5ff14d16853c8c9b95a9d7a337f2196cbeca4d3169725b0f906c91efd272934b

Analysis

max time kernel
273s
max time network
267s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Adobe GenP 3.4.13 Beta 4.zip
Size

678KB
MD5

32e664a4fe87252393adbe59bbc17438
SHA1

fa5f13b07ba9461fbbffcc9081206d3a3cc87bba
SHA256

5ff14d16853c8c9b95a9d7a337f2196cbeca4d3169725b0f906c91efd272934b
SHA512

b4be2f817b9f9f9c02fe10b4fe9e999a0c219f9977f8f7248d4c3e6a49d7fc0fb6b0c87df46b6d49e9af472a4921b7b8ec7d33cbe1f6ade8a60e956df795ff08
SSDEEP

12288:lhdeAI3Bd5PmVDyrFhM5kweeykDoqacLxi8EakeNrBDnv:l3Az5PmArYyPrdcFFhBDnv

Score

1^/10

Malware Config

Signatures

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "9"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac04000000c8000000354b179bff40d211a27e00c04fc308710300000080000000354b179bff40d211a27e00c04fc308710200000080000000	AdobeGenP-3.4.13.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 010000000200000000000000ffffffff	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	AdobeGenP-3.4.13.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	AdobeGenP-3.4.13.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 01000000030000000200000000000000ffffffff	AdobeGenP-3.4.13.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = ffffffff	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "10"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\NodeSlot = "13"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	AdobeGenP-3.4.13.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\Shell\SniffedFolderType = "Generic"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0\MRUListEx = ffffffff	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\3\MRUListEx = ffffffff	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\0	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AdobeGenP-3.4.13.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\Shell\SniffedFolderType = "Generic"	AdobeGenP-3.4.13.4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	AdobeGenP-3.4.13.4.exe
Key created	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	AdobeGenP-3.4.13.4.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	AdobeGenP-3.4.13.4.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 19002f433a5c000000000000000000000000000000000000000000	AdobeGenP-3.4.13.4.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	msedge.exe
1752	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
2348	NSudoLG.exe
2348	NSudoLG.exe
2944	NSudoLG.exe
2944	NSudoLG.exe
5020	NSudoLG.exe
5020	NSudoLG.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
1624	msedge.exe
2132	taskmgr.exe
2132	taskmgr.exe
1948	NSudoLG.exe
1948	NSudoLG.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4676	AdobeGenP-3.4.13.4.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2348	NSudoLG.exe
Token: SeDebugPrivilege	2944	NSudoLG.exe
Token: SeDebugPrivilege	5020	NSudoLG.exe
Token: SeDebugPrivilege	2132	taskmgr.exe
Token: SeSystemProfilePrivilege	2132	taskmgr.exe
Token: SeCreateGlobalPrivilege	2132	taskmgr.exe
Token: SeDebugPrivilege	1948	NSudoLG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
792	msedge.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe
2132	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2172	NSudoLG.exe
4676	AdobeGenP-3.4.13.4.exe
4676	AdobeGenP-3.4.13.4.exe
4676	AdobeGenP-3.4.13.4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 1820	792	msedge.exe	93
PID 792 wrote to memory of 1820	792	msedge.exe	93
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 3448	792	msedge.exe	94
PID 792 wrote to memory of 1752	792	msedge.exe	95
PID 792 wrote to memory of 1752	792	msedge.exe	95
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96
PID 792 wrote to memory of 4620	792	msedge.exe	96

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\Adobe GenP 3.4.13 Beta 4.zip"
1⤵
PID:4264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\README.txt
1⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8c15c46f8,0x7ff8c15c4708,0x7ff8c15c4718
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:3392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1556 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,9438291248635160363,15875452563596946636,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3936

C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
"C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
1⤵
PID:5036
- C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
  "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2348

C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
"C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2172

C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
"C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
1⤵
PID:32
- C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
  "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2944

C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
"C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
1⤵
PID:4048
- C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
  "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5020

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2132

C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
"C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
1⤵
PID:3456
- C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe
  "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe" -U:T -P:E -M:S "C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1948

C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe
"C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\AdobeGenP-3.4.13.4.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c00b0d6e0f836dfa596c6df9d3b2f8f2

SHA1
69ad27d9b4502630728f98917f67307e9dd12a30

SHA256
578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

SHA512
0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
54f1b76300ce15e44e5cc1a3947f5ca9

SHA1
c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

SHA256
43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

SHA512
ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d97946ca4f01dc5231059eb3600d809

SHA1
eb33b0db32b3907cfc2bfad17d4a52501f5a7764

SHA256
0be2d44dc237b3655c3a8dbabf1f14a2c6e5e0ab83b12d8ef509e2294f8369e9

SHA512
1d5f1604d61b9bce2fb21781a9d46f13974fd8f25e9c4b13bb76cdecf26909957ca98fc91cc2e00e377a3e336d92209bbaa5a9026dcdd1728d48a7709c92fcb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c2b29fd57b004bf17cdc67afc9ccab2

SHA1
5be9207e160122b0f75e998b80692e3c8985bebf

SHA256
9d96dacb1c2f210bd510c349f466848bf57f5f6b828d3311230b70a24eb657ed

SHA512
b0a1485a69b34110dadca12268eba20625891e3504aae401f90e8abff0a6098d525bd0503b630941ce2aaad048b8190cbfe6ee81289fd0c196a7ea278381912b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
287e4ac45b66b2e76360440e0f0f4e2e

SHA1
f3aad9d12602ff8fb4914d84f81ec6b2387e0bb6

SHA256
2663a50f2671469fc670ea04023b56c094d87c2b6cc4b8e1903c49fbf328e87e

SHA512
dfd0b56b5cc154ac28ec6b9287be6516ed6fbccf45952feab578fd69d4f3eb0f99b66ac29fee42a2ed662379ff2b83183b99e11a14809bd7788e8eca1d6e81a8

Download Submit
C:\Users\Admin\Documents\Adobe GenP 3.4.13 Beta 4\NSudoLG.exe

Filesize
156KB

MD5
7aacfd85b8dff0aa6867bede82cfd147

SHA1
e783f6d4b754ea8424699203b8831bdc9cbdd4e6

SHA256
871e4f28fe39bcad8d295ae46e148be458778c0195ed660b7db18eb595d00bd8

SHA512
59cce358c125368dc5735a28960ddb7ee49835ca19f44255a7ae858ddd8a2db68c72c3f6818eca3678d989041043876e339f9fafe1d81d26001286494a8014f0

Download Submit
memory/2132-64-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-69-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-75-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-74-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-73-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-72-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-71-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-70-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-65-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download
memory/2132-63-0x000001A849C70000-0x000001A849C71000-memory.dmp

Filesize
4KB

Download