e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef

Analysis

max time kernel
568s
max time network
572s
platform
windows10-2004_x64
resource
win10v2004-20250211-en
resource tags

arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
submitted
14/02/2025, 19:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

builder.exe
Size

470KB
MD5

8c689dc9e82c9356b990d2b67b4943e1
SHA1

6bdc415b9c356bbeaea75c7336cd72910b95a644
SHA256

e8e2deb0a83aebb1e2cc14846bc71715343372103f279d2d1622e383fb26d6ef
SHA512

fb38a79dbcebde149736d5e1ca37dc15d274838be304d3f86e992d610b50c31d7fe4c30f6697c890f3753443af16eab712aef3f8da88d76ed00790083deb51e4
SSDEEP

12288:7tDkI5O/1MHOvEIfRfaXNCTL98vy7anEvY86vM1kiY4XotXpEKAoiO5wBmrkAUfM:7tQcOdu4BcCTL98vy7anEvY86vM1kiYt

Score

8^/10

adware defense_evasion discovery persistence privilege_escalation stealer

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe

Downloads MZ/PE file 5 IoCs

flow	pid	Process
222	5156	Process not Found
267	3720	firefox.exe
267	3720	firefox.exe
306	5544	Process not Found
347	5156	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 12 IoCs

pid	Process
2264	7z2409.exe
2404	7z2409-x64.exe
1128	setup.exe
1700	setup.exe
760	setup.exe
4400	setup.exe
4528	setup.exe
4200	setup.exe
5548	setup.exe
5512	setup.exe
1716	setup.exe
4364	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gd.pak	setup.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ext.txt	7z2409.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ro.txt	7z2409.exe
File created	C:\Program Files (x86)\7-Zip\Lang\tr.txt	7z2409.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vccorlib140.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\oneds.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\da.txt	7z2409-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2409-x64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\zh-TW.pak	setup.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2409-x64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\BHO\ie_to_edge_bho.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Extensions\external_extensions.json	setup.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\kaa.txt	7z2409.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\zh-cn.txt	7z2409.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\be.txt	7z2409.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\prefs_enclave_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\hu.pak	setup.exe
File created	C:\Program Files\7-Zip\7-zip.dll	7z2409-x64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\TransparentAdvertisers	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\sq.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\PdfPreview\PdfPreviewHandler.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\cy.txt	7z2409.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ja.txt	7z2409.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Latn-RS.pak	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\co.txt	7z2409.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\ms.txt	7z2409.exe
File created	C:\Program Files (x86)\7-Zip\Lang\ta.txt	7z2409.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Temp\source1128_2040635557\MSEDGE.7z	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sk.pak	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\bg.txt	7z2409.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2409-x64.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoBeta.png	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\eu.txt	7z2409.exe
File opened for modification	C:\Program Files (x86)\7-Zip\Lang\gl.txt	7z2409.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\LogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\km.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Program Files (x86)\7-Zip\Lang\kk.txt	7z2409.exe
File created	C:\Program Files (x86)\7-Zip\Lang\vi.txt	7z2409.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	7z2409-x64.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ms.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\oneauth.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ga.pak	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\7z2409.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2409-x64.exe:Zone.Identifier	firefox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	builder.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2409-x64.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5492	MicrosoftEdgeUpdate.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2409.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.html\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ServerExecutable = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\notification_click_helper.exe"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\text/html	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xht\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	wwahost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\Application	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content	wwahost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ProxyStubClsid32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\DefaultIcon	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationName = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	wwahost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\ = "Microsoft Edge MHT Document"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/pdf\Extension = ".pdf"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2508704002-2325818048-3575902788-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\EdpDomStorage\office.com	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32\ThreadingModel = "Apartment"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2409.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ThreadingModel = "Apartment"	setup.exe

NTFS ADS 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Lockbit 3 Builder.7z:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2409.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\7z2409-x64.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4528	setup.exe
4528	setup.exe
4704	LocalBridge.exe
4704	LocalBridge.exe
4704	LocalBridge.exe
4704	LocalBridge.exe
4704	LocalBridge.exe
4704	LocalBridge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3136	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	2264	7z2409.exe
Token: SeDebugPrivilege	2264	7z2409.exe
Token: SeDebugPrivilege	2264	7z2409.exe
Token: SeDebugPrivilege	2264	7z2409.exe
Token: SeDebugPrivilege	2264	7z2409.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	2404	7z2409-x64.exe
Token: SeDebugPrivilege	2404	7z2409-x64.exe
Token: SeDebugPrivilege	2404	7z2409-x64.exe
Token: SeDebugPrivilege	2404	7z2409-x64.exe
Token: SeDebugPrivilege	2404	7z2409-x64.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: SeDebugPrivilege	3720	firefox.exe
Token: 33	1128	setup.exe
Token: SeIncBasePriorityPrivilege	1128	setup.exe
Token: SeDebugPrivilege	1988	wwahost.exe
Token: SeDebugPrivilege	1988	wwahost.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe

Suspicious use of SetWindowsHookEx 34 IoCs

pid	Process
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
1968	OpenWith.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
2264	7z2409.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3136	OpenWith.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
3720	firefox.exe
2404	7z2409-x64.exe
4852	OpenWith.exe
1988	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 1488 wrote to memory of 3720	1488	firefox.exe	102
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 708	3720	firefox.exe	103
PID 3720 wrote to memory of 2764	3720	firefox.exe	104
PID 3720 wrote to memory of 2764	3720	firefox.exe	104
PID 3720 wrote to memory of 2764	3720	firefox.exe	104
PID 3720 wrote to memory of 2764	3720	firefox.exe	104
PID 3720 wrote to memory of 2764	3720	firefox.exe	104
PID 3720 wrote to memory of 2764	3720	firefox.exe	104
PID 3720 wrote to memory of 2764	3720	firefox.exe	104
PID 3720 wrote to memory of 2764	3720	firefox.exe	104

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\builder.exe
"C:\Users\Admin\AppData\Local\Temp\builder.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2764

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1488
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Downloads MZ/PE file
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2016 -parentBuildID 20240401114208 -prefsHandle 1924 -prefMapHandle 1916 -prefsLen 27345 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a7a4995-63bc-4011-a160-5f1a48bcfdd5} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" gpu
    3⤵
    PID:708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2436 -prefMapHandle 2432 -prefsLen 27223 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {719dc5d2-e202-40c4-9256-c979da4d0cc7} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" socket
    3⤵
    PID:2764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3036 -childID 1 -isForBrowser -prefsHandle 3052 -prefMapHandle 3080 -prefsLen 22636 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6b65ede3-6a40-452f-b34b-8d12befb3203} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:4236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4092 -childID 2 -isForBrowser -prefsHandle 2584 -prefMapHandle 2632 -prefsLen 32597 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4fffbbb7-a902-4408-8d62-f80ddb8482ad} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:1928
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4728 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4716 -prefMapHandle 4712 -prefsLen 32597 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4d771938-57ba-4393-a60c-3d2508b2a668} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" utility
    3⤵
    - Checks processor information in registry
    PID:5128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5296 -childID 3 -isForBrowser -prefsHandle 5324 -prefMapHandle 5320 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d714054e-e29f-4a04-9ade-b120a9ce11d4} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 4 -isForBrowser -prefsHandle 5164 -prefMapHandle 5200 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3218fc81-0931-4fd5-86ec-9012f7083246} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5664 -childID 5 -isForBrowser -prefsHandle 5164 -prefMapHandle 5672 -prefsLen 26928 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9625a385-b1ca-48e0-8ef4-36f76ed617c7} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6092 -childID 6 -isForBrowser -prefsHandle 2956 -prefMapHandle 3088 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be6d867e-8e3e-4423-b07c-8ec7ced705df} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4344 -childID 7 -isForBrowser -prefsHandle 5244 -prefMapHandle 6100 -prefsLen 27114 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {47e1cad0-dd2c-432f-a7b8-bfff105863c7} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:3196
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1740 -childID 8 -isForBrowser -prefsHandle 5980 -prefMapHandle 3756 -prefsLen 27941 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed271f73-086e-479a-91e0-068b7a52fb20} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 9 -isForBrowser -prefsHandle 5652 -prefMapHandle 5648 -prefsLen 27941 -prefMapSize 244628 -jsInitHandle 1148 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ab97af52-8990-461f-80b8-b20f32db3186} 3720 "\\.\pipe\gecko-crash-server-pipe.3720" tab
    3⤵
    PID:5816
- - C:\Users\Admin\Downloads\7z2409.exe
    "C:\Users\Admin\Downloads\7z2409.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2264
- - C:\Users\Admin\Downloads\7z2409-x64.exe
    "C:\Users\Admin\Downloads\7z2409-x64.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2404

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MjE0NUMwNzEtNEFDQi00QkJCLThFODAtQkUxN0ZFMjg1MzQ2fSIgdXNlcmlkPSJ7RURDMUFBNzctNUVENS00QjU2LTlGMEEtMjRDNzdGQjcwNjQxfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTMyMUI0QzYtQjI5Ni00ODRGLTk5QjktMTZBRTQzQzE3OUIyfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMyMzYiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDI1MTE0ODAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDA2Njc4MzkzIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:5492

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
PID:2812
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - System policy modification
  PID:1128
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff735406a68,0x7ff735406a74,0x7ff735406a80
    3⤵
    - Executes dropped EXE
    PID:1700
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    PID:760
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff735406a68,0x7ff735406a74,0x7ff735406a80
      4⤵
      Executes dropped EXE
      PID:4400
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6466b6a68,0x7ff6466b6a74,0x7ff6466b6a80
      4⤵
      Executes dropped EXE
      PID:5548
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6466b6a68,0x7ff6466b6a74,0x7ff6466b6a80
      4⤵
      Executes dropped EXE
      PID:1716
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    PID:5512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6466b6a68,0x7ff6466b6a74,0x7ff6466b6a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4364

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:4000

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4704

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{2B42E3B0-7E88-4937-82B2-3C5B9B72258E}\EDGEMITMP_B3BE9.tmp\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
ad5f7dc7ca3e67dce70c0a89c04519e0

SHA1
a10b03234627ca8f3f8034cd5637cda1b8246d83

SHA256
663fe0f4e090583e6aa5204b9a80b7a76f677259066e56a7345aebc6bc3e7d31

SHA512
ad5490e9865caa454c47ec2e96364b9c566b553e64801da60c295acd570017747be1aff6f22ca6c20c6eee6f6d05a058af72569fd6e656f66e48010978c7fd51

Download Submit
C:\Program Files\7-Zip\7-zip.chm

Filesize
121KB

MD5
a7ba50e8a23bf4a17f827c69bdb8f6ab

SHA1
17db88d7fa4bdb042897cf1b8a8d6620dc4f3b07

SHA256
94561a6dd2e91b42d566846270b9d8915c30dd9200e7aab3a4e37547c0042491

SHA512
16598f7fe5dbad5abac11bbf84fce5a26dd686c1786ddeea7b86ea239fd1fd06587755eee7d376f4ca01a0c61f8b8babf5928222009160949a332fe5e985964a

Download Submit
C:\Program Files\msedge_installer.log

Filesize
73KB

MD5
1796983d64fcd5b7d45d151c0c3e529b

SHA1
1ef30fda1bc1b6e301a44ac75c16adfe29ec2486

SHA256
022b74e24ecc8f5aed938a0ab11b8dd7af9875d489d8e68e9c7ece7895d46e16

SHA512
bf8eccff8d4f62d82f0d192924b42646b0bd8e0e094d10c5d07459195fb1693edaa238a146bc00512b5450623316ba7c06206ba7e7d0283f90abe895184a7539

Download Submit
C:\Program Files\msedge_installer.log

Filesize
104KB

MD5
93d2f682a4a6c06ce557c215931983a0

SHA1
d139bfb07b25d603e05106938f012a671be5a7db

SHA256
52e1fa6f2d9bece29298e4ddb1e69b213e2e76ed31f2a5392382bab3794dc2b7

SHA512
20eb1bb4f8105cb2dca9c2e60dba4e6c6b3ec53dfd3e0eaa4ab790cb3c92c9c6e6f95ac95f172e56abf8bbac317cd6916a795f3e1d51c50ddeb54cc2834d1ba9

Download Submit
C:\Program Files\msedge_installer.log

Filesize
105KB

MD5
9d7787ef62ea6d7c8a804a359f2dcaf7

SHA1
dae1c4077c6de9a93d01e37b5a9d2ddfee2815f9

SHA256
0c8ea40246187d31f1e8349bda0de3d8eb2455b6a69832a872481b5251046007

SHA512
56aefd325e205098f38c31d9b2e5b55ba3aa795998a53cf270f2d375c4302d505f343e17a23c41b596c2aaa9979ea4eeb0b05d39f7542e4b6e59ab1d5b7dd7d5

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip File Manager.lnk

Filesize
783B

MD5
d4ffb365de9aa43a9cf776c20f79c0b4

SHA1
bafbc48e378f8e1047623e700325710a6d65eac9

SHA256
5c18ccdf711c0bf3c73484cde8d194f14b8cd72aad1a64b7ce20e484149121f6

SHA512
f33f7c80366e127e16a5373916ba31bf6ebddf165f52b0cd338102e1cbb1485dead3eefe591213b3d65efa536233927e016af7b653d49f525d653746c8324fea

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\7-Zip\7-Zip Help.lnk

Filesize
788B

MD5
2e48bf510aa2313ba641150dce397bb7

SHA1
ea2ac921a65a4224ce05a89fd79ba137be194cf2

SHA256
668e8fdac462fe002c36b0c9320aea1543f30d61b2db4c17d7fb928bd5934cf6

SHA512
951d5ef054feef3cd60c31c688641f152cab5aa05189b3c6caa3c0534574567bb3dac800bf9f17922fc78073a236ccbd9bc2722c6d92c8db6cfca14ce967c6e1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\activity-stream.discovery_stream.json

Filesize
25KB

MD5
368e146347db6b807558baad7436db9f

SHA1
0195fc5722c26f993a49e79289c0b713f9c49648

SHA256
6317c5105a5bc9dd00df42f3f6093afc0b7c5d321b71a2c6ae68684e8987a952

SHA512
d47c939521bc162131c7bd7ea6d848ba539aba1978734168c90c5f14f946a0688e6a3f8de164c6ece854dd86f23c68fb2dd76d9dffc595faf2b71ac26e1f9358

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
83254636f460265576da5c593629fd7d

SHA1
60e2db83f20228bc6fba80668ab92551f4337263

SHA256
aa18a62891b57c4e55627d2e56c1298bc83596a9815f338c01784589efc1f63d

SHA512
1a59b6e0c93ff6e5766a854603c58747886972b8d91537b890b3651059eb1a7c62caf4d073e3fbd376ab6d895f50243e39be7d6e79f5d5c87dfad260818e7b96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
18KB

MD5
569a25b81de2820dcd60f835db924292

SHA1
7834947ab793a213fe7f85b34acb1021c89f2e53

SHA256
eb805d4c9d8c34da6382cd7aa1ffa3fd9c44300d1ab3401f3aee54ec9bcda24a

SHA512
fc2151a7ffc9d85ef9ab5bbdab4583cb95ab15e3e30b93dd75f2ee76145a6c90aed8d2bd9b7fd1e00a692e0a9f17207dbe008af9a0c38df47afc1dc3a6ac150a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
19KB

MD5
ccccb7c8b6fd49dfe1cccee5625d23c9

SHA1
a3dcbd9577061b42f3efd63cc6084d256fb08f24

SHA256
2e3a7d8946f0bfe525da3ab4b28111b0ad977a7b6945e36d22149e9818ce9826

SHA512
8553dab0d6ba8c570422ff488969e0810915f4ed4ad339f7ad70c207b5b79ed5bc9e09a9609a157b1bf255ab72a171213492f1584829d18257f3902ce14c2c89

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\AlternateServices.bin

Filesize
7KB

MD5
c98d4e14ecca985d76784d03e2c8d839

SHA1
e6f800684ec2c5a22b92d2d985fced48a6ff8849

SHA256
c2779ffdd738820c9386cefa9f79e8686b7b7a92be2d622d4b9cb0c9b76560b8

SHA512
76d46107fcaaa98e75aa7890467755c88a43b9b4f88ae9d7cf0fcddd7f74ca0dbdd20b123f88f16439f78c12aab77c56d7de4389a658ab2106784c0d3918c067

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\AlternateServices.bin

Filesize
17KB

MD5
92a07d6e50540cda31f9307071a0d2ca

SHA1
43421f691792163969d67c8ba40e07fe757cf5d3

SHA256
1ca772b6aa6abddf1593cd572110e24ba97ed79cdc4fa03ec1227a268a729591

SHA512
9925e6626b0a193a6fde8051216b1da61c376ce2c0f7c44940769153844dd1db75b3f9f95c01323a06b855d76ef06e1cb19afb8884976804cb0426ca61620a14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\bookmarkbackups\bookmarks-2025-02-14_11_uSUNLp-ZeEHYXgarcqVU+Q==.jsonlz4

Filesize
997B

MD5
87cca11c1ebf96a44c68a5dfc5786b58

SHA1
753f80ca768d541b47046732de6c1ea2f9373053

SHA256
dc5ebf99efc5fc5d33d55819a1e6b0b529fb17866674dc205a3dc6021dc06843

SHA512
ff88d1bdee91e2af497796eaf6fbab40fcc9efdae93d378afb8aa49a67d440c6da7e09a494219e1fec7d99e243cb576cab687f835792ec999f1ec6897fafb468

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
85dea57d8304e9e5e796b9180208b597

SHA1
5bc158a15ad5c4c64a5666b18237b98443610cd6

SHA256
f25f7e1f0a2336f3bdc380d117db6caf879fce7faa43f75b28dc7dfd8a02f6b1

SHA512
6dd42a7fc7243a2afc3fd18e38f193732d9fa50be783c5120e643afb49b7aca9baadbd07a87234ed73dbb33f21bc6752d7b34840af5e13756af7760621a267d5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
84KB

MD5
c51cf1af43c58fde39ca2533528f73f5

SHA1
b9c995a409cccc8cb47b5556699f26434e680680

SHA256
532da8eab4b4ff148b0445d92c0df0f9a57a3aaaac449b48eaabf45fac88821e

SHA512
ab607be9cfc26009ae69264db6e43826b6b9a2cf5c2d3a336f17c1c6c8e5a722cbf436d5bff7100fe711cc33f0674f86225b3b7299ac3bd2eb6fb174f26f5de4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\datareporting\glean\db\data.safe.tmp

Filesize
84KB

MD5
86dd7fce8b13cc830dfa9993a3e53530

SHA1
61426675737cd9b991562169be3927b573755cf7

SHA256
25648d4fbb4f0ca0cba2361cc7a55fed4ea682bbbcfd56b0c83e1928ca3d086e

SHA512
40e168a0d2a450fe29e9b70bc986d48743fdf1da10ea18eaed1bc29bb8bf22ca73a41d573804515eedba43ac02c572f40d3349a08a2170ba03d374b45896ee38

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\datareporting\glean\pending_pings\30944884-5750-47d9-adf8-4ea17fc53ff4

Filesize
671B

MD5
0dc48cd3adf0c2a4281dd0d3eef00adc

SHA1
466e18ab4de561835bcd482ea63cdc353781cb01

SHA256
d61edc1f14f88204737477e652e815e61adfeecb6641177bc2b8e91834b92aaf

SHA512
f53197c0b9afa56c012ca7fdd48b4cfe6ee9ece6505e3af84cdd91f8712f3048099afb1a02b557dcd21ae7a6548ae88a8ddfe32e59fd1c015062b8f6bd63fe00

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\datareporting\glean\pending_pings\941e45d5-89be-40ea-b4a2-96ffc7c334a9

Filesize
27KB

MD5
fb2374fa574d6f38854ebbf51aaf80a8

SHA1
febcf6a0ceae93ec873e7bcf47f5b345a1073527

SHA256
bde2641e148fd98a2accee5e61d6fefd1bac9c028206478f21020e9ff5c20643

SHA512
685263ac01bb2d8d1650a3db9940768cf276bad11f83260955b79843a37ed5b9efdd1da83d12805b7b31a3fde82ae5b7d6a1acbb71a6b7ef69f4e3655b5447f6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\datareporting\glean\pending_pings\e5a9cbdc-e09e-4060-ad5e-4edb657b61dd

Filesize
982B

MD5
2165f32c17695589ffc6e4363c74508e

SHA1
7a3b5d3e22442f092d11b8000f8284679261bf2d

SHA256
11700e4ac8cb1519a3b85cc174ec467ec81eb76d987fd7213b3809b2fc420638

SHA512
1293265d7a6f32a011412013f142c183f254c677209885e01ea3fcafd17ab4ed65afe1c64272a4bdf3f9dd83c775720e132f78597b6091384ac15bbb4994407c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\prefs-1.js

Filesize
10KB

MD5
8ebcef0da807451eecc308929e65f2dc

SHA1
6c5817be49c4cfaee5943ba29af5b1f3fa11ffc5

SHA256
007d7c969a4ab86f181c89c8459eb7b7f326be59c1c54d30d6aa4c0f4976fc92

SHA512
24490c14eaf7d80dfc25f644781dac8ba08b51cbbfe5ba00f8b86cc1c718f7a9c54c1c3293151b565ed17ce56f868735fdb30efe68010eab19ef5383813038a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\prefs-1.js

Filesize
9KB

MD5
aa13dab707e0898dd3169efca978b246

SHA1
eacd313d86b9836061236b7b2fad268bd448d19f

SHA256
6a36423e759387950e08d6ed6ea01ebeb9c214dbb60d277d3b06e0656a81d884

SHA512
dafd38b7d8afaf0a5fad99a1054b3acf2f83f7e4f58bf156bf80ee1d433aeab63b85edfdc1e7f10991640c6b706d825bb5d44b8706ad3f8fe00aa10908e8c748

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\prefs-1.js

Filesize
11KB

MD5
d0a51f4ae4b4f2647ebd5d7aa5e6bb26

SHA1
5d9a92eef23344182201abbc08142d458f0b57de

SHA256
343ea78ce014d2da36579cc9efffc6fe1f24e04ed77b4c99aee4d3d4d80ab591

SHA512
ead9ace5660fb6fa6c9cbbd5d76c54397eff7634cebbf930098db500f63d0df7fc1647c4f81a8ec9c5f7e56d349787c08eea10dfdcc630bbfa4fe899219733be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\prefs-1.js

Filesize
9KB

MD5
3dc117c6e9de19142a1235e00b9ef81f

SHA1
bc5a296d99990440ac73145b550bfd0de3df22e7

SHA256
2423140917ea5b39111ae731b5ec3047b5e5dd0908795d2867c600c5a4a3480d

SHA512
6542cbe3400215e95d9f82d90e4304c592fbddad28082c538b27250adca4956c19396dfce1bd5a9a3fc9313ef69fb4a5d78e9cc8423e5321ce007bb1625f7545

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\prefs.js

Filesize
9KB

MD5
df261c75096a2635853f9f532df160ad

SHA1
cf3905b3aca43b722f46643a28b3cd50ab3c96e5

SHA256
04ddd43b9f1246c9a442647be32bbe64ebca824a90ddf0e7e599ae55cefb3127

SHA512
78d39ba1cfa1ef44726f0c6cb575752c8e31a07303832a54881f2117c2367fd7b4fe68bcf3d413fa4149b1485feab1fd3a6a18a413a52a85d5eefbc953cba451

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
20f4737e1bcb774aff1f8a3f663c8c2b

SHA1
ee51a46603329aa087395f8209523ad2cbfbc5ae

SHA256
f05176135c4580e2597c688e9cdaf91ed6a64aa69f9873d036cae1be02faa296

SHA512
a96acd4661684861d6f3757b6ca53a9eec7b9357e262c6f4e2792e3d1d03d2fa4a4bc78ab2ce5a9e7b2a93fd59da7434b499158d0a740c485c5e446bc879ea7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
8KB

MD5
cf1b0a5733cbf282003be160bbb674a7

SHA1
0dc5bec6db2f134d7c1689325789b74c45296285

SHA256
1969fd690c460fda938f74e4698c47086de586870130e698f4086a1d7624ced0

SHA512
11e7261890c0b71e4414272b1a452c8c4aced1d74016e29e8a03f9f903c76df9229bba37342241730d3f10a85df454b29e6a2ea665f449f6eec0215a882d29a8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
7d3e6ab95352e9028918c45dc2c77e64

SHA1
b11ca005da3f36e3bc784910e9fd4e08f0d387d3

SHA256
f44dc2357d5ad259ec4b65de20eb7913bdfe4054afe2737b7d8ce8467c66f5f5

SHA512
b2e00b9ebebc01fcae44a04c2f0bca414d58a25f821307c7bb895816e464c4ae96eb3f5708b88e059acd91b95fdfe48ea4128ea572d529c096b49420aa0003ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
b32596c8e858655fe6973b6ccc0f296a

SHA1
3c3b5c5b6ec1add14e974b831a3125ed62ed0081

SHA256
a139e9ec5881b137926827e24cbac206ec314875fe125f9fdaa4212b05ae737b

SHA512
cc4518be802906b9c076ad4815736832572836c3a63d672598897607c97af37f3238671e0e72b75ab3f4fb2f5decdfb6315196611425838c8d9b8de9173ec880

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
e6182f50b7d80fb8dd16c6b0c13e1b45

SHA1
7d2849973cd080b75766517592e01994e263c4d4

SHA256
f52f700af3e65188a62b7c848c7c162c3a8f25c46d3e8ef6148a15014e1e8a0c

SHA512
5b7764c36571c3afed30928b84e4c8ffde95afa33bbc0dea442df46a159d72105a2965e26782e2e80062c0dd19340a674076ba735796be5438ff71b32e5a3892

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
b5d3f782b7d735485565c769ef16c547

SHA1
2ca8a84e9b3e697d48e0211d70fe66b98ffe9597

SHA256
89fb2fded5cb3ede0bb2560b14914fa16902fab97763016fba2efafe356b8702

SHA512
7456b4f28dd743cb148edafd20c2dd6346107529d47967f42c7d0d49e44055d7ff6fa795646331119189fbd0813d5403315317e4f566963e890fb06d788f3f0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
53cdde0c56713bd995cbc9d8b444ec99

SHA1
4280adc6e9b19c3810e8ad4bd08d8181cd969247

SHA256
a51c60efb1ad3d356dbf29eec4adb9d04f96a3df3472e06fe828253276723218

SHA512
cff0dd59732e4b25bbcbc634cf19ef4ed6314fc682fca27af87a5504bd16b7e92f228f9e1f7e273ffcc1fb1ecced370306c3750fcf3ff7f9824e6bcb7ca43d5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
99d3e2ea02e3c5c333c5792f49d395bb

SHA1
7d7f060327303ae4c50d49fbe3d5a8e4ddbd2137

SHA256
c220cef860db8ba5fa3f500a988081bdbe2b8d05773a6535a30e88e6bd16762b

SHA512
e14bef000995212d932767e4c6ef7b2dc0d6c27719857c199d857a9d9d9b3573b558ba268d531d006fb34f4b1a4b3d1fbcfecc9cc786b7ebc6c47d9cc6dd1e79

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
6e6bbbc2cab68d408b4126b0e18a274c

SHA1
263ba927d4003b2ff5f711d5961cec0cced5fdf8

SHA256
4026acdbd71ee87f51b69f9e47fab9285f43a52180b126c171a38db854ff685c

SHA512
a8f5a610950283955fd8773be232afcde1ec0befff48978d6125c681c8df3e2cdcdf237fee0c3f9f8e523df750245e5b32e0990a9c37f15d4817b4b40a4360d8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
06e56b2415a62b6fadf79590971bd070

SHA1
752428b31fbcd84ee88d0e1b4a60ba6b9805f86b

SHA256
e0c733417c680845720b7e97aba4ff4fedecfbda80e3cb94bca438a6e82f96b9

SHA512
f352ce28a78d3dace64723db2a72bd4463a83d896f23eb41273190bc896587d8e356ea113deb84c9a4cef4eb2123847d79ca2568a4cb348938de78f5bca31f3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i6u2lhv3.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
648KB

MD5
11fe783d7946f49c3b06a6896706ecc3

SHA1
349c649d9a880757c7505cf5cfce41febe6fa0eb

SHA256
04986772843ce478096136b5199482cc0a346904b3b281c4cd6c3537bc243036

SHA512
74a31c659644337642093e731a13d96b5353d42998e166618c7c68a0ba8009fdb3ae5567e7ce33a48a0bc5c39da0281d1f8889fdc52b1644d68d97abb4156f58

Download Submit
C:\Users\Admin\Downloads\7z2409-x64.vbPC7uqq.exe.part

Filesize
1.6MB

MD5
6c73cc4c494be8f4e680de1a20262c8a

SHA1
28b53835fe92c3fa6e0c422fc3b17c6bc1cb27e0

SHA256
bdd1a33de78618d16ee4ce148b849932c05d0015491c34887846d431d29f308e

SHA512
2e8b746c51132f933cc526db661c2cb8cee889f390e3ce19dabbad1a2e6e13bed7a60f08809282df8d43c1c528a8ce7ce28e9e39fea8c16fd3fcda5604ae0c85

Download Submit
C:\Users\Admin\Downloads\7z2409.-918rtF8.exe.part

Filesize
1.3MB

MD5
00cbef9691efad7a56332fbcf51aa762

SHA1
2135a90a9f6c3202c32a87b1c5cf805ce294a497

SHA256
e35e4374100b52e697e002859aefdd5533bcbf4118e5d2210fae6de318947c41

SHA512
a39a84b13b383ac5fca20eb6d92ec6b8bc85f1b6a545c441efdbe054d8d12c9ebe97d366235bdf1383bbdb2a9666d18d0145b10b6e589180502c0c2dfa26ef14

Download Submit
C:\Users\Admin\Downloads\G9Md9ss3.7z.part

Filesize
139KB

MD5
c9c2f3805f0012628e9d62e8f75af4dd

SHA1
b6269b1fc8813b93c11ec6066dc33d9f99f2e431

SHA256
b2c3beda4b000a3d9af0a457d6d942ec81696f3ed485f7cf723b18008a5f3d10

SHA512
ed4cb425807bbef4da92fe9e17b78746e096612e6006521279162379b2fc65f8dec7647e9c5403c6a74e6eb9b61dce7ca1c74c65d77aafbd0719be79cb1d70ff

Download Submit
memory/4704-1599-0x000002AB69D80000-0x000002AB69D8E000-memory.dmp

Filesize
56KB

Download
memory/4704-1600-0x000002AB6BF50000-0x000002AB6BF5A000-memory.dmp

Filesize
40KB

Download
memory/4704-1601-0x000002AB6BF80000-0x000002AB6BF88000-memory.dmp

Filesize
32KB

Download
memory/4704-1602-0x000002AB6D600000-0x000002AB6D849000-memory.dmp

Filesize
2.3MB

Download