Filesize
62KB

MD5
6fca49b85aa38ee016e39e14b9f9d6d9

SHA1
b0d689c70e91d5600ccc2a4e533ff89bf4ca388b

SHA256
fedd609a16c717db9bea3072bed41e79b564c4bc97f959208bfa52fb3c9fa814

SHA512
f9c90029ff3dea84df853db63dace97d1c835a8cf7b6a6227a5b6db4abe25e9912dfed6967a88a128d11ab584663e099bf80c50dd879242432312961c0cfe622

Download Submit
C:\ProgramData\bzlehq2\webmmux.dll

Filesize
259KB

MD5
49c51ace274d7db13caa533880869a4a

SHA1
b539ed2f1a15e2d4e5c933611d736e0c317b8313

SHA256
1d6407d7c7ffd2642ea7f97c86100514e8e44f58ff522475cb42bcc43a1b172b

SHA512
13440009e2f63078dce466bf2fe54c60feb6cedeed6e9e6fc592189c50b0780543c936786b7051311089f39e9e3ccb67f705c54781c4cae6d3a8007998befbf6

Download Submit
C:\ProgramData\bzlehq2\webmvorbisencoder.dll

Filesize
859KB

MD5
642dc7e57f0c962b9db4c8fb346bc5a7

SHA1
acee24383b846f7d12521228d69135e5704546f6

SHA256
63b4b5db4a96a8abec82b64034f482b433cd4168c960307ac5cc66d2fbf67ede

SHA512
fb163a0ce4e3ad0b0a337f5617a7bf59070df05cc433b6463384e8687af3edc197e447609a0d86fe25ba3ee2717fd470f2620a8fc3a2998a7c3b3a40530d0bae

Download Submit
C:\ProgramData\dycrfz1.zip

Filesize
2.7MB

MD5
4c1afe882e6d7c945a8397dcb02a2478

SHA1
85ba754bb1515a1edc4054a8a3396c238dce2b7e

SHA256
67f6fc03cd53fb2a5ab17b97caae29b4fd0e0afb7adf4c9c64cdb2f7f99d03d4

SHA512
a1778ae5f89dbbc57ac70c8a8b1cc419dfe015c7f9c9a58ac9957ab3723edf812a4681caf167ec63d0ea571448dc01fe01e5b12c5538c98b6ba404cad2f79b0f

Download Submit
C:\ProgramData\dycrfz1\HTCTL32.DLL

Filesize
320KB

MD5
c94005d2dcd2a54e40510344e0bb9435

SHA1
55b4a1620c5d0113811242c20bd9870a1e31d542

SHA256
3c072532bf7674d0c5154d4d22a9d9c0173530c0d00f69911cdbc2552175d899

SHA512
2e6f673864a54b1dcad9532ef9b18a9c45c0844f1f53e699fade2f41e43fa5cbc9b8e45e6f37b95f84cf6935a96fba2950ee3e0e9542809fd288fefba34ddd6a

Download Submit
C:\ProgramData\dycrfz1\NSM.LIC

Filesize
195B

MD5
e9609072de9c29dc1963be208948ba44

SHA1
03bbe27d0d1ba651ff43363587d3d6d2e170060f

SHA256
dc6a52ad6d637eb407cc060e98dfeedcca1167e7f62688fb1c18580dd1d05747

SHA512
f0e26aa63b0c7f1b31074b9d6eef88d0cfbc467f86b12205cb539a45b0352e77ce2f99f29baeab58960a197714e72289744143ba17975699d058fe75d978dfd0

Download Submit
C:\ProgramData\dycrfz1\PCICHEK.DLL

Filesize
18KB

MD5
104b30fef04433a2d2fd1d5f99f179fe

SHA1
ecb08e224a2f2772d1e53675bedc4b2c50485a41

SHA256
956b9fa960f913cce3137089c601f3c64cc24c54614b02bba62abb9610a985dd

SHA512
5efcaa8c58813c3a0a6026cd7f3b34ad4fb043fd2d458db2e914429be2b819f1ac74e2d35e4439601cf0cb50fcdcafdcf868da328eaaeec15b0a4a6b8b2c218f

Download Submit
C:\ProgramData\dycrfz1\PCICL32.dll

Filesize
3.6MB

MD5
d3d39180e85700f72aaae25e40c125ff

SHA1
f3404ef6322f5c6e7862b507d05b8f4b7f1c7d15

SHA256
38684adb2183bf320eb308a96cdbde8d1d56740166c3e2596161f42a40fa32d5

SHA512
471ac150e93a182d135e5483d6b1492f08a49f5ccab420732b87210f2188be1577ceaaee4ce162a7acceff5c17cdd08dc51b1904228275f6bbde18022ec79d2f

Download Submit
C:\ProgramData\dycrfz1\client32.exe

Filesize
101KB

MD5
c4f1b50e3111d29774f7525039ff7086

SHA1
57539c95cba0986ec8df0fcdea433e7c71b724c6

SHA256
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d

SHA512
005db65cedaaccc85525fb3cdab090054bb0bb9cc8c37f8210ec060f490c64945a682b5dd5d00a68ac2b8c58894b6e7d938acaa1130c1cc5667e206d38b942c5

Download Submit
C:\ProgramData\dycrfz1\client32.ini

Filesize
676B

MD5
95c974137591c8018ac92dea29aa416c

SHA1
e0808277d7fed2b4db1176fa4fa79da420bfd865

SHA256
7f92999396927d24370f6fe3d2e8ea408c9917d34f42c0205ea3f3296b6c04f4

SHA512
767ae7ffca47bb8f8170c44c66eebf9623412a5d2e07d67fc3fcf1ab5f6ce49c08a68d91e00ebd0b52c052ad5454e57b16a28baed8b1e0b2c585448eae8ae1e0

Download Submit
C:\ProgramData\dycrfz1\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\ProgramData\dycrfz1\pcicapi.dll

Filesize
32KB

MD5
34dfb87e4200d852d1fb45dc48f93cfc

SHA1
35b4e73fb7c8d4c3fefb90b7e7dc19f3e653c641

SHA256
2d6c6200508c0797e6542b195c999f3485c4ef76551aa3c65016587788ba1703

SHA512
f5bb4e700322cbaa5069244812a9b6ce6899ce15b4fd6384a3e8be421e409e4526b2f67fe210394cd47c4685861faf760eff9af77209100b82b2e0655581c9b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
337800b9a03006ab428fcb2746f35697

SHA1
2226ea3871da2a77dbf8407b8753ddd5299dc311

SHA256
41ce57676897ece6ea5d4885869757edf8641bd5e3442d6d49324db97f082da7

SHA512
e3ce1fde214ff6c490f5112879ea7b3d8b5823df142305883e5a89317717c0e22788b90b4d40922008dee328282ff025d78a9338a809678a1eccdd027dd34cd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
60aab4074f232dd1cb2f87a438a2e2dd

SHA1
761c8a4ce231bb050634c495b6b83a699f393787

SHA256
10a871d699c523cfd3a2da36b0cc0313bb7fd70ce358922dfb1242e42774402d

SHA512
6d53cd1a2acd78e6d75066f346f119fc8dd46a3944f3e95f4e97de564250da83acc91f88fe5d037bc40c2a44eb085b820f8c00b53d3b880243721273e1e7a101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d9e89a46ea1c979d600d8ecff95392f

SHA1
a03b20076c4a9bd34d03af90e43d5815943d187b

SHA256
7d5e0d521951eff280f780f5134b8f1b4c614bb4e96ce15577201272a1e4478c

SHA512
7bd673c3e908e62928b35bb2ca183a79e575775a1b76b1bd3e584c9da331d4a4c213b3de25fe209090504ce0af3f3823a27767196ed81cceb7f881106e068429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e66a3d46ce02326d71914c69bb1ff5e

SHA1
91ccf10b11a8c2d127fe825840b0f5a3c5a51513

SHA256
8408d688778cfc5151fd454f1182175674719a8a5709dd36aaac95512c7b1054

SHA512
3fc4c3299a000fd48b25ec9fa88d87892fe60b3e82005195d0afc80e028ff270e1429bb2a4fc07cfcfd5d8c23a44283c92a11f9ff11d28ec951331e3df05326c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
14f095b226bdf10e0d5ded2fcb389299

SHA1
972695a147a3680226d8ff00fc5aeb15aaf549f6

SHA256
54d7da4a113b136e485d167991b67d2dafe1e451b60b1ab9e919238c6a12eb9e

SHA512
d16f6eac5865fa4be3f7ecfb12cfb7f4836849d3797286e1371bc7d6c47ed82630fb16a1dbfa75c7d8c21b8423f78a7aa2242a313f80d30f656cc5e07d81346f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
8802028341ee0d66de3fef6933e426cd

SHA1
2e235cddf32d1b78065bfdcda6b551d3bd973e5e

SHA256
5356666494426bf31bc220ba92fb8214a6bc6abe4b9655808a2de5826559862b

SHA512
1af27f933efd3ad9a62b5f5ae09831c91001f84d3ddc87636b295e475b8e409a5039142b26676c822f3d2f9c0a8f0669c8a4a4b27d3a94964e414ec1d3ca5093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2ecbdc797fa065752aaabbcd751229d1

SHA1
4065d4bb3a1fec338a1bb35c81809d466078576d

SHA256
1748d761d6c16afdad84a9e694f79ffab54c8a3675ab471ffc1b22e8ab1dee3e

SHA512
c40c10280caf93639cd77ae02fa54911e822fd0bb8f8f0251a10a8a7a74ce03934dc765e9ff1c1a6a70e72e7527d8bb0def667c562c4830c87851d54c0a9e7db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6278fd5303fc6f655dcfcb4b6a31486c

SHA1
d2b8d7111a6c760d154b9d358dd0fee32c09a136

SHA256
04afa092a0fcdd356ed7a960dd093bc57c06497306754bf4f538090bc1a69adb

SHA512
668d67bfb683ebdd22647bed74a4baa1feb17abb7c47ecf7dd934554ac904716add06fc58d74f30101d9af9b2de009b51de729e56bab5a2dab741cc5f42d36a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ae3fbb52657c9d6d652ac0afd694a48

SHA1
a6e21f67572acdc4ed7efd3d201590b2355d1b40

SHA256
c221e81a1a689fa9dc82ff196863649f73a4461585f6fe8d85b9be3bfb7edd8c

SHA512
ee1b0fb34325e15dbfb2e2076209f6a63842174645511850927fb64f9e49816f0a8dffcfffc9420765582dce60560ab544b5f58c6ee36d0ec934bb7a35b81d6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ff5dd20177add5f2fb07a017c096ccce

SHA1
7afe60457ca44419c3421847c4202a50fd4b80a8

SHA256
0e18c1f1f59aefdb789413aefaeaa005421e9369195f7c35929008ec30b50cb0

SHA512
3bbbb7e4af49e8a92b5dba457567a249db23b50a1b4a79c33bc38a14e5dc4ae9dbf480b6f42abfd3da28af57c06aeaf4b0b7f3da39b712ca49981c8c7973c77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
8bbb70b63ea38955801783c83b928cf0

SHA1
91e76aa432aa9b323f7f8efb7dc94fe0b9587496

SHA256
e31be9b1110c9d3f71b40293c8f3d21fbdb1d53910d91dad2ed1f29c363102cb

SHA512
1172db8453c8902fe6ab8e417ae44da691b72e8e05a50c85d5bda1ae3cd6b54407b1393d9707cd152bc37ad56b1c380ef23dae445f8f27e35844f6233132804c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
d74fa483558cc39bca976ea6f87601a3

SHA1
5da5275de819f6c35f34e9930b26830a9a790a76

SHA256
fb9b1179e6c23416dd41f1f3f648091c847812e452f62acbca054a228ac823f5

SHA512
5ca172bbd4b63214e883bf9b049b853740fa07160b1e529364a192591acca023c769dacaa248b6da8f2fada7e5f76865c88549e5c1ef2f298e09325fe1889142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3c6f4013035f6ca3b10d0c9737ec2f29

SHA1
d86fc0f85b9208b3d58b21b3b858ac4b6263cfbd

SHA256
8d7db89730a6d0ac15ee0fc221116fd178ef0ce576941268141056682cf990b0

SHA512
05c1519c87ccfa7d205c4089fa493396da5ac00de7b081dfff94990c6db251c19690ca62cdbde2f21544c30be07ac14118f04bd2203f8ab03fdefa7ba9b8e631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8c5de77c1dd715bac7c77f934051d004

SHA1
c516290cf84900b3bfcb371bcd3c74a79589cdf2

SHA256
66aec42a94b51712467b09dea935124d46353e5dc5836aff3c7be6fd2b444d5f

SHA512
0f037a23162e49508c9fe16415e2a67843dcea341cea3b397108e9bbe81170c63fd7b8696412a0091873f0458f26cc003957fe0bc3bbd80784cf2118b42ab349

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8de86965445d4c90479a8002d093168e

SHA1
806066282c931620d0e282e87b3fe1ce6d488f83

SHA256
912caff106e420f7e4ff074917052f8794319ed5667e87d8136fc69e2d57643d

SHA512
d173cc7079afebdf4b9e4b953295fc04512f3a586af119f9c499cfa4cf5878bac59d27c21dd5ee7746a2a1cd0f30ff88f946be69560032973ee87f33606fd8c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47bc99bc23e76227fb04196d14f8cff6

SHA1
d7ff4858d44dca869d5f013ec8d1e148453c0948

SHA256
f864a602e032af46704a17b709aa612604a85d32fb6575a518fa28a8aa3d5079

SHA512
5886c93b01395ce69a743cedcaf054ad9cfb1d779877489a7e1df35ef58b9d194bd41826ba21e4c34c2a2ed98234986a0b0a3fa7f90baaf600d8877a218b0351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
344bec0381bf8e01fd2908bc39d6e770

SHA1
9bb4d0a64c76817423ae79cb0c7a178edc70b9e6

SHA256
6c0044bb3adbfc52e591d02b3e044c777d4056498bce14aebba7cda6b08e8b42

SHA512
fb7740b9d362fe2df26124166815cc81a0b80c459ef71182cbd86a427b4cf486403c4e1a7f6dfc838a78afa1c79d2adab0e5bd7e9a8fce160b5d85b27c223162

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8ul5krx1.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
a605b1e1411a15b45325582ff1757dfd

SHA1
dbb7f04fa1ae595a9b4e90cdbedb3110c063d0fd

SHA256
708830fb984bcdadfe516d2137b864756359ca6c7085261e71f4b97732800147

SHA512
8dfe569febff4666e8f2371fe6dc86a45acf18f46a3e06305be626979eed659d5bb7b597b6e8145f7c83fb8e23d767689103c824e8b334f7d102f562791bc89f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
11KB

MD5
8dd76007744820de1c52896011b45ce4

SHA1
c049df3fefad00a4530e19c6bb6f5ed51bd0ea0d

SHA256
9535d4f3fbaa27c5297bdc8e0824a813f2677bbfdaeb1eb6a104928e42f324bf

SHA512
0fc43e9ed27cf943de115518ce8b1c42515e8d48db2825e0fcded28e028cd4e4559e4c9ec51adb7be38d13e5f09aa7159df744e00df418ca2620356a85ab7efd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
15KB

MD5
1a6e5cebb3d696c2fdf5c799d00b6ee6

SHA1
8695a7a4530762cd855dfbb26761f9ff4e463b90

SHA256
80e1001332c14a5bc9cefd83ce450f52b55bfdb2c2a765e433a8bdbabad7a2c2

SHA512
663af9eef0db713d9df2e3ec9eb48915f66dbec132951ba874341d64201b1999fcefa8a15841543b4bd049f652c191c4640aa85039a521170fdbd0ba6f007ad1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
0009fb3d6a0b51ca6f1f1d93c61531b8

SHA1
e35b43d95b01832b04a58f25a876f866c5598f8b

SHA256
8ef90a3fdd2e2d55d3a52bbc8b711bdd552fa69b94d701524fcf26379e416013

SHA512
a2b3e6fe5a5f5145296f13fc7b7343aff4d35910c1ededd03ac560beb35d1b710e65edd642be866f9231dd79d7e482ab1b8c5d13b378df24898ec6e0788ab9a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ca4155a33263bf7c5c563ae3ef30d742

SHA1
b58d2dc6ab605b30e08a0b3c2bd16f4f72566eda

SHA256
4365316e2c0ed6a1c9d88e345f68e92e5eaca491481a606daffed7de2aa7c338

SHA512
24d374b485281e0ec8d0f91f21a10a522ca0b91c3811761cba193ff14877f6d18d4abea549badacf25b4572161be0485dba3d6d3bed17770620c99f262ded30e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\AlternateServices.bin

Filesize
7KB

MD5
23eed5a4746a03003cd2383e5035d42e

SHA1
51544b096940df5ed6d68d2e5efa338ef21d4975

SHA256
41345581c41c825d9a26dade7f8717f727b6a6e5c285ec8ec23719b502881a11

SHA512
f4b40fe314e8f7ea442046239cc1b08c24735c5f84ac621cf75b89adaef940fd6a8176c5a6297730f629cc236e28a678f7db5042dc5d845da880743451f61942

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
ecbb9f275cdbc94c871fc5e219f42beb

SHA1
a2eed598d31619305d2d5b746a0f2dc4032e23cd

SHA256
eacea4632968df1f9a0ed2739f98b644661ba458d685a8766de3b87b8313a762

SHA512
d48a9eda929ba01f04acab2b36cf5edc373873e09d8d71c32c9fe351c4ef755496d061a3f51ffe969debb4b8f7b8692e4e4642387557031c1eb9891a14bce289

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
93e3fa737059cc1134e2fc3b0649307b

SHA1
755f4d80d3edf4982694d4fc0376dcdb4c37143f

SHA256
6773dd25c5769f05660073578d2035c863919b273b40e955da79de5593e48490

SHA512
d63349e81753cd250985f82befa2f37ce229332e55151a31b1c92c56743b9f89b173cfccc504c260f0d1fab0005b3996ef050664c359b5738892106c12af7792

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\datareporting\glean\db\data.safe.tmp

Filesize
17KB

MD5
f2d2c434f2702318fcdc9b5b128645ee

SHA1
6fb7edda0c5186b15b65f79ab61f81abb377d718

SHA256
4ca922ea38725eae60f05af46bc1ac8e81e12e9f4e70b2e1a1e72f91c95a9afd

SHA512
737c03f15d43ada9ca326b5262ea7e497695c1c24919f1924594c04d357797f42677232a860e8bed800c370710158ecf9cb8385701086468fa26882e1976533f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\datareporting\glean\pending_pings\27f98bae-c4ff-4cdf-ba9a-79b776d68e24

Filesize
671B

MD5
0dbe02a56db39ff264ae9666a62f565c

SHA1
5c1c16074726647390accb206c819ec017cbb362

SHA256
c2a7b0962eb45f78c8bdb938fd1e125eb6833fc3417382f5a5aad97b44f8da6a

SHA512
83bdc1b2a390b87f308fb9f583332302111092b18a8b90a28da6488e7b89e2396115bb1218feaa925606deae42d84a04607390abfc3126e4ad9c2814ee35c2e4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\datareporting\glean\pending_pings\687352b2-5592-43b9-a82d-0093b11dee8a

Filesize
24KB

MD5
3606f9b95d835955df547aef2911e7c5

SHA1
604cf7433ed4bcfaf36ab82523d5c2458711ed9b

SHA256
c7969710290bb504005ee04b2cbfc8369628d33276df9eb607db10818e3c4ee4

SHA512
d8349ed5c4108f69e1e1200a04cd19e56ee5bb37e83c0809b71b9b2f74bfba6ad6fc7b46119dab90f615ea895011adf9fc3cc257c606933e116acf254073c642

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\datareporting\glean\pending_pings\90a48a24-6aeb-4aec-a8a3-120da60060a8

Filesize
5KB

MD5
1529d0a21e9135f0f9245f823fef5ae0

SHA1
8dde79bdc13dbef68843f8605b73f57f247005c2

SHA256
d0d82d5fb5c5f20bbf105e044064756e817633bb443b7c562e322a11729bb886

SHA512
dabcd81e2b46e386c46c10e6ea8807966ad8829528df5a632e26398aa230d609a10ac9cef3e4fa0e796550f9c21b0d76d9e4b911f548e64e7bd96e8fd53d4742

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\datareporting\glean\pending_pings\ce5a6287-de3a-40f6-a9ab-12d8b3de90a7

Filesize
982B

MD5
a6b74c4f6e6b3a3a0e3ca24e75590e9a

SHA1
1ad3f36b82adc83c8393a14fd3c2b71a537c32db

SHA256
650cc269ce72c2e0b93f629fccec839056b9d2476aaa52ab7d6db778f66a9a24

SHA512
67b9d5535d5b7d184dc51894d211174740e46508f6ccf263a66c616353c9c8c57e7025b848397eac7b180e1d995752fba909a2949ffe29803d0908c3957f6374

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\prefs-1.js

Filesize
9KB

MD5
f4717aa35f1073c3285a1dfa7d8845da

SHA1
aa38f1c9e673027f3fdb0bfb26a6a39c21d3dad7

SHA256
c22846f712c60d137b6384917e421184f5972f2d4f68cf4bf32e7d0f1d3804d7

SHA512
e795392cc3cc87c7cd5b09f52371e1572dc71321a66b1ded06865e9b3e9f946ba03ef9c226b133260308de3d7e953acff8c93e568bf9852292486afce9048534

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\prefs-1.js

Filesize
11KB

MD5
9e7613c0ac381b369b8c9ce54b475d2e

SHA1
12d654a785ff9f022cbcfe2ea1860dbfad2e06e4

SHA256
ec5a2e1b59f67b5e300a7683b0db6ebd4b94f6220d197302a7095c3b30925bd4

SHA512
abf025c6b755cd01e6265c9fa7b7feaf3d81cd60419b7d16f0680bb340f5f21efca47be69000ac5d58ca3a03b76ff61b9dd1d7454361759577b9816774094f71

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\prefs-1.js

Filesize
10KB

MD5
58a016fdf9a66065172b3e81e96038da

SHA1
80cbd8b89750d1ad0f4b27a5bd0a222f18145d28

SHA256
d2d2132a161e61d55a30935021ccd605291de412a413fe5227ac4974d614dc98

SHA512
98d69b761a5e25c9d3147b9cd067b72818300b2558e3023910601d647e3ce78a3fc977a825150785d796eba58b95402c5f25861520434964218e027573b66e02

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\prefs.js

Filesize
9KB

MD5
23a276c2a3f6c1adbcae772544bfcbda

SHA1
15f62c872dff28c7ce480082704e1e6bd8133853

SHA256
1c832c19471d51710fbe41d725d3e28d07e94f05afe69b2a3e5eb94c0ea7c8ad

SHA512
ca18cf01be6bc8dd8f3bb91f9f6d54d465ccce845515bffb5041f1857d0cd0316d05db554bb0699d2390a895a95f815d7bd42282fad42cb50f250297f5f4944b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\prefs.js

Filesize
9KB

MD5
4947f49aafb4a4342a2029ab278b1d07

SHA1
53a2f0743df95481a73da1b3d767edaf8203b2e6

SHA256
a38632c6353f5e4bf95c86ac7c33391fd5537ff4c43334add196c08945c27d04

SHA512
4d239fc359d3b153f639b5e12a4247e3174f27ca3a146847f8ea9efdc105e4acd5519f1f65160ef2d1f85c4bf05da59ce5c3f06d5508f961d7a62d53b6a279f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c957d18e4eda8a5dfd304188ec375a65

SHA1
98a19290577fe7056a309441d5e0fc166c12bbd3

SHA256
2f1ac374c4bfe9f495b9ac2ecaf57f117bd441da245a17722e99fe70c6726cd3

SHA512
b8f612cb8e9e8e28c7cdc852b11a05f2e6111af3aac6a5133d1183289da58684030376b64f36056a7c14f7dd46e5a9f033b6e4cfc6deee19a0971a8967640595

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8ul5krx1.default-release\sessionstore-backups\recovery.baklz4

Filesize
14KB

MD5
dd586a88b8892e2262f4e5b85d3c8f78

SHA1
9686dfb0f77b09c853d6ff3c66360545821c2647

SHA256
64655ce038e26a3ce0021a18677d37f2b33b44d1ea955806f982f76f6921d4e5

SHA512
13a7e17e91c8907ab1c2603f6b1d1369f27e096e3dca27ea236d9c9e4b18c60dc49948090714b1e67a8684fa8efae34e9472ff84aea3cd0e37c7e7ec4fe199ec

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 545022.crdownload

Filesize
5.7MB

MD5
9102f68f339fc9d8e964bded11458acf

SHA1
da4ca73ae51eb264c8f5e17fefdb1cd3d35668d3

SHA256
2403a50cc8315a4bad375c20598d63fd3a3e0def08cecf05d7f00767d9740c90

SHA512
653a34d1729a8b5f3d6e1ce2eb5e0f49297a2c70eda52693f364f7a1c553e8dc3a1eedc1ce98fa378c85ba74925d46ea3d35e40fb660aa750cce279c49688812

Download Submit