hxxp://virtualbox[.]org

Analysis

max time kernel
305s
max time network
312s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
16/11/2023, 15:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://virtualbox.org

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5944	VirtualBox-7.0.12-159484-Win.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\P:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\T:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\U:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\X:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\B:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\J:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\S:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\V:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\W:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\A:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\L:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\H:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\G:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\K:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\M:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\N:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\O:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\Q:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\R:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\E:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\Z:	VirtualBox-7.0.12-159484-Win.exe
File opened (read-only)	\??\Y:	VirtualBox-7.0.12-159484-Win.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3125601242-331447593-1512828465-1000\{77A8CA35-B2C0-49BC-9C4C-628F82EE826D}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\VirtualBox-7.0.12-159484-Win.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1892	msedge.exe
1892	msedge.exe
5264	msedge.exe
5264	msedge.exe
5400	identity_helper.exe
5400	identity_helper.exe
2544	msedge.exe
2544	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3968	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	4076	firefox.exe
Token: SeDebugPrivilege	4076	firefox.exe
Token: SeShutdownPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeIncreaseQuotaPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeSecurityPrivilege	4776	msiexec.exe
Token: SeCreateTokenPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeAssignPrimaryTokenPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeLockMemoryPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeIncreaseQuotaPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeMachineAccountPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeTcbPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeSecurityPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeTakeOwnershipPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeLoadDriverPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeSystemProfilePrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeSystemtimePrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeProfSingleProcessPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeIncBasePriorityPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeCreatePagefilePrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeCreatePermanentPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeBackupPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeRestorePrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeShutdownPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeDebugPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeAuditPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeSystemEnvironmentPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeChangeNotifyPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeRemoteShutdownPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeUndockPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeSyncAgentPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeEnableDelegationPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeManageVolumePrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeImpersonatePrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeCreateGlobalPrivilege	5944	VirtualBox-7.0.12-159484-Win.exe
Token: SeDebugPrivilege	4076	firefox.exe
Token: SeDebugPrivilege	4076	firefox.exe
Token: SeDebugPrivilege	4076	firefox.exe

Suspicious use of FindShellTrayWindow 31 IoCs

pid	Process
4076	firefox.exe
4076	firefox.exe
4076	firefox.exe
4076	firefox.exe
5944	VirtualBox-7.0.12-159484-Win.exe
5944	VirtualBox-7.0.12-159484-Win.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
4076	firefox.exe
4076	firefox.exe
4076	firefox.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe
5264	msedge.exe

Suspicious use of SetWindowsHookEx 23 IoCs

pid	Process
4076	firefox.exe
4076	firefox.exe
4076	firefox.exe
4076	firefox.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
3968	OpenWith.exe
5260	AcroRd32.exe
5260	AcroRd32.exe
5260	AcroRd32.exe
5260	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 212 wrote to memory of 4076	212	firefox.exe	87
PID 4076 wrote to memory of 4580	4076	firefox.exe	89
PID 4076 wrote to memory of 4580	4076	firefox.exe	89
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 5040	4076	firefox.exe	90
PID 4076 wrote to memory of 2176	4076	firefox.exe	91
PID 4076 wrote to memory of 2176	4076	firefox.exe	91
PID 4076 wrote to memory of 2176	4076	firefox.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://virtualbox.org"
1⤵
- Suspicious use of WriteProcessMemory
PID:212
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://virtualbox.org
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.0.756488050\1038628267" -parentBuildID 20221007134813 -prefsHandle 1860 -prefMapHandle 1836 -prefsLen 20938 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {765192ea-8303-45ab-9c48-a4ca39aa5cd0} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 1940 230392d6e58 gpu
    3⤵
    PID:4580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.1.316033165\122544533" -parentBuildID 20221007134813 -prefsHandle 2356 -prefMapHandle 2352 -prefsLen 21754 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80f5462e-18af-4f31-9800-c5fc9f8023f7} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 2368 2302ca70158 socket
    3⤵
    - Checks processor information in registry
    PID:5040
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.2.1522177259\779057387" -childID 1 -isForBrowser -prefsHandle 3396 -prefMapHandle 3392 -prefsLen 21792 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f44f6f38-e652-419b-b7d9-225364abb561} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 3404 2303d512558 tab
    3⤵
    PID:2176
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.3.347861488\621994091" -childID 2 -isForBrowser -prefsHandle 3880 -prefMapHandle 3876 -prefsLen 26437 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ff41245-efd9-48d8-bd28-53df43da23fa} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 3892 2303e606258 tab
    3⤵
    PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.4.972013690\1303638273" -childID 3 -isForBrowser -prefsHandle 4968 -prefMapHandle 4964 -prefsLen 26577 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a763852-871b-425e-ba6f-2d1b4eb95225} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 4880 2303fc3ff58 tab
    3⤵
    PID:5048
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.7.77376169\1242967120" -childID 6 -isForBrowser -prefsHandle 5180 -prefMapHandle 5176 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {53a3dba1-7281-4f1c-8376-a06edabcd29b} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 5316 23040b38758 tab
    3⤵
    PID:4536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.6.736594144\1558845503" -childID 5 -isForBrowser -prefsHandle 5168 -prefMapHandle 4868 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cfdd972-c784-4bda-972a-88911a952f4a} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 5204 23040b37258 tab
    3⤵
    PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4076.5.104765785\805168593" -childID 4 -isForBrowser -prefsHandle 3416 -prefMapHandle 3452 -prefsLen 26752 -prefMapSize 232675 -jsInitHandle 1332 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {162ed041-566b-4f92-ac90-5f34cc1d4aed} 4076 "\\.\pipe\gecko-crash-server-pipe.4076" 4976 2303d677c58 tab
    3⤵
    PID:4892
- - C:\Users\Admin\Downloads\VirtualBox-7.0.12-159484-Win.exe
    "C:\Users\Admin\Downloads\VirtualBox-7.0.12-159484-Win.exe"
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:5944

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3968
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\SuspendEnter.ocx"
  2⤵
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5260
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:3080
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FCF07C89033973EB2266304B4B176FFC --mojo-platform-channel-handle=1752 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:2004
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D294D4F014E8258081835B020CB5D69B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D294D4F014E8258081835B020CB5D69B --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      PID:6088
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A0BC0D774A74E7A88E444D735683E147 --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      PID:5156
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffecb0e46f8,0x7ffecb0e4708,0x7ffecb0e4718
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2168 /prefetch:8
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3628 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1556 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4084 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,17459287183535886806,13004457173984779846,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:5568

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x444
1⤵
PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f4787679d96bf7263d9a34ce31dea7e4

SHA1
ebbade52b0a07d888ae0221ad89081902e6e7f1b

SHA256
bfcadaffd49f5351acf68b8249b32270424bc2459125818492cd3224662a9a87

SHA512
de3f3d1cd602bddb664bd0d2aecb661204dd239b278b1f03d6b9dca6f3d03bd3041ac42f4382f5edf5b310b17ff9ecddff59f16729e8c095625040a364252307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e50c3ff6809ded5130359e1e8baacfc8

SHA1
12b52dc34e1e7767d109e8601aadfc17e1329885

SHA256
e7bd1f02f78e8b57c3c8b99e18d65c04bf3d38a1aa4890de0d4a5510b5792e5d

SHA512
54df1884ad00fb3f23fced52080d3bb91530e08f13d23a8412b493b7b883716678857467f159a9d948e959b5be3220cdf16ed6f063688aa0bf4781ab27f87e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
467B

MD5
af0d1e3a8c442835f9a0caf45f14003c

SHA1
9d5cd0914fe3afc1c83217f90e61786980fbfa0c

SHA256
1481d550f73ca1ae9d4c763c17be8c96a3c30165fbfc43c4942ce2d44a4bba1a

SHA512
d5189d1763e7e74be4494ff654964e51b9baeb3468b5d0de5f029da6ac45ebf3e6fae8cd7f31100e817813a35292a8815f8ddd1eb2df081146d8c01b01714d91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
525257e987189344840058edbef93e17

SHA1
716aaca225413a96f612026bcbc8bdf84b00e198

SHA256
b177101e42a7e17572af13ba77dacb04a7d2e095fd99dac1dc6b6118ba10b282

SHA512
a770c5bf68cd550b430f85cfe8506b274d31816de1bc280ce235973a723fe6d757c4837e65af5aaa006828bd4dde0d1de9a1585e2f2b796b29290972855f7fd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
422c2d4794677b135609526e879f62b7

SHA1
02803129327e362f1de6eee33accca6e9ae5a699

SHA256
eb5fc361ced3b1a58f8c01023115bb6957af89fbcd4c836862d2728843ef6711

SHA512
853321e9062bc7ffaa9439fab2f381adefedd0ad4dfba4c73dd5b26c2f1f32e187189e54abc18f9f1a00ba6da8ebfe5043ce44585a2aa0fc76af29ef1faf4454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
446585f87b0cb30b5610e9fac188147a

SHA1
732e778fc8895d11add1fee04b3a6a770c13121c

SHA256
559112e951ebe436297fd2f276ad44f62d909ba82734563de094c047960360cd

SHA512
ca3121bbba5018ea88c6d7881e46eb543e075cf0b626a477e55edbc9fb77a362d091707aed1b4f088d25c9c51b343cb964feee3f668364f964584e8e10fc6b1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4f6bf574a82527b5c7e14ce2110aad6b

SHA1
180ec69b3d052be4b797b66b01ac5bc695f14b3b

SHA256
9f38ec785451f3341e283f935a7289bc868307b0adf6a3287e04473d9c280d34

SHA512
4e9a94888808c2b7454f63a2bda20a2f9cd8924e1e02a781dd7e19b6788e6a3d1744a7227592c5a9bb9daa27fb853c0178fe77b04808190fbb2ff3d19f2d7037

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a748249c8b0e04e77ad0d6723e564ff

SHA1
5c4cc0e5453c13ffc91f259ccb36acfb3d3fa729

SHA256
f98f5543c33c0b85b191bb85718ee7845982275130da1f09e904d220f1c6ceed

SHA512
53254db3efd9c075e4f24a915e0963563ce4df26d4771925199a605cd111ae5025a65f778b4d4ed8a9b3e83b558066cd314f37b84115d4d24c58207760174af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
43dea59b87192bed333377bc970a7685

SHA1
23c40813507265a31da44b9d1ac3943bc1f2a4fd

SHA256
d73b4bd156dd713c7d3f3b3bff171a3244c530ec23e63defd4aaddc52a882f28

SHA512
4925263ca8b984543ee369151089521b278c0ef888cc84a062e27eeddff983171b89ffa050817ba0b641ec4b835cef1a91393e1a5bc48678bd756e5b9e406813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
02483c65108b4fbcfc660ca47402b5de

SHA1
c588d644f7945727e5e6a84cb1366421e8bd1562

SHA256
6fc55c3312b1db32e0d1b5d5563093276f1ca097faf45ad723ba2ee8bc1faf67

SHA512
8f56c1e0d6636bad1f419026fbed1aaa929115f096583b71072b7d66638ea7fff9332ee615147b9aa5f9667a1e3ed3713cd1b8d1b08355271c88913ef9d83448

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
1096115f45c2079dcaa7ff70eafb2897

SHA1
d6667efa431ba618ed56e2cff3543c6f7893b27d

SHA256
112a7eaf53aafa8d36bd778f1a66b99116229d4eaea6dae5f487978cae9b586b

SHA512
dc9bcd238a215a91aedf5a87c9882e940ec2bc1110ce92d989f38a43d969be10cff0ccd39231522f66956a93cdd2b2a4edc4a0f8f571aac0b5f57e3e55276beb

Download Submit
C:\Users\Admin\AppData\Local\Temp\k8ugt8at3x21mk7q47g42xpd\351n0gqvw2uoa937tzocmv4n.msi

Filesize
105.2MB

MD5
7e8b64d8ea7876fc02f51f8b951544e2

SHA1
444a2c8829f70b38bbb922d7d095329241972ae4

SHA256
ec5669a57d1b4ef44aee8b6a009ae0d5fa8784d8afa1950287e992fd42c823d8

SHA512
592eb35ae8974fc2b42ffc22647b603ba6f6a48af0b1087ee22c8f3f44f6c9127d15ef981575fd0f7d4fb03860863169f2f425ff00ae269d617b9d67a8d4ca6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs-1.js

Filesize
6KB

MD5
2114e8fffcf8c33ababaf581f2a58608

SHA1
b42dd64d4c1ebb3e62e169f169cdcdecfb43b881

SHA256
b248fd2f42a5dcfff73c9fd67ed64730250d7ea8c6eefca619b975fbb65c01e4

SHA512
22e81a6ab7b2ed41805e2dac85b201045d6557c435c596fa014133c3fd4df6b784e638c6394d33526454bb5c5b563a9d1a80a12d4a16b55c1cc8861afa0c5699

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs-1.js

Filesize
7KB

MD5
21f79b94b7ee9b7dfb9c148aa51c5509

SHA1
ca776b146a8399769db2f0c206b4973ae72497c7

SHA256
64c7f5b51d72b188eb834c6e8e44b8cc783dba403523d38d66a2be07eb1541b4

SHA512
91f87d1380377380bf283210d3b6de37fc8c120edc5d6aecffe711d193a17aca777604f49352ac41a81673ccd88dabffbaf3b094550dff501b2837852d3bb457

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs-1.js

Filesize
7KB

MD5
cef14fa286f685a2d6ae2288888e29b9

SHA1
0c15a8259d12e95487f26c98d233e88bc83db36c

SHA256
03fdb9918ee77cfd9e55b4960d147199ce0e9a164d2dd4434eb4cc0bbc7278c2

SHA512
d79fe20814f84355719c549d1f0f76ffbfd4c55edbd97eea922d0b60aeaafa566bd437a384dc47309224a4a5de88cc10f71ab8cfaf6f470f14c3c0afd79539a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\prefs.js

Filesize
6KB

MD5
b3cba0a654c5e568b39c86ab891d0bc2

SHA1
bf2abb80435b9c574cb0559eaa1f147631828fec

SHA256
95e575782062b521c29a1df7f03961118fcb7348e5872f458680ef1eaf65b411

SHA512
4341938d6b4f0c145ea56557bc21b1e20e91c3d690f21131ca236453fbb6e895da4140bea607052b0d8cdd193e342301ffdc58db849c8de10c1ec9d9ec74f0de

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
4053ac107be0773dc0780261c2a50160

SHA1
b76969f920941f923697fc325556426d688a49dd

SHA256
60c74d257fe4d27a722106d47c40f971b590becea5fa92cf1b5bd6c9896b41ed

SHA512
82ba44dbc0d720aa4837ed126c969c3009cdabc227de44648710d68fde51ddde7e3d5a3b48487eda0086ec9fe159cfc3f1eabd04cf7b589df95d613210a42f98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
030ce9eec52d1ddeea4987d31be7f295

SHA1
cb6298cb8c23f52bb78cd8370e8b6fc70ee5ffd6

SHA256
104cedbbd222867001dc5e70304f583e69416fe04907ec1efb7bb9401dd39b54

SHA512
4d30db092fd9d90175313f2587dcd113048a2d3b0a499eacc2d371dc2acbff5ff0e688406f790494e8eae72d06d2af054e75e0875caa2bcfa6c9cfaa572f2982

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
a4f45d352c79b57100daa5d5e7762ceb

SHA1
b7368e843dc75d3ff454fe00548257f599370a4a

SHA256
d1420b1b1a75efa0935ee88b476bef0454ea5c626e29629ec56959e9137f8aab

SHA512
6a3ace552ffa6611f5ea2bdf226208c0edffc41510d9791f51ab528f99b0e7be0b3f7f5bac7821fc03227a663883939ca7202e1c9d3e516201782f9f078b634c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
292613c93bfe178899e76381e386a654

SHA1
234d940360e53f20d9c9e54b7670e87445d5aac6

SHA256
c00181dab9d6e2345e57d3061ba9962d9bff902e2f17cc0dee454ee9add58e7c

SHA512
2ae725de6e190c1d34b50a3caa9e0e494a1d36b70d0ed6e165ded673ea55b5ce3dacda9fbb6bf57dd8e8807d9bd0356c0794b4b5c695642a41e5d572b0cc560b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
e080cb780b03544dc7e4ac12e19bbf9e

SHA1
fefb762fe861c171ee64b6f832d9dbb09263bb42

SHA256
c0dc266903b911b812a8b8d6c0592bbc62e0f617bd24f450060dce5a947e7af9

SHA512
2ff35faef0be9d51638ec017d075afdcaa69a051ed677cb2beecfcbc24927fffd8957ecaa20707bba04b8f938bacdf48574d5e4820ce8d65b24428cf00882eac

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\gcdxm1e2.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
cd84bba866fd962d2da4e072e1d95fd2

SHA1
273f38f8fce27c355ae890d4a48be16bc9d56343

SHA256
94e71b3f68abb9de21e50835892f861997ebb6e86e5ea6b56ff389688d7f20d8

SHA512
e2dc359ffc57844307a91b787b761f420fb3783d9cfb80fd2a80c10ec210da74da55be1fbaff4b25a651b7ed73bb1bfee4f9e8e54666a19502075aa9fe767e2d

Download Submit
C:\Users\Admin\Downloads\VirtualBox-7.0.12-159484-Win.exe

Filesize
105.8MB

MD5
95c4c395478afb9dd78d3de0432a6851

SHA1
4b4ff135111c6f759cf0802019941af736c7d9a4

SHA256
9769bae970244249e043bde9c74d704d25a80773acced5c59a04df64a10a5db7

SHA512
b91dd35dc1fa0500cb9f48d6b51ec240cf0927490d769472d469b3306a1bb5b3808c4b7f6ba5aa2fc19e7d5e0757552863af470b70bc3517b9c8017640f524bd

Download Submit
C:\Users\Admin\Downloads\VirtualBox-7.0.12-159484-Win.exe

Filesize
105.8MB

MD5
95c4c395478afb9dd78d3de0432a6851

SHA1
4b4ff135111c6f759cf0802019941af736c7d9a4

SHA256
9769bae970244249e043bde9c74d704d25a80773acced5c59a04df64a10a5db7

SHA512
b91dd35dc1fa0500cb9f48d6b51ec240cf0927490d769472d469b3306a1bb5b3808c4b7f6ba5aa2fc19e7d5e0757552863af470b70bc3517b9c8017640f524bd

Download Submit
C:\Users\Admin\Downloads\VirtualBox-7.PCF-sFfC.0.12-159484-Win.exe.part

Filesize
3.8MB

MD5
527b014498217cd2d2649ef032f31b36

SHA1
a08ce65e1b42efa28c295ed432988aaca1557a28

SHA256
5f090936e35fc3128bf484877ff884ed1b3c324eae90057a725af2cb34f083fa

SHA512
5d01c7e2b7a1d2a42c32e0586fbb521cd76a724c2bb67c099cf85cb6af1ff5e3ada4e31f18180be5cd3e83a866293ecc76e3b8081c26a993369860761ac16602

Download Submit