njrat | hxxps://mega[.]nz/file/chxBRaLY#Hj8a5QMBYVhwQ2Glu03kQ7ojmpUPvICXGSG6zq3P1ro

Analysis

max time kernel
492s
max time network
493s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
27/03/2025, 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/chxBRaLY#Hj8a5QMBYVhwQ2Glu03kQ7ojmpUPvICXGSG6zq3P1ro

Score

10^/10

njrat hacked discovery persistence trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

127.0.0.1:2918

Mutex

CFGloader by Zxc.exe

Attributes

reg_key
CFGloader by Zxc.exe
splitter
|Ghost|

Signatures

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	FireFox.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	ekacleint.exe

Drops startup file 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CFGloader by Zxc.exe	CFGloader by Zxc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CFGloader by Zxc.exe	CFGloader by Zxc.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CFGloader by Zxc.url	CFGloader by Zxc.exe

Executes dropped EXE 5 IoCs

pid	Process
3456	FireFox.exe
4404	FireFox.exe
4608	FireFox.exe
1496	ekacleint.exe
4652	CFGloader by Zxc.exe

Loads dropped DLL 1 IoCs

pid	Process
3568	msedge.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CFGloader by Zxc.exe = "\"C:\\ProgramData\\CFGloader by Zxc.exe\" .."	CFGloader by Zxc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CFGloader by Zxc.exe = "\"C:\\ProgramData\\CFGloader by Zxc.exe\" .."	CFGloader by Zxc.exe

Drops desktop.ini file(s) 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Documents\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\desktop.ini	firefox.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	firefox.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-ka.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-pt.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_829249038\Part-FR	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1899593985\edge_driver.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-hub\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-eu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-mn-cyrl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-mobile-hub\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-notification\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-tokenized-card\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-tokenized-card\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-tokenized-card\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\cy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-nl.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-nn.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-hub\da\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\wallet-icon.svg	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\wallet-webui-792.b1180305c186d50631a2.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\ko\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-bg.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-ec\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-hub\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-notification\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\wallet\super_coupon.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Mini-Wallet\mini-wallet.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\mr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\gl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\hi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1658215067\keys.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-or.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-te.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1899593985\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\crypto.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-ec\hu\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\fr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-cu.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-de-1901.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-fr.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-tokenized-card\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Wallet-BuyNow\wallet-buynow.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-sq.hyb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-ec\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-hub\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-mobile-hub\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Mini-Wallet\miniwallet.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Wallet-Checkout\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_835215745\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\bnpl\bnpl.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-notification\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-tokenized-card\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\wallet\wallet-checkout\checkoutdata.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Notification\notification.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_287680716\_locales\ru\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_3153583\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_668745059\manifest.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FireFox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FireFox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FireFox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ekacleint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CFGloader by Zxc.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875537528580932"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2123103809-19148277-2527443841-1000\{3E4DC5CD-27C8-4B37-89C0-475FF1CAEBA4}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2156	msedge.exe
2156	msedge.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe
1496	ekacleint.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4060	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

description	pid	Process
Token: 33	4064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4064	AUDIODG.EXE
Token: SeRestorePrivilege	4060	7zFM.exe
Token: 35	4060	7zFM.exe
Token: SeSecurityPrivilege	4060	7zFM.exe
Token: SeSecurityPrivilege	4060	7zFM.exe
Token: SeSecurityPrivilege	4060	7zFM.exe
Token: SeRestorePrivilege	328	7zG.exe
Token: 35	328	7zG.exe
Token: SeSecurityPrivilege	328	7zG.exe
Token: SeSecurityPrivilege	328	7zG.exe
Token: SeDebugPrivilege	5720	firefox.exe
Token: SeDebugPrivilege	5720	firefox.exe
Token: SeRestorePrivilege	2908	7zG.exe
Token: 35	2908	7zG.exe
Token: SeSecurityPrivilege	2908	7zG.exe
Token: SeSecurityPrivilege	2908	7zG.exe
Token: SeDebugPrivilege	1496	ekacleint.exe
Token: SeDebugPrivilege	4652	CFGloader by Zxc.exe
Token: 33	4652	CFGloader by Zxc.exe
Token: SeIncBasePriorityPrivilege	4652	CFGloader by Zxc.exe
Token: 33	4652	CFGloader by Zxc.exe
Token: SeIncBasePriorityPrivilege	4652	CFGloader by Zxc.exe
Token: 33	4652	CFGloader by Zxc.exe
Token: SeIncBasePriorityPrivilege	4652	CFGloader by Zxc.exe
Token: 33	4652	CFGloader by Zxc.exe
Token: SeIncBasePriorityPrivilege	4652	CFGloader by Zxc.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
4060	7zFM.exe
4060	7zFM.exe
4060	7zFM.exe
4060	7zFM.exe
4060	7zFM.exe
4060	7zFM.exe
328	7zG.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
2908	7zG.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
3568	msedge.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe
5720	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3568 wrote to memory of 4072	3568	msedge.exe	85
PID 3568 wrote to memory of 4072	3568	msedge.exe	85
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 5736	3568	msedge.exe	86
PID 3568 wrote to memory of 5736	3568	msedge.exe	86
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 4972	3568	msedge.exe	87
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88
PID 3568 wrote to memory of 5112	3568	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/chxBRaLY#Hj8a5QMBYVhwQ2Glu03kQ7ojmpUPvICXGSG6zq3P1ro
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x2fc,0x7ffc5734f208,0x7ffc5734f214,0x7ffc5734f220
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1960,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=2912 /prefetch:3
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2700,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:2
  2⤵
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1808,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3384,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3364,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4784,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4772,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5424,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5732,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:5424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5980,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5452,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5452,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5572 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5540,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:6120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6488,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:8
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6292,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6704,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6748,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7400,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:8
  2⤵
  PID:652
- C:\Users\Admin\Downloads\FireFox.exe
  "C:\Users\Admin\Downloads\FireFox.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5564,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6340,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=7656 /prefetch:8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7572,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=6728 /prefetch:8
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2124,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6160,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:5924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6376,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6000,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=7000 /prefetch:8
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6772,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=6428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3576,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5620,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=6756 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5984,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7396,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6764,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=7448 /prefetch:8
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7680,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3952,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7004,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=7056 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4796,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2128,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=7472 /prefetch:8
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6392,i,11973048855241892771,2344253663914602503,262144 --variations-seed-version --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2360

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4680

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x48c 0x44c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1496

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\FireFox.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4060

C:\Users\Admin\Downloads\FireFox.exe
"C:\Users\Admin\Downloads\FireFox.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FireFox\" -ad -an -ai#7zMap2766:76:7zEvent10333
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:328

C:\Users\Admin\Downloads\FireFox.exe
"C:\Users\Admin\Downloads\FireFox.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4608
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    3⤵
    - Drops desktop.ini file(s)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:5720
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1984 -prefsLen 27100 -prefMapHandle 1988 -prefMapSize 270279 -ipcHandle 2072 -initialChannelId {651c6f61-bfdd-45b7-8f4e-d46e6fce86ac} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      4⤵
      PID:4204
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2448 -prefsLen 27136 -prefMapHandle 2452 -prefMapSize 270279 -ipcHandle 2460 -initialChannelId {93c14d16-cf2a-41c3-9bb4-c3389930d814} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      4⤵
      PID:3872
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3920 -prefsLen 27277 -prefMapHandle 3924 -prefMapSize 270279 -jsInitHandle 3928 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3936 -initialChannelId {7f328ecd-bd0b-4d21-bfac-ef478d7df790} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      4⤵
      Checks processor information in registry
      PID:4908
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4112 -prefsLen 27277 -prefMapHandle 4116 -prefMapSize 270279 -ipcHandle 4132 -initialChannelId {57c89b2a-9db2-410e-9e5c-b71738a274d4} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      4⤵
      PID:6132
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2800 -prefsLen 34776 -prefMapHandle 2940 -prefMapSize 270279 -jsInitHandle 2640 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2996 -initialChannelId {84e9862b-5363-4f7f-9a8b-440c10f46551} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      4⤵
      Checks processor information in registry
      PID:4912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5108 -prefsLen 35013 -prefMapHandle 5112 -prefMapSize 270279 -ipcHandle 5088 -initialChannelId {df22f9d2-5f91-4728-9e7f-2c6db2624416} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
      4⤵
      Checks processor information in registry
      PID:2616
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5304 -prefsLen 32900 -prefMapHandle 5308 -prefMapSize 270279 -jsInitHandle 5312 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5324 -initialChannelId {1e8affe7-1ce2-47c2-b0a6-a6067431ef3c} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
      4⤵
      Checks processor information in registry
      PID:4900
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5528 -prefsLen 32952 -prefMapHandle 5532 -prefMapSize 270279 -jsInitHandle 5536 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5544 -initialChannelId {a20ad071-b023-4b10-8c36-e064d46c41dd} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
      4⤵
      Checks processor information in registry
      PID:2604
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5572 -prefsLen 32952 -prefMapHandle 5560 -prefMapSize 270279 -jsInitHandle 5660 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5252 -initialChannelId {b817380f-39d6-46bc-a410-8e7faf4e2720} -parentPid 5720 -crashReporter "\\.\pipe\gecko-crash-server-pipe.5720" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
      4⤵
      Checks processor information in registry
      PID:796

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\FireFox\" -ad -an -ai#7zMap23961:76:7zEvent24602
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2908

C:\Users\Admin\Downloads\FireFox\ekacleint.exe
"C:\Users\Admin\Downloads\FireFox\ekacleint.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1496
- C:\ProgramData\CFGloader by Zxc.exe
  "C:\ProgramData\CFGloader by Zxc.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
7da492a02c29529dc0ca538b502e3379

SHA1
cee6a1b81936f6a20f1c9c4f35c29394338ff54b

SHA256
553164a83cb91c4905a86373c61bd899bc1007e7719791878bb95290f1f27f36

SHA512
3a1aaff3da507ce35c4e06ff9fd2516c65780849b24fab33417da2e799e20bda3594e5f2f32b1326dd1d3da560c76dbff1f626c147e99c7a990fe09ab0a2e89c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
69fffe3fec1e05daee63060dbf081c93

SHA1
ec25f941d5de039dba8503f30f4c70b825eaef94

SHA256
83e64b2bf3d6e72b3f0a5414a3358856a2b241f7e4574f76bf1fffcf88ee8be0

SHA512
d55fcc33da027f20ae32975340fba52cd9c78538f911a0c6206ad7d4a679807e4b043331061e136d736d62e4e834c0fe5742c3cbdf6d2207951f9b6514fb9860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
331B

MD5
2239e19de04594dad7dee52e87748fa9

SHA1
b71c09e635943109b2ad3ca5c191f586d2b0c87b

SHA256
a96522c00a1633bbf58455258f7315c92535a36e15d0c5e005b598cf37576dbd

SHA512
21844a0897c75962ea1a252956ffcf23314e8d68de4b5487e229275d58aa760d400579546cf8283161c7278bfd57cc959a3ba5531ff218fcfa5821aa2f6eb5fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b1c1c9e06f5bbadacdcaaa359048ecd1

SHA1
d232499a92718492e76dd001c581befa0e3a80cf

SHA256
7684d64bad91397c2e909d1aae25bb42892630792fa11f613ea2d4db908e7540

SHA512
e9e693bd0f295f472e76d8b972bc3330d4ca41605be8333ae0859c95e8b10d627c8d7839e0c7ed1b5e44773ad3700d2b9669ff2cb34c50a65937777f751ad5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c38e.TMP

Filesize
3KB

MD5
de11f8e1d0b3b91fd793296d4976ce5a

SHA1
e2b80c0b83358081ca2c42a33a501390632df627

SHA256
7b389238885da91895878a35876c7829f158da570badaafb57e77dad39b60477

SHA512
7afc21537f07650bc10cad4700bace62715e1139829c3eed3fa4ecce06991514d9af650433ca299b5ebc0325c1c0eee7d48cfe70b88887e84d56e956bae4b943

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\p\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
aeece61db1ed42f025bcaf3c8df02ce8

SHA1
6448ea4f7634ae627099ed15e381c457f3d831f2

SHA256
1a4642487d1a818cbdbe9a53ace6a62455e59ed1e24b3fda7519298a0653cb2e

SHA512
4d5b45a111c6d8ed5e3d193b2a37acc0cc870145012398582df3ede369d8fce79b941257cd4192738bf609c237cf662df518205175de6f8155721e52b46664d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
78da86430b8306f7655735b122638a0a

SHA1
221014875efbb558052f94f0e727a835ae23f32b

SHA256
e79bc8f50b4c5f0db41b2d247be828e361a19e2ce0597c1344306ba10d425fb7

SHA512
061fc04e32423ebd7797f99f46fc6217c38a9ccb7ce104cb2829deb48ec8cde2e0e9810c3ca2464457e8343221c62c1a182aa032937f68b95858231b4a03539a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
feb6d5cc0ce23670ae7c12c5379636a3

SHA1
99a5b7a1e84e84c0b3ec33b43e6c9766326ac174

SHA256
8b329507c4d6f4c4033885b272294f945076d59b23cccb1017fce761b71406cc

SHA512
6b850e7745fd43c7349fbe1906a45648dd8890c9136676ce6890304ed20bb8d0a6e60d158c8ef7ce756941fa61a4fdb17efe00f31393f704ab5dd33d655773cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
8a0de63ace47a7c11027f92ccb6c3524

SHA1
78ab7e04302bc83b812bef2afb7b59acbe869718

SHA256
411711015c46339e1c3db2bfd2743be6e14fbd28e28981af1f44439b27b8b846

SHA512
d6d8c40bb50432bdad404e14290bbef3eb10d6b73c2ee4add31f6b5b7ede80f1f33253ba47c59a3b723a24a82451ae88aedc8a80ae2f90f7701dc6434a5b3180

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
e3b8ef29544673a2e20f20dd0219f9fe

SHA1
7c48bd2349c2690fe57e2194a3a6d8b30744149e

SHA256
b4d8beeea4e0154e46e1f35cf6594cac35e8f6e9cf10da363253337a4c172623

SHA512
09c462a7ceeed24b9dda0314dbf3ec40d3d20176296597c71519ef4851bf61103243cf6a87df1b341cbe568ca0a1b00f96e94fc70dc45eb3f53fc0132210049a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
1d4edb92b96c20d546355a530eec0e8c

