hxxps://www[.]mediafire[.]com/folder/3is42kz6mwjhj/Files

Resubmissions

03-10-2024 20:05

241003-yt3b6stgmp 10

03-10-2024 20:01

241003-yrpnastflq 7

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 20:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/folder/3is42kz6mwjhj/Files

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5204	S0FTWARE.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	S0FTWARE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2268	msedge.exe
2268	msedge.exe
1280	msedge.exe
1280	msedge.exe
876	identity_helper.exe
876	identity_helper.exe
5608	msedge.exe
5608	msedge.exe
5300	msedge.exe
5300	msedge.exe
5300	msedge.exe
5300	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3860	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2500	7zG.exe
Token: 35	2500	7zG.exe
Token: SeSecurityPrivilege	2500	7zG.exe
Token: SeSecurityPrivilege	2500	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe

Suspicious use of SetWindowsHookEx 31 IoCs

pid	Process
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
3860	OpenWith.exe
5296	AcroRd32.exe
5296	AcroRd32.exe
5296	AcroRd32.exe
5296	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 2456	1280	msedge.exe	82
PID 1280 wrote to memory of 2456	1280	msedge.exe	82
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 4812	1280	msedge.exe	83
PID 1280 wrote to memory of 2268	1280	msedge.exe	84
PID 1280 wrote to memory of 2268	1280	msedge.exe	84
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85
PID 1280 wrote to memory of 2548	1280	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/folder/3is42kz6mwjhj/Files
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb53e546f8,0x7ffb53e54708,0x7ffb53e54718
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2308 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6904 /prefetch:8
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7560 /prefetch:1
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7680 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7396 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1744 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6096004811325846316,6330306374396945424,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4060 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3092

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2044

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3860
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\S0FTWARE.rar"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5296
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5744
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=0FAF17E1AC5FA46A8176F114AD54A4DA --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1648
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=898DD51A9D0F6D2BE144CAD21E999B48 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=898DD51A9D0F6D2BE144CAD21E999B48 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5100
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D6A458875E2EEC4BD46DE85D4F83414F --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5460
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8AA1385BBEEF18CC7A4B281B8F807860 --mojo-platform-channel-handle=2356 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5516
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=D42D8BA1B70F5B8E04CEFD5E6BD09E58 --mojo-platform-channel-handle=1900 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5440

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\S0FTWARE\" -spe -an -ai#7zMap29267:74:7zEvent32520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2500

C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe
"C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0c1c73612d3b6d1ee7e94e6c966127a5

SHA1
48e9d19b81e3a08123afb38e4e93fdf6d5edc667

SHA256
05f999840dc66733baef1ab4f400495a10017608cd720ef0230d29eec2f6a855

SHA512
87c122d3f3ddc3a64c4493ca9b8e5b998a949cca462e7bc8cc8be91d756c0f720a41fb36dd212ddb4ee672f03e734f907bbcd8d6f274e82bee6cafdb435687d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
a833d295eafa6fb3a1addcf9656330c0

SHA1
830ca27849365a3ad2f7d53c6d7fe2952676148c

SHA256
db21aebe6f4a111faf0a40d577e39944d5a2c1b4783fd778466bcb302f9fde59

SHA512
5be97767991d14c6a5b34fab2e684c8e481053b5e89f9449735d27b4f4557bb252b98cefc4c217c09a97ca6582ceaf017451a659961c014eee94aacff0d09a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
5df4daa39d3f1c191e9ebf47f66452cd

SHA1
a9ee40ecb3e95742eef6943d164c80bf1bce135b

SHA256
5f0c435011a6acdd80375fe4ef471c656c8dff92842b3eaba4ced5c60f5893fa

SHA512
5d8a5bf017480616757aa88d473ef4bf9438f7e0bf4f7bb3c3d5de81920b2ae293b65d2982964f215c83693502fefe23c8e2f6d381c68fdd7bd36f752ddf361e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
b7df57b014ff5eb75d369397a095d379

SHA1
ef220ddac64cd1a134d6fac0e2f92a79a6b20a3a

SHA256
88c605617674bfa399e4e46662c58b77aaf3b5bf79455a53a84938e6ec6d8105

SHA512
7964d033b2df5cd82ce5e2232dd60a5fab556b72bef7e47e116f34370bd28ba5f214820c1e3934e64e89ed75c6e5568f56fa0e575f35de3dbd939948ca44d06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f1f70fe6aceebebd783fe11c13849a2d

SHA1
5fe76d43bc41aa3344a9bccd7df2d2b42df78595

SHA256
a6d98de11b2ef7c806631885e4e54de036272603946f81029d6e6129529b4c6a

SHA512
8800ae05e27eba57420e18e261f42dd3414c5b2955abc7033d5c77f30a29bc73ea4657cbdd8021699ae7fa9c46d6864f79789fe7fc8ab5e76333f5f99dbe2c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
536d2720677e6b2b244cb91cf9a6a606

SHA1
696d96d39b4f0c92a9257b97216c9ba685c42734

SHA256
849673d935e3b185d6f764398c22bb9767dee93e6195c9b93d5dfa760d7284b2

SHA512
0cc03e80aeac397c58386651764ae6e2b6c0b85e7f767cc9cde1689baf650ca6cb09b55553e6eac78e69e86d089761adcab8cf705e670d50473823f9818dc408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
e29c0b2808728a0ff74e5de8651db820

SHA1
8640de72877c1d4d3f1fa220dc1f74f25ca81f40

SHA256
b99c2be2e3f7455373e49a2a05d36fe12cad0a1c6ab8960129d7eba8ac3fd37d

SHA512
a847755f761e7e942eb5b906dc6db2d625f758aa140acc866e4642080786b5d49f3c89057da5bced33ccd8ec1021deae31361bb8d9eb543c73ed104ddfbc2c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
d9106543e77a242d82c27589b379a412

