hxxps://drive[.]google[.]com/drive/folders/1KjC7je7AU_PkdBj82uGsiArNDNPirnbB

Analysis

max time kernel
155s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
12-08-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1KjC7je7AU_PkdBj82uGsiArNDNPirnbB

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
1	drive.google.com
6	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\.apk	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\apk_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\apk_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\apk_auto_file\shell\open\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\apk_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\.apk\ = "apk_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\apk_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\TFSMP Beta.apk:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\TFSMP Beta (1).apk:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\Downloads\TFSMP Beta(1).apk:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\TFSMP Beta(1)(1).apk:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
764	msedge.exe
764	msedge.exe
1232	identity_helper.exe
1232	identity_helper.exe
3512	msedge.exe
3512	msedge.exe
3676	msedge.exe
3676	msedge.exe
4592	msedge.exe
4592	msedge.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe
5940	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1956	OpenWith.exe
1176	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3340	firefox.exe
Token: SeDebugPrivilege	3340	firefox.exe
Token: SeDebugPrivilege	3340	firefox.exe
Token: SeDebugPrivilege	3340	firefox.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe
764	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
4732	MiniSearchHost.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
1956	OpenWith.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
3052	AcroRd32.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
3052	AcroRd32.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe
1176	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 764 wrote to memory of 3932	764	msedge.exe	81
PID 764 wrote to memory of 3932	764	msedge.exe	81
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 1504	764	msedge.exe	82
PID 764 wrote to memory of 3196	764	msedge.exe	83
PID 764 wrote to memory of 3196	764	msedge.exe	83
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84
PID 764 wrote to memory of 3148	764	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/drive/folders/1KjC7je7AU_PkdBj82uGsiArNDNPirnbB
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb40523cb8,0x7ffb40523cc8,0x7ffb40523cd8
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2640 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6340 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,14313416045872874471,1560351213643722500,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3992 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4144

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1956
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\TFSMP Beta.apk"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3052
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:900
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EAC61E5DB70649859C22811FF6EF9D69 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1292
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=C097FD58A06CC08534FCB94736E33DD3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=C097FD58A06CC08534FCB94736E33DD3 --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1488
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=CC9EAC74E7705A3DA39CF7C8DA7E6999 --mojo-platform-channel-handle=2364 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3488
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=62D1F35CBC075A2B05C9CCBA525F5D00 --mojo-platform-channel-handle=1816 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4636
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D983025F7A4697532AEAC4A8DC3F970B --mojo-platform-channel-handle=2368 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1176
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\TFSMP Beta.apk"
  2⤵
  PID:4564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\TFSMP Beta.apk"
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:3340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1992 -parentBuildID 20240401114208 -prefsHandle 1920 -prefMapHandle 1912 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7b7ba4a-9507-4ed7-9e88-14c1a163712d} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" gpu
      4⤵
      PID:2784
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2324 -parentBuildID 20240401114208 -prefsHandle 2320 -prefMapHandle 2344 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4510917-9969-4edd-81ce-132395655361} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" socket
      4⤵
      Checks processor information in registry
      PID:1760
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3104 -childID 1 -isForBrowser -prefsHandle 3316 -prefMapHandle 3260 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {856a6ea6-dc97-4cd3-bc2a-e1ed7647a23d} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" tab
      4⤵
      PID:2640
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3204 -childID 2 -isForBrowser -prefsHandle 3496 -prefMapHandle 1568 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {997aef1b-65ff-488a-a38a-7d9dda78df45} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" tab
      4⤵
      PID:3580
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4760 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4748 -prefMapHandle 4756 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {78fa4ac1-c9f8-4dad-8d5a-67279fe883bb} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" utility
      4⤵
      Checks processor information in registry
      PID:5912
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5656 -childID 3 -isForBrowser -prefsHandle 5640 -prefMapHandle 5644 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7fc97fde-12b5-4446-83a8-a306ab558c74} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" tab
      4⤵
      PID:5684
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5808 -childID 4 -isForBrowser -prefsHandle 5728 -prefMapHandle 5732 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2180a826-1694-49ba-ab77-51207d93b6ab} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" tab
      4⤵
      PID:5692
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5936 -childID 5 -isForBrowser -prefsHandle 6012 -prefMapHandle 6008 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1232 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f279606-ce9c-4b03-81a2-f1172199fc62} 3340 "\\.\pipe\gecko-crash-server-pipe.3340" tab
      4⤵
      PID:5708

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\TFSMP Beta(1).apk"
1⤵
PID:5968
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\TFSMP Beta(1).apk"
  2⤵
  - Checks processor information in registry
  PID:5972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\Cache\data_1

Filesize
264KB

MD5
bb5ffc2bdfb4e8954f3a6d30b6ec9280

SHA1
3895d94122716d038204fd3500acaf6daaac84f0

SHA256
91812250c6e8626f812cc4b0d27d0bf3bcad455d97799b18fbbdc0f81a97d30c

SHA512
fbd6b628288e98cff6346ada1068e2b119cf00fd37351d5e6150d1be443c8bd38c2c09cbedf11628aee7202a883dea41fe8a07adbafeaba7fa7e7a55ae394b03

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
ef55946712f717bf7eff86bfefd3cf2e

SHA1
351be5ca7fbd23966c067db7d310257e3320fbf0

SHA256
bf629a58a727f7b7cc04a9123312684ee461c136a007459e32378c4be252c7e2

SHA512
7614490e06c40e186a2c3ec1bb96f7d9dd5956db3df3b857f593207c842e0aa8013b8359a82684cc85e2cd3e9ec0dd37c8b0594a57f2d14ae57d1b6b94a3da4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\26e0c239-bb83-483d-b30c-f5afb2ff502d.tmp

Filesize
11KB

MD5
0427250affbca9f1f7f1b5782eeda5e0

SHA1
8faf641ba8891b27377ba4a17483e7844856ff7a

SHA256
6ec244b7a4f9482ee6d4735e4c9005bff17158601065b7ebf0a7cfc240f37667

SHA512
bff7c2259c24a45830531ed9c72ca896f945298b59f332e3e0b6834e61d3479e0050a6ef1bfaec4480d4d3d55a39fe59f1785c2efcd7b34f4706e5a590963696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a9b3d12206efec1f3c7bb1b59011135d

SHA1
ae87d654cadd1361540a7e3a5c8201303a10435b

SHA256
beb159dc239d04ecbdafc6c736fd913329f6d12c5c0bf8e861432e7319584e20

SHA512
79e320ac4c6cf644bf31c06110464a4439569e6ec1f05fe7de7448f5d3bbb98b1c818146263fb5d60dc7c194af9a400ebf0b09d4a3a273c53f5f594f1f7b7b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
c46a145fef4059375f08ad0bed6fcccd

SHA1
12e208494917550d0bc054a6b575902448df2509

SHA256
f25db403404de7df832f26f184b49314363a2750fe3569ada4e0d658013c4a57

SHA512
a3c5e3cf538cb30356620d6eda94a348b570b7e90af17e7c6237453a2a3c5f6f6528bd4aa37999b23ac538f8956b5a793b1f2310117eee2534d66f7692f2f6bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
4ef06a8c821dbb1f94099030e518bb1c

SHA1
e42e52b79afb6df7c6957e41454cab647282a8ca

SHA256
ffb75c6c2c3b8d3bc91ed24931ff50fa1d3fe514b937b88a41deec27b4216c97

SHA512
e93ef3e488f273e8b702a8d997d073d69ed96f224c5557572e19311d06e7dded7651f54cf4ec42f46bc66ea68bec092e1d99b2fbeafe67e3e53f247a7ab5ca90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1c57a511f7f6c9097073e43164949128

SHA1
aa80a8467d79e73a47c97bbeae43ba40b5866adf

SHA256
b037ed701269ab7ca8b9318e803dcaa650600965725860c98ea52acd024dcafc

SHA512
f77ad4b98079c8bae5d4fc024b3b0e720c8985209b13918b4642e7c66ab62502e514ba575777b58a54d5b241a8c3eadba33cba371ddb2e978cfdff5319b4103a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
a942c3e41bb507c472511c210b4f1e5d

SHA1
75f81ae4a133eac04216e73675065467f3ad032a

SHA256
ba1fb146fd70f68bfbe3186e7540c61f3543a473fa6891bc525885a56bf7fc7d

SHA512
298d189e0906487955861e93b4249878fe727166613b7e9edfc9f662d4f8d64d94c72507a3ecb2f44d86f9a0806dcf0a37e2747fcb747bc434a883586e64a2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b418e6f9e91f1d1043f4c90c2ea8429a

SHA1
d4dc5e1104b729b9d9fb032006b32c1ec0490e3a

SHA256
cc1a7ff62bcc26811f20599ad7a42541329205116b274c3811408d19a1e410c0

SHA512
ea5a74b6eecd331346fab694f9fe942da751ef50117f4182944790471e3c21dc915a6ebf0798d467dd057b86502afb79108fcfdbdc8e049b1c53b0fbe5e859a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8303dd4eafc53540cefa66470434c2d5

SHA1
838f8deb5afd6ebd6420dc7b75a480403ab45e71

SHA256
95f52df3ad45b61e051483ff1baa95dd7f00eebe4df46d2a18542aeeb1703e47

SHA512
b7e9df6d7a78850d0c1b9a47ccef37dfc269db09c15425db7f92c543bf9f4c75a6518dc760d9ac57b1853552e2be89c01acb5620bf330f98e0070bfe60cb4f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
395eec9f7861aab656db0cce07f970c6

SHA1
d003847247f1fbbc8a93290eaab78cf1d9f94295

SHA256
d99c259f0a2975ddc8d71a613a0e506c18caea053fa5145633adaa4d2a6a3b34

SHA512
b07502ccbbac8a285077e5e78903b2441b20bc955c119a1ecab54fc3a7dd348e2e30c1e3bd64d49af1f21f8a6b90fed804032a0700199081a37ef49b0df01e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ade4b98cead809c634b600f51a497670

SHA1
3f48eab2b4ff653cabbc8134298cc4c261d68814

SHA256
90c1703ee40efa7570d4eaab36e33d5e0547c40e851db3de7d9aab0d0b51b15d

SHA512
7fbb100830e1e27ffead64cb84c816ca3d81f299e0fb9a9605fde7d5c2f98ddcd057ab7d130f43381b8ab6c54b578e6ff234931cf512df63c4b6f1c2680fd32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f1535233260fa496aa8f3db2ffb5028

SHA1
2f33a3a8c45f4c32b2c9c30ec0e9f9abf493e060

SHA256
b6d7480fcd292258464ef2b0ceb3b54f5fa8e930a1b25844333e24a5d75d1bdb

SHA512
6cb8854a8c06067c795313d65d13ec590ba128e92ce297f7343814274e8afc49df1ff5160c99e8d0c4c3729d47f5c15e2be7fdb2fcb0cfa75879b2811a1d337e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58af94.TMP

Filesize
1KB

MD5
1450c8649f262727d94474b92cab03b7

SHA1
dc9dd8664f452251a2fbdab9ea4d473b3ebf493e

SHA256
a01a09d51db37df8e07a3627a3e646b9dc41e023ec92039f87fd58688a7d1716

SHA512
d1268e645f3e6726779e0014d727f75ed51ceba905b16719456a8faebc3338200da3475cc3ac6bb08bd9d707bd2aaadb8b94b92f013f1a64f91bb8b3cdec86b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51c83798600cd5e3ba17bcd9d1e5aa11

SHA1
c25234be4718729e749bd298c1a026969e0ecbbf

SHA256
2c12cef7839a34340ef653d1f2815dfc2af3590a30f800e58748eef9320fe780

SHA512
4b8d9c4fb81c54ffc3307e33e2f66e5e53c9700dafa2e3cfc7e8d73af6cc6b6d211e9cdbdd5909472011441e646b578bc224955cc63515d22b895c13c77243d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
da8a7b1516baaea2384dda4cbb38f76f

SHA1
50189ef62e4b146e7076ddd73df18f800f76ce3d

SHA256
ccffd47713407bcca15cbee98b1468b621e3149f8134ca0828ee4a7521dd5935

SHA512
20bd28ff08170aa6b63eed45ea444bda7f3daaa9ffda5a685edda643f60a85c4fa67ec2bdba716ef1759722ee7793cf8549289c4922e89d76f07e4997b4ca1a0

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json

Filesize
35KB

MD5
58c0dd227509305d4d2cca75f6e3d02c

SHA1
8f9f8da728b24c6ae8b07668e114a10055ba35e9

SHA256
23881d428bd316e9ddb1c39f2eea7470a34759ead11eb36acdc1bb28184015a6

SHA512
3f83cb9c8f2aab8c49b40263bd0ad9eee26c8e83eb472df9cc2221abca8dc5fa2abd275b1c99e97be6cfb2ad7e210a5ebe2c63136b9a926e74f3beaca56a2a68

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c3e08121cabb9380e3d50cadde97d53a

SHA1
0e666954e83e97e3883e52092fe2be88a520e8f8

SHA256
76e1d3ab7320c4b863adb091b5b77205d81e13eafb539a18ebe3d8ea46b29433

SHA512
9a6ef7710781d2f3a1f873129b21990548c1b275720080d87fe4051b464b0aef4ad8625656c388a65163563c6fb2086c29c01ba5f518c5b9679e7227fcc7941f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
1fb7859b9dc882b3bbc713c94f5c1030

SHA1
ba81cbca9dd77e8147e83dc75b1126246999a3b3

SHA256
3a8e472ba1ef54e375d71234144de98a06beeceafd20cf35810df690f2efeed7

SHA512
62ceb3641dcc8f6725a16eeb5e737dc18e0f5930aee68698b62e4c4a8bf4938cf73282f6a0b049a1b86b77b7222439dd735afcd993a9fc06b7ddd9a72546ff1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b2c8223dc0fb7d054134ac42c6903872

SHA1
1d78a4aea8eeca622fbde9805824fafd3cb9b089

SHA256
15b95f0c5b7807f3ef468a3857e7c2848e28c0c0e96159882eb92b4792952bbd

SHA512
e4063aa02f1d6201b54ec6f185fa2dc9b1eb39267aa5082ea01a6a7b0a88ad47c08bf4e5e82d220f103d762df79e4303cdc1f0e69bf56ace616842c39bf5c4e3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
cf5672a061757ab588d1866b2a96cefa

SHA1
33864052646009ebf68afd2a32a0c8f9cab597bb

SHA256
371dc8d9a15e5047caf547a609a7bac1eee2affb945ebe014bfe83941897f6e3

SHA512
d5839bed05cad0cac11f0b3f44d5633febf9a11cc08fc0238b75920820fbe1ddae24f04dad4332c9b00ab21a3ef235fc08e16430ec7c488f79be34ae4773a212

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\470616b4-e4ee-4fb6-9642-b9d3768db4d8

Filesize
982B

MD5
092f1411483587d001051d4e5557a70b

SHA1
a25af956110b407ea43a98de68b8634fe0bb46ad

SHA256
ebb4b5b82124e0c58adfceaed756dd42a441bf0fdfc36ad16c282ca4e6b12114

SHA512
ca8dc68a1e2dff106581e2302811ca2a287851c95651dbac982e701f5fa7e05739010abd890fa072c13943332c6414f476ebde3ab44582ec035cfa293c4204ff

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\5b2f7338-bdd5-49bf-9ee8-12bda63f1e42

Filesize
671B

MD5
b8fd8dd6bd52a7a5a68c8ca3bf932c1c

SHA1
fcdac9c8a43a0ea81e754f0a5e33883b756f1d25

SHA256
4258d85606d3da40b707fc9f4ac6eddaac9febc6707ba06731e82697d3efceab

SHA512
91f6e5888f0ae7d5112c170cdcadc57eb73acddbc4527059663c76cdff52e8bc012953b8d2b4196e568dc748cc26d69d83f2073e59b8e232b7d0378c10bf55b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\a84f0c96-e1dd-4799-865f-c9435fed9da0

Filesize
27KB

MD5
5eebe5f79b26e65baf6e045698407b46

SHA1
708c1549e9a62ac03b88b4f02e9fceb7440e8de0

SHA256
c77a24b66e4527beb84aeb629573b04a45655e55efa5ff6342b456f8a699141d

SHA512
05a69c6d7ae199c4cf032303ece84f10b8783e3d423f36645503baccb9cce1c6d31bcbfd5d93a06161934ae6a187389fd604251838f33121a8fbffc4efcfa6cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

Filesize
12KB

MD5
a7b8ffcb25fc7cce6d5b7688adbc3556

SHA1
3cb6d1ae291c5d68057c8a4f0b71270425115e34

SHA256
bc0bd977f3ed9fc916431327eb7639e6096326c4028c89b9291ac8012620a5c9

SHA512
b4c879b699c4963d5bdc87e67f7896785e0fd6ddecf6fc077e80f66e045240cb06f63eb4f8ad36593a8c2b94dc3bb1747ce9ebece4e3c57e452a8363b0a3d30d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs.js

Filesize
11KB

MD5
e5042b2cc0f0b4d283fe8d2ac31b0590

SHA1
f0298942b25b11aa0a19c6a756608c04bbef4d89

SHA256
50e7b178eda266272b25428207e5b1974247ed97baa8ab879b055207be9619fa

SHA512
0be60cc765a3f2748add5cd98ec9b702f415c191b331af437133ca6c1f6ecd4dafe8ed4e6e8f51344e71e08f46d5e9372149bc22f092120e85192047dc458c32

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\sessionCheckpoints.json

Filesize
259B

MD5
c8dc58eff0c029d381a67f5dca34a913

SHA1
3576807e793473bcbd3cf7d664b83948e3ec8f2d

SHA256
4c22e8a42797f14510228f9f4de8eea45c526228a869837bd43c0540092e5f17

SHA512
b8f7c4150326f617b63d6bc72953160804a3749f6dec0492779f6c72b3b09c8d1bd58f47d499205c9a0e716f55fe5f1503d7676a4c85d31d1c1e456898af77b4

Download Submit
C:\Users\Admin\Downloads\38e14b76-1046-4656-aa65-99064657ac27.tmp

Filesize
54KB

MD5
075bd7c7425075e83c8349e77fdfb81c

SHA1
8f82b6671e26d8ad5870d2b1a55b0d4bca6768c7

SHA256
d25dbea90e1418bd64a0d1a8a6fb9c35be67ab136182c10c8ff77ae849b5c693

SHA512
2895b3d56459f8c455b5461621199a9664644c9ef359e0173ea2be9922a59a08b0a9cdef102d5441e6a41a0eb0de2ee876802db250121dc7ca9868993699f4cd

Download Submit
C:\Users\Admin\Downloads\TFSMP Beta.apk:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit