37e9920fd573d58df3623bc118901a705e6a10c8dba6ae2ac995640b8d7106ea

Resubmissions

17-01-2025 06:29

250117-g858yavnay 10

17-01-2025 06:06

250117-gtsdjavpel 8

17-01-2025 06:04

250117-gs3swatrex 7

17-01-2025 01:53

250117-cbebqsyjew 10

Analysis

max time kernel
953s
max time network
956s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
17-01-2025 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ui_0.0.18_x64-setup.exe
Size

5.9MB
MD5

fe3262712b0588dc4171eab5d36c4ed4
SHA1

227618384173ffda1bf4ed16fd6cd780a9b2f807
SHA256

37e9920fd573d58df3623bc118901a705e6a10c8dba6ae2ac995640b8d7106ea
SHA512

021a0bd82833c554f3141908e238b352ee7c2f337f5b17c8f189672a924bb8610472feeeecbc6d8756c110ff5c8213d6a763d8990032e66ced563842630224d1
SSDEEP

98304:x84rE89Td1HtKAv14RTvhyYdiyl4jEH+EWavAP2/KSY+mkQ+L0eF0FNdjRQLrSd0:x84rE89Td1NKvTv7UI4AeEW2KSBmk1LL

Score

8^/10

microsoft discovery persistence phishing privilege_escalation spyware stealer

Malware Config

Signatures

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4069049685-955655941-4058287599-1000\Control Panel\International\Geo\Nation	setup.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 22 IoCs

pid	Process
6004	die.exe
5136	MicrosoftEdgeWebview2Setup.exe
5648	MicrosoftEdgeUpdate.exe
5540	MicrosoftEdgeUpdate.exe
5680	MicrosoftEdgeUpdate.exe
5740	MicrosoftEdgeUpdateComRegisterShell64.exe
5644	MicrosoftEdgeUpdateComRegisterShell64.exe
5628	MicrosoftEdgeUpdateComRegisterShell64.exe
5948	MicrosoftEdgeUpdate.exe
5868	MicrosoftEdgeUpdate.exe
5824	MicrosoftEdgeUpdate.exe
5936	MicrosoftEdgeUpdate.exe
6704	MicrosoftEdge_X64_131.0.2903.146.exe
6908	setup.exe
6224	setup.exe
6776	MicrosoftEdgeUpdate.exe
7720	die.exe
6568	setup.exe
6564	setup.exe
7432	MicrosoftEdge_X64_131.0.2903.146.exe
7756	setup.exe
5468	setup.exe

Loads dropped DLL 55 IoCs

pid	Process
440	ui_0.0.18_x64-setup.exe
440	ui_0.0.18_x64-setup.exe
440	ui_0.0.18_x64-setup.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
440	ui_0.0.18_x64-setup.exe
5648	MicrosoftEdgeUpdate.exe
5540	MicrosoftEdgeUpdate.exe
5680	MicrosoftEdgeUpdate.exe
5740	MicrosoftEdgeUpdateComRegisterShell64.exe
5680	MicrosoftEdgeUpdate.exe
5644	MicrosoftEdgeUpdateComRegisterShell64.exe
5680	MicrosoftEdgeUpdate.exe
5628	MicrosoftEdgeUpdateComRegisterShell64.exe
5680	MicrosoftEdgeUpdate.exe
5948	MicrosoftEdgeUpdate.exe
5868	MicrosoftEdgeUpdate.exe
5824	MicrosoftEdgeUpdate.exe
5824	MicrosoftEdgeUpdate.exe
5868	MicrosoftEdgeUpdate.exe
5936	MicrosoftEdgeUpdate.exe
6776	MicrosoftEdgeUpdate.exe
440	ui_0.0.18_x64-setup.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe
7720	die.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
181	camo.githubusercontent.com
184	camo.githubusercontent.com
186	raw.githubusercontent.com
255	camo.githubusercontent.com
179	camo.githubusercontent.com
182	camo.githubusercontent.com
183	camo.githubusercontent.com
188	raw.githubusercontent.com
189	raw.githubusercontent.com
187	raw.githubusercontent.com
180	camo.githubusercontent.com
185	camo.githubusercontent.com
190	raw.githubusercontent.com
253	camo.githubusercontent.com

Checks system information in the registry 2 TTPs 10 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Detected potential entity reuse from brand MICROSOFT.
phishing microsoft

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\mip_protection_sdk.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\beta.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\pa.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\dxil.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\SETUP.EX_	MicrosoftEdge_X64_131.0.2903.146.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\oneauth.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Trust Protection Lists\Sigma\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\nn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\MicrosoftEdge_X64_131.0.2903.146.exe	MicrosoftEdge_X64_131.0.2903.146.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\he.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\MicrosoftEdgeUpdateCore.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\msedgeupdateres_az.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Trust Protection Lists\Sigma\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\nl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\eventlog_provider.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\resources.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\msedgeupdateres_pa.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\en-GB.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\msedgeupdateres_bs.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedgewebview2.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\msedgeupdateres_ml.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\ro.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\sr-Cyrl-BA.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedgewebview2.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\ml.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\VisualElements\SmallLogoBeta.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\BHO\ie_to_edge_bho_64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\am.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\d3dcompiler_47.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\gu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\ug.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\prefs_enclave_x64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\telclient.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Trust Protection Lists\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\msedgeupdateres_bg.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\msedgeupdateres_ta.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\cs.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\Locales\ml.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\onramp.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\cy.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.146\Locales\hi.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\d3dcompiler_47.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.146\msedge_proxy.exe	setup.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File created	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ui_0.0.18_x64-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	strings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5948	MicrosoftEdgeUpdate.exe
5936	MicrosoftEdgeUpdate.exe
6776	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 41 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ = "IAppWeb"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ = "ICurrentState"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41E1FADF-C62D-4DF4-A0A2-A3BEB272D8AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F7B3738C-9BCA-4B14-90B7-89D0F3A3E497}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{41E1FADF-C62D-4DF4-A0A2-A3BEB272D8AF}\InprocHandler32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\Elevation	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachine"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CLSID\ = "{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.Update3WebMachineFallback"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\InProcServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41E1FADF-C62D-4DF4-A0A2-A3BEB272D8AF}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ = "IPolicyStatus5"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CLSID\ = "{5F6A18BB-6231-424B-8242-19E5BB94F8ED}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebSvc\CurVer\ = "MicrosoftEdgeUpdate.Update3WebSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A0B482A5-71D4-4395-857C-1F3B57FB8809}\ = "PSFactoryBuffer"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.PolicyStatusMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Strings.zip:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\die_win64_portable_3.10_x64.zip:Zone.Identifier	firefox.exe

Opens file in notepad (likely ransom note) 7 IoCs

ransomware

pid	Process
6072	NOTEPAD.EXE
3396	NOTEPAD.EXE
4384	NOTEPAD.EXE
3448	NOTEPAD.EXE
516	NOTEPAD.EXE
6912	NOTEPAD.EXE
3412	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6004	die.exe
7720	die.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
7640	mspaint.exe
7640	mspaint.exe
5648	MicrosoftEdgeUpdate.exe
5648	MicrosoftEdgeUpdate.exe
5648	MicrosoftEdgeUpdate.exe
5648	MicrosoftEdgeUpdate.exe
5648	MicrosoftEdgeUpdate.exe
5648	MicrosoftEdgeUpdate.exe
440	ui_0.0.18_x64-setup.exe
440	ui_0.0.18_x64-setup.exe
7024	msedge.exe
7024	msedge.exe
7472	msedge.exe
7472	msedge.exe
7440	identity_helper.exe
7440	identity_helper.exe
6184	msedge.exe
6184	msedge.exe
8172	msedge.exe
8172	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
6004	die.exe
7524	OpenWith.exe
440	ui_0.0.18_x64-setup.exe
7720	die.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
7472	msedge.exe
7472	msedge.exe
7472	msedge.exe
7472	msedge.exe
8172	msedge.exe
8172	msedge.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

description	pid	Process
Token: SeBackupPrivilege	4276	svchost.exe
Token: SeRestorePrivilege	4276	svchost.exe
Token: SeSecurityPrivilege	4276	svchost.exe
Token: SeTakeOwnershipPrivilege	4276	svchost.exe
Token: 35	4276	svchost.exe
Token: SeBackupPrivilege	4276	svchost.exe
Token: SeRestorePrivilege	4276	svchost.exe
Token: SeSecurityPrivilege	4276	svchost.exe
Token: SeTakeOwnershipPrivilege	4276	svchost.exe
Token: 35	4276	svchost.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeRestorePrivilege	3092	7zG.exe
Token: 35	3092	7zG.exe
Token: SeSecurityPrivilege	3092	7zG.exe
Token: SeSecurityPrivilege	3092	7zG.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeRestorePrivilege	2788	7zG.exe
Token: 35	2788	7zG.exe
Token: SeSecurityPrivilege	2788	7zG.exe
Token: SeSecurityPrivilege	2788	7zG.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeTcbPrivilege	6800	svchost.exe
Token: SeRestorePrivilege	6800	svchost.exe
Token: SeManageVolumePrivilege	7676	svchost.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeDebugPrivilege	5648	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5648	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2264	firefox.exe
Token: SeBackupPrivilege	4276	svchost.exe
Token: SeRestorePrivilege	4276	svchost.exe
Token: SeSecurityPrivilege	4276	svchost.exe
Token: SeTakeOwnershipPrivilege	4276	svchost.exe
Token: 35	4276	svchost.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
3396	NOTEPAD.EXE
4384	NOTEPAD.EXE
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
3092	7zG.exe
2788	7zG.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
440	ui_0.0.18_x64-setup.exe
7720	die.exe
7720	die.exe
7472	msedge.exe
7472	msedge.exe
7472	msedge.exe
8172	msedge.exe
8172	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
6004	die.exe
7720	die.exe
7720	die.exe

Suspicious use of SetWindowsHookEx 54 IoCs

pid	Process
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
6004	die.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7524	OpenWith.exe
7640	mspaint.exe
7640	mspaint.exe
7640	mspaint.exe
7640	mspaint.exe
7720	die.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 3912 wrote to memory of 2264	3912	firefox.exe	100
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 2100	2264	firefox.exe	101
PID 2264 wrote to memory of 1884	2264	firefox.exe	102
PID 2264 wrote to memory of 1884	2264	firefox.exe	102
PID 2264 wrote to memory of 1884	2264	firefox.exe	102
PID 2264 wrote to memory of 1884	2264	firefox.exe	102
PID 2264 wrote to memory of 1884	2264	firefox.exe	102
PID 2264 wrote to memory of 1884	2264	firefox.exe	102
PID 2264 wrote to memory of 1884	2264	firefox.exe	102
PID 2264 wrote to memory of 1884	2264	firefox.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ui_0.0.18_x64-setup.exe
"C:\Users\Admin\AppData\Local\Temp\ui_0.0.18_x64-setup.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:440
- C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
  C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe /silent /install
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5136
- - C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EUC4F0.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
    3⤵
    - Event Triggered Execution: Image File Execution Options Injection
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5648
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5540
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:5680
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5740
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5644
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:5628
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTczM0QwMjItNTYzRS00NjFBLTgzREEtODg1Q0ExQTc0MDM0fSIgdXNlcmlkPSJ7MkEwNDg2NTUtODNGRi00Q0FFLTk4MjYtNTdGNjVDNjYxNjI3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntBQTRBQkU1OC03NkEwLTRGRTUtODEwMy1CRDQ3RjI4MDFFMjR9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiIvPjxhcHAgYXBwaWQ9IntGM0M0RkUwMC1FRkQ1LTQwM0ItOTU2OS0zOThBMjBGMUJBNEF9IiB2ZXJzaW9uPSIxLjMuMTQ3LjM3IiBuZXh0dmVyc2lvbj0iMS4zLjE5NS40MyIgbGFuZz0iIiBicmFuZD0iIiBjbGllbnQ9IiI-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIwOTc5NjA0MzkiIGluc3RhbGxfdGltZV9tcz0iNDE3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      PID:5948
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{1733D022-563E-461A-83DA-885CA1A74034}" /silent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2816

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:3396

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\jusched.log
1⤵
- Opens file in notepad (likely ransom note)
- Suspicious use of FindShellTrayWindow
PID:4384

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\FIZOFAVL-20250113-1352a.log
1⤵
PID:4728

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\msedge_installer.log
1⤵
- Opens file in notepad (likely ransom note)
PID:3448

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3912
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1948 -prefMapHandle 1940 -prefsLen 26929 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85fd449d-5bb8-4448-89e2-26f695ed59a5} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" gpu
    3⤵
    PID:2100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2404 -prefMapHandle 2392 -prefsLen 26807 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5295b1cf-f9b4-4906-bb4b-a1720c504ce3} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" socket
    3⤵
    PID:1884
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3164 -childID 1 -isForBrowser -prefsHandle 3172 -prefMapHandle 3168 -prefsLen 22698 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f2817594-f766-42fc-a969-6b7b26e2a7c1} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:1848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3948 -childID 2 -isForBrowser -prefsHandle 3940 -prefMapHandle 3936 -prefsLen 32181 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6cefc0c6-c3ed-4789-be7e-8f7291fab4ce} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:1960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4724 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4788 -prefMapHandle 4784 -prefsLen 32181 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be7a9f99-acbf-462f-a178-85fec3f3e1a4} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" utility
    3⤵
    - Checks processor information in registry
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5376 -childID 3 -isForBrowser -prefsHandle 5360 -prefMapHandle 3756 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {645ed641-97e0-448c-a6cd-8ac6e8afb87b} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:3352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5524 -childID 4 -isForBrowser -prefsHandle 5436 -prefMapHandle 5440 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b5c7f28-e106-42c3-a84e-0d2ae017facd} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:2096
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5704 -childID 5 -isForBrowser -prefsHandle 5652 -prefMapHandle 5656 -prefsLen 27097 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2c392ad5-1010-4700-8968-cdd603a3d366} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:2328
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1424 -childID 6 -isForBrowser -prefsHandle 3216 -prefMapHandle 6076 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {21a34285-0fb1-4d79-8a9f-935f49f8dfeb} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:3948
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3588 -childID 7 -isForBrowser -prefsHandle 3632 -prefMapHandle 3628 -prefsLen 32434 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a14bbbf-14cf-447a-9b80-89dbcb516124} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:1072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3604 -childID 8 -isForBrowser -prefsHandle 3608 -prefMapHandle 6384 -prefsLen 27257 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d9922b2-56e4-4fbd-b64b-1d4c8bed8440} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:4932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6540 -childID 9 -isForBrowser -prefsHandle 5028 -prefMapHandle 5248 -prefsLen 27823 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {014865ef-0596-422d-98e9-56480dac5476} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -childID 10 -isForBrowser -prefsHandle 6684 -prefMapHandle 5040 -prefsLen 28044 -prefMapSize 244658 -jsInitHandle 1176 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6aa9b45a-7b48-4527-8ae1-3fd0a111e301} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" tab
    3⤵
    PID:1144

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:2252
- C:\Users\Admin\AppData\Local\Temp\strings.exe
  strings ui_0.0.18_x64-setup.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\wmsetup.log
1⤵
- Opens file in notepad (likely ransom note)
PID:516

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\AppData\Local\Temp\" -an -ai#7zMap23718:94:7zEvent7021
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3092

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3575:116:7zEvent18581
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2788

C:\Users\Admin\Downloads\die.exe
"C:\Users\Admin\Downloads\die.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:6004

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\aria-debug-724.log
1⤵
PID:6352

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
1⤵
- Opens file in notepad (likely ransom note)
PID:6912

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6800
- C:\Windows\system32\dashost.exe
  dashost.exe {b01103fa-e50a-47b5-841fc20a9090a211}
  2⤵
  PID:7144

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:7676

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:7548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7524
- C:\Windows\system32\mspaint.exe
  "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\modern-wizard.bmp"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:7640

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:5824
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTczM0QwMjItNTYzRS00NjFBLTgzREEtODg1Q0ExQTc0MDM0fSIgdXNlcmlkPSJ7MkEwNDg2NTUtODNGRi00Q0FFLTk4MjYtNTdGNjVDNjYxNjI3fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUZBNjI4NkYtMENFMy00RTkzLTkwNzYtM0YwNjNGNjBFODdDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0NC40NTI5IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iMTI1IiBpc193aXA9IjAiIGlzX2luX2xvY2tkb3duX21vZGU9IjAiLz48b2VtIHByb2R1Y3RfbWFudWZhY3R1cmVyPSIiIHByb2R1Y3RfbmFtZT0iIi8-PGV4cCBldGFnPSImcXVvdDtyNDUydDErazJUZ3EvSFh6anZGTkJSaG9wQldSOXNialh4cWVVREg5dVgwPSZxdW90OyIvPjxhcHAgYXBwaWQ9Ins4QTY5RDM0NS1ENTY0LTQ2M2MtQUZGMS1BNjlEOUU1MzBGOTZ9IiB2ZXJzaW9uPSIxMjMuMC42MzEyLjEyMyIgbmV4dHZlcnNpb249IiIgbGFuZz0iZW4iIGJyYW5kPSJHR0xTIiBjbGllbnQ9IiIgaW5zdGFsbGFnZT0iMyIgaW5zdGFsbGRhdGV0aW1lPSIxNzM2Nzc2NTY5IiBvb2JlX2luc3RhbGxfdGltZT0iMTMzODEyNDkxMzYwNzQwMDAwIj48ZXZlbnQgZXZlbnR0eXBlPSIzMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMjE3OTg2MiIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIxMDE5NDg5MTYiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:5936
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\MicrosoftEdge_X64_131.0.2903.146.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\MicrosoftEdge_X64_131.0.2903.146.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:6704
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\MicrosoftEdge_X64_131.0.2903.146.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Drops file in Windows directory
    PID:6908
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x240,0x244,0x248,0x224,0x24c,0x7ff6eedd2918,0x7ff6eedd2924,0x7ff6eedd2930
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:6224
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTczM0QwMjItNTYzRS00NjFBLTgzREEtODg1Q0ExQTc0MDM0fSIgdXNlcmlkPSJ7MkEwNDg2NTUtODNGRi00Q0FFLTk4MjYtNTdGNjVDNjYxNjI3fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9InswMjlEMDhGMS1CRDg4LTQ2MDQtODA2RC03NDVCMEJBNDdGQzB9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQ0LjQ1MjkiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSIxMjUiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEzMS4wLjI5MDMuMTQ2IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSIxMjExMzk5MjgzMSIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjUiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMTEzOTkyODMxIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTIzODYxNjkwNDEiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzLzhmOGVmNjc2LWFjYjMtNGYxNS1hODU0LTE2MzQ0Y2EwM2U5MD9QMT0xNzM3Njk5NTYzJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PWNDcDJXRDJKemRaM3Z4eUhvUm80UGJOZjZvOXh6QzJIam5Odk5tb0tVblhnN241QlpiOEdiZUpuM1pOOXZzMnNkd1FSc2VBZjl4ZVpRNE1MREZhYnl3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBjZG5fbXNlZGdlX3JlZj0iIiBjZG5fYXp1cmVfcmVmX29yaWdpbl9zaGllbGQ9IiIgY2RuX2NhY2hlPSIiIGNkbl9wM3A9IiIgZG93bmxvYWRlZD0iMTc2NzU0MjU2IiB0b3RhbD0iMTc2NzU0MjU2IiBkb3dubG9hZF90aW1lX21zPSIyMDc1NyIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjEyMzg2MzI2MjA0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iMTI0MDA4Mzc0MjUiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjEzMDEzODc0MDc5IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIiB1cGRhdGVfY2hlY2tfdGltZV9tcz0iOTAzIiBkb3dubG9hZF90aW1lX21zPSIyNzIzNCIgZG93bmxvYWRlZD0iMTc2NzU0MjU2IiB0b3RhbD0iMTc2NzU0MjU2IiBwYWNrYWdlX2NhY2hlX3Jlc3VsdD0iMCIgaW5zdGFsbF90aW1lX21zPSI2MTMwMyIvPjwvYXBwPjwvcmVxdWVzdD4
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:6776

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\die.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:3412

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\shortcuts.iniwin.ini
1⤵
- Opens file in notepad (likely ransom note)
PID:6072

C:\Users\Admin\Downloads\die.exe
"C:\Users\Admin\Downloads\die.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:7720

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:6568
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_C62DB.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x240,0x244,0x248,0x21c,0x24c,0x7ff6eedd2918,0x7ff6eedd2924,0x7ff6eedd2930
  2⤵
  - Executes dropped EXE
  PID:6564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:7472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x128,0x12c,0xd8,0x130,0x7ffe945f46f8,0x7ffe945f4708,0x7ffe945f4718
    3⤵
    PID:7044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:7080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7024
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
    3⤵
    PID:5180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
    3⤵
    PID:5472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
    3⤵
    PID:5620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    3⤵
    PID:6156
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
    3⤵
    PID:6848
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    PID:6788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff71cca5460,0x7ff71cca5470,0x7ff71cca5480
      4⤵
      PID:6744
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,1808295872935675705,15461715985827411163,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:7440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6996

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:4764

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\MicrosoftEdge_X64_131.0.2903.146.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\MicrosoftEdge_X64_131.0.2903.146.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:7432
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\MicrosoftEdge_X64_131.0.2903.146.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:7756
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.265 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.146 --initial-client-data=0x25c,0x260,0x264,0x238,0x268,0x7ff643392918,0x7ff643392924,0x7ff643392930
    3⤵
    - Executes dropped EXE
    PID:5468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --force-first-run
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    PID:8172
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ffe945f46f8,0x7ffe945f4708,0x7ffe945f4718
      4⤵
      PID:6128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,15029811874348160813,8040117992462378961,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:5108
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,15029811874348160813,8040117992462378961,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:6184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,15029811874348160813,8040117992462378961,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
      4⤵
      PID:1492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15029811874348160813,8040117992462378961,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
      4⤵
      PID:228
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,15029811874348160813,8040117992462378961,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
      4⤵
      PID:1200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\SETUP.EX_

Filesize
2.6MB

MD5
7349ba3fd11e969251f9ce1f5daf8f78

SHA1
04e7417dc17a848b2fcfeaebb84e403a77ae9b1c

SHA256
bc16ba05ea264056790d6fe3ce3d253e7a601f4087ff1908d9cf2a936528c57b

SHA512
e1fb555ff9b641efafc9e0715af620f7f58b188f8340a64d9fce5270fafc67b709f2aa1b0989d8606bfce53ce94ed9ca6c5cdaa77dbe63055f29644ba736840c

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{B454C4C0-2808-4330-9322-6FF28CED837D}\EDGEMITMP_137DF.tmp\setup.exe

Filesize
6.6MB

MD5
e8e8b726812f34db032aca8b97d8ae7f

SHA1
cfc2f7ddc42bcd55bc1de597dbd228faef9573c0

SHA256
46e9e7a54c7cb4b0f6f3eba955827af81cfd62bc7ba2b374c21ba7e802d820a7

SHA512
f26ae84b91c2f3cfb8b531c4ddcee86e3a95744d4d52162b54b055827952c78c3fcd138f1508babbab68c04b87138a74d9b81ae7ccc6919b2c4f482f71dc1d6d

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
73KB

MD5
7774c7bf4154db9df3743eb5844e4d97

SHA1
fde31fec1759271d9364076a4c6720b2b28a4859

SHA256
17bd7f93236570af1b2f5e6bf789088f3142d508ba0bebbbe9b2a5df6e7aa47a

SHA512
414a1acaaf6635c462fff553de7d3f0b6e697a7a1c5ef6964a0174838eb39cf615ccc03f662d4c2a73e9f17e4e8d2c2dab6346d40d899b90f8cd0cd71d4ea49e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0da199ac67820bc4c96e176174e38cc1

SHA1
f6b4a23c73929c0c2e2d1a268ca89b753f596dec

SHA256
36e5092ad9290f59d081c982719231cd062b6a67759c46b84a779a71b8ecff80

SHA512
8baf4363928b814f632fb330d37969b94b00b8cf8d005feac7563e407f4c90241fa7ebe36f78a0518c225382cbe7855c3f32dd7520087d2f876ea90d95cc4b41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
396ddeef4edbd36a594c9ada48a36916

SHA1
89206d81f0a592aaaad1f2363c04b7e2d48ab865

SHA256
de61493a9ab4270343e8c38f58a37c9d4e102db0c49bac8591e02fb9f55b30f8

SHA512
0ba199d51b8efba45cc046a9802879646cb055d142234155c5762bd8c5a5438c83abaed9a4625f0fcf1477edb69428310fca27be4e0da8d12779a8f25ff7bc38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb72bdba32542ca9461c0e759821f801

SHA1
5336e764840da0df6e929dfb6831e95ba353e02b

SHA256
ec844e57972d182b9a87ca521045e4e853f74ae7bff9b517a6ef1d1c306a2da3

SHA512
6d7e13ccde84f60a109c488444b419c3184bb151682b1333d66048f55cc2127416f9f24a9f4fe554a980f023a380caf2f71de40153d0659d98b138f338c99bb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
fb140bee334d3f80dfbb5f779b6c7728

SHA1
4973f67c2b5f10eda2e5be5cacb4f0d66368081f

SHA256
7a3886310249c09577ba33fc58e8ed7872b4db9aa9b128c82f24cda0424ac103

SHA512
3fa0dcc85913274082374152ca9a7f4f71e1a92257c92dbcf8aa2494388b0240749b8630a9bfa9d65ec06fc153e2c2134af23729f64eaa9eda4af83b81f59ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
dcae552634ab3490939cf5687a95d461

SHA1
b67ee5f04690a5569dc71337972981c9cefe82a1

SHA256
80a3f2bba6fa1a001aea2b9ade1e9de1881a75888de1a0986ee7caf16ea84c16

SHA512
d903f0bf56b495688b7b7bfa68e53a9485285a3b1dd9df07efd59697c1283017b123399d812d897e3e76c0a0586e2386f46bbf1cfc96f40d57981544863a837f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe65cc74.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2a5c6bfa4961e3d186823805559e1ae7

SHA1
ed2139a14b2f9471f38892848f854b21ba8f9013

SHA256
df88683773f49376865dff5f66ffd98d81dd33aea54fc6144a93c7e929156ce4

SHA512
d4467bc14c41f5d327ba8455465c5d08593e5a1873e35e8fe062cac12eec12c12124b654a459a2f75d52ab1ec8a6393babcc7127fbdd23d96c5acd5e084aaaa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
48bcfced2d6cb89a77ebae8064556d5b

SHA1
6fec489fbf2b7953b2ece59999907f1c7020cdf5

SHA256
385da7f028b7d524c00501314e43e71a6b8a6b321f00a181510f7dad03374a2f

SHA512
5078fba059ffac6418577e4ac428893268f1b7237035a25d0c69c27d7b10b175358cd8f8411b3f2321c4c47da50410088cae9a9b3b1869049f91e9b56cb16797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0a1a03554c200c5aadd25c6cf51f3ba

SHA1
f0ebae9f08ccd2f6a5cb2155efefd852ea61baa0

SHA256
8dbddbf928d13120823470908e108b95d9ab7dd1c52cbba7a6da247285b1dc16

SHA512
ff094f68be075e6ccc80799e41d38cb7759800d8e5ec8f458aa85001b4d0ba5361be73fd8e02dc414411ebaaa8a25fd3ad88cab0f869ec23c32ca414f8d1f95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4911050da4205fd20e4647f1e2607b47

SHA1
1d826bf95ee2400c29ec45f65d3684d5e4cb61f9

SHA256
87933c4fa66b09a0bac25dfa89155867486be3a8b1e9588d79d821ec0eba416f

SHA512
cff953cf0fe3a0cfef426ec8ebe5fe40f4f53e9915d432c80ab3b49d4383f32ab78c24429e7f45a730f7c555a4b93c6560ec98043d2b8dce851fff70b4062194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3ed665ec3f8b52d32617d54c37053abf

SHA1
2dc854af48d853950aca8af781cee9a20acbde7f

SHA256
cacceb61025f8537c12220895076a0b846ddb2a14d68d7ccd98f710d42b2d473

SHA512
d07b94dfce3973bce04d95f32da9f84ed2192b571080ce4179201d8784c0108075de15ba92e3ad919946aa5feaffdf7a538724b4821dcd1507f03c12fc854b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
185080eb3d5b0a66db58e0095f8c331f

SHA1
bff8dcc035b163b0c9ec6e4407733b86affef965

SHA256
113641bc7ae03411b69562ecb967139fd6193ce3f49251ec79449317ace9d331

SHA512
75ff3e926bb1a6bcbb6cca5b735511a0e3d203e7fb90416c3cdb0b03aafc9db16ce824e0f018ecf721166f589ff8d5fad6cfcb9287418716d50256348572a790

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ed5208c1f808bc3060ee268b37756402

SHA1
034686621c966a7ffbd112d425fa6fd600d0c664

SHA256
f1101bcaf7c09312f161e9ee88255a6869fef1a8ff3dc11a8a46b425d444e710

SHA512
beb4d264aed90cdd73646f674b9a9d7c659b0c11994401a96ade73e807ebf04b8166471d35aedb0e41acec52576c3ca7baf2c0b20782f1e7fbee57ba701804f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
aa7f3a98851cd498ddd32a337219bbcb

SHA1
b2dd6d99e0073e19322c274a07d48b8088e75268

SHA256
9bf5739085115ed91065bb4c1a84328d335403406cc6a327d59899ab0042153f

SHA512
eb9046ea2b13af4247f93d46eb88d7c3fa55615126903821371e3e61c448ce6949313e505dfdbfffb3c31b7570217fbcf0b140411b9ad42c0ecbe73a6088bf2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a1c27d65e75088fa1508148202993f0a

SHA1
1bfedc983c8084cb7507fe57a7a5ffb48d88daf5

SHA256
d32ca265db47015b1fe4eaf11be3c447c77030060502f179fd2dafb44914929f

SHA512
8001fd1c6c2958518850cd20a7356804a76f69f504ba31e85910072ddb6d0aa7c52d6b0f67a4015ad02a804b845dbb090a445bc9ff0720fe3ad4b951f82557d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a669bd676be5f67618dc0fbbaaf838a3

SHA1
c29998fee8abb096ea254539e0d71ec48223f75d

SHA256
2520efe692cde6088838ee4c4b7b87d86ec9b7d32626db660590ceb01bb8b76b

SHA512
fa8589e02c791669a4c7089b4893128c21efbfd7b540852c71e8bbb7cc1d6d479fa70988a41117171d8756d19175c0ab536870c3702713031822331b6ada3b16

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8xqgylkg.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
ec967f6e975f8f77b1b85670bb4e2342

SHA1
2db60ba6087dd0d97d463772af655540a3e2914b

SHA256
640aa4a0342e87115603ea1925098afd658e6b3ebd434cbf2dad81918dcdaba4

SHA512
149d86c9f746d662500991b229296431dcbe79b3aa3938f124a22d28af1147711e49cbdc2f70e661e3adcd0e355734e18db7f3c826d049d7932b923ec8bd7057

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8xqgylkg.default-release\cache2\entries\4C18F2016606B43D054C8200B2142B749FA7F8F7

Filesize
23KB

MD5
a7855b02313332fc962a232ddbc7882d

SHA1
5cb246847ef9c727d5b1b51d5fd015683c8bf6cf

SHA256
863890897d14cc87741a459e83a1c705616166a3376e6dadf573a41bc56461cb

SHA512
c580b419011e002d19ba7aeec752523307eacbbbfe7d2b5becd76aca202bd3e12951f58f344be12ea08681f1affb3ff8bd4f478725db2ea3a56457065305a8e5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8xqgylkg.default-release\cache2\entries\6E27134051362714D3442D444DC784FAF60C432C

Filesize
19KB

MD5
05c9ed2de0e1c1c24719b3a8856b75e0

SHA1
c0305975fbac9bf91902554d74d1e6f92eba9c15

SHA256
f52457213bd4016d21b8b90c552a470c56220491e167902d50610d319937ad66

SHA512
4f52aa4754931237c5323588a48541395cd4c8d3edf8c64acb48d7a388c0e152a8cb200c5bb4abb23fd84025a2185935bb5b0d3d0ad8ba6024cec97f2d4075f6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\8xqgylkg.default-release\jumpListCache\09ReQHRBdJFX_U+_FCiQx2KODHxFUi85EovHS6dc1YE=.ico

Filesize
965B

MD5
c9da4495de6ef7289e392f902404b4c8

SHA1
aa002e5d746c3ba0366cd90337a038fc01c987c9

SHA256
13ec8c9e113de6737a59d45ea5a99f345d6cba07f9a820bb2297121b8094790f

SHA512
bb72f0cc815e7b4c44959808b153aad28dbced8d97e50f83ef90229d19ea1c4b3fffff650bf49efe562451fcae0325cdbdffc1a5c4ec5d2c7c70ae9d1a0d8a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\StartMenu.dll

Filesize
7KB

MD5
d070f3275df715bf3708beff2c6c307d

SHA1
93d3725801e07303e9727c4369e19fd139e69023

SHA256
42dd4dda3249a94e32e20f76eaffae784a5475ed00c60ef0197c8a2c1ccd2fb7

SHA512
fcaf625dac4684dad33d12e3a942b38489ecc90649eee885d823a932e70db63c1edb8614b9fa8904d1710e9b820e82c5a37aeb8403cf21cf1e3692f76438664d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsl63AD.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
20KB

MD5
1b5884028a23c3f8bd84a36895307cb4

SHA1
ff480441a477d59672b154ed1e3ee71e6b4a34e2

SHA256
2b3821c92c3c189c4b77d6d147d480abf8c8cbc9df422b84ef69eab8c8e08ee3

SHA512
024b1a5abb583cfc2fbee816eab70bba6133066cf2986e017dd64b6495b6864bb58ac2b3146c46f52b2985a9c60a33959b45d6d789416e49207c4b611a2f16d2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9LX0GDUAGLJENPSLFRCL.temp

Filesize
20KB

MD5
20dd9126db7a0b448b23f1251a1fdcec

SHA1
f80add9c948180014029503078364a21dc492957

SHA256
552b366c54b8fe12d12d78f6811026a89ac88118d7e516c87eb7d6476a898d1a

SHA512
b8635e1bc98d55054b0cc3c7f54d4f3e539266251164c9a1b60fbf3aa5af968163d7ae790df23d977b7ad6ea9c28d0dc6186d6b6b70aec2599c7da071ea2d3ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZD75MWE5HHO8D0TKPUY2.temp

Filesize
3KB

MD5
6d063158d682c783fe0e811e968d40b6

SHA1
f855077005ab930cf8cd748cf6bacc4503676a4e

SHA256
134d7acd7a0e33c9fc7ebf16d2db0918688c87373e69bdaf5bf029c7ed41ba9c

SHA512
a3d9ec65a54737e4d5b6c1f1376d52838beb861943eaea8f6e2ed35c306c178f77275a979a7b49fc89d7cd2031748613e51b3b48ba61eeb332c0af6cce3cfd76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\AlternateServices.bin

Filesize
8KB

MD5
f2b2e0c9ec73a05d4d78ead4d355cc7b

SHA1
5901170e477336d1e445ddbaf05df59cfe400099

SHA256
455521a966ab9f40c14c887d29d05d40729f927cee1bc70429a7d2550d78751d

SHA512
15c38a16f7bd5a3fbd26194ccc176019508b802a04b0614eacacb446b6add050e1c50eff22acee98abba604888899a8e84e14582ecf160bcdb1fb61ca64d4f0c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
eb7d761f4f5b68d967f6e54980d1a193

SHA1
c3c238509eb0cc9f4c2b76692572afcb56e974ff

SHA256
527d72340a4dfa8fb9db5d5f299393f252cb481e6cf09fb63f9a6f6dce428eb1

SHA512
7450cc442ba5b0862c6ca88f7124fadc5465e39d7aba439035d04b39e77e9b2bd7812fb7a2de98e639decdac428b5821e8d4c3efef7c520ccbcc56f7d02b6a70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
41KB

MD5
229dd227f076de5626eb9c45e0a6d5bd

SHA1
933fe113a49b0929bb9b47732d3988336dbc7785

SHA256
d9c156f5ccfb811b0e42a151431bbd4f544fbbbda15421e4c2a0b817f8a126d0

SHA512
57453fdb0eb77457c50432dab72cbc2e841f686db4a3a83082a1c872961a248fc9240494809e7ca8cc9cb123ea27729ad152adb54f187ffb5fe896e09324ff4e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
81KB

MD5
017f49799d9604da940fda0686ce3b34

SHA1
d4a47fc35a6cf301ea8d3151714709c841d3bd1b

SHA256
41585fee192b17d2f67ba64db3b1e19a7e425e630ea9e1cc8b6f392b93fe85f2

SHA512
13dabaa181c9662161831c591bb7f21465aba245eb15b0f2d523c6915ea648cd57754fe13111ff040aa0e108ace2e84d61d56d886fc46b55d1489a08d485c7c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
1a9f171367c4cdbe69ce7760bab912ac

SHA1
b3498e0c41602c4ace69b1d23c68b13d297a43de

SHA256
a81dc8589eaed45bf7371521005064df0b2c4e154dfd97d3aefd799b8486623d

SHA512
b75d946783d39d69e3bf7e6f08ffaae5c89281c686987b65a7d47bd7c04113867e338a8874bfa3fb98f50e868ae860aceb6b9b6f4f549ea3a579e388f22bc178

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\pending_pings\1449861d-16b6-4826-9902-3071b7eb2dea

Filesize
671B

MD5
dd5021eeae65e765db750e23b6b2d57f

SHA1
b789b05d9a98f1fef51881b79ca62143d4e3eae0

SHA256
6cfef2ffcf913eb52454f0c1f78d8740b910babb9d5aa9335fbefea8cda314e4

SHA512
356a3a89bff51106b029bd68349f444dd8769069b1764a8c56063b3a4c92459524b0347f69ef069ba2ae40ed7546f7fdf9a0a35b4f6135f32a21495fe6d6f29f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\pending_pings\6883e046-d9b2-476d-94cb-e242a92f35c1

Filesize
982B

MD5
da37434ecf625f18d13994424ec0909c

SHA1
077ab9adfe2380b28028e54f8892375a7203f2dc

SHA256
767d91c59c641424d394a5369942994fcb111f9f3811d2b1474ad1a4626929ad

SHA512
18ad87cf6432fcb72d278217bdb788617047c0cdd8fba225f67df190e8ff1f6beb794f5dbb2a2b643986f5437fb06a63a97170d613668c7f658c2595401c6268

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\datareporting\glean\pending_pings\a34ce7cf-e6a8-48d2-81c7-84cdd0e5ad83

Filesize
27KB

MD5
43f25fa08e15d828d3b824fecfde789f

SHA1
8e0bfa82135b349b2bfc834d7176694329aeec3b

SHA256
110da9276bf7b56494737a39190c574b73acf48849b4b4761645ae64548cc09a

SHA512
19391b4e8eb7f170fbf5015a1b8ffbc32fa969926a63b39bae17b85ef5c7ac002445ec3bde26a39e8a8def7d963fb288a9aad2ddbfda4ad8bc5df66b17e27e84

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\prefs-1.js

Filesize
10KB

MD5
5ad826e2380bb7cb5a9caa08208f76cb

SHA1
41fd1ce6f760d10cc16a2eff338480fa069f72b2

SHA256
2496d4e6a1473f605aa0ae9e9b8b3ef954b3e039ae8b6b043971a3a85e083280

SHA512
c66d73a8775c525af37cbaee9994a5654ae027dd3dbdeab619cdd65032d649dc1be6f4e2b374d52bc9ea50abeaf6ed23e2befbbf036755086463a13fac4f2235

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\prefs-1.js

Filesize
11KB

MD5
c6906b5ee9279995def85e3f9e425065

SHA1
f84eb8d921cdf4e918649258281e925aea0f9126

SHA256
582a99ab72e7de86faf38d94f6bb25e6b839ff130422b626ada9585fbf5d5bdc

SHA512
6276fb37babad08b9bf202154550fce7704bf6d208ba526f220bef34e5b21cd48488b2293c0ce56b33fa41fa2d291ea421a87aa206043337fdf942b5a6ae9c9b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\prefs.js

Filesize
9KB

MD5
d53a395b88a902960abc7790c6fd6f6b

SHA1
9e5944530239f23161bb6416216855cac2eff712

SHA256
3d0015f3e7f761060281e328f105a320c83f41f401b5f48207b1bf7cad379a74

SHA512
ca86fb38ea0890e820183112c51d1e56cc3fdaa2531935a509ede7a1374bf5ad4e13e7974af7437a25380eba80a0d6089bf35ac8f5617f669f70b15a8fe9c13f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\prefs.js

Filesize
9KB

MD5
e0575a4bb63bb59f942c67a712bb0628

SHA1
ca37a81e556932e9933b997e51eddb2f3cc2ef20

SHA256
894843bf31e11f4c8c5d6a5e4d793c0e990e8d79e55c4273d1b6cfd09174f9b4

SHA512
bac6aa27ebf7e82920db93b3a7dc68224355734b68e32b3157017bb6343a374f58836b7f72a469aa0d80c7fef8e279680fe518a4d0f3c9bc58fa6463a5e102b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\prefs.js

Filesize
10KB

MD5
8947229f1517b6bdfdd325b5f8d1fd3c

SHA1
5fb38e5471245f8a666db52ae66a35e2c7a926c1

SHA256
6ea39aa02aec9fc2388efd37e36e79f945fe1c5ff0c07a70979cdd6bb43563e6

SHA512
7c4c71aa918243f21d6b48e2db4b0a8474928a7a065258a8f974a9ad2d1340a84dc3ee4ae55099ba7e9a1283abb0765d21948b7d1db1f2343354f997910995b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
c4000fd14ffa3fe6ea506b8d531c55a5

SHA1
a23bae2998d792ec42a45afbc129d08e0c2b93dc

SHA256
87d33d22f9f42a9fbcfaac638148f5c923491759692a10f28642cc12efcfa906

SHA512
4f696537171bc05878344fd2ea885428b7df9af36bec26e90c3a54504c7cea4688849b6e52f69bed8d63fdd0b4829905b9aeeafb590f339d278d07660da35017

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
d5d89d274eff423f492b5a48f68c7982

SHA1
c52f3a6fd29538f394b84b349d47e998081aa7a9

SHA256
f932906cc9d40da90d0e545a59d6e16ac2620ca103f78633dd72a0c3964e3916

SHA512
54203b9153d5e8d888d608f0bb4d1d9584a687372eaa96368aaacb4eb7336f97cb6cc8f83b8c37e6e3917e8707b676707576612f1bc23b3f6aca868d70754b8b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
1a671610589f27218f5c03a5ff92ed25

SHA1
252e08dbe8143c060ea3c9a9f554be7a1ceb447e

SHA256
80c382b800106c0db4c86c31eb537329f54891bb82c3bdfee7983bcba120edcd

SHA512
9ac9def6913229a0cb5b1c79f09a235495820c7493b362376fa226194a55f0e88f1a48dda0402bc694690d85bcee9e6ca676894b7d168ed4149accee4c9455f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\sessionstore-backups\recovery.baklz4

Filesize
18KB

MD5
fcb6573ecc4eb056cc18fe4c1bb1d310

SHA1
e935ecfc3f084f3ef1d29411d3fd0df615f8612b

SHA256
3388505335474fca4b389a61dd41f62becc4ab6416f3c995e31194a282d98367

SHA512
30494fdd220646c0bae5f47f394a18ef4dc8e832e937fec1500363925e43c7c9cbbd5dce9cdc5276a0f9a0040eff19811436fcc3f7d480d487babe735785ac28

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\sessionstore-backups\recovery.baklz4

Filesize
23KB

MD5
0c288d1b85da6a8dc8a45d618cc63369

SHA1
da75581c0c964b2be088f6a26416b0012f6b5768

SHA256
be6ae2bc28a979e2793bff281af3cc4b1ae62bc2aaed3fa0c1e06c25e582116f

SHA512
478aa56e4a09d1926851c3cd770fffbd6a0410360410935c12754282645e46eb6fbb2e2858c671e18a3fa612fa76324c1b189fa0c690b7788b7d9fbfed57e372

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\8xqgylkg.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
624KB

MD5
c3de216f00b6c41f1f6118d813913b69

SHA1
770b85fdfbf4c42d795ad0b6caa40763a36b1194

SHA256
0b76d7a0b012ca4673805921816b65f95ff886d41e48ca8cbe50277d029994ee

SHA512
b11d9931070982b43d77e9ddc68eb8424a44ddc617ea7c1bb352b8493bbacba109250b64b93522d31b3bfc9658dc26ebc9338b6f0e0b402fa7bef7be362d6aa8

Download Submit
C:\Users\Admin\Downloads\Qt5Core.dll

Filesize
5.7MB

MD5
817520432a42efa345b2d97f5c24510e

SHA1
fea7b9c61569d7e76af5effd726b7ff6147961e5

SHA256
8d2ff4ce9096ddccc4f4cd62c2e41fc854cfd1b0d6e8d296645a7f5fd4ae565a

SHA512
8673b26ec5421fce8e23adf720de5690673bb4ce6116cb44ebcc61bbbef12c0ad286dfd675edbed5d8d000efd7609c81aae4533180cf4ec9cd5316e7028f7441

Download Submit
C:\Users\Admin\Downloads\Qt5Gui.dll

Filesize
6.7MB

MD5
47307a1e2e9987ab422f09771d590ff1

SHA1
0dfc3a947e56c749a75f921f4a850a3dcbf04248

SHA256
5e7d2d41b8b92a880e83b8cc0ca173f5da61218604186196787ee1600956be1e

SHA512
21b1c133334c7ca7bbbe4f00a689c580ff80005749da1aa453cceb293f1ad99f459ca954f54e93b249d406aea038ad3d44d667899b73014f884afdbd9c461c14

Download Submit
C:\Users\Admin\Downloads\Qt5Network.dll

Filesize
1.3MB

MD5
3569693d5bae82854de1d88f86c33184

SHA1
1a6084acfd2aa4d32cedfb7d9023f60eb14e1771

SHA256
4ef341ae9302e793878020f0740b09b0f31cb380408a697f75c69fdbd20fc7a1

SHA512
e5eff4a79e1bdae28a6ca0da116245a9919023560750fc4a087cdcd0ab969c2f0eeec63bbec2cd5222d6824a01dd27d2a8e6684a48202ea733f9bb2fab048b32

Download Submit
C:\Users\Admin\Downloads\Qt5Script.dll

Filesize
1.2MB

MD5
03c6c0a60c0d3e7fa86b4388f4cbccb6

SHA1
cddaa47fd8c1a7de32c2376f27edcfc594e92074

SHA256
0b58e5e79df13110a8258f14d7b3658d1dd0c8dddc337a164b89d4ac12a0638f

SHA512
a297db87ee1055190580ad2bc539e89e38729dcb9ea9075dc535b05cb45c62f1b0fc99d8866047383cf519d7dde4016cc4ee0d5796190635aeb3d5c2f5e7cd2b

Download Submit
C:\Users\Admin\Downloads\Qt5ScriptTools.dll

Filesize
555KB

MD5
dd9fecbf34374972577a058e5a4c7c3d

SHA1
16c3114a75a2eced0104428dc779a3dbda951cc0

SHA256
ad25c27bc99075b4883a9bf7943954094885798969038d46785e0fd1ec1ccbc2

SHA512
8aeeca34b63930564d42056ca1b7d3c59d6fe017b19e86fb294fafab982a014b09bbc40f32a9cc5d36c8afa13d7863ba4f144ab6a4af465acbc8a6a72f6d8554

Download Submit
C:\Users\Admin\Downloads\Qt5Widgets.dll

Filesize
5.2MB

MD5
4cd1f8fdcd617932db131c3688845ea8

SHA1
b090ed884b07d2d98747141aefd25590b8b254f9

SHA256
3788c669d4b645e5a576de9fc77fca776bf516d43c89143dc2ca28291ba14358

SHA512
7d47d2661bf8fac937f0d168036652b7cfe0d749b571d9773a5446c512c58ee6bb081fec817181a90f4543ebc2367c7f8881ff7f80908aa48a7f6bb261f1d199

Download Submit
C:\Users\Admin\Downloads\Strings._D2muHuW.zip.part

Filesize
534KB

MD5
84da43f99b96401e2014829a6960d0f6

SHA1
2a78c66d06f6c9efde76576d7f38fc0c9ac67c78

SHA256
b1a0a3dc5f639af1c98ae5832676727646eb3d543640e65e310dff747e733a25

SHA512
a46465a1e5ffc93adcdde26e248875ab6076ae86fec382fe086ee362ea451a5f2930199fbceb939241779eb28235f26489a7f2d1478d265e7f771c273efbc750

Download Submit
C:\Users\Admin\Downloads\VCRUNTIME140_1.dll

Filesize
37KB

MD5
9f4eac207cb58e8d110477e7fd19d565

SHA1
687051b863f7a7178cabf9c06ab3b534b1e23dd3

SHA256
7cf38d20d00b6640d510eab70171e1c6f8fa2e42040832e17c7433ab61d94a8e

SHA512
9c5c4499adfc7b61751510f52a1288ff386dd1c1aaf8e8a9660990194813394329f8123f38e026ea10c6e30b4a5506625b9060329d524db68e48f36ab2691a05

Download Submit
C:\Users\Admin\Downloads\db\ACE

Filesize
1KB

MD5
cf0ef0c3cb5759e6a1a954eacccdc776

SHA1
fbdc89ea191d62ad50150d6aced552dbf930cfb5

SHA256
f320aaff9a34d41ae7d0a1ca72ddb688ed3c83e6098d4ceb1f715101e6135aef

SHA512
ee30c6c1b52950705a71871398aaf3a4805694ed16d8ef761943b164b61c7b751433e63ae056ade2fa0e6887353092cd09a0f3951ffea024be320293ddd71788

Download Submit
C:\Users\Admin\Downloads\db\Borland

Filesize
1KB

MD5
748935dbd281adae655b2472a071eff1

SHA1
d1b9e322355cc80bd863a0e27e095b95c5f77f6b

SHA256
740682d5ef1d8f702fa242f0f17bcc5984aa9caf457635ca18276c38bcd49613

SHA512
5692da559df14238613ebdf0323c47de801827ae1ce890c515278fc8c47907682fd24a4cda15840a608eda6b1852f604e0218cb51e58a015589b7bfcd736ab25

Download Submit
C:\Users\Admin\Downloads\db\CurIcoBPP

Filesize
468B

MD5
62154944ba1d4f3e1665a767bdcd10e8

SHA1
8b2b317a358209cbbd330e726e8300e2126f6761

SHA256
8622204c2529929c27ffe545a6be9ad12a67d46304f40d9376c38f36ba85c4a9

SHA512
8573a0d90fffbe52b8754c80dd8577e3784d6eb150866b2cc13638a116daccac2b4dc8266bdfcbd03412565afa5c203ad031d830f3e5c607335cf7ff8fbc7c10

Download Submit
C:\Users\Admin\Downloads\db\FASM

Filesize
468B

MD5
bb7cfbbdd39648536cbc881bc7c2097a

SHA1
a8f0d1c039c9900c60c8959967b2e27bad03950e

SHA256
d4ff05841dc5e59afb5d2752545acd1269154f4485b9bbe787e93b94b1fa1766

SHA512
4fcc55b8bf339dbb45dbf39d191fa661d611af299a5e00f593156685397bcf11f509cdcbf17461e085d0192d82dd4ed24a79d25da3d7a513d80f2705c18d2508

Download Submit
C:\Users\Admin\Downloads\db\FPC

Filesize
340B

MD5
7e76d573340733affc602561b448a7d8

SHA1
16e1d7f230286055f9255f000d3d0d99e5a50ab1

SHA256
e5f7ee83c4573f8d47818c95209b52ccc17a17045da1375c64f31fcd657f841c

SHA512
57718251db5bc88154aa38c342c7e63f27cd5ccc0e86dabd8b6b5022602bc5c0db1a27a5e8a61cd18534defe26bb9a4892130890bf012e8765df7ba60ddded92

Download Submit
C:\Users\Admin\Downloads\db\MFC

Filesize
399B

MD5
c937ba01c56c15fdaeea50bbfab82332

SHA1
1bbfde0a2e9e9e570bf8e4c72e92698917875d0c

SHA256
57bc259936ae232c2209042a2c999c2002ba3123cd537b56ace45577ecb0fd8c

SHA512
625dab2200153df697cb3d5abf6d560e68f1e379c71aacdb531d21d7cee05b91180da17b8842c8edd7720e777591ff7c6c452eec1472bc1007ef1edeaa304133

Download Submit
C:\Users\Admin\Downloads\db\QtFramework

Filesize
523B

MD5
6b856f1fd54dd672513d5bd8454302f2

SHA1
f47c5d22409cb659b8f13795729e23ba5c09a89b

SHA256
a1af43de3c7660e1459c39d0f86876f7b305f93bfe084d25df8852cc922998ed

SHA512
89082b00903ace3ac0eb7019efb87d36260434f40fe529f8cf1d196e80935f12b23f0ebde83d2d713f48691f1204b1d2845590651d3fbe294816b47e8094a73c

Download Submit
C:\Users\Admin\Downloads\db\RosASM

Filesize
620B

MD5
25a989098229220b6961ff742b9ae0cf

SHA1
d4aded03f43473b25a79b07168b454d1dc80551c

SHA256
7dc5b77f7d085b835cc79164895f2795525f0bd4778457ecc8c1ccf0df17c76c

SHA512
c810c12384b5a5c0163db5f054008e55a71303b59f403e6130d8e6ef0c96c463c3b69ee97c1cfd14568487d45b658f20d529715c496168d64c219272dc83acb0

Download Submit
C:\Users\Admin\Downloads\db\SpASM

Filesize
470B

MD5
1b31bf94c37b2c00eae643290e2289cd

SHA1
cd9709b9542165be378dfe0fb5b82500b6027bc8

SHA256
c3b1ad33299a1e8b20c70dbc194ae30be98a79f17e1ae0819736ea764d68a09e

SHA512
03dd0b9e77ccdb582bde4d44f8ee0ea6d4a1271e18a59ef21cfe74467311ed23b1bab4be506391da3ee6da85af9d926bf2ba3ec8e70f97a906a218be690da26e

Download Submit
C:\Users\Admin\Downloads\db\_init

Filesize
3KB

MD5
387efaeaaab1518510c3675dbd718e4e

SHA1
e073e90e4ab31d94816610e3ce55dd9295bb011a

SHA256
05305f34a40cd06234dcce0845359c691e1ebafe2c463726ac38b0f18b6b1626

SHA512
9eedeebff702394d53929904bc35ddb2ec8c0d5916c1b19b08c8daeed27514164b60fecbd24753ea5480ac4dfab1e20508b403688ab0d354c88e6a628579050c

Download Submit
C:\Users\Admin\Downloads\db\archive-file

Filesize
1KB

MD5
2a88973a2072e18b34d625e24cb5ee64

SHA1
189074b6837b0b8e31dc972c668a5ac92bb0c166

SHA256
6d2b0b5fe08b6c6bf78b6d9bfbae25c36fadcf9e3873ab5be91255505f31e121

SHA512
81ca16aabfa2d5a1adc33cbee45e5a3bbdc7f9658cf23480393d55bdde203914bca4fc0ec8aad02c209539ad151fe59ee74735af9488a05bbc8e713c5b76ce35

Download Submit
C:\Users\Admin\Downloads\db\arj

Filesize
2KB

MD5
c816c622233842ea243f9fef879421e5

SHA1
1f825b9c925bbe324ac6d4303e7208bef1a431e2

SHA256
f17d7029e7401f376e49a659824768eff0ab93ad21148979976de21778c16d8b

SHA512
bb4794e52b267fd496211451e4a25b31d4d047e9f343891cc8943946f53620d24c42ed5bdb7292e8bb75874bdb1e6c8fc860de4aefedb45a5c824cbaf634b26a

Download Submit
C:\Users\Admin\Downloads\db\cab

Filesize
1KB

MD5
7742cee536f363fa2e3ff6ba84126b54

SHA1
74dc97abde14d2e8d79ffb6f82df72a8845f8cbb

SHA256
a17deaee976e3c4ce362d131586ef47e15d1a008ed57ee831dda1ac539010d63

SHA512
5a5d12371a9b17bf3a10246b457a380c4a754317bed9886aa162d8a47bc798efe358be9a25f8ed9a1fef377bf167c11148d76ba6ad3b06313a3e925a3f7110eb

Download Submit
C:\Users\Admin\Downloads\db\duration

Filesize
454B

MD5
10790ab5ee9abecbf9519e56916b6f55

SHA1
45626dac26b56f38c96bd040f0b877ff51a9fd5a

SHA256
46662785e01f8035889ac0fb5249ccd6d3d0975aeff1a6cad9b2fef98f6b561a

SHA512
a92cc4066ba18d004b6c329a0a7c67601eaa516f0702d2858835b93d4050b619c65e4f9f732eb724024c6d1bd8ce8e484a1effd8c3bf73f935311dd3344edbc0

Download Submit
C:\Users\Admin\Downloads\db\language

Filesize
1KB

MD5
fe4fe23b107ef399083aca1b054c6502

SHA1
42a4dc4acb063946d90cea4d816b1e6bcd53df3a

SHA256
bda4f516d50e24121a9421bf52037e2bea8a21540462ad24f7ef0c79180a3f59

SHA512
8c7472655714f3801d612088cd40a93c5645081c465e42c22eabbb3890083ccfcbbcf0ad02a894dba8de95d67fd5ebdc64cea5727e7074a88fbbcb334540e9b4

Download Submit
C:\Users\Admin\Downloads\db\python

Filesize
867B

MD5
83dbe240f57ebb005edc80612d0e2fc7

SHA1
e58d293cfdea6849cababead910b7dbfb8f556c7

SHA256
98626f86321839814acbd3ab9554322475db1435fc03292414e9f95f635c1ec4

SHA512
2d1f6f208a8c3631a88a7a2bf4a5232f0580b6dcf464d5bfe2909758daca5bbffec1b3c2290cbf0f9b9f487643374412eea3e834675eb31e4f2e3180a709f2ed

Download Submit
C:\Users\Admin\Downloads\db\rar

Filesize
2KB

MD5
847d218ee6fe5de26d0ab2408619481d

SHA1
c40f0d8a5baf24ede3d0a88fd8d8b94443331bec

SHA256
50a82ec44cfefff7bee412c3d5697995d771924792efa7385a712f6e4133531c

SHA512
d1b1eafbbf0f5ccba742e0e77a71a2c7584afce231e98755a9665ffb4d7db325329420aa918fcc5127919fa25c93c56c9d526fb32a6443954e04475358a0f257

Download Submit
C:\Users\Admin\Downloads\db\read

Filesize
19KB

MD5
87a9ba78799b7183b24cf01e1ae52a39

SHA1
cbd18b74ea2d8240c0fa8f03418f0dcb5bfef4d4

SHA256
399196a028b9f1dc85ccbdd7029bf0bf89a538512b40e92192f1185d976d4fe7

SHA512
54de9d670cdfaebd7da9c21e96562c902f0abea694ef11fe8377f392754b414ec921ec9b490823da617542111a2818eeedf69dd5b295b6b811dcde7102f12d28

Download Submit
C:\Users\Admin\Downloads\db\result

Filesize
624B

MD5
a1e3f6aafe9bc1220a9abbd0d1781996

SHA1
3702a0051f6cdf485afbf41e6ac7dbc99bb9984f

SHA256
086a7bc8119d44ebc15dd6e707cf6adb3ba0085e2f8427f89c3258d070646329

SHA512
c21e6bad032e9aaacb74a85d991d75f13e77d5721cd7a1c5b7d3ccea85460398986dad86b4c581ed10eefd31e9bb051a35e7f7a70110215a61ad313ecc879acd

Download Submit
C:\Users\Admin\Downloads\db\result-general

Filesize
802B

MD5
06406f92ddca0ddb72620472e19afc2c

SHA1
377034e4697e11a9830fd47f0662de2b8384e487

SHA256
4936a82d0ed46aaaf8a105626ffeb5b40759aa28ebd3976beb5c603d2706d37d

SHA512
bcccfd21c48d4e74b6f345738c91b5ed02ba718c716d82ab69150fdb8b8043f34fccc1da9f4ca0cf39f5c6062a2d408a425c8ea799de51185335fa17ea7cae3c

Download Submit
C:\Users\Admin\Downloads\db\result-minimal

Filesize
704B

MD5
2b1f9d48e85d820c437ce123d04e3a85

SHA1
618466e91b7b5523b21ff9a05a47f2837697c364

SHA256
f9e33cdb0a0adb1f39b82f2366b14e1bcdb734e39de817779e980a8fdb734148

SHA512
808b099a499a86fb615125d2ab8cf5abc5c70774d2713916a456c9978413f58b286a11d310e7d9df286a613a36b21ee19ef9fae1035f4f2906bce71ecdadcddb

Download Submit
C:\Users\Admin\Downloads\db\shell-script

Filesize
742B

MD5
261ad24c45485d749f0044e81b882093

SHA1
2fbd3e0545cbc700f41847900933083f04560d3d

SHA256
5acca22a0387b778ed7925a3de9236187d68757162facfe6783656c730aeba05

SHA512
d6ce1d95523da153a40375816c3494bad1cd78cc493de34eaa58cd16eecda14239d14720517edb5641d19f29a273ffa20ee9a9dcf99c63bc8b1038b2c8646481

Download Submit
C:\Users\Admin\Downloads\die.exe

Filesize
12.3MB

MD5
b9cbf29d5ef9c8acb6acd6edfc0860c2

SHA1
42e574c770beb7c75c1cad20d955bf020cc4eeb8

SHA256
41d16838d3ecde84348bfb6e88e4fd96c9e0bf291d62786952c1bfbc2363c78d

SHA512
31af45bf49e3e94d6f5ccaf384bf8c2ea3ae747f362172d2a46b7ab172a9db6c8bad167c66da069ae7d844982cc76154b0ab6a972338004958b8923046b23b24

Download Submit
C:\Users\Admin\Downloads\die_win64_portable_3.TupILJGo.10_x64.zip.part

Filesize
20.1MB

MD5
913e398a24f4bc9cea4a8d5f72c64cb7

SHA1
3ed7708f95359941effdfb31ef8cf43bc15d8312

SHA256
8eb0604244f029718f2bd6ab8a9fcf5f8eaf9f2e7ab4041fd02d2cce9bdaf7e8

SHA512
cea3b305854df19f08747079c3c53f53b58318886ca9eaba7a3e84b8ad5c606bc2a46c3aecdff1bf08be5ff4aad8b5ab742cd24bb695766e35e8df40fd0b0440

Download Submit
C:\Users\Admin\Downloads\imageformats\qgif.dll

Filesize
38KB

MD5
52fd90e34fe8ded8e197b532bd622ef7

SHA1
834e280e00bae48a9e509a7dc909bea3169bdce2

SHA256
36174dd4c5f37c5f065c7a26e0ac65c4c3a41fdc0416882af856a23a5d03bb9d

SHA512
ef3fb3770808b3690c11a18316b0c1c56c80198c1b1910e8aa198df8281ba4e13dc9a6179bb93a379ad849304f6bb934f23e6bbd3d258b274cc31856de0fc12b

Download Submit
C:\Users\Admin\Downloads\imageformats\qico.dll

Filesize
37KB

MD5
a9abd4329ca364d4f430eddcb471be59

SHA1
c00a629419509929507a05aebb706562c837e337

SHA256
1982a635db9652304131c9c6ff9a693e70241600d2ef22b354962aa37997de0b

SHA512
004ea8ae07c1a18b0b461a069409e4061d90401c8555dd23dbf164a08e96732f7126305134bfaf8b65b0406315f218e05b5f0f00bedb840fb993d648ce996756

Download Submit
C:\Users\Admin\Downloads\imageformats\qjpeg.dll

Filesize
411KB

MD5
16abcceb70ba20e73858e8f1912c05cd

SHA1
4b3a32b166ab5bbbee229790fdae9cbc84f936ba

SHA256
fb4e980cb5fafa8a4cd4239329aed93f7c32ed939c94b61fb2df657f3c6ad158

SHA512
3e5c83967bf31c9b7f1720059dd51aa4338e518b076b0461541c781b076135e9cb9cbceb13a8ec9217104517fbcc356bdd3ffaca7956d1c939e43988151f6273

Download Submit
C:\Users\Admin\Downloads\imageformats\qtiff.dll

Filesize
380KB

MD5
9c0acf12d3d25384868dcd81c787f382

SHA1
c6e877aba3fb3d2f21d86be300e753e23bb0b74e

SHA256
825174429ced6b3dab18115dbc6c9da07bf5248c86ec1bd5c0dcaeca93b4c22d

SHA512
45594fa3c5d7c4f26325927bb8d51b0b88e162e3f5e7b7f39a5d72437606383e9fdc8f83a77f814e45aff254914514ae52c1d840a6c7b98767f362ed3f4fc5bd

Download Submit
C:\Users\Admin\Downloads\msvcp140.dll

Filesize
554KB

MD5
0d89995cc45c7eb40e5a7e287506c1e9

SHA1
096c27b06ee7fff2bcd290af0264cdafd04cded9

SHA256
e0a22a594e148fa55ceef3e49969bfa77011a801267a0bd7805b681b593c9d0b

SHA512
3497c2957d10fcddeec8f312fb15c53f82d770dcc3e771a94daf4f4435c3ddf323ecd33310baaf1ad56673bac7c6268a9ef921d5f32cf7e4a7c9dcb0d8aafa63

Download Submit
C:\Users\Admin\Downloads\msvcp140_1.dll

Filesize
24KB

MD5
c060bb176a671f068362db2673a08c5e

SHA1
1d6b4ae5e778f1daf3573d4817777a51c35cbac4

SHA256
768e0829decea713afb35a7de07e276f051581c8ff2c17e1bae9b07dd1445dd0

SHA512
78a6c8f76d3ebd8db9c784d7775ec44647c4776fcb11d0b32ae2b3a6f2837c0b3be12f053ef6a25811a68da17d0eea83077521f496e238757f5539b445a58a7d

Download Submit
C:\Users\Admin\Downloads\platforms\qwindows.dll

Filesize
1.4MB

MD5
4931fcd0e86c4d4f83128dc74e01eaad

SHA1
ac1d0242d36896d4dda53b95812f11692e87d8df

SHA256
3333ba244c97264e3bd19db5953efa80a6e47aaced9d337ac3287ec718162b85

SHA512
0396bccda43856950afe4e7b16e0f95d4d48b87473dc90cf029e6ddfd0777e1192c307cfe424eae6fb61c1b479f0ba1ef1e4269a69c843311a37252cf817d84d

Download Submit
C:\Users\Admin\Downloads\vcruntime140.dll

Filesize
96KB

MD5
a4cf5c1f71c540c69371c861abe57726

SHA1
f272b34182db8a78ffc71755b46a57a253fcd384

SHA256
c179d8914ba8e57b2f8f4d6c101c2c550c7c6712a7f0f9920a97db340f9d9574

SHA512
f2b53f28a6369f76b22e99fddfb86730f3d33e87c68dae7aa3d05808223693bb86ade263cccb99d5462cf98eeeaa6a6f1cfe5ea3aa1739f8ad6eb624caff1045

Download Submit
C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
16738b5437dc8ee79888952ef57acab9

SHA1
76bc08c97b4123b64d80276ca6d0193d81ec12a7

SHA256
4fec391d16c581e4375ce600f960a259fbc6f982ddc406ec06f195dd41e714f4

SHA512
9493ed66b51e9f069dd4c512de8c72ca81e70708099658b39b34406577a7a9ff8d837e5eef03fbd0d327706b69e8317751720f3c9dd24bae78a1b0b9209e2f37

Download Submit
memory/5648-5112-0x00000000745C0000-0x00000000747E6000-memory.dmp

Filesize
2.1MB

Download
memory/5648-5121-0x00000000745C0000-0x00000000747E6000-memory.dmp

Filesize
2.1MB

Download
memory/5648-5111-0x0000000000C20000-0x0000000000C55000-memory.dmp

Filesize
212KB

Download
memory/5648-5165-0x0000000000C20000-0x0000000000C55000-memory.dmp

Filesize
212KB

Download
memory/6004-4868-0x00007FF6900C0000-0x00007FF690D12000-memory.dmp

Filesize
12.3MB

Download
memory/6004-4869-0x00007FFE96D70000-0x00007FFE972B1000-memory.dmp

Filesize
5.3MB

Download
memory/7676-4958-0x0000015D9CEA0000-0x0000015D9CEA1000-memory.dmp

Filesize
4KB

Download
memory/7676-4960-0x0000015D9CED0000-0x0000015D9CED1000-memory.dmp

Filesize
4KB

Download
memory/7676-4943-0x0000015D94B50000-0x0000015D94B60000-memory.dmp

Filesize
64KB

Download
memory/7676-4926-0x0000015D94A40000-0x0000015D94A50000-memory.dmp

Filesize
64KB

Download
memory/7676-4961-0x0000015D9CED0000-0x0000015D9CED1000-memory.dmp

Filesize
4KB

Download
memory/7676-4962-0x0000015D9CFE0000-0x0000015D9CFE1000-memory.dmp

Filesize
4KB

Download
memory/7720-5199-0x00007FFE97BC0000-0x00007FFE98101000-memory.dmp

Filesize
5.3MB

Download
memory/7720-5198-0x00007FF6900C0000-0x00007FF690D12000-memory.dmp

Filesize
12.3MB

Download