SHA1
e50f32b2524d3fea266aa382f8d4c5c89c2e0b07

SHA256
5103333092c003862cdd89826aab1d63d6f079364198a600ed13ac508fc2c043

SHA512
75fe47ce039471ee03398afdc42829062fdb97427b24416cf9690c91acd1d700587b83c6b181978311957f8d6998acfd5f31250e747df6351452b94791513a81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
0748fb2383ee5b584a2ed06a395182a3

SHA1
799dcfa90cbf1fb015fe632c5e08705eb775e364

SHA256
6068de437b751217f8804d10ca177e65979eeaeff10dcbb62c80c1f1eeac32cf

SHA512
36628e14563005c18ddcd8540d96561ae7865e0a06cbf366aebf3e849a81ccc6c64be92aec04f8af6bcbfb7627a3a924e2d9446c43fab72568d761981871d295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
24a034ab05f3cb195c4039d047207bee

SHA1
84643bc7260df614d749ebd58d610a68f3b625f7

SHA256
010ce9ae1e19238f3f1a0aa5e63ef8d14b206ebba9cc3f0219a386937e0dcc96

SHA512
417c1c4e8bfe2a14c38741b5cfe502ccf4f94fc3485cd395c89cd3f54edbaf377cc79b658a2032720558904dd29536f0bbd7f45051b1c2dba99d3a65fa984829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1df38b8ca2de3014fe76f8ca3ec5d492

SHA1
978f6f2f4bd460cca00e1ff135601fd483b60bc1

SHA256
69e868832c3ea7879c0eb3e480967484e6db2f37d548a5467b6214b721d95b46

SHA512
5f8570542bf49ad57e83e2a4a3601746c335ab7dd5d4850295d999d041579fb249bdd7a2963b43a7b9c30fc00ca782fed91a5724a19f1f025c7806a30a01d24c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
cac82c2b67f8268d1a77da8a687be2b8

SHA1
e3d55697bb2164815dbb9212f5a6567c3cd41083

SHA256
ba8b1e2dde26e7532f75c9fd2782593c965a2d2278ca35571feea1a7d9eeb751

SHA512
f00564b4653143ef44d25a70a69e35ed97f9bdb2af384adde4e1e50628e9cae69940036b0046e9373fbe1097e089dff2e84789d47337ec76fad3bf772cc9af32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58146d.TMP

Filesize
1KB

MD5
a5cce85e0d81eff16c5e17673fb728dc

SHA1
394e4af889c21235d153ee76c60be3c8d9d4e5a8

SHA256
66b918c240d91184871081606840e1043f0591dde59d98ca2fcc3cf555b36ec9

SHA512
0700409771b1e46683a38ce19a0320db47e3eb7456c9cf8ccc77883d6aaba0f91ad8eb7ded63271baff2ee5fad2ddc745ed5bb260f42e18f0b68f406c3c32b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3340605438f2599b5413fc18ef6400bc

SHA1
1c9bdd47df99ca501fb9088c462665fb7dcc77eb

SHA256
71851ac565948623b5305c5f45312551d62b8557b5e7b2502f992861b022a014

SHA512
26a0983680d1ff2ce19bab9fa26ecdad73d0a099b07e53bcfb0fe25e954e67d1d9044f83bfcb0baaa4504293c5bd13d6023947bf6b24cfcf3147ba537ae4592a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5c9e3e5caedca4dc5e0b613bbd5c12bc

SHA1
96ebeda0194579f7084fcf56022cfbdd14a2fdd3

SHA256
d12a2a78e8bc4cd860f8aa359bd527e606d463f4a67dea7a03055e8a9fde8d34

SHA512
8da8addf93597ac5d123b0ee790b588cdadf26ca139d5a09aacb9629e8822f631f0231e7a0ea49d233d7966ed4ccbb75329301563422d74c89cd9fd4bb992dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
78a7bf50c3be4974d1be7abc74e34971

SHA1
920e064497c63ebc1c2cdabbcbe3368a3971741e

SHA256
2bc4069c011ad16c4d99d3c8678168ae81eb0a7c01f89b837f1d2404faec3c21

SHA512
bb924888cc282a499210bd70574c4e9e4d8869b8f760cce5637cf0e9aeb51739788de547c08d28216673e13f1da43fa53236c7a246547cdcb703f6f032e8aede

Download Submit
C:\Users\Admin\Desktop\S0FTWARE\S0FTWARE.exe

Filesize
17.5MB

MD5
1603ae955d010896283442534a8ad39c

SHA1
90101b5164c138f227d7add871c1f629bd6d083d

SHA256
34d99b2a6ed62e5080c9448ab3728066c6db5f997212ef71bd2705c79b19fc09

SHA512
e1c8d2ba780d98ff7a845543d35fdf7a2f2092d66295d82cfa07a0d6b64dda58db913967e4f595538f43ac94e88d97e3bfb762205f5588a675ba9abd2ceadb9e

Download Submit
C:\Users\Admin\Downloads\S0FTWARE.rar

Filesize
21.0MB

MD5
0e224047d792804c332b20bff47e0698

SHA1
bfd2d0b0d4eda8da547a7d0524a7f0430048f034

SHA256
8ff9ed4f63162eeaba8ec4780ffaa95e347dec462929f636962e2c2005582365

SHA512
1c23a95adf412841ed62f901b93193c5ffa8287b8ba02e244f8a34b6f6685c2632bf16b1f2ad9892b6ea4e11f91ce2ba64ec5af0199d3d54fea8a579c668f24e

Download Submit