SHA1
af7a9284438011559e956acee660041abf3bd6fd

SHA256
e9c015098d6f9c7e020ef86cde14ba7f01ccad2c6a4b9250edfe9e49d5e5fbb6

SHA512
4d9f1d4423126759f37aa828f6533d28bd8005974dd01d9689c071a3265c473d231ee9005170de778a91b5d96f94d17a529b88011889c05ee9d9edeb9625e857

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
2448ed85b643299554cb655294cd1a50

SHA1
11c3f66c9a397cef427f96c35ca2d12616d236bc

SHA256
5802971be421b14f8a32d60fd8804f1f3b8833a1da27ee0fce807f565fd015c7

SHA512
3876f2015f43234ec5e20860a17b0ab6837ac26b9c09b7bd11454f4e0595be3487c63502265d33644b84b07eb524d3ee92ae630541f133a2dbdaae40fb82d3ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9db23011-5021-49d7-96fc-d0ad57b8cbeb\index-dir\the-real-index

Filesize
2KB

MD5
5ca187cba6ea698b74f10867910aae3b

SHA1
07d74f0c1927fa64469203a50c177a976a8df3e2

SHA256
23f533a9815034527251819a99c7380ad1f1ac4ac41b27109e82bf1c03ae3126

SHA512
60942d0d745f7e3a0cb0a253b99ea7268111036fa0a432f6f8f668c3eace83a0a63baf96cad6e30e547d9530ab7fa2dbd99ccf1e5b73825f49f25037a76e6b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\9db23011-5021-49d7-96fc-d0ad57b8cbeb\index-dir\the-real-index~RFe5be452.TMP

Filesize
2KB

MD5
a0fdea877932b20c723e1e5315d5d14e

SHA1
a7cbe214f87daa73dba862c12ffccc5178861e01

SHA256
3284bd40420f373e1abeb904f0990edf185242b8bf060886e01b03ffaacc5329

SHA512
bddf527405f32f54cfd819fc9cf1bab726c2cb514c7795fe0a9ef5f6c4f38d804017cf301b2e7018a9a710d4881a5a0da73a3a44b4a6e09983699c48ad09559e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
2c4abca0660130b3575b64983f58df8c

SHA1
f1b04ab6563247464a79e1432fdcc11ac06dd8d2

SHA256
c3b31f286f8b1540ff3107c0ffceeb92ca494a3bbdcbbe7026af887a79faf744

SHA512
77d30e558b7d29830a25678dc82f5abda7fc28bee3da57f5c778facd522a548628df6df9249b0ff07822acce571b9ffc0b1b247bdf977c2c603b2177a14c4ae1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
d14e913a83153d9f78ac9adb3f61881f

SHA1
5e9ec3215cfd00a9183d9de18a9bf0eb6466efb2

SHA256
078b5a024c5f107d0d363c1c8557fe6ad9a9ffe16bc1fbf8b5534c2fa0dab893

SHA512
5d835290797bdcb1d131038e10a762ffeb3f71a9b5a7dac22ed50917faf58c5117e1b919ed7b0310ef71221b3fd50b757b20abbbf53042b4130a920ef4e24651

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a8c3.TMP

Filesize
72B

MD5
5f106989324d73632f55aaeb90ac6dcc

SHA1
49f17caab3fae6837abdb4bac9ebcc2d5f744e37

SHA256
ae949db78799f28845691f56fd821e67125aa1d98a020609b234214dee009fa8

SHA512
a55891a5ea5ab3bf01806ee4d4452ef854293c65a7f260776114aad0676df13077f560b0da000ba15264d0dc11df7deeb8ae660ef2e594d51fdb64663ae76e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
c41e579d4d6821a9120e960ec6b649fc

SHA1
c160ab891ae8707563c62a00392f8b86a5c0fe05

SHA256
0d05644691ef8742516d4d24d6149f15fa080ba679c145d6323adff1e63dc550

SHA512
d7d63d635d7692684596da30b7fb60b9be18f5997e5e3af68b7c8ff7dd3ca70d84baf7a67c9c6cce823e5502f4b3028d92ded1597960a4338a3b910a5950e55b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
aa5d68e0ff4e82c14f1ca1d6195f0800

SHA1
cbfa8a7ba0aad356e3536d516549466424853ee7

SHA256
906e3c4d0e4350cdfb66909c5f76fa29b5f7b714152a3239dcec245064037774

SHA512
8baa583fdcdb3dcc0fffcc18c9eadb647f192cc4320f46d914f8d24cce1884efc55b70c69b8326fd008bb5bbf47f104089f48d2a3ebaab6e9cc68c0814778a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
da12debf3344780615e65d4669d11b61

SHA1
c51a7476db141bb902d88e1a6b2c52cb1e1d10f0

SHA256
3ecaeeb2829ea3ca5f78de5648c7a3da2d341f8940baccd3cbd5e33149582e1a

SHA512
6702d12b5b51886c38e7d4828f11407ab24496e8f15729061999753274eda5f84a6a214922020624a06e96ff01e3dd9c46025c76ab35712813c45aba2fc8dc59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
842e32264dab77392192c8244aa4bd51

SHA1
1222ee4a9a8e67b637b12084ff459cae1adf216e

SHA256
539ef17199c27cad279e112f5b5fcf47a823f8e49e45840dc0ecdc5804606fb5

SHA512
ff883a1530a687f900c9cad15789b33f4fb230ca04e433b7c9fcfedbbc1f6fb898e0afd24cab3800aecd8b82aa3fa8aed44fac4841bc61e4321a44b65d1941ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
4131e926b291f477722669f17c501956

SHA1
a959cd73fcb4fb99c33d19540ff6584b77531e1d

SHA256
e5aae6d0991f6d861964a85712255b5809f385e1d6d957966ec0a3eaf40d485b

SHA512
f28149254591b9207642f37832b31f603b3841c6704a1f3b6ef340152cbca67ad1b037585530d0177465f99bcbb3424618a33076c9a959b97cb95e900a102e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
06a28118ae0fdc0b81e3422d003c94e8

SHA1
8436b6ee7cdb6287cd80f1b3be8ca9a5d3bca157

SHA256
34f526bf2ba8763db333dbab548ffb33d39312e36dfe9f8f435e96db186f2fa3

SHA512
7b8f42b1f5b0bcba4085e7e8767d48ff14dfc8021f36ed2010909b3364eb22cddecaa8385778ae116a71998cd6b9721084eaed0724be444b3993187c34e4d639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
cbf3dfed52dd853c93b9041303b2b615

SHA1
a3d0407223ec52fb5157f17042c2be8a3f85a63a

SHA256
79486c454cfb1d158e5a13c6e3c3546e2c50a0e3c87d3a313f73a209f34bfaf8

SHA512
17f7f482645002827d0d5b73e6a1f970f6cf94f2579754e30fa450cdfd2d866849cc69919e187843edb9507fdb301eceedfa9fc8b918570b459e8173a911f426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
21b821af181ed6b62d5fa673f443329d

SHA1
e73a8a735f9e963a0f23ef4653bb18ed80966cc1

SHA256
7fb0d05d28b262b9b668d54b452f33ab1bef59f495db1966e892d8cc8d11abd3

SHA512
edb49032a089f709ce3893b175af27b4846c1368d39a8a514a2e5e97029ba3bfda4506613b4d29ffff09c4d1000cfb2f54027ad760d75fe6b9ed5873c0486382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
790131d58a0715e0279d75de802a6513

SHA1
ae3b56c172aee76ac04412e7caf9bf389f846eac

SHA256
348f47326cebc3c8b4865db324fc077adf3678cdc2711b3af764d85b88a9ebf4

SHA512
457d4f089435289848e5a07655e06cdfc3ea7c45617e2e96ba177eefb0df8bc967bfc9bed99162d222764f6c15b4b334958c165119832bf56004ea891097882f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Well Known Domains\1.2.0.0\well_known_domains.dll

Filesize
572KB

MD5
f5f5b37fd514776f455864502c852773

SHA1
8d5ed434173fd77feb33cb6cb0fad5e2388d97c6

SHA256
2778063e5ded354d852004e80492edb3a0f731b838bb27ba3a233bc937592f6e

SHA512
b0931f1cae171190e6ec8880f4d560cc7b3d5bffe1db11525bd133eaf51e2e0b3c920ea194d6c7577f95e7b4b4380f7845c82eb2898ad1f5c35d4550f93a14b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
27196fab0024113a5cbbbe929ca3c0fb

SHA1
d88bdda36f08b7e431c7b4181f7797973f87bfb1

SHA256
e6c38379896dd1f8d4568fcec01761b4b63f0da94595401008405399f114a07e

SHA512
6a6431554381a0a31f5ac4e611d567432ae8efc9bd17ca4e8060cafd58e4fb7091eac30c8c36bf25229f1ef064625d68745e35aa77d7a2e508376dc2f9ba30ed

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
14285affdd605cb8907cbc6b65a6d95f

SHA1
614daafa1d408666d6620d3fe74bc980434aa770

SHA256
407e3cf6432993bd5f84b8a7485e5cfdd0420e1f3463f245ba7cafbf2938e237

SHA512
f151a95c3f8e7af6ebccac73d44f295178b7125be467e9d835fe3109dbec4840e416cf6a89c496361c00a3a2390a7a7d38e5cee2c517993a508f858d0797d069

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
edd7d2ad282898e467d5d06abeeaba4d

SHA1
3037dd41635546bbc09fe6821f5bfa4149fb6764

SHA256
cab2d00176a4b21843be12af0490991bb589b2b14cafef1d1b7a6fe9c3468797

SHA512
b9713f19ff26e0f8702c63e584cc9f602cfd4918f14592ba052eec1dc9dd00a04025bfb65897095693efb10e004f5fbcffbf3609e0a8ddb52d66248f2e2883df

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ptqf56iz.default-release\cache2\entries\E19316B1CDA62317F9DA2551F9B56E711FCC77AD

Filesize
13KB

MD5
00400b62e6855d826751f7876d532b19

SHA1
330d06572d19f14bd17cf9f50716f28bd91ed9b0

SHA256
6eecbeb07c58d07cfe7d6617ef004cc34a3992f8b4a884dad2ecd9f9a0dcd59e

SHA512
9146494965fa246b02228d2f77fc8a58001d18a6ce9e2c1391f849fbda18a5e5846338c11cca94cabd0475e9f35b7491a1e6616abaf3cd398f34879e59a9e972

Download Submit
C:\Users\Admin\AppData\Local\Temp\796badd5-10ee-4f0c-81c1-3dea0cb20707.zip

Filesize
3.6MB

MD5
eee2a159d9f96c4dd33473b38ae62050

SHA1
cd8b28c9f4132723de49be74dd84ea12a42eef54

SHA256
52c720ca9b1d7649214694bc46a9ea0cf2ee3091e1ac717633ee06b6e2864384

SHA512
553c8b347e1654ca256dd4b760deb669cf394763419c972bb60a555006525afed2cff53b2516e8b239bc4bb35afd5429bd89611303143e7e65b901c0f5c2cc07

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\AlternateServices.bin

Filesize
7KB

MD5
c3c2d0c68821b615989645b529cf23fb

SHA1
c1e472e0e6d99bb1d574e5e843d3e383b7ff8611

SHA256
4cbf558903437f58e900e1abdfa4da3727d1d58f9dd67ac1092fd618d840a5f5

SHA512
f118ac4aa39bfb21912f282a4f3f84f953b01038b4c9f771c796392bc49f73f0823d5744e7f09d932204c58d9e683562a037e8cee3b48132991e1f908a8f6351

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
449aef4f0677716e9ad58c80e8b4e91d

SHA1
7ec8c95692f951736d73f747b73cd99365046bf2

SHA256
32959fa465341b8a3d6f9f205990f84cc8b6e97b74146aee7bbea80275a07c47

SHA512
9ef4f36a27bd5991ae9767835470ef2f3785374ef81ee76a79f415eaec15fedc776cc0501f43d524247cbaa4549369b8ac1a8839c5f2c131382d29c4c320433f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
b05d2e22e1e633c374f2fdccb8b77f2b

SHA1
b0a78b3369cddda88ad7f56b035c60721673458d

SHA256
ebe03a4a35e195176361af455c60d677c8d2bbf9c8a8df077a2fd0f936413bd9

SHA512
52b3e4f1032f876181cbdbfd24c1d8c2574af9c586d7ced61005695085a95cc00e77e20050b7678460fdfad6e3cda1d46f0580a72ef113b14372e3199eae8ad6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
b46ca76e9b7346a8d9f28545afcf436c

SHA1
ec52f3ae4e229bf5e9dc0556c6d55f8c18879f96

SHA256
dffd8b753f183b8157413a006c5e087452bb35540b8566fc576cd190b6f02536

SHA512
5f4bbfc3da7f240c7a0e5f3a2dc0eac7b6272b474660efa38503bdca246bc9eaa89d70193e50f92b2bf348fcf72dbb8da1c36d4745545f940e6ef7997409d863

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
25KB

MD5
c1d588581912ec61db3ee446fd8aed2f

SHA1
e374bdccead42d36245766ff5311ca4a0e9e0c1c

SHA256
9bc4a572a4fa97eaf62b61d82b3abd609d59980a58806f82da438f5472ddaaaa

SHA512
b89af7a9240c6f4a8e40139f9fd8297214551b51f9d05a64289cdef6aa28abe9f08fc3739810c970ccc896b2f9c9b20fd89721f0f09d087755f80bbfa18cd8d6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
7a667328623b8055114f7e67a2869a78

SHA1
93c50fe0a2fcd1751ddca6bec9e35a39a7faf29e

SHA256
0958c10f70dde4bd62a656a9e6a83dc184690287ae81928b768a92fc97f06627

SHA512
015f2d0774802630333a6ad0474198bf847abfeffd83e1e35dfb291cfdcaf337249b276a5c3157d5dbe535f227c26c2bec5cc4dea0cc9ee44ae535d427a44403

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
452d7e37fa1ef683fe8a4f95db796b1c

SHA1
9900d00b933112db0a27a8f71c0e5a38cebdb0d4

SHA256
c29706ca799caa0a0aa8cec8845031a25e1c111240eafdbb2293eea14b88294b

SHA512
e0e5e377a20cd590452bf5f4b4fd1bc9af9705ba4dc654554fb617e36ccda5f4ee741c8c332111b8928f5e2f92bf4bc759924a1e31500bc321681fec9a3aef18

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\185b6ffc-1808-4332-9efb-b8843eabbf11

Filesize
17KB

MD5
f795d9d48ae8332477c46b88d38a10c3

SHA1
57e2c706ff72a31a77be7feb80ed7f5d1c86d9ab

SHA256
30a5b7156d070b7bbfde7522b22ff940e7d1d077f15d88b1bf5bf1ed0f880655

SHA512
6cf81a3d91dd32dd30befb2a325c111738d3b3465309d93cba2b2efb0d7c86ea5570ed5d60123f09f1950186ac5dc70f6aa946b0f0217b2eefe02fd9fc7170dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\225ee6e5-c10a-43a7-877e-2fc3557055a6

Filesize
883B

MD5
d9c2ae69f7c9854b6f1d6b83fdc45a82

SHA1
f7a33126464d2c96d05609e85d707ff1b4f966ca

SHA256
2e1bea2f931c0a6c40879b8653da9f13ede514fe36456913788486d7194df316

SHA512
1d78629f8dc65ab15a9b5eaaa3915ba58d7b9dffbc577cdf75ead9618c3713ea442dc01a18835ab0d343bb775a8d32269086e524ee80fee803c427a4e9119512

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\5c251716-da36-421d-8937-b71890438538

Filesize
235B

MD5
3f2d95b362417b2b7676fc5f70cc30ed

SHA1
d4b3cd661f1c7cbf2c3b83b943d6a0cf1a1561d9

SHA256
91a8e655eb8dd81c6c970ac0bd5437b99eef6b084320c6248da9f555790ccea1

SHA512
50ca6c6ebd0d1fa695b21cca696a11d86d6849e92b2aef21d0bb9dcb11f1f8a37f2ef7bfb5ecf8671e44fdb244f1d558580a0b4dcc6340b7e8b01fa964d32fec

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\6821ea03-16a0-43db-b330-cb29a1e461e2

Filesize
886B

MD5
3cc495abb36feea94684cf3e0418915f

SHA1
c4b3b2dcb582938fd645d06aecb70cfc89cfa895

SHA256
bc468936298bf74542dfa33b8afb27b726766a21c86382d10cc25481baddc1b3

SHA512
86e345e06c6d6df2878ba3b9251df5f9403eeb63f472a517992b31b346410c3ba93d9a7b5b19938fe8e344db0a499280043f005b0dd602ca45c02055c71be678

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\ce620421-7a42-4a63-9a4e-3ab3303b58a0

Filesize
2KB

MD5
1107bae588edced1081ad11594b1eca4

SHA1
97307e38a5442b14b6afd760e5c71dd0003f75ab

SHA256
f9d4df20b0aaebc72089e1c6d8cc93e5cc75dbdb57974bb326d7cf2c1f0e9fc9

SHA512
ffff4e59fcb0fa8d59dae1005a9eb3245dda1df4b0a53223c9555cce37ca1d281ce845159d732d026c0518623fb00bbc710f867bbb22d30c6ca7a5c3f6f48e82

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\datareporting\glean\pending_pings\e6498c58-c43a-416d-98a3-dc592bf17f14

Filesize
235B

MD5
b58622e35e0f54edfff967f77cc779a5

SHA1
e67da3ab5de578d45eaaf1ed3ced4346477325bc

SHA256
55aa106f48ae5b1c07016bc05e09f9b1cbadb565350a32c860e1b168394d98d8

SHA512
d94653cda8b4b52d8145bf50f1414f193659066380537c003f5001151816c5056fd2a0ea4e814c67e79787f7a621a53ac3396f37015dbd9ab4ad2ae18f475cae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\extensions.json

Filesize
16KB

MD5
552033ac483cef56de9ebd770d1b49d7

SHA1
d5cd47e04fd835873ded479aa426770b88b89496

SHA256
bdab36af9ec660d87087129232b0d4750cb616ac5bae403209d051fc66425b16

SHA512
34d751ca6e1b14d3fc6dfffef6533b94e3f9e635c80111fe1c4128cd07b0a244e040ee26f503c99f389a24ec33916047797d24f46bd0b5d285d257aa387a18b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs-1.js

Filesize
8KB

MD5
1c9d233b620fc5c2fab4e3ed39d77553

SHA1
f65da3a4a28d35d0d843117c914ec6ecb2fcec33

SHA256
37a0d2398ad7b07335caf11314065cd69f4b8a95fcefb185084aef85b29462cc

SHA512
8b1be6769d513cde1f9c2029c11d6745ece045e2a6c615fec1ce448361ee556ec62e5ef7df1180b7d45839dbb5e90e3dca3d2e83836aa8629b2f429c935be68b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs-1.js

Filesize
12KB

MD5
bd7681b0e8d76dcc5f7edafabd3da072

SHA1
221cf5273639b43a2266e367b364677358165565

SHA256
8301d80b768f622b84a07bf7ac9c9ec26b3e0dab7c0eaf30926e5a2eadf893cc

SHA512
33d1356f4e20b7ff0336db3f86aa14a38e0b556adfde3fd2edec8cca14edf3845164c9721f1fea48df1a9ad067b8769c21bf62750c3691e7744a570a64a9d475

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
c2131aa0e71b9e89a92212858c962c88

SHA1
0d7dba5774820fde4c5b449d71f2168aa1e5c03d

SHA256
3a050f357d25f61aca8cbaa75a22cecca90e495da1fd1ee7203d5f7dcce79f27

SHA512
af28a297f0e46efa49f78935b93ff6bc11bb1ed6625db6f17aa417080fa0e9fc599a9af8b59d0f51a55192e44b2bef4d18b67015f9628de65bc9556702dfd33b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
f963f9445faa24db637ce3a87483b610

SHA1
464788b7ec83ab4670c71bad0c82e0a8c6502e1c

SHA256
c6870496aead33ac563d13e575052838d1e76f92f55687e72e98df6f1a915e1b

SHA512
7c189a2027701a8612f7fbe2ea5fcdff1d8e3117b0425cad7620436ec6e0df301311872039be1f8dac94f3f0b818cfb8b70ac463d40af38ae3c4ceefc702ab41

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\prefs.js

Filesize
6KB

MD5
23e3d81e8fe8ca93297bbcdf7148f944

SHA1
50b1aaa96ae74d1415ef9afb78e2b05b90718ebc

SHA256
01180ab1acf14d224254c4f8208bccedb2c7e3b50cc5d074de7f5ed4af25312a

SHA512
553468e7fa884c116811e416392a18e7482fc6adfc37efa5473e003d0f332049d2698868cce62ad31b8a4e0518ecc1e28de4ccef72c521fb325df0fdfd6edbbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ptqf56iz.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e5b7e99cb45691379543b74fd1cea810

SHA1
22d7caedff67e57fa74acf0b61e3fbb8aacf2506

SHA256
2df54a1c270999a98a9e5b8bea2f1f5ceb5b38b9c9337e8d60721ec392c04a87

SHA512
d7111173d127704da4ec8c211fa194ad67a818d4ebe82abbc6849b94c00316ec3d1ca805f8cc0212cc9b203c55cd97bcfb0a002ce21f17c94b50edd1fa0b29bf

Download Submit
C:\Users\Admin\Downloads\FireFox.exe

Filesize
378KB

MD5
afa5afc2a4999b2935e6c6f12591004a

SHA1
1cc30c782f29392698a9b83cf08e937ebce97670

SHA256
de92c938b0f308a2035ee83fae456e9053b7d36e12f4a8924d2c142f0fa59c03

SHA512
bbd192773801cc9cf4a40a154879cb14eba432269a14aaa9c9ce9672adbb31525114651cede332dd647ff6f6b261d1d3443c7c3a55490b89e7f30e72ece7212e

Download Submit
C:\Users\Admin\Downloads\FireFox\ekacleint.exe

Filesize
65KB

MD5
4e53621c76d15d9cf58bf3f335a87db5

SHA1
5ede089371ec6fbd69aff5fd5d6e0ff6c32644fa

SHA256
199e7a2c041a7dcc7d6778d27baf68d839dca510676f85ab16fd917a803eba49

SHA512
732eb0ed0b16c8982885d0dc1a44a42c905f5e35d9046ac3ed5a24227476ff3e6fa56f550abe8f8ca4e5e6c5a3f4045b02d6c2157f3446fd8577cd5727c387cc

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\Notification\notification.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1033168353\json\i18n-tokenized-card\fr\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1658215067\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_1899593985\edge_checkout_page_validator.js

Filesize
1.1MB

MD5
0e3ea2aa2bc4484c8aebb7e348d8e680

SHA1
55f802e1a00a6988236882ae02f455648ab54114

SHA256
25ffb085e470aa7214bf40777794de05bf2bb53254244a4c3a3025f40ce4cef7

SHA512
45b31d42be032766f5c275568723a170bb6bbf522f123a5fdc47e0c6f76933d2d3e14487668e772488847096c5e6a1f33920f1ee97bc586319a9005bacd65428

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-bn.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-mr.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3568_2103041972\hyph-nn.hyb

Filesize
141KB

MD5
f2d8fe158d5361fc1d4b794a7255835a

SHA1
6c8744fa70651f629ed887cb76b6bc1bed304af9

SHA256
5bcbb58eaf65f13f6d039244d942f37c127344e3a0a2e6c32d08236945132809

SHA512
946f4e41be624458b5e842a6241d43cd40369b2e0abc2cacf67d892b5f3d8a863a0e37e8120e11375b0bacb4651eedb8d324271d9a0c37527d4d54dd4905afab

Download Submit