hxxps://softzcr[.]com/dl

Analysis

max time kernel
268s
max time network
221s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://softzcr.com/dl

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4384	winrar-x64-701.exe
828	winrar-x64-701.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{889E48FA-D2DD-432F-BB5D-8098D65E91D8}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 134639.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
3600	msedge.exe
3600	msedge.exe
4856	msedge.exe
4856	msedge.exe
552	identity_helper.exe
552	identity_helper.exe
6084	msedge.exe
6084	msedge.exe
4132	msedge.exe
4132	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
5968	msedge.exe
5968	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
5068	OpenWith.exe
3660	7zFM.exe
5604	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: 33	5256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5256	AUDIODG.EXE
Token: SeRestorePrivilege	3660	7zFM.exe
Token: 35	3660	7zFM.exe
Token: SeRestorePrivilege	5604	7zFM.exe
Token: 35	5604	7zFM.exe

Suspicious use of FindShellTrayWindow 51 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
3660	7zFM.exe
4856	msedge.exe
3660	7zFM.exe
3660	7zFM.exe
3660	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe
4856	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
5068	OpenWith.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
1224	AcroRd32.exe
4384	winrar-x64-701.exe
4384	winrar-x64-701.exe
4384	winrar-x64-701.exe
828	winrar-x64-701.exe
828	winrar-x64-701.exe
828	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 3724	4856	msedge.exe	84
PID 4856 wrote to memory of 3724	4856	msedge.exe	84
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 4088	4856	msedge.exe	85
PID 4856 wrote to memory of 3600	4856	msedge.exe	86
PID 4856 wrote to memory of 3600	4856	msedge.exe	86
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87
PID 4856 wrote to memory of 1896	4856	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://softzcr.com/dl
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9f5746f8,0x7ffc9f574708,0x7ffc9f574718
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  PID:3428
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:5268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6644 /prefetch:1
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2128 /prefetch:8
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1756 /prefetch:1
  2⤵
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:5892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1124 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7116 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6148 /prefetch:1
  2⤵
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6684 /prefetch:1
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4624 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7516 /prefetch:8
  2⤵
  PID:5324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5968
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4384
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,6162630128576220167,18378141355550792607,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:3804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x34c 0x348
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5068
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_-_##Latest_Set-up_8485_pAs$codE##_-.zip\-_##Latest_Set-up_8485_pAs$codE##_-\-_##8485##-_-##pAs$codE##_-.rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:1224
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3112
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5027A1A5FA27CBC6909B647DFD614DA5 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3940
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=624227C2B04AB6DB8C91B09C4A1D1B21 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=624227C2B04AB6DB8C91B09C4A1D1B21 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1088
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E1264E2E341B0223B9D5829E3EE71F63 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4560
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1AD76BBF4DCC653D666C088A90CD7F6F --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:356
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2C8B7108CF1CC1136DF125D08CF588C2 --mojo-platform-channel-handle=2380 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5636

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3660

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\be3a4079c60345c7be3b744114ec94d8 /t 4984 /p 828
1⤵
PID:604

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\49ade96962a8472b94f8156ae5e31991 /t 2636 /p 4384
1⤵
PID:5684

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:5604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
581310f7e719695007bf3fe0595e269b

SHA1
f4102f27d4c13305a5f82ed4e2ff1e90f6621592

SHA256
ec3bdef5cf0342bc0d34b55a5d01a06837612516ab7c3f39f9f5cd0b1233106b

SHA512
9aa6e2cacace92eb2430a7c74e82cd024d5c8855683cb4347fc8fbacbfde6cf16b600778e084139f59e13724fb4e811cd050df54a543e0bd2e619f9c1236db6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
47KB

MD5
0d2283b0df70bc0217118f5c6d1fd836

SHA1
0aaa2e0daa0f0671fbf7817e222fcd777be523d0

SHA256
fb02c03e84b9a15ea357644f15643bc90eb9c6ef6532e1c82ecd052df34c2abb

SHA512
16071fce7468cc47fd7a57dc6913cbf41e142fd16b3f145dc30b13fb4a84a05fa3211d3b435ace7378c76682a1afc49e45d180eb88f6d32b0deaa2266196b2f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000031

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000032

Filesize
67KB

MD5
ed124bdf39bbd5902bd2529a0a4114ea

SHA1
b7dd9d364099ccd4e09fd45f4180d38df6590524

SHA256
48232550940208c572ebe487aa64ddee26e304ba3e310407e1fc31a5c9deed44

SHA512
c4d180292afa484ef9556d15db1d3850416a85ad581f6f4d5eb66654991fa90f414029b4ce13ed142271a585b46b3e53701735ee3e0f45a78b67baa9122ba532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000033

Filesize
41KB

MD5
60f8cd04587a51e31b51d1570d6f889a

SHA1
88574c41d0ab81721b275252464da5c7927a4835

SHA256
27cb4390e32a97375dd4987ae000406933bceba5199f17893711e782333b81cb

SHA512
84c12448ac55dd819749fef9be9919111a3df4bc51e66d2fa9f7376c11c101ed1349cb36aa119aa873cdd6c0c91027e201fbe23c2c83b89bc900a4d9077bcc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
1.2MB

MD5
038c1f469deb6932520d09a340856ebc

SHA1
8b361a8c0489b69e9ef4e132e36f20c161c5ec1e

SHA256
5fafae77cfdc093baea4dd31485ced7dc4ab8e734311b3c2aaac1dc2ed95f451

SHA512
fc3123f11323a9f18f5e1bb31c61fa229e0de8b6d07bb01b220605cfd9ba499ed63e76be0b7146e096412cc94486bdba0ee102982b38b258958c6327fc6bb6c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
43KB

MD5
d9b427d32109a7367b92e57dae471874

SHA1
ce04c8aeb6d89d0961f65b28a6f4a03381fc9c39

SHA256
9b02f8fe6810cacb76fbbcefdb708f590e22b1014dcae2732b43896a7ac060f3

SHA512
dcabc4223745b69039ea6a634b2c5922f0a603e5eeb339f42160adc41c33b74911bb5a3daa169cd01c197aeaca09c5e4a34e759b64f552d15f7a45816105fb07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003c

Filesize
27KB

MD5
f930621607e050dff86f94bbf4806b73

SHA1
d06bdf16d5794550b78713955629c465b6970676

SHA256
fe97ff9a43f7f196dcd9088da3818e6f80ecdc2ad8937a5bd4a52c8b3979a09e

SHA512
df4c634c95cbc63c44c0f884817333fdb3965d225fbcf008d134a12ea99d05965b043c4f74bbe57f8356fd7f698fde30fe34638387ffcb8ca1226fe7c8b00cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f1c36880eb7451c6bf34fdef85acb882

SHA1
d719a9aa2f11172efc15b707d31221c9b1e49596

SHA256
d5a62bf2185b4811792fb6121d91918a4f116dfad5ee523f1ef5161ed5b75e2f

SHA512
3a6a731fdac05f95a53abf2903e2cfdb811271ecefa7edad30e54bb433b82a554330bcff3461575670a8f0c7d05bedf3b2e8f1fd8bda71740be38d49eb8f0e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
da9e7e1d7c78c4fa683fe9bb1dc390d7

SHA1
ef5d8187a5188c145d0f4c9a0b19f4f7627ac0ef

SHA256
dd3b052bc2783fdd140952b1128d5381d434704f7901ab8f4c12234e5bf2a4ef

SHA512
229191eed12a0df0a78765895814da5aed3f9cfe8ba779010d5254a813ff94440284cf06e6c7d5d6ff62cd317a04416acf5e825cca49ca9328271df28bd7bd10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
871b87d4869e629f2a65a0c382d63c7e

SHA1
dee5c03ea1b899b7fd16ce4909b2741e1c71cbb9

SHA256
4c0e9f4d38c698f64bff9328fb246b35c0ec7de5fd9f3fc54b7a82f901a9f124

SHA512
03e3d025f68ae70ebf72f9b65aef482a419036cd4dd3758180d9661047d97420de13fae8ae6b51a752da78c65fd3e82540cd5eae92cf39a5d1cc35c8dfb20efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
97aa02903425ac80465b035e4289a64a

SHA1
d7cb399c313993ff3313bff1ac3c5b36970bdaab

SHA256
750c770e4982ab80d74399ad763704e2aed2cb86d789f21d04eaddedae0793ba

SHA512
051268eaf776823166b91e60f0f8e38185495327e1d864f02bb8e35ac8c17bd8c53959f8613ad6ae4cf1e65fa4dd167c0ef45831e36ec59ed99bfbf047c34eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
bec668f4bb3d2057a4b20b9341238243

SHA1
97c99b11c0e88b49d68b28784b36d8f2f4ebf3a8

SHA256
d46b26d8aafe7fd40c70e5bb67a6feaf1103688965efe59a30563bba8bdb5b2c

SHA512
a7ae6087e96a9a3fbce46b92b9b6c2b5405b4369f694cd8fffcbd14900585682e9719aa159e0c94ba71d66bd2bc0b811356889d96bcf11823c01159c6f1b50c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
251ec45be2314287b7ad76231de8bfef

SHA1
ef76594dbea481705e071a294e36127061cbad7f

SHA256
58dacee22bd5e376c8d89fb57c48846689f4890aba3b254bfff8c54112ef5b26

SHA512
0c5640389fb96a246324afdb01f8ab41c98503e270afeb1aecc6260e55faafc8ba7e2ae235d5df97927673d4f45c1464e5d1ea4768a1923ca544ca439ec0e263

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
e08ea792b729f295d8c43b92b4a2af39

SHA1
cd2f46ae9c32925ed091ed66c1209aa5fc47bfb1

SHA256
d31ff8906d9d8ddc3171aca8ee25256981727227ac2dad953424aa61a6384506

SHA512
737a5bbd840ef4cfdf6896749d31aa679db48a26a2d743061d675fad41fcd0c9a0765914d66afe5c1e2feea22c15886bfb5005d10e8d0dd33877b3ed2182c5de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
365bf2234f11997d03eefd04fa3132e0

SHA1
d8c3ee584fd6804f17fd1fd322ff9eeff99e3ac5

SHA256
c6922c8ceba027855f6f2a1306869da3f7c46cbe69ff56ca7583d2275ba0a101

SHA512
7b8ac48f931104465fa40d12b68bee9d0545badd6e60062fc10c269c745ff6cf6599b2ab474b1af77acd26e5ce2441f830907eab5ea016fd0f12e30dbe4dec88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c27b2d46e3da4595651483b4f7711496

SHA1
7ad7219074b1375d78e7c3e8511af07bd106d8ed

SHA256
4b55d09868c6b1d4b8d8f0dd44d6bd965b0d7d6a91830e6ef4b1080642926e3a

SHA512
0f1459341ab822649a3d02e1fa5e0cf55af2f2c1883d46a21c2a8991653280675660d8dc11f82a467894baad08d5152ef7d2bbd71ae79c95049d5b937ebed094

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4138f66eb6884671dd108a90dbef90db

SHA1
a08c0a37202bf5bf1083459ca1c47c8a853fb8e0

SHA256
3f38967daff62f575ec337fda033f147935d8cd0f9387c5687089a52116ed955

SHA512
afa22cac9b14afb9e1b05ce69ab05d2b78a060607693bfd5f43468fce838f06c1f23e74f25ecba6375a1854fddd8f97d334804319f0227cf07e7a90199c2a145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
46adb9f7ca166b8b5aa2459b34705477

SHA1
733be77423879f8df2ee27402b5cc265622cd3c1

SHA256
b4dc3f54fca2b0320204568907c65c539775917e495f6fe3346d1ecf46de8ab5

SHA512
dd2df8ef173058f25555df5c3cf28af85f2eecd49578f0d3564b7bf6318f3581b6b55979a6d1417d86a22d058b536f0d92b0e47b5714101a65c58ca80ea9a9c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
71c4255f4ecd842da216f9a533c686c9

SHA1
ab478621a77a480c5da9eb8d9d98b81e5eae172f

SHA256
6e65d8f131bca173ad4678932ef110d073772aa70c90184b65154ab2e868ad94

SHA512
338ef8fcd0387cd4cd1db0bacb521a4353bfd61004d30b49bbf2fa448416abc23814c1b041cf3dd5a9e04c5d9298bd048dd339845ee6adb6792933d198fbe252

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5e28055ff40d9c584b44fb1912432e87

SHA1
000ffd2d5371d9203aedc878d955ad6d546bf12c

SHA256
ee0503b9519c6c67315287b5c3f71372f93c97588bfbf2a068b983407a1328cf

SHA512
9807d00f89b4ea68980c0e5485d0d01009de1dd95800c1b1a3c5fdefe376bb09984ea16a4440279c273ff17964a551d265455be5213ef9d0637ea5d1524b554c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03856d049885e6a8f1ec18048cc71570

SHA1
eef2905ef5a791a2aff232e887e5198828521bf3

SHA256
93dafc316a2ebe81f9abdd5b54b23c3afa2c9d5f34ac410e4f0d214aae0dbcf6

SHA512
d65b2bb86c2b87a31fa1a0b06db90f689fc423dc78cb08fe5698352707c046ca816db148382e9564e8057ba3628bcc2049ea1aff9bee70133fd2238050c60c20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
0af673a73d642856fa21e0608a176adc

SHA1
4a66d64498a1110b5272fe1d7f9d12b32db59b50

SHA256
13adc7d9e0d6b65ccae9e3d6f8fcf8bea6accf7eeafd047f833b0fa7b49f5077

SHA512
de254ed069e097535e18ce254f5ba53e0fe4b0d3472e7988b0b0dead9e21c973ce35ce69ff5c19bb34c670cc132d112d7e49322a3de78d8c043103cd8cec56f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7ca657611198a167dd20bd2dab4552f5

SHA1
aaec45ef51e7145d4c81afaeb963216d660bd28f

SHA256
8cc859dd5f96fa5d7e0db47ee9fd629c6b5ff7ce7862664ef67f4fc1c0c2c322

SHA512
c0c2592087acc6b1f095693ef86dd566b3f8657fc6af0f174500beb494d42c44679dfb79113c27be5e86e3ec5ad3c56bae7918b49a56b7a71191a72ad02ee12d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
408d8b6ab7715e1d8610b1c6cf1578d1

SHA1
107b0613245101ce7aa9fbef67fe6896853beb53

SHA256
8adac5196ed4b6b21829020257cc114f9a5f172879b2496128074390acc4de7d

SHA512
1aa407aef42e2a3ee1a2e580455b959fc2baa44f055ce0822a863375967323b228cab7a420ce0f2be151ca56db3ec7ea3997791bcf11a9e7b082750314a70646

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
86d48ff4107db148a3e9766d31f1e76d

SHA1
6888c95050843dda37c69aafe447c97810dac5a3

SHA256
2f551021261a89ddb3d3aadef8e4f6062ca25b6a7efff0223b475d317ed87901

SHA512
40e537bd0da767d18b05c306b7ca52c989795596c0c3d82bc9cf5f5eca6dc69d80555c37cd2f6ce46690b8bf7e8b69510cb79eace6d96db66968b9848f31e425

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
708469f71170482b6dae5eb496be8bdc

SHA1
6fd5b21847882582751362110aa6253a915339f5

SHA256
05fa82c9dac7d365fc6414d7c31daf1f7639e4a3aadbb1d7b56513a739699d04

SHA512
559eec83b2df0fcc40d0f0b19f09418f45cab08198266f956a11c06acceb2480d0f5a81f46920119d1bac6c2790068f8b187cbadd0d78811e61a48b9fd220412

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
e3ac78bcd4aff2355015f230f28fd6b9

SHA1
d0e58bc2676c901a314dbb1a7d3229f74aaf0038

SHA256
9c434075ceeab106a1e1307efdb2a5472d9770f61325ac46450427d91d8b8fc5

SHA512
93c41c25027d060b40e069bf574f6045e896ce7d850156e57eae955f09d83da2662ae41ad12a15d0423258ee6790d4fb59db348f5eb75098e0526567bf64024a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58659b.TMP

Filesize
48B

MD5
5337393e7577a5cc9f8c2a7fd274de36

SHA1
370f5eaac38381dc3e93932db473f7a8adab6e34

SHA256
4336aa27359571d65cf3bfdad0eb9bfcee803c8bd47a24f779e3449464f458e3

SHA512
2732d5e8fbdb7ab4c60e971d42cdcf12314d2b7cf8ae60257f204eca0833b427e05422132a9acbfbe3dea11ed8760ef8e8bb92898558e5064b6fbb5f8450883a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b6e699aba330ca8909aeb0b2a59f382c

SHA1
4372d2012eff9d8cf2268cf04bf82de371f9eabb

SHA256
ac73b04cdea7026acd423882c260aee39098149d9fd5e1554b28551ace3b50ee

SHA512
9523dded0adb4ba39cc59b32977149a6e5e7376029d974bfc46cf12f817ca1ca173f5f0690c1535198abb3943c9316a330d20a5f18bd1f08bdcd896a7ab77dcc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
37db39d6ae2110934b8c53330f55a2ef

SHA1
ca8c859661b3da5b09d6c50ba48a3edb2e6a6d5c

SHA256
2c86245c91bbabc7b38426b8a06e3510d65e05ba73c4171a4062acee17cfc8dc

SHA512
98401c6923dc55d9856aa5c453e6a5334d2a192854188de422800815a0634841bc095ec8f64ddd1b96195d35cc76dac5720deb87eeff204e75d9d830aca894f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63aba03598a75208156cbd320014e244

SHA1
6eef3fb685c3f388950c3772953c5c36c21a8b38

SHA256
0d4982d15b2b1f6903124a7e856f7b97f24e980fd0bdd9b7c6f648958d6c53ed

SHA512
d1a449bd829e2df311463e6ed4c6d23b478aa819290e7a88ca95711d932594cf0735f41356047bcc9c09f8c85ed8d25d18c2abf7218f9fdf1420469ff9c91177

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
58604ad7b1ce70312a49d749bb68f971

SHA1
03855a83c3992613731f7e8a18b2cd0a4738d9d2

SHA256
622782cbd242c050f0d6a569798fee4efee9fd3fd0c9e1a01c577ab7141a240d

SHA512
8b5bfa6fbd043e5844d17c67fc7b70329165c21fd60ace3b9027e6ec8d42fd2a47b0f2942cef5b14a79da5cd5b354f43bca05afa7eb0fc3ec51a7fb3d26326ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c63f19eb22678cafcba2cdfa3d11a13e

SHA1
47b1af2cc36e0dcc42ed296315fdc5bbb1d280ec

SHA256
de36108222e00f7dc3a3f8807d6d3bc436f4d0889eb0e67796b638d8e29e3521

SHA512
91c13f346bc26f74d9cc5d1c9c366be91657b02a5adc2d7d89fb2376ce66e613f00bde4bd1f3647c7e69200fcd138eb1410b156b8f986d486c04661d69790af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e058d6296a254abb1e54b11992b684b

SHA1
05dd89aeb579abaf25e0282fb1eaabcb569d2e45

SHA256
29bcdd860a16472bca77fe16def5edbb3e6158f8de61988a6638aaa17cd2ddb3

SHA512
2c15a83b98af90471ab61fea2c9352a7233239adaaed42f852e73127ec68b8ecb8d5f7da5b2049b2f119c1436c0a1cf9e280015eed0a84b858287377e0f8f6d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
868ada7496aa59e15206d59428a7f47c

SHA1
a30791a0789af15602a8bf86cf79c50cb4f3aade

SHA256
be16f396aacebca05f220313f9761b09f7564cf815e2e0ae26ad522df35330b7

SHA512
8c8d8b91c26bf663b90ef6e2231764990024ab43d54edf1076dc9d9ca4298fda64cff69d7c4561179d79a317f788f7ef0d111d6bf164031dc8e1caa24ce31521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe583488.TMP

Filesize
707B

MD5
67ee891d88c116f898d461c64f7631c2

SHA1
97b1afa6289c43f847c378203cd3f46d21b069a1

SHA256
29d86a4f292767278da4d88c6213b9deaae5498b4489803c8cc3cd6d937f1ace

SHA512
db5f3794a48b30436e52db7778663d97fc4d3201e6d6b638cb67a8d7d5a3c0ca31095984f46db7242671fb8b137c4e8a8b84807b3690e12149a866a31ebdf203

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
2116739691456ab2d97f7f9229e18a24

SHA1
a059671dba859b5d505d3262c0f305e374d63fff

SHA256
5ebf067ec2fbbd43e15030dce9bd49ee2d97655c3b4ea7519ea3099a6d11d573

SHA512
15bff0348f5d5229e8201c2f827d0e4bed49d53d03ad1d8035238d40c1e0b2ca79a7de0fe4e7ade5b639851517ea76b25b28fabfa28e052ec71ddef3a55f2459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3d775f407fef61b7836154e7c3c45ef0

SHA1
61b13543494327d1785b91063808377b3635079e

SHA256
39e618a6cf83cc8e19d204193ab0b0f32b4854759a9d88f087b8bac47d9cdb3a

SHA512
a67a905e6a7a459dcca66911f519a1dafa9305e447204e139f0295e87359154c67e7a194886c21c43c275b704082661f8fd37d528e82f1ae2c1482677dfdabc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c6e6b3d88e43ea33e039a163d75f97a8

SHA1
69794999bc7d53d4939dedec270b7ef730ec8b88

SHA256
42cf42451ed92d306835b0d4886226796ae0093826269ec3b620c6407f1a0f1b

SHA512
710ffce3fa2495abf5eda6509327bffc0c8fe4af4d2d7e4f2a29e1f9664805783cdff5c0bf57e48f7ce09fd72a5396d5f0c5b985b9eddc927871f2a8a9e2220c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fbfb35f357eb6cf3a00c1c7a1ad4483c

SHA1
1ee2c11279797ac221b1e214f2ba391bfa72d204

SHA256
1dbaeaad3076c67dea87683276cb924debe288a283909795b1a91f904a90177d

SHA512
05344a7e283b4445ed1fe55f3b529199cf7a3651269ef139e79981f85df3c58472e2331ae708e654f9b20e6f02d615dc93b7b47baea26ba4a4811ab47e2e33bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
09ab6f856664ee17a35619ad9202abb1

SHA1
41d8107a4b0840b28b0d5b43babc6ddb234dc122

SHA256
e0e038a6b2c79eed1aa1d42491b821026b222274eaef49c24bcb44cd0e32af49

SHA512
f5b5ce68640ee558b8dbfc523fd698f42231e73d236889de0bb5fa1fb50f9258c85a4b3fb26049d27bff912e6ed2b4738db683578bf6a6e64de562d141c4e80f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.exc

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
0d4cb55e52dd333db4ed6976e7d74514

SHA1
24461b149b9b735aae36189d8d3e4bcfa5bfb8bc

SHA256
1fca726b00bded40ce5ee56ae9809e243817ddee1b739faebbf3fa6e7c791ac1

SHA512
a3750bb921f05703abe382012e88da65029989ae6dba9a6dfb09e97b550ac703bbafc2079de0ce6c1ab077fae04bccb22f997d5c04f6599217475608e6433692

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
3ea7fa365cf77d66c86e336e2d3b75cd

SHA1
6904712cb67e8f1c1bd552ab44a3b1d2be2fbdf4

SHA256
481489add3383eea88d27780e25c7a9da7088c0b3d1c42710246c00941fe3baf

SHA512
b3fe281c4ea7f8e57c2149ae6596fcc444392aa416acce25d79e0eb68931ddd04f99d04520d7d9e7c55dcf703b06ab1a52c87813e456d9cbec550370b6d196d2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 134639.crdownload

Filesize
3.8MB

MD5
46c17c999744470b689331f41eab7df1

SHA1
b8a63127df6a87d333061c622220d6d70ed80f7c

SHA256
c5b5def1c8882b702b6b25cbd94461c737bc151366d2d9eba5006c04886bfc9a

SHA512
4b02a3e85b699f62df1b4fe752c4dee08cfabc9b8bb316bc39b854bd5187fc602943a95788ec680c7d3dc2c26ad882e69c0740294bd6cb3b32cdcd165a9441b6

Download Submit