hxxps://drive[.]google[.]com/file/d/1VpBRnnC_erXVp06OsZPaNOCorWLbDDet/view?usp=drive_link

Analysis

max time kernel
71s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2024, 06:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1VpBRnnC_erXVp06OsZPaNOCorWLbDDet/view?usp=drive_link

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
8	drive.google.com
4	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\rbxl_auto_file\shell\open\command	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\rbxl_auto_file\shell\open\command\ = "\"C:\\Program Files\\Mozilla Firefox\\firefox.exe\" -osint -url \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\rbxl_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.rbxl\ = "rbxl_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\鰀䆟縀䆁	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\鰀䆟縀䆁\ = "rbxl_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\rbxl_auto_file\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\rbxl_auto_file\shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\.rbxl	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2416	msedge.exe
2416	msedge.exe
2836	msedge.exe
2836	msedge.exe
1772	msedge.exe
1772	msedge.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3952	OpenWith.exe
6108	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4080	firefox.exe
Token: SeDebugPrivilege	4080	firefox.exe
Token: SeDebugPrivilege	4080	firefox.exe

Suspicious use of FindShellTrayWindow 54 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe

Suspicious use of SendNotifyMessage 44 IoCs

pid	Process
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
2836	msedge.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe

Suspicious use of SetWindowsHookEx 53 IoCs

pid	Process
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
3952	OpenWith.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
4912	AcroRd32.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
6108	OpenWith.exe
4080	firefox.exe
4912	AcroRd32.exe
4080	firefox.exe
4080	firefox.exe
4080	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 1092	2836	msedge.exe	85
PID 2836 wrote to memory of 1092	2836	msedge.exe	85
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 3836	2836	msedge.exe	86
PID 2836 wrote to memory of 2416	2836	msedge.exe	87
PID 2836 wrote to memory of 2416	2836	msedge.exe	87
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88
PID 2836 wrote to memory of 2760	2836	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://drive.google.com/file/d/1VpBRnnC_erXVp06OsZPaNOCorWLbDDet/view?usp=drive_link
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaf3a446f8,0x7ffaf3a44708,0x7ffaf3a44718
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3720 /prefetch:8
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2256,7151676492901909331,3237864323557151697,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2428

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4272

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3952
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Arbuzowski_Assets.rbxl"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4912
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5376
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=07DAE3D75F47242285FD1C24A7E6A7EE --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=07DAE3D75F47242285FD1C24A7E6A7EE --renderer-client-id=2 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5520
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=2B4C51A1E3052E115A8DEDE44CCD909F --mojo-platform-channel-handle=1756 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5540
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6BA8B579FD9AFC09928BB0656D2FD55B --mojo-platform-channel-handle=2336 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5756
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5C3E53D50544FECBE5434178EC7E2B9A --mojo-platform-channel-handle=2032 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5852
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=5AFBE9A94DE6A21D0D273192E5C7A2DE --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5940

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:6108
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Arbuzowski_Assets.rbxl"
  2⤵
  PID:2976
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Arbuzowski_Assets.rbxl
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:4080
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1920 -parentBuildID 20240401114208 -prefsHandle 1836 -prefMapHandle 1828 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {87f2ec76-a8dc-4b19-8dab-bbe72f0b090e} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" gpu
      4⤵
      PID:5808
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2376 -prefMapHandle 2372 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a8421f2-9754-4fb3-8501-a685132548c4} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" socket
      4⤵
      PID:5892
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3060 -childID 1 -isForBrowser -prefsHandle 3116 -prefMapHandle 3004 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9bc15764-023b-453c-b427-76aae77a4427} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
      4⤵
      PID:548
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3516 -childID 2 -isForBrowser -prefsHandle 3920 -prefMapHandle 1232 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0a77b4ed-a0f6-40e8-a532-289f7079dfbc} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
      4⤵
      PID:5840
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4488 -prefMapHandle 4544 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01a0cec4-69a6-42b0-a7cc-e36c8f1d2ff4} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" utility
      4⤵
      Checks processor information in registry
      PID:6528
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4896 -childID 3 -isForBrowser -prefsHandle 5620 -prefMapHandle 5592 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15346355-cfda-4805-aa01-a9b45b828830} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
      4⤵
      PID:6252
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4528 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5576 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {581204f4-fe1e-4421-90b1-d4cf97767b32} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
      4⤵
      PID:6260
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5956 -childID 5 -isForBrowser -prefsHandle 5844 -prefMapHandle 5848 -prefsLen 27178 -prefMapSize 244658 -jsInitHandle 1272 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abd182c6-6b8c-48b5-a1a1-9b8a78bbc808} 4080 "\\.\pipe\gecko-crash-server-pipe.4080" tab
      4⤵
      PID:6280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
c2f951dbb4b98be71a618f3175178fc4

SHA1
d7bfd37a777e40020e44aa36be2673da99ad4e9b

SHA256
ad679814eae830d02a98353f6ba9532b4db79cb9f80e6caa4f51f489aa77e41a

SHA512
3b7e9974c99155bfd89d3ae8c19182df36d60b3752b79ce1b23ea65aa50c9202b189f1ae1c29ff5e58c998408da61679b4229a6607b38ba4784abe377f1a828a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
33c19c50d64dbb296ab6e38adbdd8c62

SHA1
8a80f7b5c872e52d0562cf5353f423b1452a52b2

SHA256
84558e7d5bff9a79fe5199b2af786c99eab4bca072756604c891247fb3f8185c

SHA512
3176df555dc473e0af960e979fc67e22882e4abfd595be32095be42c1cc17214b87eede304bec78abd4f23131acc6af8027fdadcb52352e522c96077ee26565c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
6635b5bc679ad90c2d9a6f87cd92d212

SHA1
2d865de800ef649ff156758d162e24306f37420a

SHA256
ae5ee1423cb7a2fac4a5de8f9847401b28c2e4c301ac715aae6a53de0d51972a

SHA512
a796ff0190616b4c719c9353c2729680a392ac22ac58237821ce15a1e99d23da4ccd6a7aa0301ed4e1424eaaa479564786c37f33a66705269c99e1107033dcab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
079c39dd894ad92da9f1eb13140ca054

SHA1
b9dff1fc97fd941c6400a5a2d3795f974b0f63ca

SHA256
0601da6c02158706fa44f9195d5ccd87fa966a99266d369f3ff007dcb2d9f097

SHA512
b300a57ac449d8a22182421548d0d1639ce19344e34a20c62246855c3b0ec34e6de0a3dada6b58688d116bc0c216af6ca54044dcc5e8fb8ddcfa43bd493757ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66cb1d478972ca9dd20fe521e46631a6

SHA1
6300d0d435d898935abeb64732784bc13bea4715

SHA256
a220286c7c9a651022ec5768638bb1a241ad73cee65481b89257fad2fdd68a75

SHA512
cdb607dc20d92a32bfacef77df1a6c4b72df3d82cc93d062e5636d55d99460b412f76e6a5ec3ed588fa5939d6742588f341753f59601a143d93fdbcc78f99cbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f3644bc0ca01d7f6d2d73ad637a8dbc0

SHA1
c9611605302b7c2b9ba92231df6a7805f7f8de7b

SHA256
f8f83bd90f89fdef13cdb96c2b43b42b56cb02dae89d7a82addb6b0ccac63249

SHA512
d34f89dfe13800f94b50728a2013848664d83f55b670a3291d675fe709ce7e0f961c079d9490cab854fd8b74f3a3dde1cf00dbafb66bbef8c08621ff9aa503cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cc1f233df928c988c370aa9a37174b0b

SHA1
560a6fa5483dbb767c855bd9ae7fbca61af3de75

SHA256
b8515e53aec70bbc6c4accf7849a57ca36ef51a73b6da5eb59242a922feff481

SHA512
cedf389b819c3be4c7d2df31e38eed7399e3b31daa61591c25d4d560e4a158112310e06d649a8dd1baa579972a115c13a6c1e7102248c7af226565e8c637b111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fca2a40869fc581573678a0db1b60a38

SHA1
1e57aa460c58826668a2710678b7efa049e0defe

SHA256
e84822d748e4318b9c47f6e1e9249f23e5fcc22498103259773b3712b61a6729

SHA512
48c7c613113bfb7625c7a0f04bc428a78ada7661996864edc2c93ad68a8c284178d4d0524451af4152e08b4a8198ab850067e5a0b1fcfd98bdf243316ba5c6b8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\activity-stream.discovery_stream.json

Filesize
27KB

MD5
564e8c1672263f7864e5b83a2ba0cc0d

SHA1
a01b963d60d9bf3dbfc8e2393fae705cb94f803f

SHA256
41cfbdac2a94a71591b62e9f8aab8b4a7eec8e7b875c4552060e7bf77e50a4d7

SHA512
94abb87e60e49801c8f1121af9c6ec35da3ea5c36858a1fdd667bf4d065f1dd2705268d087aec3d09385f9a64807613a42906315b180661196b90971da017be9

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\g9per00b.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
15KB

MD5
96c542dec016d9ec1ecc4dddfcbaac66

SHA1
6199f7648bb744efa58acf7b96fee85d938389e4

SHA256
7f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798

SHA512
cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\AlternateServices.bin

Filesize
6KB

MD5
3eb48a1ad057c23fb47f5c3ca2d3a0a4

SHA1
877c2a5f8bf5cc67d5e7d6e4afd3bb7a14a8ab71

SHA256
8b4ae4986d0f17dda3ebd3116c997199e7bc10518baa4c287b47fe8b6df834ae

SHA512
6e71408d00f5e2d493ee35d30390e24bdc4cea9c33fccb38f1aa631dbcbd8d22502815e48c02a82ff3f20c7e96acbc226f63a9fdf9d3db25bdd9b78461529bc4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3a49125eb27e3ea30c6e9d0174acdd4b

SHA1
035036617d48e5ab4277961a9cab5d3fb609f712

SHA256
c406b732a496639137aca5804170f98927831bf02f9f0c38584ec7e3e74337ae

SHA512
bee0abd6c2d986ba87611e2804c03a72e58f64c9f6f12eab0828f0a78483e9c6e55b817d1cbb8b053da4db5d6df394c36ec80bf9d32891684ed82a96429bd5b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\d4d53552-926a-4dfe-a9af-357bd16e0957

Filesize
982B

MD5
ba84b92017e8c31cf31edf3e92d60a06

SHA1
921f7491dbe19cc492c5627b19887a4663dddb4e

SHA256
8fe32d0a26df3337f06e972d392c77a201c3fbb2c7972596f08cc3e4d607608a

SHA512
7d22ff74cd20638ee69135f3dbba78589332264da66e68073294a41b31ff8af297380ee735f539ea0325fef9f11eb718916c9ecb8191d00e86643fe8cca478b2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\de5a4a77-70a0-476f-96d3-4bca631b84b4

Filesize
27KB

MD5
a6c98e061432b03a04fbf47f39495266

SHA1
c8334d66006ddcfa0aee6da2b150aada616ea871

SHA256
149ed2a9221a3770a89e72795cb46b66ab72d196ca082a26631d507207419d89

SHA512
d83b9cad5d319ef20e1ec5210565c4424030c62a11a1b9d186ece98c4068c814a0f43c4c7601572f1b9255646551421a6c38d6a077413118576c8fe4246369e0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\datareporting\glean\pending_pings\e160f8ef-d40a-406e-8bdb-0fa27d3b91fb

Filesize
671B

MD5
52910015d8b36d84923c36553ebd90be

SHA1
08dc791d324b19f3cf0de8c8009e75ae3ab5360f

SHA256
9fb2acc287ef903a5d87150980c152fd8730d430401cf60de807a87e932dc4f4

SHA512
598f69f8a616ad5297ead9160fe5c68699e07d4356afb752165ca54d6c24722066862e850184ddccfd6428f91cab621f1b0663da0e840bf653f6b3c7392bf589

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\g9per00b.default-release\prefs.js

Filesize
10KB

MD5
51ce66ae2497d368b8ae047989680616

SHA1
f55c3629ad9ec0d2a4ed9568708b8ddfbd176a6b

SHA256
23e5940a4cfafe399c4a9525a00dc50ff39958e69273cf5d9edad7b690344ed9

SHA512
adbf6dd2a0acdb41b62757d794478373cbe2f28c74cde99bbc08c934dbfe32e1f501c7caa41f96da356bc4ea28efd9e07207026055f192005f721de3fdc1a400

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 928237.crdownload

Filesize
253KB

MD5
796d66d723ece77bd5d2f9e6dec41b03

SHA1
04969cb5552b90f8b44a04f1557855e26d6901a5

SHA256
448b29eb01ca755fcbed0406a6ddd3ccc5b62676e6c157ff75ca29ecaaac7917

SHA512
1f67021965369d3b81e773047adc12e7775f43392fc51cbe7b076ee147e05bd7ba3707e7699c51bb1f0fb1dbd1489d8448c9913067eca221c048b2453507936f

Download Submit