hxxps://drive[.]google[.]com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU

Resubmissions

09/09/2024, 12:40

240909-pwdxxs1akf 6

09/09/2024, 12:32

240909-pqyedazfqb 6

09/09/2024, 12:23

240909-pkwnlaxejk 6

Analysis

max time kernel
1010s
max time network
973s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/09/2024, 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	drive.google.com
11	drive.google.com
1	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2227988167-2813779459-4240799794-1000\{D1F3311A-BECE-4ED6-B99B-462D24A9D2F9}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2227988167-2813779459-4240799794-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Adobe Photoshop CC 2019 v20.0.4.26077x64 Multilanguage.rar:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1048	msedge.exe
1048	msedge.exe
1376	msedge.exe
1376	msedge.exe
4508	msedge.exe
4508	msedge.exe
4596	identity_helper.exe
4596	identity_helper.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
936	msedge.exe
936	msedge.exe
4876	msedge.exe
4876	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3896	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeRestorePrivilege	3012	7zG.exe
Token: 35	3012	7zG.exe
Token: SeSecurityPrivilege	3012	7zG.exe
Token: SeSecurityPrivilege	3012	7zG.exe
Token: SeRestorePrivilege	3468	7zG.exe
Token: 35	3468	7zG.exe
Token: SeSecurityPrivilege	3468	7zG.exe
Token: SeSecurityPrivilege	3468	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe
1376	msedge.exe

Suspicious use of SetWindowsHookEx 27 IoCs

pid	Process
3924	OpenWith.exe
3924	OpenWith.exe
3924	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3896	OpenWith.exe
3808	AcroRd32.exe
3808	AcroRd32.exe
3808	AcroRd32.exe
3808	AcroRd32.exe
1140	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1376 wrote to memory of 4724	1376	msedge.exe	80
PID 1376 wrote to memory of 4724	1376	msedge.exe	80
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 2044	1376	msedge.exe	81
PID 1376 wrote to memory of 1048	1376	msedge.exe	82
PID 1376 wrote to memory of 1048	1376	msedge.exe	82
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83
PID 1376 wrote to memory of 1596	1376	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1e9SMmskNRhaEtr30qZorQai1PrFlKDMe/view?fbclid=PAAaZn66jQ8Bwt0pAeJxnf_vhG3pZTi1RuIXYWHQoV-zKh8rWX4HsxF0ylezU
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd86ea3cb8,0x7ffd86ea3cc8,0x7ffd86ea3cd8
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1772 /prefetch:2
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2396 /prefetch:8
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6156 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6816 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6888 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:1804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1052 /prefetch:1
  2⤵
  PID:2208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5504 /prefetch:8
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6852 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15288160190529891366,5782085835881303836,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:1008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3924

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3360

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap12291:170:7zEvent16369
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3896
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Adobe Photoshop CC 2019 v20.0.4.26077x64 Multilanguage.rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3808
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:336
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=7ECF17F7F30B268864B02749F151E8C1 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3908
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=D53ACC8B2DFCD619B15D01D99EDFCC67 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=D53ACC8B2DFCD619B15D01D99EDFCC67 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:1600
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E35635BA2324B8CF07638DE326E2DB44 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:3196

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap22127:170:7zEvent31876
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\6f8bc6ac-a253-48ac-a296-d6e7fcd833ff.tmp

Filesize
10KB

MD5
ce5801d611d4388f6638c262c0f1f0af

SHA1
03f70002c257936ef1110c0e9449134bffd465f0

SHA256
4920fd88ed3151262d4a171559d449350965f4588a311a7037791bd4f571cef6

SHA512
11ba61b2748ad0fefcfea3b18fdcc02677c8cbb095d39534169e4a5539b55990159925f6d2546f7eb2fcee801964dbefe65b9dc58c1f77e102650222d56e370b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e2612636cf368bc811fdc8db09e037d

SHA1
d69e34379f97e35083f4c4ea1249e6f1a5f51d56

SHA256
2eecaacf3f2582e202689a16b0ac1715c628d32f54261671cf67ba6abbf6c9f9

SHA512
b3cc3bf967d014f522e6811448c4792eed730e72547f83eb4974e832e958deb7e7f4c3ce8e0ed6f9c110525d0b12f7fe7ab80a914c2fe492e1f2d321ef47f96d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e8115549491cca16e7bfdfec9db7f89a

SHA1
d1eb5c8263cbe146cd88953bb9886c3aeb262742

SHA256
dfa9a8b54936607a5250bec0ed3e2a24f96f4929ca550115a91d0d5d68e4d08e

SHA512
851207c15de3531bd230baf02a8a96550b81649ccbdd44ad74875d97a700271ef96e8be6e1c95b2a0119561aee24729cb55c29eb0b3455473688ef9132ed7f54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4cebb087-8d08-4b6e-a714-3d0d8e0b4b37.tmp

Filesize
3KB

MD5
766c2b840d80cb09ce88d37113314d39

SHA1
af8ce6b88fdc84f4c495b4a09a8c4ffb4c365e16

SHA256
c21b7a735dad07a016be8db60c3f542f20972a1515503751125ed080fd92f0cd

SHA512
d3868d2117f39a2b2d360716e2a8b871b298c22d581e403c3bfa9e6fdc58aea6a665e879f3c77c409c6354194222171a12b04ca8001b383bc03b7211b53a26ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
960B

MD5
fdaecf3776d06493708632978b01d3c5

SHA1
1bff9dc14388caa1efeb43d6e86e24e465cc2f39

SHA256
4abe863d0856cb8f5508f9fb63412486b0a59318b246eb250e37232bd2e0d7e5

SHA512
89df7a490b39791019994df5547766a2ff65d73e393f44900fc63cdd44419c0e6ebb82e9214c9cd5cb9232238d1b48bedae5a79de0e6c8bd18ab6a01844c8524

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
8e6b180ffa549e8f53105fb928eee443

SHA1
988c24ce2031a29d709e88623e3bb6984f45b49e

SHA256
0e964c1fdea6445edf7f133ce26e8521cf1833c5508e9388c3a2cc592ed9a120

SHA512
89788c6eee40fc693b2db3eaadad61d08b171828a6d05ceb9fbadf36bcf863fd66b7b59228d729d77609fe25248222cfda64fffc5c6d94ca8ced0ff65046a1a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
ac0c48c11c54478e6e52d2f4bd56a5a3

SHA1
98863aab1fa5778774f7917914ea0b9dfa156305

SHA256
8c3f47183ee29ee6f5cb4f31f7d2ab1020deda0d80a027ff90964397163c43dc

SHA512
95339c47a2d556b26e5af833c877c14ccd358e5a6e1a2ba2d4ba7c825360ff706cc703a40f86ae9472edf468b0371beb1cd13e410c57501d290fd2e373d30976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
3b39f6e3924d79b06530253a7d72e12e

SHA1
c3439bb6bd0a2c47efc16b0ed4ba665a78ee4cec

SHA256
9a07d010387bf5ade18f84871a96158fd6a2def3f3733b393d5426384ce21e02

SHA512
1433478d6728cc4767efc3da31fb3a1086dd0de73fc39fe5231aac68174a750fcbb6451352f571bd165b08b9d56646aa37bcbbc127ce49949a7114016c7ceaea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2f3893297a37d7cd1c690097143260f1

SHA1
9eb76ea5257721b474b0ff4a054870d9d282f693

SHA256
4aea139b9ee1acde2d8ef340fa67d5449334c383e4ef1be768b9ed6e8e8db149

SHA512
b68f2bba1cf501bb3a954add8859285139d7577a2af89db2657490890a8b232c630ae61d51a3a3415b22687d86a5a4fb6ea2351cb2f4aebb5155fd70f543dfc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
afb1a19df77b9d022e1b3e3797fb74cc

SHA1
3ab1ee1beca535eb84fe9448756410c0904e87c6

SHA256
7db75f3b5c8e9eccaf181aedb1cdd9b581b596d5c8d262468296e4d427d3d6e8

SHA512
a1aa21b101eed4675ab5c23aac2111453fba1d558a4f09c732c77c9e8de99929835b55bcd1c7d61bf643f5ef26762d127a65d8f1501f8a78188feb8a05f55e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
ce0e98ad234e4e2b40a9b081f71f2b8b

SHA1
0e446e48d245d4ebf330ca6b15fff4ddfd8a5b84

SHA256
7c0ecf30dff02ba64454619a9f798e00b0f64c8f4ebd21565ba5d5a5676a336b

SHA512
ebc2626fd2ffbcee87d4e19fb6cf55e6a089bf1ca92d0e97281de02516a08571a8275a03c9cfae23b1c725101b1f82114cdf13871efcd373d993f45727bff3b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
08b8bd77964a70a424ce4c1c7669860b

SHA1
638ac4927dd53b4cf6034d7351a0e2265fbd5735

SHA256
1dd437e5b9a03392628d9ef0a5d692cd358de9ed3fad2cb441617fe441380191

SHA512
7d773c94b45f1b371691ef8cc9a5baed28353063bf751de0b8c1818aada039775d685933b59390bca4d82bbf3a0064d31f3b105f0e6146b3dcf1ae3c05f12771

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0c6c4f1dcd4377803d0c9132639afc87

SHA1
c6eec2b14ee553beeb19ff295cf69fc3a50920a2

SHA256
554ae2f1964be2f641c5812bd0cbb129edd9e91416a728c1a2dd9279e148ac71

SHA512
56be1b21b5b8276c96e271d2be82d8d74a42b3a603eb68321bdc712093a32ff28605d8a4562d36757d4418606e04b8e9b718016d0753db39b6ca7a921e626183

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
64163130032bdfebe55aaa6c68777c0b

SHA1
8d7981c780ce2ea358956dd053d7c4cab43b615d

SHA256
09c78fd4788f86942adef60fb37f6f8a14a22081a29a4b8735e05727abd1497e

SHA512
9ac9cc26c6c7ad93b5fd72a26fede97005ab35bdc81780403efdbbaa91e53d1ad10af79dc61fb62eedf0a7aa0da2f9b5fbc507665308d143585bc6c3a43887e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
8ff18b8a823bb91a320ebf8ecd69ec46

SHA1
cb19660fd28ed9d35091bee4fa1e0da3fb3cc90f

SHA256
73e06063b79cadd52afc4b10ad945c60227c7bab747d800ff11b83b33e2a5dd1

SHA512
863bb0458ce5ad90f65c6c7055cf72f25e1d8a8945be7e4fc7e2ee293f7204b2134d1990681ca34e8d8686560dfdabf7a64fb3c61e69c0d6ad74cd5be5054980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
97afce415fc2edff6433e6980f204aba

SHA1
7fe767989525969fe77c327484b1de2c9358aedd

SHA256
29736af59a63cd062bc7ce9b1b8176b1233fe4c6cebabff592313974db2a6462

SHA512
911ccc8ce7d91aa3dbe457ee1a935ff35fd4251365982c62d00190e44693917f0509e311306a5ec56bac2fecb2fbf06210fd747e6bf3b03a1d62530a91b955ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4103495e5ddf5c6457b14d00cdec53e1

SHA1
9b9aca1bb0844f2d7821a9a830ce410c4889c83c

SHA256
0fe514ec71b403b4b5247f47d99391642bfd1b54dc590ad219c36339b0166c5f

SHA512
c19ce8ab32c17dbf3934008f780bd6def2fe784fcd83b623538a5a988f853cad2be12582318c1d02b3b3aa91fccfb0b9dc45c66fcb5aaa8267367e1aa99c6912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3cdde7673a6f33141ea4ed6a003a3e40

SHA1
fa435971c9d10ea61e7e9e93d735c60e8084924c

SHA256
11533ff7d3cca9d30b7a4979be97416130e5d6830583a104fcb7c3d341e08679

SHA512
2895c367fe4be9e0eec9340cc9a583fadf0ca5021f84fc89239da4b55582d1fc4e91698ec804190ded98664b25296ff4de9b50cfe8393f17ba9d6a3dfe760e91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d1212cedc4d3f4b23a172978d477116

SHA1
d46142d5026c597f3d95b9040f06d8c465aa0c30

SHA256
e368b64f4d93dfbad3388f17c103d22562cf433b82b52d2dfd70ccc5063f0a9a

SHA512
041a5d54a1455fd6b4230f6bd2220963ebbe933f75a0f138fe3d30bed84ec80332ee276383b9ae3fdb32362c7f2a059bf4fa750fef0ee5bd65026d12edb3d377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a3638b00e10960c41bb5717f06acc91

SHA1
d36d99b2bcce483fa50af47a3805c9ca21d36c1c

SHA256
02666d51fef78186c129c67a1d78226b4564b307b74cd849fba41116bd051de9

SHA512
e668b2d04112e2b64e5f56c1deb4d51d73a8183997f4abe8abb0e65fda47d8bde4b4475174db340198944fdebb1ea4ece9dd5efa3d5fcbbdcdf484fb580c814d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fe5b90a53e23e4d42adcddfe62664b6c

SHA1
1aaa3e43761a47a872560e34c27d92d45731ebaf

SHA256
da56bf169e995134c8e7831f008562571046852d2579530027c4345501306045

SHA512
6cad2628773aab874b3787816e76c9ae0655d0d16e167bc000a1d250b80a000953c9b4781a192ca84ef76ec4df31b6bcdf64cac54b0373f9f956919b45d78c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a92a8bf354a9a548526dac61876c5729

SHA1
e32fb8ad9b07ef912f290ad6d794a8974bb53e34

SHA256
f7366c71dd040e4cbd0970842c9046d80e80c6790ddb2bb762afed5645b97ddf

SHA512
0c54d7df10ee04375da15b87ca02bba2e65f4d3b5e507fe5a8f77b9e6c3530b70754fb538a954eae8c94af9293de292c02aa4bfc7f791e1a3651b0dbea973585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0e253f9f63781414666741a8df1244ac

SHA1
f19c4c203a68eeaf36403f6d1edbb9adddbc5c68

SHA256
516827424fa138c63e6787ea24710660c8baef711ce27c9d7df3353758a52736

SHA512
25c14225f261e78e377d81472b129fe1d7f828ca38794c72f0afe5e72793a39c4e004b411c6f7e9ea3760a2edcdb56196aa574f00937de7731040d3876eeb954

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bf653.TMP

Filesize
874B

MD5
df2471d98b56feab855555322230e727

SHA1
c7c1fe34a9d9ff8f1088a60a1f33d307beebf067

SHA256
fa472fceae63d4704f2e55d3589d3a235b299066f118b9cd89c96cc39daaec3a

SHA512
633cf0eb388996ee44841bf2f21bb436d913793e7ff04a7c88f8d4c09e0ba2d8b88557433e90b938683d6020acb53ee314f01e110445f754ed33e89aad52b9df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d3b89f8b-6953-4f54-9266-ae4b669511bb.tmp

Filesize
3KB

MD5
af39d0c5f22a35b3d9565c7c7c732cce

SHA1
093cf195571c7613ff877d88965c748c3f96c438

SHA256
9f93df58a230730ffb0576c8d0cb4f9eddb5a07b6a85102482c76acb46d088aa

SHA512
d7d68cd146012f143664347d7cacfb1f190b0943a3f30b05c1a575de66e54e3b946b26aaed74ed3fe2dc3168d35e1d6e1ea4b3d07d53b053009f4c6c982800e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0c34326d3bebd525a297cef441a6ebdd

SHA1
ed1f0536e595214b36ef142c87e82efb8020ced5

SHA256
617009f6ddcebee31df402725c7264e8fd9f6e5ef17d1e02114da0ef9cca9078

SHA512
db845286142b7c5e34e90c65c874e53e4fd03a7f9ba17c2f940fe8811e0ed354bc76e9fac79ff0e7ba3242ba35a7502054977c448fa2288cad889f969ee11716

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
641f617c26911ce0caccd0dd138bdf48

SHA1
25c430af6c4ce378afa18e669d47ef1a52e2d84a

SHA256
161dfcca7052b1ef6b7ce8ca9f34ec8b2dbf7a2072a7c273eff8521ab197e0ed

SHA512
f5886e372e5f61c912dcb1d3154815f1d6122e7b1a7adf3bcb59f66b3d0aa84dae627d0ebf4f6ee6129f2c7fec47ca0e7e26793e3226ebbf7afaf14592bb62f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c4c456267c9075092e74fb3bc5c5fdd4

SHA1
8277bcefea806478c0200259e045829d0db273a2

SHA256
fabad71829646b29cd417adf7e5bd67b76f2dcfcc7dfc49580955cd883c318f3

SHA512
099db7a598d1a299cb6010c501aa81cda9045924b4bb56b6f1dd4fbfce03a91b2c89f95f812462cd9828753e8f9b807169e4df4b8fd014b657a4978bb0942df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4c6d38cba0461983d062da2c1d5db051

SHA1
89514c1a062528714a3ea724621bdf5e1b6d8426

SHA256
a005edab2a669f5c54fe0fa010455d6866d7dd66062ce751d357f72c8cc340bf

SHA512
891810d13d9c020ed0e8e6f8abeee3f2fb3bd054d95e065d0665e88fcb0296177e61aab9c43dcbff5ec69b3f0de7919635a894ed10128c7b8dd84d9e320fe895

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
a7f391566ceb7d310b04c1376aa66a07

SHA1
eda88e9134d3de209152481c9e8aa02054d4c2eb

SHA256
8ecb81fa22792fa6bb09abc86b9b5afb50773e2c5537def45dd8ba297f6c714e

SHA512
163bad20eaa9108286367367e6a54a9ac612026954ee2466b8f88f732a992695fe160d3fb5f092976ef15c1c1b71400e577a9a4833dfa616d7c9ee6a8237033c

Download Submit
C:\Users\Admin\Downloads\Adobe Photoshop CC 2019 v20.0.4.26077x64 Multilanguage.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit