globeimposter | 31e98d197c6a99185b97dd573fa2cca10c3bf7259313ce402fcf9ff9e88a3433

Resubmissions

07/04/2025, 04:37

250407-e8645ayxct 10

07/04/2025, 02:13

250407-cnt8qavwcs 10

Analysis

max time kernel
92s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
07/04/2025, 04:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
Size

53KB
MD5

577ff8c29904f863d5796a6f772722a8
SHA1

549734707d5a6ad7a262064255dc4ec51d9fbb43
SHA256

31e98d197c6a99185b97dd573fa2cca10c3bf7259313ce402fcf9ff9e88a3433
SHA512

717638c12e5410317a3d0b0cfd62abdf3fb81cb123f539a77d7f0f228ea3944d8e778c659f01bf4f8781f31f5014dbd0b4796835dc07b69e0eebb98096d552ed
SSDEEP

768:wSvZDxvuye1kVtGBk6P/v7nWlHznbkVwrEKD9yDwxVSHrowNI2tG6o/t84B5et:tDxeytM3alnawrRIwxVSHMweio3U

Score

10^/10

globeimposter defense_evasion discovery persistence ransomware spyware stealer

Malware Config

Signatures

GlobeImposter
GlobeImposter is a ransomware first seen in 2017.
ransomware globeimposter
Globeimposter family
globeimposter
Renames multiple (8990) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Executes dropped EXE 1 IoCs

pid	Process
6032	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\BrowserUpdateCheck = "C:\\Users\\Admin\\AppData\\Local\\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe"	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe

Drops desktop.ini file(s) 41 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Pictures\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\AccountPictures\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-976934595-4290022905-4081117292-1000\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-976934595-4290022905-4081117292-1000\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\$Recycle.Bin\S-1-5-21-976934595-4290022905-4081117292-1000\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Users\Public\Downloads\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\desktop.ini	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\SharedUI.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GamesXboxHubLargeTile.scale-100.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\GenericMailBadge.scale-125.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsNotepad_10.2102.13.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\NotepadAppList.scale-125.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.2008.32311.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\GetHelpSplashScreen.scale-100.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\libalphamask_plugin.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\PLANNERS.ONE	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_1.0.38.0_x64__8wekyb3d8bbwe\Assets\VoiceRecorderLogoExtensions.targetsize-80.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\System.Windows.Forms.Primitives.resources.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\PresentationCore.resources.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsStore_12104.1001.1.0_x64__8wekyb3d8bbwe\WebviewOffline.html	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-200_contrast-black.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageWideTile.scale-200_contrast-black.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\go-mobile.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\convertpdf-rna-tool-view.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-black\Doughboy.scale-200.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\progress.gif	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib\components\Breadcrumb\Breadcrumb.types.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\Tentative.scale-125.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Getstarted_10.2.41172.0_x64__8wekyb3d8bbwe\Assets\TipsAppList.targetsize-40_altform-unplated.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2020.503.58.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\CameraMedTile.scale-200.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DLL	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.21012.10511.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-72_altform-unplated_contrast-white.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_2.2106.2807.0_x64__8wekyb3d8bbwe\Win32Bridge.Protocol.winmd	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\System.Windows.Forms.resources.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\ui-strings.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\contrast-white\FlagToastQuickAction.scale-80.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-gb\locimages\offsymsl.ttf	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.GamingApp_2105.900.24.0_x64__8wekyb3d8bbwe\Assets\Xbox_SplashScreen.scale-200_contrast-black.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\DetailsRow.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\AppIcon.targetsize-32_altform-unplated_contrast-white.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.32731.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-40.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateSplashScreen.scale-400.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.MicrosoftSolitaireCollection_4.6.3102.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxSignature.p7x	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\SkypeforBusinessVL_MAK-ppd.xrm-ms	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\glib-lite.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\es-es\ui-strings.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\ui-strings.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\[email protected]	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\JSByteCodeWin.bin	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DocumentCard\DocumentCardDetails.styles.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\theme\lib-amd\colors\index.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\WebContent\node_modules\@fluentui\react\lib-commonjs\components\DetailsList\ShimmeredDetailsList.types.js	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\sl-SI\PAD.Console.Host.resources.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\Assets\AppPackageLargeTile.scale-200.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\NL7MODELS000A.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\how_to_back_files.html	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1909.12456.0_x64__8wekyb3d8bbwe\PeopleUtilRT.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\libwinhibit_plugin.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\SmallLogo.scale-100_contrast-white.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\en-gb\wintlim.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.BingWeather_1.0.6.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-black\WeatherAppList.targetsize-16_altform-unplated_contrast-black.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-heap-l1-1-0.dll	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\how_to_back_files.html	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\images\EmptyCalendarSearch-Dark.scale-100.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-white\PowerAutomateAppIcon.altform-unplated_targetsize-16.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\TellMeExcel.nrr	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses16\ProjectPro2019DemoR_BypassTrial180-ppd.xrm-ms	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.PowerAutomateDesktop_1.0.65.0_x64__8wekyb3d8bbwe\Images\contrast-black\PowerAutomateWide310x150Logo.scale-200.png	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\as90.xsl	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\dasherSettingSchema.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\sr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\th\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\cy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\ur\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\kk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\gl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\lt\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\sk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\en_GB\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\msedge_url_fetcher_3472_1840520500\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\mr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\de\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\sv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\fil\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\gu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\es_419\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\cs\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\el\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\128.png	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\ja\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\zh_HK\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\lo\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\pa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\fa\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\offscreendocument_main.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\pt_PT\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\lv\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\uk\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\zh_CN\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\service_worker_bin_prod.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\ml\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\ro\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\mn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\hi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\sl\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\offscreendocument.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\af\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\vi\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\en\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\es\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\az\messages.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\bg\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\da\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\eu\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\ms\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\ca\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\id\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\fr_CA\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\tr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3472_848317654\_locales\ta\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 36 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133884743422752333"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{89DC338C-4E47-4BCE-A16E-992CE3C7EC63}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Saveyourdata_auto_file	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Saveyourdata_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\翽\ = "Saveyourdata_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\\ = "Saveyourdata_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Saveyourdata_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\翽	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\\ = "Saveyourdata_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Saveyourdata_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\.Saveyourdata	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\.Saveyourdata\ = "Saveyourdata_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-976934595-4290022905-4081117292-1000_Classes\Saveyourdata_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-976934595-4290022905-4081117292-1000\{87A6118B-EC29-4038-AC87-B1F76E1C7CA6}	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3212	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
3472	msedge.exe
3472	msedge.exe
5444	msedge.exe
5444	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4244	firefox.exe
Token: SeDebugPrivilege	4244	firefox.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
4244	firefox.exe
3472	msedge.exe
3472	msedge.exe
5444	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
3212	OpenWith.exe
3212	OpenWith.exe
3212	OpenWith.exe
3212	OpenWith.exe
3212	OpenWith.exe
4244	firefox.exe
3920	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5904 wrote to memory of 6032	5904	cmd.exe	81
PID 5904 wrote to memory of 6032	5904	cmd.exe	81
PID 5904 wrote to memory of 6032	5904	cmd.exe	81
PID 3212 wrote to memory of 5728	3212	OpenWith.exe	86
PID 3212 wrote to memory of 5728	3212	OpenWith.exe	86
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 5728 wrote to memory of 4244	5728	firefox.exe	89
PID 1424 wrote to memory of 3116	1424	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe	91
PID 1424 wrote to memory of 3116	1424	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe	91
PID 1424 wrote to memory of 3116	1424	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe	91
PID 6032 wrote to memory of 6052	6032	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe	92
PID 6032 wrote to memory of 6052	6032	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe	92
PID 6032 wrote to memory of 6052	6032	2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe	92
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95
PID 4244 wrote to memory of 4180	4244	firefox.exe	95

C:\Users\Admin\AppData\Local\Temp\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
"C:\Users\Admin\AppData\Local\Temp\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe > nul
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:5904
- C:\Users\Admin\AppData\Local\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
  C:\Users\Admin\AppData\Local\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:6032
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe > nul
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6052

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3212
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\UnlockTest.MTS.Saveyourdata"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5728
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\UnlockTest.MTS.Saveyourdata
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4244
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2580 -prefsLen 24445 -prefMapHandle 2584 -prefMapSize 268548 -ipcHandle 2644 -initialChannelId {6c3ceb5f-39e4-4f1b-a6ef-adcf5e3aaa4c} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
      4⤵
      PID:4180
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2896 -prefsLen 24445 -prefMapHandle 2900 -prefMapSize 268548 -ipcHandle 2904 -initialChannelId {ae201233-b8f6-4d46-93aa-03cc8203947e} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
      4⤵
      Checks processor information in registry
      PID:392
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1820 -prefsLen 24883 -prefMapHandle 1824 -prefMapSize 268548 -jsInitHandle 1952 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 1924 -initialChannelId {ee7627e1-a90a-47fe-9aca-ad359e4bc8ca} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
      4⤵
      Checks processor information in registry
      PID:2972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 3804 -prefsLen 25767 -prefMapHandle 3808 -prefMapSize 268548 -ipcHandle 3816 -initialChannelId {a8662651-e9a6-4140-880c-527cce2f321e} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
      4⤵
      PID:5372
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4416 -prefsLen 25913 -prefMapHandle 4420 -prefMapSize 268548 -jsInitHandle 4424 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4432 -initialChannelId {8ff74995-e702-481b-a7b2-639de5c6bb3d} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
      4⤵
      Checks processor information in registry
      PID:1972
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4572 -prefsLen 26054 -prefMapHandle 4568 -prefMapSize 268548 -jsInitHandle 4564 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4460 -initialChannelId {62f2f984-5e29-46fa-b042-4e008857f31b} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 tab
      4⤵
      Checks processor information in registry
      PID:5184
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 2168 -prefsLen 35810 -prefMapHandle 5360 -prefMapSize 268548 -ipcHandle 5364 -initialChannelId {c0dc6b7f-a0b8-4afb-a1c3-cf60277b2784} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 utility
      4⤵
      Checks processor information in registry
      PID:3364
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 1896 -prefsLen 34331 -prefMapHandle 1696 -prefMapSize 268548 -jsInitHandle 5024 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2076 -initialChannelId {26c0165e-79cf-491e-8a3c-afde79fd0ea4} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
      4⤵
      Checks processor information in registry
      PID:2232
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6012 -prefsLen 34331 -prefMapHandle 6016 -prefMapSize 268548 -jsInitHandle 6020 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 4008 -initialChannelId {af837a2d-6bae-4084-8592-4dd503f2205d} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
      4⤵
      Checks processor information in registry
      PID:4824
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6160 -prefsLen 34331 -prefMapHandle 6164 -prefMapSize 268548 -jsInitHandle 6168 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6176 -initialChannelId {8b24b6b8-413a-45c6-8e05-ff6ec7374ca9} -parentPid 4244 -crashReporter "\\.\pipe\gecko-crash-server-pipe.4244" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
      4⤵
      Checks processor information in registry
      PID:2724

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\UnlockTest.MTS.Saveyourdata"
1⤵
PID:3388
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\UnlockTest.MTS.Saveyourdata
  2⤵
  - Checks processor information in registry
  PID:5288

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Desktop\UnlockTest.MTS.Saveyourdata"
1⤵
PID:1548
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Desktop\UnlockTest.MTS.Saveyourdata
  2⤵
  - Checks processor information in registry
  PID:5812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\how_to_back_files.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2e8,0x2ec,0x2f0,0x2e0,0x2e4,0x7ffdb851f208,0x7ffdb851f214,0x7ffdb851f220
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1904,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=2204,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:11
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1436,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=2516 /prefetch:13
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3460,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4764,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=4696 /prefetch:14
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4668,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=4808 /prefetch:14
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5368,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=5380 /prefetch:14
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:14
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5364,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:14
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5484,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:14
  2⤵
  PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1096
    3⤵
    PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5500,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:14
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6000,i,18273051823598885548,7398518569020533265,262144 --variations-seed-version --mojo-platform-channel-handle=5824 /prefetch:14
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2f4,0x7ffdb851f208,0x7ffdb851f214,0x7ffdb851f220
    3⤵
    PID:928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2164,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:3144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1836,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:11
    3⤵
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2520,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=1812 /prefetch:13
    3⤵
    PID:564
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4188,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:14
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4188,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=4336 /prefetch:14
    3⤵
    PID:5952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4392,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=4428 /prefetch:14
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4828,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:1
    3⤵
    PID:4208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4848,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=4908 /prefetch:1
    3⤵
    PID:1360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5412,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=5392 /prefetch:14
    3⤵
    PID:5912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5380,i,1811481074491354658,16952947820474997048,262144 --variations-seed-version --mojo-platform-channel-handle=5452 /prefetch:14
    3⤵
    PID:684

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5432

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Public\Desktop\how_to_back_files.html
1⤵
PID:3612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5828

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\EPDF_Full.aapp

Filesize
2KB

MD5
95adf7326e60363772f1b2ceda46ac5c

SHA1
84a7afd2f006a3e08b7d1a0eff6a0a3520094976

SHA256
5e95e4e20d55e087265211fea29b406f452d588538f94691313374eec47af5b3

SHA512
ca7cd45fd626edeeeb76d3ff8fa6e0ca507d34b8ad026164ee957e2316764ab8ed1292913346df87f81d82b574fce8374ff74747cc3262b21cddf6e5144e3514

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp

Filesize
2KB

MD5
a98fe37bf355955b535e74cb93d99502

SHA1
e31db70964f0ef359908b375a9497b8640fe883a

SHA256
5c435a149196d01dab9f870a242ada569cac8b3b6929242e46e0f7054a0f0bd2

SHA512
be4c423fef44644e4bcd7d3f8044fb22da5071b217b93ad777d68346ac41f1548c7633a51637b27cbdd2c7a96be2d4d15d60755cae126ddb96ddd71d58fd28c7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\RHP_icons.png

Filesize
2KB

MD5
60706ac3239645773b2ef152d0aeea48

SHA1
9021b7f34e0476a51a9d263307f70e61c0bb2e3b

SHA256
5d9b9d4a1734e53b91130e8a1eecd1378b9217ccdd96fa5cf724482e6ef08687

SHA512
6a0a18fb66bf6d3ae0b1e79553a0daa755d711082be1d2179419db9f240708fff2e9c4391ac636dc7d53207199d3520e502e4a87e43e9a58fba514b0797cdf3a

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\S_IlluEmptyStateDCFiles_280x192.svg

Filesize
15KB

MD5
6316d158e1a1143a040a280044221069

SHA1
67ee6796836e781b3a4132407bf90f67fd2187f1

SHA256
74fd470231897a930475afe7d646c596c5c663e4aa2ce87fe88a1e3131657673

SHA512
a9f25eb8c8e9b72392edb41f1a5ce60d3002f8dc05e20bc9e2467aff62fffe393bc4096ba3e9ea26a798237bf60500ee7ba9f35c2c5fca1635d533a786507cb6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg

Filesize
3KB

MD5
764a25d016aa6fe0a32a624b8589a75d

SHA1
43aaad1624fd2df9876db1829a09c6fee98ffbb2

SHA256
4cc9e1bcd9acc9995559d7cf5601eb152ecbef8a50a91b2caf2e05af3f58d905

SHA512
8814141cf07a60f63feba8252bb97440227abf748a6f470396ad4fbef4c1332f51e0e897a51dd82054a7a94b9fc8bec42b4bd22d9576dc6dd32d0d7c2bd4fdfc

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_delete_18.svg

Filesize
3KB

MD5
02f10ae77a3455f0bb82985c20cbc0c8

SHA1
a7a975041d27c74a2528ee1b85400aa349641d7e

SHA256
38472f67f9fb89bd1b95f499093a050538164b772c19411b795a0ff502f48b57

SHA512
e1922fc397ab04687e95e6a18f51268c375e0e0484c230022e4c12ffc18d874b0c36a317ad180fcaca024b689b85b4b656afc41e91f48d77601b4ece69ecbead

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\RHP_icons.png

Filesize
2KB

MD5
94c8e56dc18215723ac303217fff0f76

SHA1
e3167c38ee8f491a92309ff9a6268a312d228393

SHA256
e61d78925adcb35942e5e3a6ee821db7ef657c369084367186e85c350a8de84b

SHA512
6c830f5297a3dfc72cfef0a15ae2f33be5c70ca17365cc8cb6456e61d579c466703cb40275a6bb412330c37576e89235c4c936da2f0195ebdc487b5965fe35db

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_folder-default_32.svg

Filesize
2KB

MD5
1420208054610a8ab10f7b0c59dd4987

SHA1
5d64e02e8cb8c94d80ef93b11848f0da83cdeb96

SHA256
fe88598d6ee924c31b4ce98cd5442917dea943423a4513c814c5caa60d15041e

SHA512
a7f2e3f6010a2e51fefd6bf6b1e89fba0fb02df6a3a760ec32a85892d679bc586a8d224b1c58f5a0bc309000facdc2e3882af177bf712a6cf2bc75ae946a9f8b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_invite_18.svg

Filesize
2KB

MD5
1a06ce5d611c1655faae854814408375

SHA1
9e2159ff31348b0f708aae45962d8f71717fc82e

SHA256
111ebf0a983206939164dc33dcc7e198c89fd3f4e2f12058c6b0aaa083c65ecb

SHA512
8168ffaecfcfd5eb6cc9ab4832f555ce5515d4b6cda23530c8b9603bb8ab64ca4ca9602148862adbfe7b5f7e4f8f59e70ecb221b92552119aa7fda73ed63c0d8

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_listview-hover.svg

Filesize
3KB

MD5
da27580c1db4eacf2ace14758f1c3fd9

SHA1
a798ccd7926e7c1592f9a06d3723bff1c2230b8c

SHA256
3b9db200a0b304773adab904d77394de1b7361e46771957c87455ed5d199de75

SHA512
6752651422b0adbbcd7de05b2274a0d095d94cfe33bf24f55f0120b7890a04cd033b861b22be4de2ec647aab3567586217ffb709afb8cfae766c754eb3e653b5

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_newfolder_18.svg

Filesize
2KB

MD5
8202559645f24390db9253b65a46e8e6

SHA1
ce9c123a92be9bd68f310a84a210345c6b34b6f2

SHA256
ff0d3baacb06eb1a9c698e95a575dd7e3c40a54901e2556231f7c044a880fedd

SHA512
4565628e5ac0e64a1ff6fe39a667d2f18923bf2e7fa226cdca2eaae8509c7d66bd31c814b188256ca9427d47cf9310316e30e70d456f0851f998dc11df68813c

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\s_sortedby_18.svg

Filesize
2KB

MD5
17804f4507a9acc5516d6913b2389bda

SHA1
59b9910b8f5c592f9e3a9b71c95fe54431019bf6

SHA256
d336f98e052cf6fcbefa476e7a15baf3748187933da67a0544a8cbf6b5e4e10b

SHA512
01c0ea4090f408cfbf681493464acdd7a09cc126d2f59991a072cc5d930f231e8d69f11b44757e6fb0dcb06a26cc7e7c23a136be452c819f4ba81cc1d27d555f

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\arrow-up.gif

Filesize
1KB

MD5
97f9e0b357a0a13b00ec62a343e77f75

SHA1
38bf28085db8d4ddda8131b44bc97602729ea84d

SHA256
ed56c0be2a41d9525cc905b45212d36d8ef45f5717d77af8ec71537d9244cc0f

SHA512
bbad89bbb5e893f347ff16a51756d63f8aec1d792c9b23340a23bf040cd5e965ebf148e350b93981c6e27205e3c8098ee34ae462a0e16bc973ba11ac145bbbcd

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\ui-strings.js

Filesize
34KB

MD5
d9b8b56a40292c6cf7a7ea35177f99dc

SHA1
f67683fb673dbbbc2dcbeef362daf0b32d6b2b71

SHA256
18dc45329f7960f4736cd4e090192239f35bf90b3044d0c16c2d8fcff9ef2507

SHA512
80c0491606995c78b33cc1ce9aea0bd0ca3bbdd2983f709b3d7be880801b82c4ab68dc58b45321f1ac16d72fa92356160e87e98d4ac79358332ecc37c4fbe286

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\avatar.jpg

Filesize
4KB

MD5
faccdb5f9e5460367327d7107b2190d6

SHA1
18364d8d689bc424dc5dbb28a56a778d5cb768fe

SHA256
7c24f2c1b02029c089f0fa79b290f898550397e3cdfb9cce4e81c77c98861d04

SHA512
1ce6a1383a034aebb0cb88f414d254c90455ec9b58bec737311d59dcbbfe086b7b6e3f470aec7ba524a0bc4f91447119e1a5281b4c4eeb02498f8d14d53e440b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\rhp_world_icon.png

Filesize
2KB

MD5
fca8c38b275e900ddb46961bc0fb9c2c

SHA1
fe6a40c66a7ca88d45b6ba01edf41faf65fa0506

SHA256
0b527b3713460d72b67cf296075cb3f5fe586064fe2ea07451b366d6262bd1e1

SHA512
e4dbeba590183df40b8a360d28c6dd88eea521adbdca4d949a55e077c8533b1fd6b0dd1eec11327b67598846d6b874644362932bd1cc4cd7c1b24e3e59f9f6a3

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\rhp_world_icon_hover_2x.png

Filesize
2KB

MD5
a1c5b91de1b125d180b3a22c629f792d

SHA1
3481f097de9cebdee9507f6a40ecb92b592f3b25

SHA256
f6bf2da25af92af97b1b179b21e48e2e313206a924492e5ba346e16d1e1190a2

SHA512
9c2bbecb13d05e5993496f01395ba89d5ac693f0e12c905f5a0bf21e807f49942005ae59739374e8340fe4e1a74d9e195b58800c8833590e079390548eaf95f7

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\[email protected]

Filesize
2KB

MD5
9057745a06498c824e9404afaad30e55

SHA1
327fa37bdff36a013e41e1b4736eb4426df419c7

SHA256
d70d3ba0ab0bb10aa9f2c789185a22b897f0120213bad99ef547832f3a9d9c47

SHA512
7a500f61620b95f125422131346ded39bf6ea681e9dde4729572543ae2e779ed24a705488add6349ab4705f41e7c22d6206e919d1b82e1daf0a214cfb3a5ae59

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\icons_retina.png

Filesize
16KB

MD5
d375e11557bfa09c4cc5455b9b210bbb

SHA1
ce49d28a174f11f3f8b4807418ccd27cd62898ce

SHA256
90a568e4b398b24552a04c6d671467261abb3775b285970b82c0f3210e56eaaa

SHA512
c7956c06e8ec662501c9c65c0a312522c585416180f39618cf01f00f11514b1d64ee549fb07e908057c40cfd50ce80400020c2a060090e1c481023d720aa8f36

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\ui-strings.js

Filesize
7KB

MD5
2515bb9e430aa9a1d75cdd5d93acb744

SHA1
0afa299ad0e36403a522839df079090d58341b8a

SHA256
9ea614c722505194a44ae422a05c541c26061d9699f699778dabcae6edd402f1

SHA512
afdf67a6623902ba3b513afbe7892f6274db9976218e97b6e4908da4c21bbe945a340168619e797cc29bbc7b221d24351576da9afc6a1fa07b0677b9bd74fe5d

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner.png

Filesize
8KB

MD5
88a887694de5df358d8c295c121167b6

SHA1
d10c34ee15d932ac1cf6f9bcb3b070d47dbc04f7

SHA256
72f76d40f60005d40f7c03b268a8b27fe1650d43b1f9591f073c25d6f8bb5168

SHA512
a59eba6d72ae4892ac369c48602243c2aaba0697f8acdb07474cd76bb17ee8a1327c1dfe96add4af0ede34406cbb31c2bbce79d05e713d3c83119bcf21ad33c6

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\pdf-ownership-rdr-es_es.gif

Filesize
472KB

MD5
5f83322e776aed2e76b7b7aa40ff75d1

SHA1
1110f56d404d32051e4a21462ac106395d2be779

SHA256
db7b395006e17dbe71595ce6b38f1ae7af000fca31cbfce4e07a68f1a882adc6

SHA512
7274da211834da725dd51402ebbe7d5a669a304d7fe0d51e18ce6780a11433cd3877b23cba59de43d3313070ea70a8dc0079a81901066c3c0579f95f63d16c7b

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\sign-in.png

Filesize
23KB

MD5
0d367de6e3246b031ce37ee679f168f0

SHA1
08e4daf2fda45eab5e82c9b4276edfb5a25935ec

SHA256
46be210287d464349a98d2cbd32ac84129ccade8a5bbc180b010f769620375f5

SHA512
0c418a041dde7f0fae85e2598c0665d2d4706b91ff13cb322122b6f9681c5d966ff81ece87023c369158e944233c567bf588cf5d0951f998b682ba460e618a66

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\welcome.png

Filesize
32KB

MD5
2911c944fa1b705e82435bc3968c7bfe

SHA1
c0aced14d1c7464f21dc80cf60e9a324157171f4

SHA256
10b078ee7cef83e97de21a3a8c943d905016e63c296a71ef0763d71a523b179b

SHA512
c4b38d0e1ee5b976f37fa6801d7227ea8c4b8eb7416d185d1111d700bd9cfa2c1d16491889a85319c03b3cc0d30f2c3e88e97f76c0c95fd0652a5dc37c1d6bcb

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\ui-strings.js

Filesize
2KB

MD5
a03216499ec79b599a7db72415793cd6

SHA1
94badb75f42d7f8bfb4a323b91bb318ffb8652a7

SHA256
99ea84202e068b4749ff1f75032df980871de26eb1d35a1e1573d39e117f6383

SHA512
ca3a5201acc37e0319896d24ffc337892fb474ec4e832a5f3f2db2f544c6e5cc638036130c91a3ae0512ef7afee76fe04e39ed19d78063dba8c1aa4a038a3243

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\ui-strings.js

Filesize
2KB

MD5
cca596d97dbaaff05482696357f2d6d6

SHA1
3ded42b61acf39ee0a376928223c0c6d11c43ec0

SHA256
fcb99a15c7ba341037f54b04d1f60dd2c07e4b9721c7c794eecdd9bf4d88383e

SHA512
874702123636f65a773bb93b7d561c1ee7e60d7071e5ffafb65a3eafc70e0551990d8fa80bfca235786d1c56a74c37282ec7b74f0dcd41347bb3aa809fc54471

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ui-strings.js

Filesize
3KB

MD5
99317498c01ab8d9753748dc9f623b0c

SHA1
60320c731da0585dca8860c9258c89ed0c84a50c

SHA256
fe24bec9b2872245b062842621ea38bbc2ca7899389fda6eff63ea350b3bf969

SHA512
87755ea10f1afcc8027121c0e0cfc90ae4c60edb035fd8465fac151447a63cbeaaaecd7a5779c0d9179d2fe67882edceb82ab36460d9c84509f8775494c85dac

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\CYRILLIC.TXT

Filesize
14KB

MD5
43ab1288f3b430181616d6ce2d526d07

SHA1
ff7c30f1839d15b39edfc4e878c703cf3d100ff5

SHA256
780840fc190845c582c2c02eb4879669c336b56a47c67a0390b82fdbdc4ef9ed

SHA512
457b318da92015d2c2e8d2ea59816f07883ee976c043be357364fc6064b3e808b72a0b54531c8cb865013dfcb7215696e012cf6b380db6d394e6e74aede0a7c0

Download Submit
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\ROMAN.TXT

Filesize
15KB

MD5
77421995ff085d6f94abb100ccc55acc

SHA1
eba93fb015ecee41e871ed800019d962b001b22b

SHA256
3b13bb75cbc72e7c2223f7ad9e75ef3ae0b1302b05222303e3bc9250fb7a442c

SHA512
09346f37609ea59bbbe3980ad19d92b6b1623ec2496dfdad0e21dd53565fa9948eb57d3e6d21f1ca1cd2a1f94799ae20dceea079030d97fbcf388e9ebf029e88

Download Submit
C:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE

Filesize
4.1MB

MD5
3fe2c536128a68ade8f17738a52435b3

SHA1
76bbb7a9721dff3c2d7d07fd03777e5333765706

SHA256
9def99d77109d8ecb0822f4e72b366894f6454db9b998df466277f920bb223d4

SHA512
ea3dca3ff5175cb6798509e44abb41ea27e8272fc3a290dfab354897983129bdbdff64d023765e64474b56a782f00eb94d397f2b1aaf625f05c784736908ee94

Download Submit
C:\Program Files\Microsoft Office\root\Office16\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
22KB

MD5
5612ac2a1cbf9dfa80db4cd6179f00ce

SHA1
6b078b80ffb70efe6367d4d0b89040fc3b6dae4f

SHA256
cabebd34f70d7417baae98b487e7f64dc244ec345d42ac5a7b2378e7ef0e8825

SHA512
9f6037cb1c5cd387714bf95abcf0ad9548d8febfe6776ba2564a062f61db4f288a35ba8464855fd21ce28ed89c3bb786a5ed54aa0648145721ddaaabf9aa580e

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png

Filesize
2KB

MD5
ee290b325008570e046968c42a039ea7

SHA1
ca9d393fe36c8974806aea66650d162ac4a880e9

SHA256
15e0827baa8f2d8cba77e389247fe5b835bb2274e65f9b795b31315809fe2a75

SHA512
f16f764f2a9cf654e060cf9b82bfaeab925b4d80eaec38256d7020942036f678a3c0b37e2ebfd696d3685ced3846bce20799f2e1ac3baa91cfb97b78dbb22371

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]

Filesize
10KB

MD5
79af52a9b6f06352d15854d2da9e975d

SHA1
b6fa51200dbf7b0c6866794f6e4eb32216002425

SHA256
abbda1c3fbe71d7476dfd095cb633871c54f723bb45d7396cb0ef9daa6c3245e

SHA512
299c68afe66bb2c060da802209d6c8b893d9f77929e7704c388de64ab7ab9c83b74c9a880dbf16a477490721fa70310c80d24104d9cdaeb23e4d6fdeedebdb63

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]

Filesize
2KB

MD5
14165a2252af03ea6910f10dfdf93f28

SHA1
8e22f6bdfd1c214205e26c1af7a047203fa74edd

SHA256
1e9d91442dae82094da94b904e5fb05c7f15d8a61be529c3f7b9c5529b22c9a6

SHA512
8aa8ae6416d223fda4ee1835c230fd731d87b98d8ec564f4eb161abd0680253449109b23e4e44bb4a80bb901b5a6f3cf673d69a07f711ffa856de8f5c99c9f22

Download Submit
C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]

Filesize
2KB

MD5
c6f0719cb2cb7e485a810caa3177ed57

SHA1
9b9f57ce1132e486a4cd348af073ef387115d0ef

SHA256
0c87a9c753f5b02fc5e4b91c0b0c0ab6bdd055b6b2ca6f40e8d5b041ec911ca4

SHA512
789a39d30ba6284ec717efe379f43f47779628d0bcde26f63a1bf2b6aa2e2f9b1b25c83423c101cff10cd2dffe15309aa31aae8199ca4d5016d1ae2b4f24bc2b

Download Submit
C:\Program Files\Microsoft Office\root\rsod\proofing.msi.16.en-us.boot.tree.dat

Filesize
5KB

MD5
7541a63c28f943b575373158475e1d23

SHA1
d775d026f95e26e7fed5f5a6185c7ed3a484083c

SHA256
d5e77d37284a649a0d114ef22535fc8104a8885ab992e0a7146887c4db85e0aa

SHA512
6452fbb67ef2777f81d3e2cdd5cc43a7d04fa4a64dcecc8d41908f3d8d76af0c1244b5bc9f57afbaadbe4f672ea33faa8e05b5bdebd83580b1e47ec9b2789075

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\GARABD.TTF

Filesize
196KB

MD5
c7ebfd09810b7ad4e8c51aed9ef0fae9

SHA1
5c6abffa632ff61690e850ce276aed537cea0651

SHA256
1ddf9654ee029b9bab5faa2a513e82666bf306f55d9a6e9f8f251cde309132c9

SHA512
09df0bfdffe24ca1545aec356f0bb05f5cb02d7ef4091b7e75c276f0520590d05513a01cd7c3a689e2f305a37933778da3242b82e875b5d37a68b2d5c1d13efb

Download Submit
C:\Program Files\Microsoft Office\root\vfs\Fonts\private\TEMPSITC.TTF

Filesize
76KB

MD5
595d50c18e9bdea2d9a12bdfd863ff49

SHA1
4a2f6160da9e13e070417f7c0ed3b36f02a6ee4d

SHA256
8b9e83c1c8672d3d424d02d5f51e5d549057ee691fe105a51e0ae917d6cf67f5

SHA512
a48071675fad0da6e3cfbb9bb44d6f34fb7c53998f4d0439978db7e2a46246d26225165d83289f8e1fdd4990f29680c6756ff6b6a148c217cc3ee79eb351d56b

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\ONBttnIE.dll

Filesize
217KB

MD5
d0ea93830e66c940fa83d35bb0e6046a

SHA1
7c8f30daafbfc63f6d94c97ab9be623561f00eb0

SHA256
c598de61d87ec758173148c48b80e9bfccdddfa985e3552db7d7955cdf8d00e4

SHA512
1f82020a726397df94826ea7d5bf0624f61e4be833751d79081435b5143e7cd3b35a3af44b901f4ef4d00278ce189431a8863df781fccec48ffa4dd85b0e3c79

Download Submit
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\msvcr120.dll

Filesize
948KB

MD5
a4c1b596c64964833bf3afe107f9783f

SHA1
d199cce3e25a840e6f088e216714e64fe86b3a9d

SHA256
0dd3ace9e1c358bc5c1af4849e2482ede1c7ef460429574c0378bf744d9f1a93

SHA512
d5c5af9607a267cffd5ff73af85d7f6936fc5f3c754e75a1eac1cdcf58ea56e08db8eae47c9d0e2ad2a96dfae9ff9415f4a66e5c845710d7f5de2ec6edfcddb8

Download Submit
C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\vlc.mo

Filesize
47KB

MD5
ec12965ef72b9b5d43532f6c6bdbd74a

SHA1
62d58f5cce21781b816f002354f5d967e33e684e

SHA256
703cee0b1456e6acfc2ab7c8ed8757cfe9c6177a111e90e19efeefd169efab9d

SHA512
e6ce6d8f912a369195a937800391e9466a154a13db7a0530da0e01c9056c3a78d573158058ffd0634d1e9c527c0c6f2f6b0de26e3106f5ef5f8e23375b84ff42

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\codec\libaribsub_plugin.dll

Filesize
345KB

MD5
6aeb4b422e6aa0a70dfef33318d653fd

SHA1
7c7f99da66b2195d4c4ca77c4a6fcacfa7fc690e

SHA256
a54d0bd38830becc78e89a9f009c7b5cc334b22d2066382574b87e76cbe9df05

SHA512
23cea8eb63554bd7b81aab3e03e6ae44b57d82c346af36f2c9e27b566b0e775a96229f632d9188d9f8489de8b30a3ad6c34d694736778d917aed75d7a4b07fd9

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\codec\libqsv_plugin.dll

Filesize
169KB

MD5
b41763393f030eb24370ba7d4d926d1d

SHA1
c47038fe7c0800c82cc484d58c747696fe623004

SHA256
44e740e15ab59a8bcdca7f18e8e5abc546725f371b5417050758cb74e5d28864

SHA512
01a5a761b3b9ef723c2c6f9e895621307a493e8587122c34a9d086000876bae651520f27828e495bb4bacaa81f4c1c2ef8231d75629a0a2bd5067eb1ee26ad35

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\demux\libmpgv_plugin.dll

Filesize
42KB

MD5
e9c4fd5c3b4eb50774a2ef17a604e86a

SHA1
8629e9a63bd3e00b9fb08fedd52d74b29a0da36f

SHA256
b1bd037ee3c2a16d9f35a2b75cef7b4d0d2c35c6b421123b9ede707aacfc5ea1

SHA512
41523eab8908b0e8d99eafcd09d049e966dc88abd40e7d024459035cc7a6d8b9f2bdb3990c1aabba65f703720d2f32e46738afda03f7275f7b3f26d2519f574d

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\video_filter\libhqdn3d_plugin.dll

Filesize
56KB

MD5
32ef8b55a387943058c8cffd1642181c

SHA1
6bea6e69643598c519b9c8f67758e57907a6a087

SHA256
5ab4423803662ef171c6ec618e165a4011d56dbc17367b58bb72fdd85aa85819

SHA512
ac05a86032d0e6a366a9e5c80a4b2cf80930e495dedea6671a39cd3496fb9ad289c92ee564849bef5b8950ca612e9c12b384fb05a5ab56a8764f06c2622635ab

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\video_filter\libmirror_plugin.dll

Filesize
48KB

MD5
744a68a8ca3687bf200a913e1b4d56ae

SHA1
d201c6f9859c2194b4f375e9fed253eed713641c

SHA256
f790e376c6ea30104ace23fb92a076fbea1268464d0cb09ec36057b5fb05b7e3

SHA512
555d31e4149d6d9504516ee60274cbaa01feab33ef710a69b9fd8ce5b17184c0021055e95ab59ca04f712df0c3db7befeb2501f1dbc008e6c2f77b1b122b0856

Download Submit
C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll

Filesize
42KB

MD5
4347c0489c3f9446a75bd81b22b625ce

SHA1
9622836c7cb2b2c34b4022d1e206c5c9d24b6d31

SHA256
5e074bb8f52c3755a5dc8a0f9a09974ce990b65aea767617d745cf01fa20cafd

SHA512
a250f6db4a995c19919422f5c71849bdadf18a4183528f46f972a5e7a3e489c55f3b3475cad23ccc11c675c1837dde058279c4827e17d010074c827bbf0a95bf

Download Submit
C:\ProgramData\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\308046B0AF4A39CB\update-config.json

Filesize
102B

MD5
7d1d7e1db5d8d862de24415d9ec9aca4

SHA1
f4cdc5511c299005e775dc602e611b9c67a97c78

SHA256
ffad3b0fb11fc38ea243bf3f73e27a6034860709b39bf251ef3eca53d4c3afda

SHA512
1688c6725a3607c7b80dfcd6a8bea787f31c21e3368b31cb84635b727675f426b969899a378bd960bd3f27866023163b5460e7c681ae1fcb62f7829b03456477

Download Submit
C:\Users\Admin\AppData\Local\2025-04-07_577ff8c29904f863d5796a6f772722a8_globeimposter.exe

Filesize
53KB

MD5
577ff8c29904f863d5796a6f772722a8

SHA1
549734707d5a6ad7a262064255dc4ec51d9fbb43

SHA256
31e98d197c6a99185b97dd573fa2cca10c3bf7259313ce402fcf9ff9e88a3433

SHA512
717638c12e5410317a3d0b0cfd62abdf3fb81cb123f539a77d7f0f228ea3944d8e778c659f01bf4f8781f31f5014dbd0b4796835dc07b69e0eebb98096d552ed

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\f4d41c5d09ae781\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
2KB

MD5
da2efb95b70078fb200ec70fcb327605

SHA1
e4ebdf407e297f289a628e2fb62b63fe51f06a25

SHA256
95f4ef3c6fa38f0ad69cb753b0a4dfa7ae84525d97ebf8a54216d807677af064

SHA512
77e8976aae4f8eab75f919722e97eff6ef644c3e4188672113813822f99cbc4664b2127b0448ae23642cd99be0a51fb18018cdece10b04d31de9e9bee98dd40e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
623d0eb0c4a36135a270354557aae018

SHA1
864d2599207960d2aedba50ada4a3b1b2a5a8b87

SHA256
52b485675b621aa85ff48f5cef95a29f845616b63d9a683bb7503f324cee3d03

SHA512
685e69631c295fee7ddb6bedccb9ddab7ac0fd5d5476f5236ee22d7b8af871f9705be8f30ec71b0bfdeabc69927be677942bf8bfcfbdb7ed1151e7dfe80105ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
ea51aa6d845add82c1fdb7c6693da6fc

SHA1
43e3f559399167e845e08528031b7e989bb77bf3

SHA256
45355904acddc7acf15b6f5f9379bc29fa44c4c049c747017e5230d0f4d98efd

SHA512
d1582568b637455cfd44d2a2bf9e3dcb3c3a8430c66ff9b9a34faa018d1cc407c14a47cb0a91a2d97516a8077fca9f4d7598fcc25cf7b4b97bfd5c927b42dc6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
960d9e9d25e993e952d6444b85a3c0f8

SHA1
c7b0c714e4346be22b6cc01b77128c1854ec67d8

SHA256
9ad43d67636b9e10fbbb0af9ac492c84700b7b193286333f7d30e5e3188c003e

SHA512
ea86ac21cd7d614577b533fe90edbb1e1e5ddd62879cf05aa07b0e4d3ce92275d937be042fe4ceafa9552feb4b368803a0b396874f11d98aea4855acf44bd213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DawnGraphiteCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\928dda71-37fd-473e-8bf2-e3369c462dc3.tmp

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9275d63e54b26e55a3c8dc37941fcf77

SHA1
a5611d4ecd7c9b7e0bd3f018b7b35f2c239ce7fc

SHA256
5695f0d3a4da0d06cb524b0785645f6039b153545ce5f814fd9435b3f2c39320

SHA512
b71749306ac653a0f7f018fae012d377c8b7172d1a64d90d9c56e596e63dfb2cbd0591135136806ab0adb580148c24fdd6da841342c3570bfdd521a9b24ecebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
a49939fbaf9020d8af6d0a06e4e8da4a

SHA1
e1de6945f0920dc215e8941528b1f5cc46d651e8

SHA256
50cc2c6071c6b10267c7ac58c16ebed233cba74f567b29d67c051011d0e3eb0f

SHA512
9d0480fa4cee8d758be20f56b7adfbc1331e6bdf5f630eb162a7932da2a6a6ebffebca3030283e8ccbd65424e897a5a9f28a0ae991dbde12a22a409118f859aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
4c4b32ab8e06f646d285756ff1bb1b60

SHA1
d1beeff69dd898676c24c8ede199299f4f9b467a

SHA256
67c10859860332f04149a81165db0b7df18c6683d8c1f653ec016a9d1778a0a7

SHA512
0db8514a2af769c976acdad444d28c9d8a117a9b50176cdf6a9fd67858caf3194eb4e00200879904f7ee6dcc2183d2999ff7612a7f8c11f221cfae60e408aa23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
fc23ee2d9f835221844376e4efe70f0e

SHA1
6a95e77f98106b1a36270e6ff7f8698bf26cb0ba

SHA256
6abeaac8fd4d987cf6e5f2334d5279c69b5a6316510ce1a3c63177d18bb6d6ff

SHA512
e993b25a3af9df0f51483a451f510b6544a4897b983f5f59c5a99f0da1027b79f8665f9f846237f3163c8830f946cd484e2de4ab0202b61278b733cfa960b41d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
de6768f0173b9b7dff38bc9c1ca0acad

SHA1
4dfa0fbd1fa137ecfe804ec694f9e0ba1e513706

SHA256
ca66355c492e086ca042de6d9de80870548989f322bdbcde20edb9c0840346db

SHA512
b35c71bb1e48229e6f698d7daf9d943074eef7b1dc654f5e250fbbabc16b5952de422f956bd9c9c92ce01459f7fabf4087f1b6ae4d0be0f75b1d99df8860c388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c9b75eda-cad3-4726-908a-934fdce8f18a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
22dfe97668fc3fa20575914503214c81

SHA1
6a7c1c04bea8edba0905cbf79b4f9a0c3b0dc688

SHA256
0d8f5d73b7a5f9d2ce2a2ab0dd710a54fa09490abac160788d864cdd254e69bb

SHA512
6f4cd3f8fcc1439cadc63347aab7bc1bea69262fd3edcd1b64c9f8f2326a85c595829852cc68a66686524ed91aa2dbcefd5d8b2ba555cd7a9db2afe771dad356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
bfa41bdf62c6d8600290478e2a14feb8

SHA1
079fadb3c6a906537a026bad91f8e9569387fc65

SHA256
26a00cbb9bb92ca60cf3581fb2b42e1f9bad3a920daddf875af6cd70d4b4bef2

SHA512
5fdcde157972d0ccf5ff2babdec88b33456c98077e70aff5d32e2ca94c2cbb612069d903a6e5959ce603a25abff44a8bfea272b361020199da685b7ee4997234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
6095fa72fbaeaff9061fab1577c61094

SHA1
1f7e99c812dcdfb1df252326b85f46aeef05f100

SHA256
065ef1890cd046ece1111d300255be15064bdea78ea7c7a0531ad3ab263bbe44

SHA512
04789facaf08e9befd23a404b28842f6e11a6ecc5cabd5c1881a5dd4150332524abe1d3214da6ae5bd309b8c55c1523df27f2a6812b4cf7e6a441b1a0cf4af1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
379029b24fd288ad47510496e24501d4

SHA1
cdea79b9446ace7a9a9e797505d5ea46043c0388

SHA256
f328ce0f94d9c8cab28bc0f763b4dc04aac422273e8332bf8fa99f745bb09235

SHA512
e125eef7778250a6923e40f667a4e6af2fae2f966ba9ac8684eb4730523c856bd69f01dc3af30b0bf57447b6799a4daab8ffd4cc90ab46f24f278be58f7b8fb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6393z01c.default-release\activity-stream.discovery_stream.json

Filesize
29KB

MD5
0625274a442a1b3f2579dc2c9f7d4d7a

SHA1
5866958c54de1db85b12c1bd30758a0c30d49ac7

SHA256
d8b61a966eca69c92b6d71a5e41d8f5cee146b5a959bbfa3b0c7d1e560e83eea

SHA512
530a684bf54585f49418440240719203113b6037c72a5611df0ee9759ceab7de382eb9a8bbca1f12822f53d3cfc7bfa1b60bd0b2b4ecada076b57d59b1dad327

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6393z01c.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
ddb4a01bcdfd372794bf5d74a48cb2d1

SHA1
8064219036a1a372538b2f7c8077ed35424350c9

SHA256
5c361b85bf766205af1a440231cb8930b22824c271cddd3c27350bb4ccce479e

SHA512
214078985d53735a494ef3794981624f792431b420f464b1b04ac9c6f578f584398fe1e90ed28ea78e6cf4cb18a3db5c93929e57f446ec02be10827f0868e207

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6393z01c.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\s50w9h92.default-release\safebrowsing\social-tracking-protection-facebook-digest256.vlpset

Filesize
2KB

MD5
2062bdb68151fa0616a8d621a91b75eb

SHA1
20da03c014f7d7bd4762b9b80ffa5bcd5d7d0507

SHA256
f986609953c24cb9a80b8016effbd7fb40302c10038c7d7cc84207481d6c60b9

SHA512
73209479433e10b6776d6cf6e8203c9dd29cee1f524040b4bb0801ea5e5d83d670a256c2ba834eb0ef5b1590496af35b0521ed11f2e94a6dd34308784917e2e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.WindowsTerminal_8wekyb3d8bbwe\Settings\settings.dat

Filesize
9KB

MD5
f0fa42b83c19a726259f974c3a2bf1fd

SHA1
d48099059e5a51a75bb3a84e0b0c45f0164816b7

SHA256
f7550f1f833d5a6db2a5b10d35bb63e5af5729cefe6186558192e0ba06a39b68

SHA512
2f83c9882a256d67ecf99960103f717519c7b0e11f41ed98a4faa74494f1f5d60be5bb02c2315e4c7ade42d88ab51cf5379a424dae6293e85183fff0ca92976a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\HT3M4TEU_1\U84VA4V2_3\9AYD7DOHIH_42

Filesize
2KB

MD5
bfcd5ad9092181ae84f85ba883a6e98d

SHA1
71bd7b24f8b58df144d7a26ea5f88090ecade37a

SHA256
3f22434079897216bd6f9eaf8bcfd3a313b8ce10720c3341455f67878d9c1e7a

SHA512
66875bb6199732e0e7d84e0cc3d0bfd7c0668b5f81a79b47f90db4c9b288026458d493456a9ad8d3bda63e5c950496e5ad2e5adebd66e44c0c44212035a47611

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\HT3M4TEU_1\U84VA4V2_3\FF3UJL4IDK_11

Filesize
46KB

MD5
8771883c9512ec64b79d328a4abe506b

SHA1
b6001e2483a52d3733cb0c609ab14ba50d53bf81

SHA256
6310f9b4a2842bb3bc5f92110a357fba66258c87a0ee959ea5dcff3e070ea90a

SHA512
f5f801d462b772347212ab9e8c98c33cc4fc5857a24cbbdba66cb797f34d437db3f78a34d4363553dcb0ec3b3945c5890cc6b51fb1da6dd6aa1242ee9d6c2c09

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AppData\CacheStorage\Files4\HT3M4TEU_1\U84VA4V2_3\FRJ83Q974T_45

Filesize
2KB

MD5
efce922d4ba94822d2d348565fe42195

SHA1
cefd7ee0787d01c005005de2e3b007d80e44b26f

SHA256
c31486e886309cb92208f5b974700421fcdea23a5aac301f833536c48efa4ee3

SHA512
0a2b83d7abf59010191b54681992ba0814caec958726f5c909cac7cde8c44d6568e06f97ec0af8e44cfacd33e01eb03d0da6ed9d0e855d612336af56cb48079b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
857f55b929903232bd62706ccd8068dc

SHA1
f5207e46b69313bbcdf65d63962e7f6ebf62f85f

SHA256
c31e1bfa324f110087d6a81c345f64a084093db212419ecc39f24c896a07b0d6

SHA512
3d8dec76512fd64d40c52088c3d6118a3fc75d69f9086e2ac940a75c43a16eee59074d7b28c91c3f035419c2aad9f1d7ffc622dbfcbcc74ebdecb131f60bec78

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI2ED6.txt

Filesize
416KB

MD5
d698e55c4ec381195df05197f57af8b6

SHA1
5025cb4427be6e8d99308ef0c7a6d5a7f1af31a7

SHA256
d72e17cfe3f4ab82eb58adff0aa1619924e70c6aec6896e9831789e98e5002e1

SHA512
6761f7f09043a4819211657a2d1f16b75ba064dc086b5a7ecadc9ad842743d3522feac77b3bf4a7461e8bbe3681568f6d327a740bff739aade11566c214557d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\remote-settings-startup-bundle-

Filesize
195KB

MD5
231d6ec9da65f87ba10ebc9c34a1f5c6

SHA1
96c337dde3e63318a4ae37d78ed28deb1723b0d4

SHA256
485ef8a4a05f08dfaead870bfd31011852aca9d2a47416995a0fd95e2a60e2ec

SHA512
2a5741292c795989543a8d056024711b2123b542313c94b1c54ea1736cd3fba83066f8aef16638a5abc45f38c68554e51d0bb65b0f30a97449e4be4bc2c8fa83

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
1KB

MD5
949fd92dde9a674cfa412b1e102e7ea6

SHA1
fc9a9def439ea2ff58adce1733d9f170075f7d34

SHA256
e2efdff9a50c6b884672b24e22b1963d05a2d14c019a2ce300854126882da3a3

SHA512
c825ef3d14e7c62cc68ee82ccc48f1a654a5ba70e1f973b58eda6c080947e83f3ce14bb12da7949501699084536ce3dae4f02ca8d290d4730c862cb0985f2c5e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
e4bc78eb0b65605da345e10e5963ad6e

SHA1
a7b43401f0ec2944a3dad2d29a4c1f590cbb457b

SHA256
897fe5d06eb681944135cb9ac98acb68557be078170fb206187efdd4bdbc7e10

SHA512
2735b2c1880ddf721e514f7cb4607b81014bcb51a6f1784b6f8850f78d579e15c3fcb029820a3d24f3e2dbdd3867a3cf6a2b11a7cab8708c2764d89402095cf2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f73f3c037f13ffafe3154ef19700b20c

SHA1
c1c3a651bf7b940d614b6ea9669935802c440af9

SHA256
dcdb664f0f583cda9dfe8e1f81e0fc8a55dbac70337b8b14dfb6a80d8c2dc03f

SHA512
4cc95e1c4c39cbf9de9942771cd836cf5db95eeb7ec506916835a16185e12e1b240365dbce550fa5686a1e179e6227a28d714e03614c02bc59c54e3c9b0b2a78

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b7c8df1a8bbb975a62b73bde8386a7d3

SHA1
a3a6db36330c12c1f525cff7dd72abe5a7bd12a1

SHA256
ff421af7871360b7022c001ea4f208d75760cd8e6382795a67df35269001973c

SHA512
5e3fccc029348711f6f28f53c532ce64aed9be2eedebc1820ea39bd086ca804ef1513f2706454290fe99271d0c5bd47690f533ae06e577e456e9ba585c6f81f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
bb58221c479a02b6fcc88ab684176def

SHA1
a09623db0a56f46478c9b096f7b906dfc82da6e5

SHA256
dde8d0614dca07335733a4c071d05a2c65341261c3bfaf7ba0d3b8af22a91a45

SHA512
18e1fe29db8f6516e8996c7e6875c53063490151a08af8085a4b403345929a79847eeef130299f758e0bf87e428dfef508cf7fb9114935cdb61f16e27a512e5a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
dd3f4a83b693d2f3e755bc6862fa47f2

SHA1
8be332739440cb5d4f713a58e1d804e4895996c9

SHA256
f73294f1d1e47ea9db2ad8388f73a2f9801983114882a9bcbe03e54fce8f08a8

SHA512
57ff755e3f2de4a960041b938773fb914012c00656f2e0dd9884a7e5f50638e767e13cdd2f1448aae20d0a975f7c55abb2188d04a01c37a60d1c33fa7d4eaffe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
06225d21d395bff9cd0fcdf37787769f

SHA1
02fe21606f947ee909cf96a69197d9e00836c065

SHA256
9abb651e1d442e7e7871ce8c4b7f695c72bfaa612cc7f767b63aa0938731ed96

SHA512
ef5202b9816fce6b7e6bffb0c4def6c671361664546564fedcb0f63297af39448003520ce0c970a3f63ecd0bd4c03f58625bde78f764500c7edda047dc2ee314

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\datareporting\glean\events\events

Filesize
3KB

MD5
cefd228ff931a24ac7f4096aa8374ab1

SHA1
804b2b751de9e98ce8e8135fa6088b99777b9acd

SHA256
5a67afc80243cb3390936d4992d516bdb718e7627e6a171239dc5616e73c5340

SHA512
bf672547b4588c4f02df9d0c3e2aaacd50e8294c023e5d618661d1884990d93b9b94edf35823137ae3a05282265c999aa95094862d2aecd0113b0588fcdb3160

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\prefs-1.js

Filesize
6KB

MD5
979f18501c8f4eedc54077504638226d

SHA1
7292316b3712fb1a062de3f6de22206c0b1fda1a

SHA256
34761df04e1efce3c91a363609aac85907916ea6d1b1409a712eb4c0f6188e14

SHA512
4623cba62f69f5b51a3f301b7e089cc029291614cf00faa3567078bd469f889dff7ef02eca1dbfbc7152dcc738bb90b1d0d1aa4380331d1f5c7d0eb705ac1361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\prefs-1.js

Filesize
5KB

MD5
8d8f908f369c8d4827f4fcc251d14d43

SHA1
f41ec986f2f142b550880c4087ba44baaf35a42f

SHA256
6fe65f816ba6dfa7983454b4efae656c0748ec977d3cc6cde8ee9d058c476b7d

SHA512
21a8c575d4d92fe648a20a1f1f04220a3b7506ec1b25b8eeb382deb20cef4f539e6f7d4f00eba9951b8a71f3b14d998e4a85891d3abc04b56a6b061e392275ee

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\prefs.js

Filesize
2KB

MD5
881f3b5fb8719b6928f6fd69a6e82a33

SHA1
45fbef96e0b17b7c550a78d537be7744fc13730f

SHA256
e5b49a6a5cd385881766c4bc01ba581e8f2ca8ddf1b9f3ba291da9a4bcb4579d

SHA512
80bcc8cd50a4c95c86168a413c2fa0732513acb190c19cd1622ebbd38a56a26ddd230b870bcd16da8582661d6336d50246b7ea794174ac51d82852cdd9656b23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\prefs.js

Filesize
4KB

MD5
26f32a420e16231e4f71bc0ee629e0b3

SHA1
dfc17a8694d3f636bf0acf2183038d92d5fe4f40

SHA256
043230bc1ce644af97905daf2e2f2c84b3fff18c61df2e48cc99fd134f6b17ca

SHA512
434bcb596eafc59de2f1b375e2a763df90fd1c768dbefd61124fbfc5bf8cfd7929a2d9560c5ac4a4c863b038748b318ba2f3bba0fbb231114105cbb7c0b3dfe8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
948a7403e323297c6bb8a5c791b42866

SHA1
88a555717e8a4a33eccfb7d47a2a4aa31038f9c0

SHA256
2fca1f29b73dd5b4159fa1eb16e69276482f5224ba7d2219a547039129a51f0e

SHA512
17e2f65c33f47c8bb4beca31db2aff3d4bbb6c2d36924057f9f847e207bdcb85ffcbb32c80dd06862ffc9b7f0bd3f5e2e65b48bb1bc3363732751101d5596b1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
48KB

MD5
2a33c0a9562e034ecc78db90b2cce364

SHA1
9660568fa07da14136c5e2968b8552bb5dd36fc9

SHA256
a0ad08f5b1da0cc744f19ceb70ea5d95d5272026b7104d26044557815f0c16f4

SHA512
1fd2893e6eb1ef975b0e52b46719d4180978f6b4e4ff810dbff9ae94d9a605dc6833b0f61207a88ce97a154710d7e392935e7cae55127325f10e9d8f56aff6e2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6393z01c.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
2ed6becfe948aaa87e8f67439095dda4

SHA1
cac4395d9330e341c824c1ca2ce8ea42ee5f1a0d

SHA256
719b445dd9a3bfef2e523c9ca2ffb41156f66fc183d55339a3835f5c92e0208a

SHA512
486fe89707a924bc84ec9faf8f26490600da0856ddee9a13ad8660fcc1308b8490422a7ef3b48b281d106ff02f130e1c7d91ff852dbaf217a12d192a8c541a1b

Download Submit
C:\Users\Admin\AppData\Roaming\OptimizeConnect.xhtml

Filesize
98KB

MD5
043a3999892a7d8afcbbbda6588c1e08

SHA1
63c47f3ed73b2b12a9c289f9d665c68fdb229c3d

SHA256
578e3bf834392520fcd440040f10612830e228a153afb7ac69aa7407d19a6d9c

SHA512
11e8a9e6f9206e3ccc8658c75f8195769b7167a732be746710bd80bad15524c0bd0d448f98d6b2b080245736bd803761773d7985e5f1a83a8fec7adab25468f6

Download Submit
C:\Users\Admin\Desktop\ImportReceive.bat

Filesize
272KB

MD5
f8009ae0f1c14815872123cde32c6aad

SHA1
d2a462c48a7f531c10cf0c6f58138c1f5a716b04

SHA256
58d59ba64f0fee602b6e2c8c425b8268995a8bf66d9c89e1e90f7e460b903ae9

SHA512
d7c045be690574f487ff8a3c195aa69358148ba33f2fd283f00aacae5505367535bcc555736fd1d4f28366aee1fea56c77241985bc2d35ba69ec16ee06f1f5be

Download Submit
C:\Users\Admin\Documents\ResetDebug.xltm

Filesize
536KB

MD5
8f327fd4cda63d1f7412ce24fd3deb75

SHA1
e3611f662acf9b07443c0b3dd58d450b42163de5

SHA256
cd0c6f98ffafc036d06f0ca8dcc9fcfe7748fa2bb91416ea42c8815d82b4f505

SHA512
08b8362bc8636faacb33cc1dff653b375d9b762c061133d9ebc29e3eaa56cd7ac523489f9732c195382e160ea4109c5e0e63b4818f8762d57f6cca0511cdbb2b

Download Submit
C:\Users\Admin\Downloads\0RK7Hz1b.saveyourdata.part

Filesize
440KB

MD5
ff6be5d06dba5c717bbead2096d723a3

SHA1
56e40017e6542147eabd9999c7d6d5f410689c28

SHA256
5ec727be6da66df1a4c7d9c0eaa8730e0ef76df32105be6e6c776203b0abe6e2

SHA512
c6cefac4a0b1da5e7ba89e4edfd9dde38a18dc9065b6bd22e8949cdb0652511f4c77b9f8547dcbb2e580261e6a55a882a3ff24cd1a9e30b544968d7ec76ff306

Download Submit
C:\Users\Admin\Searches\Everywhere.search-ms

Filesize
1KB

MD5
b4273de3dc960f0d63b1e1439df261f8

SHA1
2bad18cea2b1c976e576ac2c91c1b9da0bbe823e

SHA256
ccf7c2a6bd9fae20e960147d2dddfe7ce2af3e9e9a64cf81c7d401cc9630aaf4

SHA512
08595dd0d0212d6aa312a89638c810135d48f33c82113211cd3148f0fc01dec93ad8efc6b2f2c079a718eb074be0b264d5bf8ba023f9fc6c5b701ffb30c6f35b

Download Submit
C:\Users\Admin\Searches\Indexed Locations.search-ms

Filesize
1KB

MD5
f3759b71242ba5c921ff19b096598284

SHA1
fd9027e3529f8652fe8f4a2b7d4b4c9238e8cbfb

SHA256
c766250c93e2847d50dd9cd1a7f7303d776978d71d556174faa89748382cb4f7

SHA512
cd12e6da2b9efc406b9cef7225b08c32ba97712395d2d56154f5069ada0acf60d4bc3d5f62362b47c0f0f26b6eafa8602638ac429e3b866e33b7f0af9bc735f0

Download Submit
C:\Users\Public\5D95CE0E407687C8EEBC27E7C28F78DF44DA75E3AAEB0905D7270BAF38AA16BA

Filesize
1KB

MD5
763508a3eb8451ecc1a3cc7a62866712

SHA1
2e085038cf2eb631593ab681d16259468229bc92

SHA256
a195af141a72f62e229b899712716910b6ead843ff739c978e40220e2528b006

SHA512
c8c9fa32224c17316b62a1fc8df0ef46d21f5403b4fe55aa84d2796ef628571a0f0e3ac465b5907517aedfa2e878e2136b467e87894a5dded4cf4f6eb98bf15f

Download Submit
C:\Users\Public\Pictures\how_to_back_files.html

Filesize
4KB

MD5
6a765ce7c0b8bae893e383aae2e4a369

SHA1
2e8a51d53bef2fc10515dc671574ffe5c41e9e5c

SHA256
1dd458d59e6c3ca490ec8095e01fb7c6deffb0ea4243556e45c493c95183b83e

SHA512
a6ba37a7ba5f3a3f78b5219089e42bdee961dfa7f6c96ece16e37ce3c4fff8c0ce02ad93183a448c6ffd63bfadb7fe9026725ceb1cf2a1b710f0bd58565c2646

Download Submit
memory/1424-0-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1424-2441-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/6032-3102-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads