chimera | hxxp://youtube[.]com

Resubmissions

16/03/2025, 09:49

250316-ltrjfsxybv 7

15/03/2025, 21:53

250315-1rsfasvsbx 10

Analysis

max time kernel
178s
max time network
189s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
15/03/2025, 21:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://youtube.com

Score

10^/10

chimera defense_evasion discovery ransomware spyware stealer

Malware Config

Signatures

Chimera 64 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fr-ma\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-il\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-fr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000049\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\ext\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe

Chimera Ransomware Loader DLL 1 IoCs

Drops/unpacks executable file which resembles Chimera's Loader.dll.

ransomware

resource	yara_rule
behavioral1/memory/6700-4106-0x0000000010000000-0x0000000010010000-memory.dmp	chimera_loader_dll

Chimera family
chimera
Renames multiple (3246) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
6700	HawkEye.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\desktop.ini	HawkEye.exe
File opened for modification	C:\Program Files\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	HawkEye.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	HawkEye.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
38	raw.githubusercontent.com
40	raw.githubusercontent.com
281	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
292	bot.whatismyipaddress.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\node_modules\@uifabric\utilities\lib-amd\test\index.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftStickyNotes_4.0.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\Icons\StickyNotesLargeTile.scale-125_contrast-white.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GetHelpWideTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ScreenSketch_11.2104.2.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\SnipSketchLargeTile.scale-125.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleSplashScreen.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarAppList.scale-400.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\TXP_BillPay.png	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\fr_get.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\RunningLate.scale-64.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Theme_Illustration_Seasons_Winter_Right_Dark.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarAppList.targetsize-40.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderAppList.scale-100_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\Assets\AppIcon.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireBadgeLogo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-16_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-amd\components\GroupedList\GroupShowAll.base.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\MarqueeSelection.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-commonjs\colors\index.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_filter-down_32.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PaintAppList.targetsize-24_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_move_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_21.21030.25003.0_x64__8wekyb3d8bbwe\Assets\PhotosAppList.contrast-black_targetsize-48.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\HxCalendarMediumTile.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_1.0.22.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\MapsAppList.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	HawkEye.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\local_policy.jar	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Grid.js	HawkEye.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ru-ru\YOUR_FILES_ARE_ENCRYPTED.HTML	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingNews_1.0.6.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\NewsMedTile.scale-100_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Todos_0.33.33351.0_x64__8wekyb3d8bbwe\Assets\SplashScreen.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\MedTile.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\GroupedList\GroupedList.base.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\Announced.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsBadgeLogo.scale-100.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSquare310x310Logo.scale-200.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_1.0.36.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-36_altform-lightunplated.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\Snooze.scale-64.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\eml.scale-48.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\Images\Square44x44Logo.targetsize-24_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\BuildInfo.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_history_18.svg	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\Logo.scale-200_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\core_icons_fw.png	HawkEye.exe
File opened for modification	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\ui-strings.js	HawkEye.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Download_on_the_App_Store_Badge_es_135x40.svg	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.BingWeather_1.0.6.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherWideTile.scale-125_contrast-black.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\CertOriginTrusted.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\ScrollablePane.js	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_x64__8wekyb3d8bbwe\Win10\contrast-white\MicrosoftSolitaireStoreLogo.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\Assets\contrast-white\PaintAppList.targetsize-256.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-100_contrast-white.png	HawkEye.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-200.png	HawkEye.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-tokenized-card\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Mini-Wallet\mini-wallet.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1927379882\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1927379882\_platform_specific\win_x64\widevinecdm.dll	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification-shared\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\wallet\README.md	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-hub\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Wallet-Checkout\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1927379882\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\wallet-webui-227.bb2c3c84778e2589775f.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Wallet-Checkout\wallet-drawer.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_783483122\edge_confirmation_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\wallet-webui-708.de49febeeb0e9c77883f.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-hub\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-hub\th\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification-shared\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-tokenized-card\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\wallet-icon.svg	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\wallet\wallet-notification-config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\edge_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-hub\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\wallet\wallet-stable.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1173238022\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_783483122\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-hub\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-tokenized-card\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-hub\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-tokenized-card\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Notification\notification.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-tokenized-card\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\load-hub-i18n.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Notification\notification.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-mobile-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\bnpl\bnpl.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-hub\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification-shared\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\wallet_donation_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-mobile-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\wallet-crypto.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-mobile-hub\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification-shared\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification-shared\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\wallet\wallet-eligibile-aad-users.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-notification-shared\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-shared-components\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\wallet\wallet-checkout-eligible-sites-pre-stable.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Wallet-BuyNow\wallet-buynow.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-tokenized-card\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-ec\ar\strings.json	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HawkEye.exe

Checks processor information in registry 2 TTPs 31 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133865492127353357"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{7585C4F8-8E1E-426D-A4EE-516642E76060}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{28BE06D4-A3B7-4A42-B30A-93DFA2287DB7}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3920535620-1286624088-2946613906-1000\{55E90B61-FA07-4B4E-94A0-C8439B2A9085}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\GoldenEye.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Emotet+Trickbot_comparison.xlsx:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Paypal.zip:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4916	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
6096	powershell.exe
6096	powershell.exe
6096	powershell.exe
3096	msedge.exe
3096	msedge.exe
2604	msedge.exe
2604	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
3096	msedge.exe
3096	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	1236	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1236	AUDIODG.EXE
Token: SeDebugPrivilege	6096	powershell.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	6700	HawkEye.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe
Token: SeDebugPrivilege	4440	firefox.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4160	WindowsTerminal.exe
4160	WindowsTerminal.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4008	msedge.exe
4160	WindowsTerminal.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
4160	WindowsTerminal.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe
4440	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4008 wrote to memory of 2940	4008	msedge.exe	79
PID 4008 wrote to memory of 2940	4008	msedge.exe	79
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5872	4008	msedge.exe	81
PID 4008 wrote to memory of 5872	4008	msedge.exe	81
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5320	4008	msedge.exe	80
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82
PID 4008 wrote to memory of 5444	4008	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://youtube.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffb2a8df208,0x7ffb2a8df214,0x7ffb2a8df220
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=2396 /prefetch:11
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2404,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=2604 /prefetch:13
  2⤵
  PID:5444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3428,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3448,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4856,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3920,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5220,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=5216 /prefetch:12
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5232,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=4724 /prefetch:14
  2⤵
  - Modifies registry class
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5328,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:14
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5504,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=5520 /prefetch:14
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5512,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=5548 /prefetch:14
  2⤵
  PID:4936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6080,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:14
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6336,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:14
  2⤵
  PID:1688
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6452,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:14
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6452,i,9298382512384819035,11825758455689765568,262144 --variations-seed-version --mojo-platform-channel-handle=6472 /prefetch:14
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x254,0x7ffb2a8df208,0x7ffb2a8df214,0x7ffb2a8df220
    3⤵
    PID:5440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1852,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:11
    3⤵
    PID:5996
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2124,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=2112 /prefetch:2
    3⤵
    PID:3428
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1412,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=2652 /prefetch:13
    3⤵
    PID:5600
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4336,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:14
    3⤵
    PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4336,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:14
    3⤵
    PID:2768
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4452,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=4460 /prefetch:14
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4456,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:1
    3⤵
    PID:2892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5068,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=4596 /prefetch:14
    3⤵
    PID:3620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5096,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:14
    3⤵
    PID:4056
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5080,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:1
    3⤵
    PID:964
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=6028 /prefetch:14
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5856,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5940 /prefetch:14
    3⤵
    PID:2976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5820 /prefetch:14
    3⤵
    PID:2072
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5324 /prefetch:14
    3⤵
    PID:2528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5888,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:14
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5348 /prefetch:14
    3⤵
    PID:1944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=768,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5988 /prefetch:14
    3⤵
    PID:4256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5900,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:10
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2604
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5312,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5400 /prefetch:14
    3⤵
    PID:6188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=3252,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=3932 /prefetch:1
    3⤵
    PID:6356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5348,i,9034265161564524123,7077568019951405959,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:14
    3⤵
    PID:6492

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4020

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1236

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4356

C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\wt.exe
"C:\Users\Admin\AppData\Local\Microsoft\WindowsApps\Microsoft.WindowsTerminal_8wekyb3d8bbwe\wt.exe" -d "C:\Users\Admin\Desktop\."
1⤵
PID:1340
- C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe
  wt.exe -d "C:\Users\Admin\Desktop\."
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4160
- - C:\Windows\system32\wsl.exe
    C:\Windows\system32\wsl.exe --list
    3⤵
    PID:2388
- - C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe
    "C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\OpenConsole.exe" --headless --win32input --resizeQuirk --width 120 --height 27 --signal 0xa38 --server 0xa34
    3⤵
    PID:4116
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:6096

