hxxps://get[.]adobe[.]com/ru/reader/download?os=Windows+10&name=Reader+2024[.]002[.]21005+Russian+Windows%2864Bit%29&lang=ru&nativeOs=Windows+10&accepted=cr&declined=mss&preInstalled=&site=landing

Resubmissions

22/08/2024, 21:37

240822-1gmr3a1grm 7

22/08/2024, 21:34

240822-1ev1nayfrb 8

22/08/2024, 16:43

240822-t797qaxdkb 8

22/08/2024, 16:40

240822-t6nbkaxcnh 8

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 16:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://get.adobe.com/ru/reader/download?os=Windows+10&name=Reader+2024.002.21005+Russian+Windows%2864Bit%29&lang=ru&nativeOs=Windows+10&accepted=cr&declined=mss&preInstalled=&site=landing

Score

8^/10

discovery upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
5260	Reader_ru_install.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000002350c-88.dat	upx
behavioral1/memory/5260-246-0x0000000000E70000-0x00000000012ED000-memory.dmp	upx
behavioral1/memory/5260-298-0x0000000000E70000-0x00000000012ED000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Reader_ru_install.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 57272.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2108	msedge.exe
2108	msedge.exe
3696	msedge.exe
3696	msedge.exe
224	identity_helper.exe
224	identity_helper.exe
3248	msedge.exe
3248	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe
5476	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe
3696	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
5260	Reader_ru_install.exe
5260	Reader_ru_install.exe
5260	Reader_ru_install.exe
5260	Reader_ru_install.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3696 wrote to memory of 716	3696	msedge.exe	84
PID 3696 wrote to memory of 716	3696	msedge.exe	84
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2620	3696	msedge.exe	86
PID 3696 wrote to memory of 2108	3696	msedge.exe	87
PID 3696 wrote to memory of 2108	3696	msedge.exe	87
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88
PID 3696 wrote to memory of 1556	3696	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://get.adobe.com/ru/reader/download?os=Windows+10&name=Reader+2024.002.21005+Russian+Windows%2864Bit%29&lang=ru&nativeOs=Windows+10&accepted=cr&declined=mss&preInstalled=&site=landing
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7fffae2346f8,0x7fffae234708,0x7fffae234718
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2264 /prefetch:2
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6592 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3248
- C:\Users\Admin\Downloads\Reader_ru_install.exe
  "C:\Users\Admin\Downloads\Reader_ru_install.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2324,6898284181731131788,4882194736633750602,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4940 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
ab1a4dec26d98fde04e6ff8a13b53088

SHA1
91bfeb0985862c4ad0ed1e003b0512c10338d6e3

SHA256
89bb40e18b89a69cc802010ff8cb8d45d7eea26258ffd18357428a2f2687b75d

SHA512
b956532b3f6db8fa2cc4d0b113e2be874d14a3df423e26a3490db096a0672251510f19de1a8864678512832763d92e357a3deb8eeeaea00ae55ccffb493d5a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
05d9c7364c1c68edbb508a87cceaeb79

SHA1
0a19b4198a3f5bbfab26aca21c13948c240cec7e

SHA256
598c6829f068c85bf30bc94a23fcbeb8acf67503954492a2b90e226fb3085e6c

SHA512
6f8751ba4e24adebd79789b3c0673ef1542fb2e06d8ba539de913a6306f59b04f62dce5b34f1d69cf36369ff5d39e9937ef3e6223ca3131a106bc4d60d85eec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a4a4b347a62afd6c3c894dfc9d4a16f5

SHA1
1dd0b78c8f57fcef82a3f8a933189b0751f2d9f0

SHA256
79d9f6e2b6880d4d7f0576cfd012789f0ee69ded366131dc0eba82aaa5847fac

SHA512
4d503a16f6f68aba5acb29ae2716fb1e1fcf025a64e47c8cfe5900d95180cbd99025ac9a83736dc531ecc69929691f0f82359c7c10cc80d790dd8459ed785f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
65aab43364d2462a8961d7eeecffc7b1

SHA1
db5f675d3397dc373891a81ae6b7d23d35b7e1be

SHA256
7c5fc9de0b92fe49743913676cf3f9ca40a3bd206ff4920f0ab2308abcee50d6

SHA512
08ddfed9c755084111e9fb48dbe726eb07dd49e2f8c5741c83df7ba64626de1aa54517d3028940f35bc888fce10b4f9ec70bd193dc7f67d5c784e1391a5e6a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
633c425dc10076b602c6d511edb8ed22

SHA1
381dcb3a062c9bd81df3ba836ce0607b3fd011e4

SHA256
4fb8a229d28fac4f3aa2ae4a75aadf506f263619c8fed83e0484cd9a45738434

SHA512
a362f6157c00c4e8887b3683c9ec7714fed8945082ca2a399e768bdf4757a1c045a44b784d66359de7b9815a416aacc437530779a742b2042f54458b78605aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
04d3e4a2fd009697a11100db65605316

SHA1
9b5729be2f37f1c0b082fa72df4f86605610e5ca

SHA256
1d42c998902241940fd9f16b8e1b5a94a4b78d0aaefe5c28afeb75accc658be1

SHA512
bf2ee3e6d8b3a11c9986720fa2dee28a4f82013cd72ef41ab920f77217012757da987624ee5c41214ab92f72a7bffba1d0e874f0809fc584d9bb54709e2cdc96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4ec500e04e5b2ce3479e54e2494e8f987594435f\index.txt

Filesize
90B

MD5
c4a64cefa744f0ff37d17d959fdf11e6

SHA1
2c12c504b3861979fdf0139fc718afdb11da96e2

SHA256
cfbe080a9e5a46289a79ff802241c4576db996de6a58ece7f7e90b1e2897d07b

SHA512
93c9e279358a13d16ad63f51ae16c3cd62ce12da5b05311c5e5f2c01a4bf9ede63d569b8d94b08b1d0f9fe28aad8cf8363af286638827243a083187f81788469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4ec500e04e5b2ce3479e54e2494e8f987594435f\index.txt

Filesize
156B

MD5
089d1d9b4f10b7fb86629059acddbda2

SHA1
38421628e171d8a8418e70092144a782319836fc

SHA256
7930168aebbc1396b6f1664036e390eefc9d435a905650aad68dee74c517728c

SHA512
5575794ceaafbf42c3b9717ebc249bbf5f61547ec38686d99d5048e13b7c5dd3e5ef5816315994663f08d85bbb258c0635fa02c226473fcffeb5c1f80e1ef2ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\4ec500e04e5b2ce3479e54e2494e8f987594435f\index.txt

Filesize
149B

MD5
93cca2ca03f2358c9993986253aab9a8

SHA1
8639781aaa60cf06c84a7243c3c0a1e5c8988469

SHA256
2d9c1b8ba1832b1ee8d181ddea84f1d659dacd825a67cd805cb3b9685181192a

SHA512
8760d1c03e7aaf65113b9d08d5d8abc6add3f691211b1f122c78a5408e7bd65e053e2277550fdcc7c041b2ffb4b00d188dbc8b34da08dccb583d8b0f0fcd80ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f4ef5e3a06d9c917514cd568479cd23f

SHA1
9351442d5ab8bdc02b45e03cb719a0bb64cedd21

SHA256
20f85b85e413ca67a891e8ee6ec4d30c1a5f59ede508a5a25707718b32889984

SHA512
8bbc63eb4a209dfefe97ba8b77a9440614aa4961f1fea6e40264d6444cde585c096b5fee15e06bc0959a1cfb9f20e4f48d507ca54c63983d388ea6aca40b58cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f0bb88502f4880887f66f1ca53aa3b67

SHA1
7de06f7bb5cdbb57901f9e6c5f875620408ff927

SHA256
f3a6a254b7d3dc8521992b0d696cbadcf595444f9a4bb9499fef4297e8897235

SHA512
7916c3e5ab4de234d59eb4ca2353a956e8ea81bc03970131c7c52719d09ce6bc4393d097aa98a9d54c1bb0aba510d13ae5a78bf153f41892f311316a4080e5ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f6d3.TMP

Filesize
2KB

MD5
25e91fde57407ad0ed4a8ab8077f1292

SHA1
47b9235832bb28a6fe5bd993081e8a1b222089e5

SHA256
f4457d54d1ffc4c9fb9961833f69c8a0041fbd1ae377b00f220bc8c3588d7aeb

SHA512
0a7963d482525183304098360570adb0dc3df1a7210dc1acae76074e0de1f6e43efb98e9695aaef3f982c3318dddada4722d9495c7fb24f2a5e1e561e3df2c96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3a21507aa9b8371b4ba34089a2cd21bd

SHA1
76934856c577dfce29cf85cc93d9ffd377404c8c

SHA256
35157112948c4debf4a45753927287a04fab0806318a803ad84eee8612cb45f5

SHA512
bf3d9e79bd947e31300980286ad0c7101d6269efdef9a58925087db5e947dfba583a029be02bdf9827d53d27eae854ccd8d8be75b65265854ae191a0045ccf89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7add134d52f8a5b4108ee72ea7f8058

SHA1
cbc1e501415ba0bde744b330b3addc4898f7e2e8

SHA256
aa956ce82a6cd6c11c2ab74182be9132031d3060404c629bdff1f70281ab174d

SHA512
ca1e90ca7350d3915e56afa949adc9bb23cef698378a3beb3b6339999927e97a21cd127443f31db3622b74fde96357b259a8e7ad4949ab0e577d16a2cb7a862c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 57272.crdownload

Filesize
1.6MB

MD5
50663d00f6a49163f1a4d41fc60bcbe1

SHA1
bddfae54aee8d9f85884392c51041166df2279de

SHA256
355cca470f7f207650dc41fe0772a2df6e8b91b4c250474ce883df122f3c170c

SHA512
78ff35df6e7072d911f7239ef6fdd8ac6f9a8585fb9607417619d0e6e07f284cf90efc2788b3f11fc5dfce8cca54cb0b36843acb9d90d90a948599cc66c92f6b

Download Submit
memory/5260-246-0x0000000000E70000-0x00000000012ED000-memory.dmp

Filesize
4.5MB

Download
memory/5260-298-0x0000000000E70000-0x00000000012ED000-memory.dmp

Filesize
4.5MB

Download