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2328
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:4440
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1972 -prefsLen 27097 -prefMapHandle 1976 -prefMapSize 270279 -ipcHandle 2064 -initialChannelId {eba206e4-4d43-431e-950e-16694d9cb39d} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:5320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2428 -prefsLen 27133 -prefMapHandle 2432 -prefMapSize 270279 -ipcHandle 2440 -initialChannelId {5631a7a0-b1e0-431a-8d99-c520a17de923} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:4852
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3928 -prefsLen 27274 -prefMapHandle 3932 -prefMapSize 270279 -jsInitHandle 3936 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3944 -initialChannelId {f8e921de-f816-44d3-adeb-0db28a8a83a5} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:3596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4080 -prefsLen 27274 -prefMapHandle 4084 -prefMapSize 270279 -ipcHandle 4180 -initialChannelId {a752f8c4-0ed3-4f48-ba81-55ed6446fa58} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:3648
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2724 -prefsLen 34773 -prefMapHandle 2800 -prefMapSize 270279 -jsInitHandle 2804 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1644 -initialChannelId {8410cb07-50ce-4887-b887-4be6c0fad124} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:4464
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 4960 -prefsLen 35010 -prefMapHandle 4964 -prefMapSize 270279 -ipcHandle 4972 -initialChannelId {54426825-e308-4e93-af47-49c5462a1511} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5684 -prefsLen 33031 -prefMapHandle 5688 -prefMapSize 270279 -jsInitHandle 5692 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3208 -initialChannelId {9e071eb7-a3a1-44b1-adc7-05879d64a2ab} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3892 -prefsLen 33031 -prefMapHandle 3896 -prefMapSize 270279 -jsInitHandle 5832 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5868 -initialChannelId {7adeda06-dc46-4124-b3b9-0862d0b41f34} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:2476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6048 -prefsLen 33031 -prefMapHandle 6044 -prefMapSize 270279 -jsInitHandle 6040 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6060 -initialChannelId {7eb3bd32-2e6b-4b56-b3e1-7f6363d015f3} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:2808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6328 -prefsLen 33071 -prefMapHandle 6296 -prefMapSize 270279 -jsInitHandle 6292 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6460 -initialChannelId {4cbcfe3e-1b14-4ebd-ae97-660bc02a2aa7} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:5244
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6288 -prefsLen 33071 -prefMapHandle 6568 -prefMapSize 270279 -jsInitHandle 6596 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2628 -initialChannelId {67afa92a-5f8f-406d-8d8d-ab68033a6dcf} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 11 tab
    3⤵
    - Checks processor information in registry
    PID:4588
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5584 -prefsLen 35362 -prefMapHandle 5600 -prefMapSize 270279 -jsInitHandle 5616 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6832 -initialChannelId {abf258d9-efa4-42b0-9180-66240e14c441} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 12 tab
    3⤵
    - Checks processor information in registry
    PID:1020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 1 -prefsHandle 6600 -prefsLen 38102 -prefMapHandle 5888 -prefMapSize 270279 -ipcHandle 6788 -initialChannelId {345a33b1-5af4-4988-bad9-8a857c57eb34} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 13 utility
    3⤵
    - Checks processor information in registry
    PID:2620
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 7100 -prefsLen 36502 -prefMapHandle 2920 -prefMapSize 270279 -jsInitHandle 7132 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 7012 -initialChannelId {68682322-5208-478f-a6c4-d3f9e52551a1} -parentPid 4440 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4440" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 14 tab
    3⤵
    - Checks processor information in registry
    PID:4208
- - C:\Users\Admin\Downloads\HawkEye.exe
    "C:\Users\Admin\Downloads\HawkEye.exe"
    3⤵
    - Chimera
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:6700
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" -k "C:\Users\Admin\Downloads\YOUR_FILES_ARE_ENCRYPTED.HTML"
      4⤵
      PID:4680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" -- "file:///C:/Users/Admin/Downloads/YOUR_FILES_ARE_ENCRYPTED.HTML"
        5⤵
        
        PID:2592
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch -- file:///C:/Users/Admin/Downloads/YOUR_FILES_ARE_ENCRYPTED.HTML
        6⤵
        
        PID:3160
- - C:\Users\Admin\Downloads\GoldenEye.exe
    "C:\Users\Admin\Downloads\GoldenEye.exe"
    3⤵
    PID:1036
  - - C:\Users\Admin\AppData\Roaming\{a5ffb489-4626-407d-8cf4-0af2493d7bed}\SearchIndexer.exe
      "C:\Users\Admin\AppData\Roaming\{a5ffb489-4626-407d-8cf4-0af2493d7bed}\SearchIndexer.exe"
      4⤵
      PID:6652

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\Downloads\Emotet+Trickbot_comparison.xlsx"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
ee87916ae4ce0cce972b981b4773cb92

SHA1
571f729ad3b5f53d4f4da86a70a6309cb21f4f6f

SHA256
0059e40b993e2180c6db414c8b6040349a67be701000901b50ebc586f2025fbf

SHA512
e6d6a17e2adc833d86979e203bc0eb2edb8d10c06e76ae0098ec76f109f3c509be25a0855577661f8ad1728c65dac7e6baf48ee168ca9b78a77d19822283d374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
509e630f2aea0919b6158790ecedff06

SHA1
ba9a6adff6f624a938f6ac99ece90fdeadcb47e7

SHA256
067308f8a68703d3069336cb4231478addc400f1b5cbb95a5948e87d9dc4f78b

SHA512
1cb2680d3b8ddef287547c26f32be407feae3346a8664288de38fe6157fb4aeceb72f780fd21522417298e1639b721b96846d381da34a5eb1f3695e8e6ef7264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
492a05d475c2d70f81d87f1a2d57fd60

SHA1
3b1b63070421a86854d10c032eb34865a1d54b9e

SHA256
53a459ae92f89214a0db1fcedf4d9b4579c69419d745465c2ce8b897ad96d5b3

SHA512
d39c3e8f886343390e663be1c63fc25d3defded3c763c732969e3e4221594e34d8a77942df3ed6fee6ac629068c55120a8a5ba350f7533ea8e88635108cb9c64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
76e2c70d9b40a3a275aa235749691793

SHA1
4129f124dadbf437b5fa3a306ad44eb3aedbae08

SHA256
f156c3c2daeef7af6bd2ad79046c0df6f8381ab55dad84ed04bdd0b0b1b9484d

SHA512
4b7ac6ff3f3fe2c8ff23c1cb5419d2e4ab730444d0a14c71b63921bdf26855a33e687118ee54490e8b9095c67434635c7156a68267e577b401a855ad200760c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
f42a780a95f55a9a117f4a9a5c156240

SHA1
5834278b9ca7ad357bb63edaf225d24dad2c2653

SHA256
125d8ca4ec26d7080a384558761275efd267c3f60cd0c914d09c3e941b6fc959

SHA512
ff8b794585381de94feae28f941c4b2fec15851e755b1d4fbf40e2bf5349fd5413ed01bda5b67f9c3e3e8cb92f43125aab99f7f6ae6ea080a09d7b78da302979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
fc4b69ef55582f80d0a6637ce64d748a

SHA1
c43ca7b198dfd475140936f3783ce4732953995e

SHA256
64c5603728f52741971b4ecf9be5ce28a675e5f337b4d52c2893ba56a9e14660

SHA512
3ce61eda50d6e304bd95f5e8f5b191648ab434e2daecfd06488adbd282c40f00165a5062b175bffec4f63c670865f9205cf3b9bc21b0dd52a482c20b09a04f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
329fe2f9f4a183aea41d8012224f0576

SHA1
0f1f99a6b93880a685c61dceb4d35b14e8eea9f3

SHA256
a35582e4ddc2858acfefddf57f9ef832b798e48ec32aef3a292927d21b4460fd

SHA512
da30a24dfd25d93e2eab66dfd4778489227917131e5cf4addb42308cb1c390bd35ba6aaa59b18ef74f8676e096b1f5efd8c515635dc61cd514acaa06125f0e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

Filesize
8.0MB

MD5
68876e1aca0de13f44f1203204ab111e

SHA1
cac268f7e6a9457b05c97c4180043b890ee15ead

SHA256
23b5fc8f2c80e4b14fc8c1659f00664b6c09a6f7d3230e4d82ba5686018a1737

SHA512
c06a5e1f67c8226447a1b897f1d75707cb2f222abe300cbe5237ac58e697e9cd96bd4bb1fcad7944e873f83f0a9e20b56e552e7576190258004d49f3931887d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f

Filesize
22KB

MD5
778ca3ed38e51e5d4967cd21efbdd007

SHA1
06e62821512a5b73931e237e35501f7722f0dbf4

SHA256
b7e1bfadb8d9c061f17a7234df012df7842ab1aa8fb6f9579fa3f0a3b4a75bc0

SHA512
5f6f02099ca8079305fb7e7f43ae4344d522271fe30379c0854d6a81b7d8adf408a50a4b799b5f52e6ed162ba6ce7fe97e24a2b9719df780e75683d3aa103d09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000070

Filesize
245KB

MD5
7f9910ea21896bb3e7bab154ecf9e715

SHA1
e17e23d6998e964a26271e46565f2945ff27189d

SHA256
c976d6a68e14746b9fc87035ff0485b8ba7187f0e872548979b23fbb15208f71

SHA512
cf917cb4747dbe7029998529b19409fdd06f5bcb6a991850002e329c806d204da97f717d89c25be1714bd231a6438900043e77e2864f28816dddaca90ee8ad0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000071

Filesize
1.6MB

MD5
55d33c7f1980c42b3af430d1053f3d20

SHA1
37b8ee9dc84b81ca0e3453badff93cf20aa6a9e0

SHA256
9a9517736517cba55b3d2cdcf5edf69dea2e0d89dd2745793ce8a4770c22ac38

SHA512
0bd75adf4be60522c8d0600180405f490a2b265be6e75e1a19d64211a379ca6072083fefbd34e76c48822764b1ba06b2668fba30fcfc213317ce32b3db3f4b65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000072

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000073

Filesize
21KB

MD5
c18f34f25ecd606fd246af8f900afc80

SHA1
dbc75119fc3dd789803ae63dba3d8f8c7eae643c

SHA256
5f9cb057fc35ed2ee7a5d0712fa43f6f4601d2d41c66988dfb64333fd3514836

SHA512
0b5a50f8c38211909c249c0504bcf2b9731a68c0326a9d75088c537192e6042cf2f41880a2b7f32a6c02548854f8da582c316bf28ddc37ef1ee145bc438770fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000074

Filesize
18KB

MD5
c83e4437a53d7f849f9d32df3d6b68f3

SHA1
fabea5ad92ed3e2431659b02e7624df30d0c6bbc

SHA256
d9bada3a44bb2ffa66dec5cc781cafc9ef17ed876cd9b0c5f7ef18228b63cebb

SHA512
c2ca1630f7229dd2dec37e0722f769dd94fd115eefa8eeba40f9bb09e4fdab7cc7d15f3deea23f50911feae22bae96341a5baca20b59c7982caf7a91a51e152f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000075

Filesize
31KB

MD5
2d0cbcd956062756b83ea9217d94f686

SHA1
aedc241a33897a78f90830ee9293a7c0fd274e0e

SHA256
4670bfac0aeaec7193ce6e3f3de25773077a438da5f7098844bf91f8184c65b2

SHA512
92edce017aaf90e51811d8d3522cc278110e35fed457ea982a3d3e560a42970d6692a1a8963d11f3ba90253a1a0e222d8818b984e3ff31f46d0cdd6e0d013124

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000076

Filesize
18KB

MD5
115c2d84727b41da5e9b4394887a8c40

SHA1
44f495a7f32620e51acca2e78f7e0615cb305781

SHA256
ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6

SHA512
00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000077

Filesize
50KB

MD5
efe5292e8d04d99caa4dcaa169330b6d

SHA1
11a8e64ea2570dde50e65eba825a2b3cf38e3961

SHA256
d1ad71461deb535b2147a9d5bed382b8c64c119218d8a17ef7f183632995513c

SHA512
f826c5d791d9fadcb7ce3e1d914cdcb5b0102882e1b8a4cc8667290c60944ba3c0941f05a25ac51b42185a0129e336c4ac17129cc54d0ca6def4648131685e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078

Filesize
646KB

MD5
e3c50e69a66f61616d966d3660958abd

SHA1
e9ff7e972b529adf4ba1b7d9e527000a08b7074f

SHA256
0b38812095938febe38600b78abdf7edfa3044dc9b5fb5d7d80d98940017c975

SHA512
a222002e59f7aed6338bfbe1981d5c944f1882660a533bc29f94dfaf90f56ec7717bf48c1fde0b43f90bd8de46924124809fa48ca3075707aff8f8027ce93ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000079

Filesize
34KB

MD5
bdc5438edb25b0a267ae137ecc08c4ba

SHA1
b7f8a298883a1ca2304a3e6a350e220abfd95685

SHA256
8f6c7cea037ed24734051c1deadedf2d164791f1c2e8776eaed0b8af1395cd56

SHA512
5111ed3f2371cc9dfb0912fdd38e9ae6d935d29f2753f18eb045f1a95d5fd2ff74e585b63deb4ec6b4b9af74f62504d23e44f88881a06822904772fa17b44987

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007a

Filesize
34KB

MD5
04346f11b88637bbeba111da1a400d41

SHA1
ab820781439b008c1115c4db0c0f8aa539af7d2c

SHA256
c36141e86a83d543c5f4389a06df6c648bc68ab5a07d03bc19102f1a4e511b86

SHA512
463aabc2d69ef3f6c91c61224f647b15a432a9362b885aa2caad39a07d25e9d4fa0758e99b4174c23c13c371a398b98ebe43d8031f08c18fd93608aa2b7dcb1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007b

Filesize
19KB

MD5
5e5ae2374ea57ea153558afd1c2c1372

SHA1
c1bef73c5b67c8866a607e3b8912ffa532d85ccc

SHA256
1ef458d087e95119808d5e5fecbc9604d7805ea4da98170e2c995e967da308f3

SHA512
46059e4a334e0a5295ebcef8401eb94b8fa0971b200f0f9e788ed61edae5018c917efd30b01631cbd6bdadc5240c9fcad2966ea0aa9c94b538bcc369e10bbbaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007c

Filesize
55KB

MD5
b4ec1e67eace8cdc966ce245db00965a

SHA1
13c458738fd5f60fe827e5c56cad5d44e3367365

SHA256
37d877d8735c06127a87e3e82c1c4b22f0eb60890a5451249ec316eea0a30a14

SHA512
4a09c723da716ce2b5a7eac6ab5f144f2a4590695f8456650099da33a2b5ad5ef0edca51afbe21412f5aa957c40d1e8c3fec967a36548c197998edfb8d20a0a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9220e73967520386eae04d48f2082570

SHA1
5e60fcc40e61cbcfa88b170bfad9515bae70adf0

SHA256
e08932d0c4c6c4d3933ae6c9bdb3c4556eef238f98fab1d1b4dd836b6a8ed218

SHA512
73d2d34ce5c9c02e1fa38640a14139ec0e80f49468dac58d8c44aa9723a6121051c4bf1d6aa0dc41531a2fb5e477f3a7761eda6fb2ad66894429d4c93afa44f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
322a5dc805e098aa51aeec564dceed77

SHA1
ec1a85d9889aa67194fefc6e8265dcc2d4900901

SHA256
77e59a8badbd003cb249e569c2082b74cf58b81f48ac8905a9b1eec765227296

SHA512
95f58e481d6e424d9296a27a8ce9b264975d8f353d906bfe4d05507d6fad56a54c4f8fae39c788da13d03eb560544cea2ed67f87e9f6ac97315f183014d73dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5788f6.TMP

Filesize
3KB

MD5
71c1423cb081afe863eb5afa4b980cd9

SHA1
02a376b168d20d192187134472e3c2eff6f17c86

SHA256
d004b3b0b28bc71bf9dc172ad3eb31af920407ccd3b5b0d3cf840e0ad3b50489

SHA512
e3dd95f2596073d43f5643c8bb247e75656c44076a664fcd32206a4f8a76031e9ccc97e3cfe5f2cd90c9823ef6e487c0db9bfa44798bec8d49ef50747ccf3482

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
9695aa32e3cbcff4c91bb2883eaea350

SHA1
736e957edad8a3a1b841403e4539f0e62cab6d91

SHA256
966a3735c5cff6097e7e6a7e3f23e33373078065dd2662974ca0f042adfb9255

SHA512
9091e70c32846b9e2ba266e2f1f0d64464c0872e6539c73cbb571851f1f616f129d33720f6ff74fa4c36d97f37c6a45076f42f957658706d2954823a0059eaa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
ae816db825626240fa578cdd0f74a5db

SHA1
6a81cccc900cba840b9547154a908c4acf0505ab

SHA256
db26f08e992d5231f52db2acb1e69f64d9a6a1f16a91d0f3c3b0fcc88df16ba0

SHA512
1f850b6e189231cebb1c283c5d235da685cf707381f8f8e323e11af49f575d5b8d91fe0962e92f1dd654bc9ba9fd71d0e1c4c4d7a750700a147133dd2a3c5503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
192KB

MD5
55f6b5622264f71d2cd706d2f1a4e1e3

SHA1
853f47205508b6156126bdf0dfcbb78340376c78

SHA256
47ae3e3448e5c8ba36640e977ecd27ad1a62d6ee31eafb23d87b78c4fafe27df

SHA512
e5ef3709ed59dc87832d21f00569394d14a90065a4935f25c1a90884a00b540741d808792fa48f37ed822b9738fbd6fa8f63b3f902e5d8bf130675398065ad03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\000003.log

Filesize
137KB

MD5
52def0a0ea9c17c6c12dbf92808b0619

SHA1
0020b80ba67ff3a3a737458b03061febe28ab98a

SHA256
e0e0399790854c2f0ac49a17202cb3e5df8f32db9f8e6fd8181c4841b653d2e5

SHA512
9da73ebe332aeef6b05f65a0eea0f3490b52515c9332c67497cfca87bc21c625470333e05e60cadbeacd6830072d89ec91e6981144b54f10515ea9124dd4963c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\LOG

Filesize
351B

MD5
7a51722058241f4f4e7e5b226c4aa855

SHA1
de66c9ba0eb44fffd401fe928eae495a4c287e07

SHA256
97811a4167f82073cfa176a3b13a72e6cb5cc094c63eb33d2dfe01af7aedec61

SHA512
7647d7b88ed4e08661b50ae943489d022e904826748615a7e8cb52357c153e4cede96b0acb13a87d6e517e1ce35e3c75a2ab8a34e275b544bc783f92ae18dea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.youtube.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies

Filesize
20KB

MD5
b80d1b9d1dada0a025d86ba854c78064

SHA1
b14bdf54d8b9ec5fcaa026acde77d6a3fba24ad4

SHA256
28785fcf1f8802e5cc20ab404463e90a17d64207e2c916d9074a70ba7cc3ecb6

SHA512
34f48dc65c16a4ae73bb61304966129bd818fa826f14a1992d59fa54faba4152e03d19aadd77652a0264b178c0f3887bf24ace61bee9ad1d9e041afc7457a867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
4b9d2734e2f154dac65b81945fea288f

SHA1
2fe1ae845dc5c7f0cef279ea7a6bb28f8fdd311c

SHA256
4ad34d946097a576a82d9eaebcb031362027d80805144de4053ba699f57d70e7

SHA512
da7f618173842b44caa6246a88610e7cf0050710e383ef62ab31ba2f2fa69ea105df1a3cff64cac19b44c616d9a92d7079d6f002c3f9b69680168569fc74386b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
99185ec97a42b12c4d3ff6164ed63079

SHA1
052627e6e4c78ccbcbcdca4eca6a089a6616ebfa

SHA256
f15f7291ec6cfb55cd3b32f85e9f0b759fa65aee5dd7768619eae874d6a8f8dc

SHA512
7b5cf6eded4d36badacfe3bce314732fd09797dbb3df1b265fd72119ba686c150261c2c473df96a160f6e1b1e27bb4f93223a5fb8f90983ce92e54b84c816c80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
3d9bbaaa8757546dd2e2b39174664cff

SHA1
cea6bb5109f20f90436f48b4904c99f8723bde98

SHA256
3226b97feda9954f0b1a03d7dc7a025237125da623b32eba5dabb64232401eae

SHA512
a310f67ff5745d45f26100a807cc3dd8dd0c729275f6a51911debada80c74dda2f42b8ee0ad2798f3ebdf97ee643e2b4c40c79eae8caa2307c084aa6096dc821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
53f62816aeaf6c4df6dc1c5c615930d3

SHA1
86cab19e4268a54ecbb4f9569909b85e9c97aa84

SHA256
357c7a9098229113fc673fed2712ddcf36bf86ecadfe16cf890e895e40d4188d

SHA512
faa931bc78de40670bae804155a2a91a1e7baa8a57923c094c63873fff31f32853ad74195b3e766b1822e34c076c13d53f8b041d2d091f0c0b0bd8bc1b2503be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
bb4075587b762a6ca99ca321e5e45f93

SHA1
e8fa4bedd5a3ea8565746161735380fea8365a10

SHA256
dec9c71769e4666bd3696fabee793bc8acf67a1f69aa6297e8dace7461f5ad99

SHA512
1446176f71f22f491b32be0b74b44a054c9e0ed0f9b5a534b953f4e5c8f1e2af0b59ace283a35e7a9eec322d2920d9b79f1b8708f1874f50de3817b4c9a0ea3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
bf0702889a873cbc9a1a0bdc869cefc7

SHA1
adb90cc5b34502b8eb6f26e788c654e16ad965f6

SHA256
c74e8a91e54a77dc0eb209692387e4aa53eaec63744a968fade9a34f17c3001b

SHA512
b7a38fdb2b65390a7d090530a8243082c23c47d0f575fc3d4bd4f2f54fb6de2257b37404faa7fc94ee258532e85eb373723ae875a6c1ac6a59bdb75cc9d149d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
e307d1dd383e5ef3057733e6a8c84227

SHA1
a796cace4ff383c64c3d3ffa926cf17b1f7308ae

SHA256
a1598b0b5cdd2e99c7f79b906e5e3382f9d50124a121f43037edcdb5bd6d493c

SHA512
7612401bcbc2c923f571ba34e3aafb730c170d6025f44fb6a4c870df6f82a18ea71b818658bfdcf0603c49c7c7428c7c17f5bf55170cdd6197950dae88add488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\68988af7-73c7-48b2-b980-ebcfc6be35e0\index-dir\the-real-index

Filesize
2KB

MD5
02174b74d7517c5d16714fdeac709a40

SHA1
000e12222909e732d300c5ee2c78e3bce7094b2e

SHA256
dbf3ae6a8305fa77ee1501c990cb51b53fc3951fde0e79916afe03561307f7f0

SHA512
bc5e32cc9d9d92900da401522b29f27b165de6a5424020a8eb1dfebfd4705717df4aec4de2e27b91a4e6cc2a1e2f4e4b2a802ad3364fe8db50f7a18fb670f19d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\68988af7-73c7-48b2-b980-ebcfc6be35e0\index-dir\the-real-index~RFe5783f5.TMP

Filesize
48B

MD5
252ada160a8f47773df77248ce7b880a

SHA1
d1bd4fbd3fa5f01285ceb406adfeacf79f4cb272

SHA256
988de283e20b0803027da29228ae1638282a8718350d3300ee8386b863aec84e

SHA512
e6262f21348d0b36a1dccf0d61ba56cef291c9ecd55bd911cbaabff0235b5ef1a1f0e2d0db7312f63dc9544bed24e25fa9952470ac4ae6f0a2bf6e8264b8eecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
178B

MD5
95e937335817484e746c651327471adb

SHA1
7050ae67eb7c79dfa5737dcedc6b459866d792dd

SHA256
9d16ba5a8685c33f99dd8ef11f0f3e2bc0817f30c3e97d7626eea50b70ab3643

SHA512
f6b9be50553dcc4245fd528cd61cdaf9b5c5a55f1e02b2df7693f427a59f5f240047f55ad2043a5576c7c947ba48c1de091ed841c77ae935be7dc1bf5d6c3857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
112B

MD5
9a9e924d27a97c5d1c97694bab8c19d9

SHA1
5317c1dfe78f4cd6eaeec60f89ffbb0674758184

SHA256
dad51a9cddcc5369dd6dd6f3c148c0207373d8f4097dd0452108bd1f5000d40a

SHA512
bf36a647f4d9b87341f88883cbd7346eaad057bd6d55c2a90bed3bbdbd85d561cff7f537921e32187a237943574fc90b8e3eca3e5ffaaf04582db58bedb0e82f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
114B

MD5
5a80dc2c1d445cd369d3358bee4e5946

SHA1
e163a77cb732d04f7499f7e99c5d14d657cffcaf

SHA256
e8228e279b06f25610789e10aa9093208be93e48a51d78819bf05b1797397408

SHA512
5244d467514b3db7425ca869680bf736a43ae8d814d7b5e3c808922bb03724fccfd87a3882fff4fd3528c4ac995564b01cb9720f873c036ff49b54b873c9ef24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
176B

MD5
f4fb988792de97c6d2d6b9372aef4b4a

SHA1
5fb762b8697f5cf96890e4e95d43b23ea37af99e

SHA256
a8065c0ce81ce3f1724caff0f0d74c25f89b5d861ebcb4bfe87100f4c82d8690

SHA512
a3b0c64ed2e112a4fa361c3640e51c60d4afe42c07d7ee616f7b54773569c85eb9e23b1c51fa69894103ed4fe30423ed909c3f863002c974761d73e5d790a2fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe576bf8.TMP

Filesize
119B

MD5
3713e8ec7313e009d5830f102f7a5015

SHA1
b704ae3cfe4a84a13a52c9d0296fe3d794b438b4

SHA256
17ccce24ee1519d460f792a29bc03e7de9cc3c0bce583e896dd59eddd1b125b1

SHA512
29cf7520cc23928e4eda3d187a5b9ecaf204810d3cc8aef73b9468fa4306780a3740908e68c200b6dac8901f3274c0809e2ba9752b9360dcae73a3b22033f33d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index

Filesize
1KB

MD5
8e170c84ebd030256c3874201cc40b90

SHA1
945f8f29e8febced6c57c29aafb5b76c8165f364

SHA256
a44cba1366a9dcf604384dba59c5bc856db6d1f8aa1e0dd1048a6c9ce3b4d8fc

SHA512
639a679825f7a8328fb1a1048d48e9bd40e94da47a0b82c5ae4e1253b79b0a4d08abc618946a399912884742ce82aee3fba3b50bdc1c3c62e0bf1823585cc7ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index

Filesize
2KB

MD5
77f57dbb5477a1f8f478478cbbd1b876

SHA1
9103ea27a2622d55981c369f512697ca53414d16

SHA256
7c95e6223231ad3fc504428d16a927bf6fee06e11b721f2b238ca3915d644a8e

SHA512
ba6437c145173f423645a2966eee5c564e8643d3164cb2299df46f8520ffd9f38f6c32350e27393ff1d38d20f489207254f2011330afd20cd62962d5c309876d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f0fc5b3b-1c80-48cb-a8d2-b43051a74a70\index-dir\the-real-index~RFe57dc95.TMP

Filesize
1KB

MD5
36dbf56c7994c882c6d9b0e4a74fa1a2

SHA1
837202d0f7f7264eb7037811e2dd63ffcf1df94a

SHA256
a225f1b95e1cfb3161408137fd5e42348b7ac58631ccddbb6ccfc572874ee4fa

SHA512
c1abb9116f63ed571bbe3c77726d80948842314174acee575b0ef61928292d1e074b622278bcf9651696c857973181ce5dba4e152973f374a432266081e329ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
1e4709638d108fdd900dd6a86d9ae2ab

SHA1
d5243315489fa915a50946c965b4e8243553d7ef

SHA256
17bb58e3c18af8f4203b224ba4fee297a29d90990cd22ae0558c44ca4d78971d

SHA512
904a1ce51a3fe26c0b28da02bb70ec44225523812f1f444b0a1fc49f7a5cafcc41b027111eaf3dab2981956c568f1d926a8afe272bf9980a8f9e28a9e7a91fa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Filesize
1KB

MD5
fa65f2ce7f2ecb423bbebb56b42e85ad

SHA1
2b63f91d4bd3f7310f7072eebc8e1ec681ca1ed0

SHA256
91f5e1476cede4ec6a53687ee589e80a4ce09ed387633fb6c6f4f904e93937ea

SHA512
f9707135841ffc71d22c823bea1f2a28e3125988e59fc3c4d87aaf0f2aa9edb3a46086666c54d3a4dd7e45b97ba48b285d73dc8cf0574c6258892cc51c84a707

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
335B

MD5
9a0dff5cbb4c02fdece25c51a61308fb

SHA1
9f992fe779ed01ca819a533fff2f4eef8c32987d

SHA256
c44d63ba12e5b8658caebf498067dad4f7d1e680c7bb8b77d7d59fc4f0c4870b

SHA512
8f3775f9d72724a60c60f8181397fe451650fc023445ede8de5c9e957c12dcb9bd459348972a43331fc234312e6e6a4b386c71d6da347c27cc63c71a32f5a1d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bb7f8ac2bb9a3fad572e835a593dbcca

SHA1
75ea7978ff2251ac0366f61da17ebebd908d43f7

SHA256
d7e87dfe52a565309f6e02186fb822be5f971663b89adc55af1f13d90310433e

SHA512
bc4299f1ff49b7a3502b4e72dba7da13f56fc12b3102084fa501ccf4a09aa38551733cddb3b2c5e27cf515c6b38d4d59c125456d8df86fa391eeee1b64021034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
26dd2ca8c5760af461b8aa236f14d35f

SHA1
228abf1e5995f0689a565f3c67c5a1791f0082df

SHA256
c8979b6682d1e16a6053604b91f0d0d196d584198d706e27bf36b977872b906b

SHA512
761af88a5adc64d991caf12fd0d00bc6ffee85aaaca4ae6ec8b93587f2fa4076f0aa884dfe58b488dbb35a78d6f9b27443901ee63ae36f0c5852d0a639442dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe578906.TMP

Filesize
48B

MD5
04a8f62d8f44725a8c29c69bd9f07f25

SHA1
a6247d1e9f229e4c166510f0f7e5535924747e4d

SHA256
e6910c2b6a7587e3b29b2325adba0e7094b2d31040f837bfaeb656df5e32e92a

SHA512
a887665b7ec06b8f981307b39aa211c29e64b99014398a0e61675865392f864f355761cb3a234b7f85f92974b236f2bd12f407f4abea9f8e5e905146c10a4abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5832b3.TMP

Filesize
48B

MD5
31a440aa6f1878112faa084c66b0f606

SHA1
a4933b074d127f0b121c9a2b6e8994eeed2f6249

SHA256
eb4cbb84cbafcd60ffe4dc948bf3af0aef071c60d5e3277a23f338687eec401a

SHA512
617abef8c8107f2bebccdb84b344a8dabe29535e5e34b1f07e5e23ca6d97804804220962817e1f477cfd260e04da9b8e98f4d8a6c63c2c9c31e32265986dcb96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
100B

MD5
018ed6394534a5a1a937790a2db6f08c

SHA1
e640b214330197cd5b6d251c34f30d26f8dca69c

SHA256
c3796c9c7af3c37dbd6b97cb0ea37ae5e96b574520ae9427cc710842b0bea489

SHA512
c3ef0831ad9ea39442cfd8b24da20ae36ef7903097846628a0efaee77b80af0297d9f09424eb2da37df85265ecb555f804780af4d46858e3cdb377a047276a01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
d5544d55eff1625cf00b32b0920c0afb

SHA1
885d5680e51805fbfe3c3853730d7b272c2418d9

SHA256
d99848628bab7bd754b79445f1c0562095adcb1e507ef26ac821f0de3eee887c

SHA512
0f5011253566cbecb28502815b65c3824324e777bd0ac735ba8aa9ac8a06f1b5845452bf1a64c5e2a8a28cedc216b6991c398014cfeb930ea21693f65f79a281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
c1cbe5789a811ccb86a8da487f327b3f

SHA1
bc99b598b4d6b8569531dcdeefdc13a69e012e58

SHA256
be322eba684670f767c4a8c1954a24a3c6a7734006c477c06ca0951358974437

SHA512
381f6afe40b9bf2a84a96b43d8542dc12c6fb22a3d76389c8180598ddcb6c1ee0708f92daf831a42ddeadde2da3b4ad7c3c411b51cf5066d2c322e7e043f23ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
84ffc1754bb5ce53ab55e76ad897d61c

SHA1
f69d56c7625c3341700567a99ba1bd0b97dab9b0

SHA256
2b5b4ece63fae2f0cd4bf005ba1c686360d15a05ded2846ecb2d01345908ed72

SHA512
d2130916a5fdcb68926ca74c0849b6bda503eba88f037ce275cc1a68b5769edc6f8d0730427527665c5189bd401786758bbfc4f7ed47484b10b15c9faaca9305

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
f94221fda374e47b8e3c113494746e29

SHA1
ade9949a3cbba939098c55543c55fe4e2eb3aff2

SHA256
1d2b59df1ec8cbc00954bec374b3509641e0fdcba2e5f18b3896db11d4a18a06

SHA512
14f076fd372099163f987469ce405d53cc933273d931b8cc5c4f73949946e60f21adb3f1691b41a2648c0d4873e8f42b68c254a0210f122a12ff6780d3851df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
10KB

MD5
7cf7db7b218bc15d31f60eec8af9fe05

SHA1
04f1900ac8941f23cd477fc1049f9220d14e0e9b

SHA256
0493e30a36a085bf77142784adc3e455091f54ba6ea23a011408a11282af9c8f

SHA512
500d6c0a7e421b32015475bfef58e476fdd1a407ea625fd5b62ad23e067cce0a7d92285edae866681bfa9f22dd26000e709f65cd458e7b5662cb14bfb58931c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
10edf8468944938e71882df8c5bf8046

SHA1
a0a1592a9c046355a48d51b92e45a9ea1d32f5d7

SHA256
684f241485041fded57762be2714b1144f425764f38fe197dc3ea0b30f9643de

SHA512
47d93c4a0d298eb4dcc90add847e1780fb8bb5be36a1b8d6fe4a38bc4a4dc3c3b61ce7b70cfb0eeb5b601ff4c6bd95222f0ab5e8b4d502cd879f2091878ec76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
1KB

MD5
302f8041d8ec67deb2e784972bd06ca9

SHA1
261e474315092dac1e7bb776943d66b325ca2eda

SHA256
9634b0cf80c12c72319747e7eb05564c53bbb56ababecf2f07a2b1688bf6a28d

SHA512
d13a6093fce5b09beaa2065d598e1baee1ade47719fe940533d8265b71943110bbc2e833d35254b94de35f4c75ef618825a25b4ea117f20a3d2217c12e27f05d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
b6b15fe780473efc222bfaf06e7f63fa

SHA1
3c364cea3c711eadbb034416b300d7355e486144

SHA256
7902828b1beb88010d3959400bb362f380f452db1d4bedce38cd6708817512e7

SHA512
7cdf6cefa6320a07c1c6e020fdd0fc80c3cff86788ab3a5a986b629514cf6e4c2e94713274429aa260b49b992147ec87ac13704514c79cf25af5fb4deff63a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
464B

MD5
f80ee3f34476b87cfe581bfe467078ba

SHA1
23e939e43ab97630492cc9dd0b89c389ea11c217

SHA256
8d0a6b779d0797ead0f4461790df31d0b89d17e0bce90a56a5a86cd475af0607

SHA512
6b5fb98cb41c15777150e5db3c823247bff1b66da7bbdae1234006cb491852b75f00a1051c42ef501690c0fd020372525ffe654b77799e2869863953f07fc4dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
e5fb764dce26248564ccb4dd3976a138

SHA1
9f2796a106266239e59e9d0e1db9dec4f824d5aa

SHA256
685cbde404e1226d01c4b4b05127e7a6d25f17bde648eea216b9b23dd36fc050

SHA512
e634a638d79d6eb90d25695746c907112aa15bd57c5b2d281350ffa3dec40cf52631cd40b11c3a8f3e96b21addc9f91c491e9c1988a169557e50c45c940a4375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
cb6aaa080a653ff0e4e8c874bc6bb76c

SHA1
812f8884643b90f385b7b77573a4508f4067c805

SHA256
63a6d436429ff68c065b9a148d3e1455a99572345579a0d79da18f8e5f9cfdc5

SHA512
028a2a99b5916ca2ccee0bc292668af1f911b63de5abf9d6125cdf6ec19b620037c6dda7659752ad67a0498f999adb494449efd264bffc3245c43a6e24329a12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
d99e38d642c2ec92c8038b9c3fd56be7

SHA1
817e22e75c97158a637d86bcffda87c4a077c13b

SHA256
2b50085ca07d8ef22b69927469e1f5a9f7b0aa638813e7c8f98b5437f8bc7d27

SHA512
9e0acc271f3f7bc557a557eda429d3e34ecc93ad490563e619fc096c94fd663eda3089a8513e97daa7cff44eacc5fbdfaa5297361a3c0ba913feba5107476eca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
23c1f8d716ddf9368252810e0a05adf4

SHA1
336bec7786a11a9afeb1a7be13e2b23a35f8ffc0

SHA256
9d0159e1cd07b999ac3879d8a5bd525e710c1fb382766213dd7080a461f2043a

SHA512
613c2c948474b5697be5f45be938df81e66c7d34d18253ba7895f41f87cff0196c1ae9d133e3fa395f798605de925b54a128dfa058bfa5026affb26d8e113049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
59e466911baee4cfb17d0bc806e01d37

SHA1
e8593773ed6cffe6389771f77640901352bbe954

SHA256
0fd40358c0eea67ba89b23b7f2428fcf904b7cc0a5abcd530c7f769a6c8b8b25

SHA512
74772d9f63e733e73a24a9ecb349d48b0827250ab04e6dd84c9816548dbe312d2bc2f89028ac1cee4b30d76195d9b6be774d26a5ab5a67b0b3a45b989f87213e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.15.1\typosquatting_list.pb

Filesize
631KB

MD5
ad013f0723d332e26a9101a81483661e

SHA1
a3db6536228681288dbf39d4a94d2d8f11e77d3f

SHA256
96fb259d4c8d3ed7d7c657b6aecc8ccd2b0730b11244a83499c0d8dab91087d5

SHA512
b2c700ac36657d288cbe0bdbbe7856299d6af24e00fce8f9d78434ac2f10fc82f9399b03cd5995817721a0d252976f99424062e5b79d0281d8163aa5af330f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pm60e3dc.default-release\activity-stream.discovery_stream.json

Filesize
18KB

MD5
20c43b01ab3ca3503fa40d9d0a013d82

SHA1
5657d57aaef4e79f01bb3f022ebc57ea2f69adbc

SHA256
50bfbf51b03e5870a2f551e93c7b87568f9bc113d7616161d4ce0465e0e562eb

SHA512
6419abb17fd95e13bc5b0b0e34eb3483c33a492536dc96fe3acc1a254b1c4f049de281041a36e1a0e302e3c7be5b4d0dab174b49bbb4c53afb8f5b0a3f1ab499

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pm60e3dc.default-release\cache2\doomed\22696

Filesize
56KB

MD5
2dceac06156ce2c1349c472c274fd1f6

SHA1
dab0ae776208e930b57cd48cf52db8add6f48785

SHA256
a0a16d711a3099e81353c34ced6d6cce3df9433ced15151163cdcebe3da47a7a

SHA512
fd5f39b83959c1abd0ba8021992197735a9fecc503c260deb1da758b5e4efbbb121fef8028b3329dbdf1c69ab7e9073ae34cc329ad291a2ccc4f8fdf7c2875b9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pm60e3dc.default-release\cache2\doomed\4099

Filesize
64KB

MD5
aa81d5c33c72fb4bb1e64056333d632f

SHA1
1cd4cef29b99367dfc3079c0b46dabfc8935c4d3

SHA256
0941a4de41a803871cda9d64aab1556c8e61c561604ff6a9df818bdd58e7eb93

SHA512
8f464d6153813a6f5e27111b29f5bfd9267edd9547b0fee7a1b644b7fd22bdbe55cbacaa64355a8ed436d6c9da0b64e6fe43fc3286ea6e9d53925652aa6b83a7

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pm60e3dc.default-release\cache2\entries\046B87BBF1D7882D2EF64F04F2776746C68AF35D

Filesize
63KB

MD5
b593fd66b6573990bf3f818b1dc00d8e

SHA1
1389f1dd3245d54824d948c8d7819db7866b75d2

SHA256
f175524a8ec50aafacf763cd2edede8b8c9f58e9a0a58dfebd03c23b9832bd0d

SHA512
c1230079c14d846ffae3510d420591dba998c9eb55c3ee0e3889c6b0b070b442b89e869d303be899957c0d41f296859c92984233b277d48df8c83a7f694ca5d3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pm60e3dc.default-release\cache2\entries\396371B15FDAA3642B182F8FDE8D1147DEA27A77

Filesize
5.6MB

MD5
014f6dbb97257215c46b1afc16f134c4

SHA1
9599668e5d5e1687eca14253a95595a657f0e16a

SHA256
5141827795342d7f424446a7d3d69701f080d6e5e61d98c6cb4fbe8e40677dcb

SHA512
1ff289ce65300d9dae554f620c058de576139e971633c1a321159166c06c0ae7725b5157546d31aa049b4ecc9a88521924e10aed40cee0d46422cc236ca9c628

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pm60e3dc.default-release\cache2\entries\7488F83745B186B02C9FFCDC25F1F052FCA57AD4

Filesize
1021KB

MD5
18366b7d6e35d48dc76db001930eee4e

SHA1
a9bdeae7f642a11551d9e14a368e14e2de86e24b

SHA256
536bbcb0b25a8e3bc0421742b3d7f92ee8e83cbfbada928cd314b7843d559246

SHA512
1a9c2df4e0dbcd527a65bddf5580b07c74cf2d3151b4371f0588ec55d4fd3b33bb67dc0a01f1f0b1efec90e9765bd10ef422efd0b3af29d5eab1d0a75b7593df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pm60e3dc.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
cd215ffca41c291cc9f99d5ae7f25ce9

SHA1
33938331a13fc6ab54b9381539657f8747778530

SHA256
16c4205fc99723827ea993a3bb6ef68e49a07495e512e05df7c9b559e22cb96c

SHA512
0f81745ba7a6f45c1b9a8380ded45c279668b9bda248db4df34371f54caabe44b29de002d31bcf899a28ea3944288fc63317765d0419a73e8e565ea8e3701efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2gvtv4q.lwt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files\mozilla-temp-41

Filesize
3.0MB

MD5
6eed178386859ac9b3ae49d3dcec297c

SHA1
4e41a6375459adea394dc3ff8ec5f8fa189bf236

SHA256
3e5ac22cc012f4db06e208f26782f682fa97afc7250d4a472ceee9c6ed50bfe2

SHA512
345bf7cc25b364b67c809dbe124aeeee0e7c83db8d9627af1a1b9a06a737c5f6ecb49d80ef710a14d63b5283f1af7ac3b02a8dfd8e36fc25d715051429225890

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
13.8MB

MD5
3db950b4014a955d2142621aaeecd826

SHA1
c2b728b05bc34b43d82379ac4ce6bdae77d27c51

SHA256
567f5df81ea0c9bdcfb7221f0ea091893150f8c16e3012e4f0314ba3d43f1632

SHA512
03105dcf804e4713b6ed7c281ad0343ac6d6eb2aed57a897c6a09515a8c7f3e06b344563e224365dc9159cfd8ed3ef665d6aec18cc07aaad66eed0dc4957dde3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
360B

MD5
5c483f43e0367551a27091ec3f4e5201

SHA1
3ddf0a9eaaf5c3c002dd1d9d91fbe1eac1796558

SHA256
e94d36692b8a33bb4f2f554258cf9d3c6709ed0b6625600f26b4f7a9bb4f6dca

SHA512
d06bc803c0992804b0cd99ada33f49bbcaaad694aafd023731b080477e70a35aa83f6b1a22b6dfb251ff1edd67dced8074346e8030b646142e3e1aba30050583

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\AlternateServices.bin

Filesize
7KB

MD5
0bdade5a5df2302cfed878c556625b75

SHA1
c390265e15a5f06025f43e22c1a669fa05c37944

SHA256
0b02583c2e53484103ad1fa7823f7831520be71dea5d1785ef330fb034183e78

SHA512
c3944d059fe03e87a47722f561ac756428b5183e06fac9162c54c92d5a86bea9ed48678508ebb8a11dc6d7326ef2fe282aed615e821dadc49297fe7417225bf8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\AlternateServices.bin

Filesize
22KB

MD5
19596b066fe98a634acd2dfcdc3c4797

SHA1
423ac05f531067a065015b322837c043c52eb7ab

SHA256
d7ba042baa6b957479bb279ba01b2055fd2cd85d93e746e3232785390136be3e

SHA512
36c655087e1f1bcd52fd4863abd7ecad9ba4d49b4af2987ecdf82b70174aef92deaa8e44e84e2e96ddf69b991e0d0e40a5a3d03ba8eea83c6663e041ff77e203

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1b86b528e1c9987b7a1ed7f173695554

SHA1
6132e3d82353ebad1b16c1ab3df322e3dfa9ef9e

SHA256
b402f0df33a32c0f90a06b2653d017bf4eecb5904515c049f0399be3c69ed1bd

SHA512
75bd1c87c2eccd627045c447906db90e7ceb8d3453f1ae427eda995b82da980012dfcba7373dfc9669f8ef8c6963565de1ba1abdb276df7ee22b442f9f6ab781

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
843137dfd8ef2d841d5b34560d99f715

SHA1
583fe79250a31f854d732e9a7fe652e93ccd772c

SHA256
f1731f1b45b2e51541229a6908b09f88e2c299e5010bd87f275c05d7a660d985

SHA512
305a9c71c8db6785058e0a9c54e6182951de379b23e3ca8db879ad43c0c086b5a6dc061528b5fc806d18deca6ef87bdc0785f86a7af5478efdfa6c13ebaf874d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
34975a6744158dd63d4bd53bd3fe34e5

SHA1
b6cb5dbaf6c3d822c08580c979d46c2a4a589835

SHA256
dca945ffb7aaf16066a2de2786a223b2f1cbc6da7cb401e5ce623d990c9916e7

SHA512
a493fc2fb2a76bb125ed20ec995f7261f1aabdf852f6cae2eb98f1bfbbf36df8792507c0fea99340934b3d566a672c2702a87c3f50ab6a6bfe197fca6093671b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\events\events

Filesize
5KB

MD5
59531c11db51ae5be245402c143185be

SHA1
bf530a2686043fafc6e56a3ab99930ef9303c70f

SHA256
633314a26b69e8f7127f82acbce264bb5349f844f9c1d0828bfb2887f8731891

SHA512
b8ec622b60e959be856e272768b941b4cedb7082bf65a9ae0912e63b876d6fb034cb7d7ebf59b2d27b567d740e1eefa9fff17ba6eb9efe725a91283676bfe1f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\pending_pings\3a15d731-1de2-4726-a243-1db0faf7fb0b

Filesize
2KB

MD5
fd6c2ad260748a406c8f0b792e6d9aa1

SHA1
07b2cba64b9e87111f567bd3124b097f352362ff

SHA256
71a0efd5f26fa4b2c3ba666800e310e54a2db5fe8e81c6544c9da947d9a518ca

SHA512
4fc6ada95b9cb79afc1ccd71a7c9867be66abdd506be35959947507479d81159700e9d7b0309043839ac915934d5124706d6270de6c432dfe62f9a8bcb21acf4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\pending_pings\6ec2bef5-f5b6-4164-9762-ffc948226de5

Filesize
883B

MD5
dc77ffc7035d1acdf4f3d4038cd20aa6

SHA1
456afcaa9acc30dc2b037967eeac6f7e49af3736

SHA256
5223d315be8d397294743f8cc4889402dfe9ff2dfa4e843874c84dcbb665d4d3

SHA512
5de63fd3ae06ab69a63f82f118a93dd57a3b37e9b90b2dbcb79bc815b6a21709d938bec509b40a2c5f665078b6c131c33eacfe360c83f5349ce204f73c0ec91c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\pending_pings\81cffb52-80c4-4b32-bab8-493d0c4f518c

Filesize
16KB

MD5
135522e9bf79b053743dc3792e8e236d

SHA1
49640e89d02486ab7593aeb685e75ca6916aecd5

SHA256
916fbf4cf80851c1f00cdb492d4f959b7be674b96ced507098b4cc61a1335115

SHA512
a53eef629d5850c50b3ae2d995d78646c4cf2f2c73efe79621b4ebed8b963fb1673903dfc58c91c7241ebb91622f0f8bd96fd3021d6133bf4085f6adb37b46c6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\pending_pings\9fdb9bdd-c6d8-4c6d-b64c-9b37bcec98eb

Filesize
886B

MD5
f37a2fd9670d6c50689fd6cc701bd10f

SHA1
4320475ab1b707f184e7816be182e0896ef1b40a

SHA256
3e070b91ac52c9591651f85073084b4e250840d028320a994dbd572e1fb5aad2

SHA512
41a529fd5aa214894f9b24200cf3e4708ea527e5046a14a2dccfdbaae735f13d0c14cab3b716b8c47e5070c125485e0ede23c21b407f69b65a22e62ca7628a32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\pending_pings\d3e1b831-3f17-48ad-b21c-a89ecb044ede

Filesize
235B

MD5
242a8da36f38b75fd66516367867d1be

SHA1
bade8537f3e747009afc4541630089a4401a6b0c

SHA256
1efc3cbcc628b568879509187cdfabce884e15e20b8bce01898cfdfc6ada7853

SHA512
410166e457a78f98432fab40e62c9fcce964550d20fae30eed297c246ade3841d276941c4241515585925b217fa07897f8211815d5b5e5256380fcf476aa42d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\datareporting\glean\pending_pings\fe8e242d-1c17-431c-b744-cbb1149f586b

Filesize
235B

MD5
31a62752e1a192b8a7caa04d5bb5de32

SHA1
9677003e44c420ae1dbb8cec94cdfad00cd0e1af

SHA256
25f21b45a15bcde969e0c8059e8eb2d2af5b5f615466addabc6ea839412faae5

SHA512
75271fc760e08513cc185f4de83baad09d8df92f80511012657a924f63d72531e421f97f8a6863e46d338018da2594f23ae04923f067ce7a27b7dd117e13dfdb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\gmp-widevinecdm\4.10.2830.0\manifest.json

Filesize
1001B

MD5
2ff237adbc218a4934a8b361bcd3428e

SHA1
efad279269d9372dcf9c65b8527792e2e9e6ca7d

SHA256
25a702dd5389cc7b077c6b4e06c1fad9bdea74a9c37453388986d093c277d827

SHA512
bafd91699019ab756adf13633b825d9d9bae374ca146e8c05abc70c931d491d421268a6e6549a8d284782898bc6eb99e3017fbe3a98e09cd3dfecad19f95e542

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\gmp-widevinecdm\4.10.2830.0\widevinecdm.dll

Filesize
18.3MB

MD5
9d76604a452d6fdad3cdad64dbdd68a1

SHA1
dc7e98ad3cf8d7be84f6b3074158b7196356675b

SHA256
eb98fa2cfe142976b33fc3e15cf38a391f079e01cf61a82577b15107a98dea02

SHA512
edd0c26c0b1323344eb89f315876e9deb460817fc7c52faedadad34732797dad0d73906f63f832e7c877a37db4b2907c071748edfad81ea4009685385e9e9137

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\prefs-1.js

Filesize
8KB

MD5
cbd8672f52d72a7ce10a9b619d9b962b

SHA1
6f3f543b8e1d8665da1afa819e3a7acaade0d66b

SHA256
ce9314bcde0b1237b15a125f2a58414733b17483cc3706043d802caeb9b00784

SHA512
904068c89debf7b70190f13fcb8ab45e06f7c64638815e3e92ec22e29e2a1976dd77055b1a1ba955a5b062f778cc40287912aa6ebd3bffa168c4da797724618c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\prefs.js

Filesize
6KB

MD5
cb1172e884afdf3160e6f475f6ac34c6

SHA1
3da0bab37e40d1b51afeddb3a8e52f8859655ec8

SHA256
734d6562f8e46e908542d6bf9008731acc9fc8aeba125ae1f497213304347973

SHA512
453e8bbf6ab6f58b0bc3eb56a3a825032e85fab6de2a7d433e9872e3abf6f07ce318f39ca2267c044a34046576cf5ff77e8fd395b6f102f300a13d3835fa67fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\prefs.js

Filesize
6KB

MD5
b2cda28461460d5bcb9fb60b155a7165

SHA1
0fd4c614edf5c6d3db83283c8f56e440d822cb40

SHA256
07ad50490b78578cbe6f7fab3af174baae5fb18e02af1992db11e58efa8829de

SHA512
77b6b0188113947bd3d5935f823bcdb0054a584cdb335a8d5e9059d603ae18429eac5cfae841a36e8ffdce4a4cf17dafdefb79f83f8b723f55af2c1d9efec681

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
04ca058d27ff2f5b2dec70b2e3bd196e

SHA1
fc46058ac44e874d54d69ad0b46ecda3105c0065

SHA256
4eb6ebef581209c4f85b256ea6d3e94f10015c85e092affcf181cfcb374a89c6

SHA512
c6036fd2b132810239a6b4da74ce763256671ea37800e8c54b6e87aeb8c8ccbe7998e6d8a0dd475a9b04d4951089459726d680c472dfe2ff0cae2964ef4770ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
1cec0b34e4c0cbc1a238d2f2d0ae0966

SHA1
01d46f71adbf874772087bc6c295e6f30a6b2437

SHA256
401f49d5bb064a9f202713963b7b2767962e63caaaef69accbc7a0683144bbdb

SHA512
b73002354ae9b0c72af00101ce9f40ff3abc08bfee4803f2e5661ef5d0b15aa5bc2a3ff34c093561ac91bb74152001f436a1e379375405299ae66f5cbb7f76d0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
8191c9478c41909b4fc41d3a9df90264

SHA1
7c8403da78d7750b3f4f779cbbe6c57e46e5319e

SHA256
c20f38a20db6ab7ec999f1f42001439e979b886b120146d3672cbdf2d5506d70

SHA512
e5d6b87932a63364aa1c3e3a6d08ee6e0ef2171193faff2fae789a4c327805c7c61af7962c8e03ef65c44dc5dbb838f71a27032651d5034f9ca1b86ebc0129e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\sessionstore-backups\recovery.baklz4

Filesize
9KB

MD5
bd5e4027d181551ec29d47dbf33f2149

SHA1
17447614dd51c0ce0c129134b4824cc3912d7173

SHA256
90553098f2f2c3d84e914b79902468da8856ee5011a97dcc89a940eadd98bb69

SHA512
a55328fe48393f756fd76d1ee5456a836170888f5283559ca3c346a0059f99af06150b66c3bd9fd64d5835544b8e1b298905325048379a820014fee455f8613a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
0724254ddfac475b3b678c718cdac4f8

SHA1
5b73e4ecc59553dd7578204dfcc1cc872fd124f4

SHA256
615ded6e47e4b93822b0aabf3c97118f8b79072816c1ef7b2ce1d57b5566d82e

SHA512
42b4cd15662f33095990bfe957d13247e1396fa3a7ec59edf62de33240b77fbdf8b5b3456795aef368fe98f4e41f772b171662095fef322013b49b74946cb46a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\sessionstore-backups\recovery.baklz4

Filesize
10KB

MD5
1c64e498b61753db4961167b63667168

SHA1
bd786af0cb01c468bdfdd66d0b75857532d7494e

SHA256
1d30ff2aa17fef0d93bcc1afc7ee9c4f6a9eb912f5765e84234c77242d825ad0

SHA512
d99a428ceff295dce53a55aca799e08f9e50a4574f35b2b6f7f1f50197f106c6e40a28f484c3923df41d9258c37ed35084b5341afdd04a72627722802c2c1d0b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
c0169d513e4745b3fd1452b352cfc06c

SHA1
b3dd5fc5ec24c78149b29a6a44c9cd86d56e4f8e

SHA256
b202e31773e8b53e1a75a341fe6e5547ea46b9e2b1df7f99bf372627b02568e1

SHA512
27c6542365246946c41854c62a24d025fb560a5cf3fb7fb5aba54b99bb70861f0581ba14f398f2e67134904ca0a986d83eaa9a243d1c6cbea34203405ff8bddc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
a0b2a5a0baef105d19948b07d00d51a9

SHA1
c043f873192656805af07642313e6036b70f8f8f

SHA256
3948e51cafa6889e6c57af75972d937ca967c0e4c35baea9de9acbf423a4b203

SHA512
0614e54063cedff32e19abf983e66163943e141560a5e7b1f12625c8e96d85e0c83a07ee6235286f4dc0316f85f2c0401a99786474cc44cd391dfb7cfc86eedc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pm60e3dc.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.5MB

MD5
043ddaaf7e72bd0f99c762fb965c9a2a

SHA1
cece4613c84c057e4ec7967ce5c8c6d05af301b6

SHA256
ecfd2d7e8185125523f9f6f1f041ae448f4bcd888c181611065cf7ea731703e7

SHA512
0c60555eae0d49cfdb9478ae444cfc63e1f44a21c93a56c4d46fafde9987d34d0880bf1b0b01c8368478754648be855931a531640fcc924cb89f53fc36868eff

Download Submit
C:\Users\Admin\Downloads\GoldenEye.exe

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier

Filesize
50B

MD5
dce5191790621b5e424478ca69c47f55

SHA1
ae356a67d337afa5933e3e679e84854deeace048

SHA256
86a3e68762720abe870d1396794850220935115d3ccc8bb134ffa521244e3ef8

SHA512
a669e10b173fce667d5b369d230d5b1e89e366b05ba4e65919a7e67545dd0b1eca8bcb927f67b12fe47cbe22b0c54c54f1e03beed06379240b05b7b990c5a641

Download Submit
C:\Users\Admin\Downloads\u19X94BI.xlsx.part

Filesize
14KB

MD5
248cd700a82449f4b0d107e6a934ae2b

SHA1
d1763d827d614ddd6f3ca046ec6d1cf880f4dc25

SHA256
6ff88255226a7f0de338e8383904a6fd8af5eb630c28ae6846b107de41fa22ef

SHA512
c5755cc015b3e6aa30ce1c87c05a7712fc7939f57d7d470025a50c8d280ad53d97701f34b85b8f9300652989720915ccac28a22925e73ea48455116f37c31746

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1173238022\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1173238022\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1927379882\LICENSE

Filesize
473B

MD5
f6719687bed7403612eaed0b191eb4a9

SHA1
dd03919750e45507743bd089a659e8efcefa7af1

SHA256
afb514e4269594234b32c873ba2cd3cc8892e836861137b531a40a1232820c59

SHA512
dd14a7eae05d90f35a055a5098d09cd2233d784f6ac228b5927925241689bff828e573b7a90a5196bfdd7aaeecf00f5c94486ad9e3910cfb07475fcfbb7f0d56

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_1927379882\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_2058455974\manifest.json

Filesize
118B

MD5
56decbaf515f574521f86e481e880496

SHA1
cf86b7e930bccc9168458b7202ff89b50a41a8e3

SHA256
4aa32c5d74a694c56869211d6ff4a3d61334b9b61659dab631eb6c285416c608

SHA512
669804a28a9e1adde2e259c2a0442f2d8c054908fb1c382db27d6f08353f1d8e3ba495ac18ad4746aac4d19eeac67594f3b2b0789a607ceae70c445d07ba3196

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_394884800\manifest.json

Filesize
121B

MD5
fde1edabd926edaf85bd8dcfd6d26f0d

SHA1
380c447a4df3871885c99d926edd1e689f247b99

SHA256
3bab6a96aa24d25d5f838199dff00837be00480f92a559d30a24f67334e02a2a

SHA512
acc5b7ee98a6652a74477d2a9b295ecdacfd0182b75931653d373fdb15c52d1d869bbe3a41e4a79db36ed91ed55c39c47526268b56b123e9b7f19479bbe8dc13

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3096_783483122\manifest.json

Filesize
145B

MD5
0df2306638bd60162686e9c4bafbd505

SHA1
ef9e16bf867f7950d5a30172e1d34d38686b0e72

SHA256
fd7b554588c5e72506a0bfed89bc298911a5649b9f5168ad7c1804d1c75de42e

SHA512
73fca229097631104cf352061d62455b6c5520bf59777520165719d2368b0e77f3ce66f52873fec53ac60e35274bf397ba321bc62610f0b7b172a7c5c4975174

Download Submit
memory/4916-3983-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-3986-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-4048-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-4046-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-4047-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-3988-0x00007FFAF62B0000-0x00007FFAF62C0000-memory.dmp

Filesize
64KB

Download
memory/4916-3987-0x00007FFAF62B0000-0x00007FFAF62C0000-memory.dmp

Filesize
64KB

Download
memory/4916-3984-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-3985-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-3982-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/4916-4049-0x00007FFAF8E50000-0x00007FFAF8E60000-memory.dmp

Filesize
64KB

Download
memory/6096-705-0x0000024ADBC90000-0x0000024ADBCD6000-memory.dmp

Filesize
280KB

Download
memory/6096-696-0x0000024AC32E0000-0x0000024AC3302000-memory.dmp

Filesize
136KB

Download
memory/6700-4112-0x0000000004DA0000-0x0000000004DBA000-memory.dmp

Filesize
104KB

Download
memory/6700-4106-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads