5e8bcf11fbb185fc540920ce15517dba53efee0cc5423cc731b6aea705b74e0b

Analysis

max time kernel
35s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Recreation Engineering & Planning - 1min wav.pdf
Size

64KB
MD5

76eda277bd6fb7044146f6881ff31d09
SHA1

bebc7d029494c85ca4e95e4ab38c4dae4585efa8
SHA256

5e8bcf11fbb185fc540920ce15517dba53efee0cc5423cc731b6aea705b74e0b
SHA512

8eec0fcd8c783d5b70c8ebcf3868c1941cc6c274cef2b1f70035a3bbce4c1d47db34d680acac9b58b562bc115c4f883d497773adf8c6d08aa5b747900303a814
SSDEEP

1536:uXmu4IgmP+pAWEQxe/UMcWljoAFBexWSJzd4FmppDeAKCQJw9Z:CZ2iQk8MGATeDfsmppDFKChZ

Score

5^/10

microsoft discovery phishing

Malware Config

Signatures

Detected potential entity reuse from brand MICROSOFT. 1 IoCs

phishing microsoft

flow	pid	Process
96	5176	msedge.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\sw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\hr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\et\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ko\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\cy\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\dasherSettingSchema.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\si\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\manifest.fingerprint	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\offscreendocument_main.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ka\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ca\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\mr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\sv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\128.png	msedge.exe
File created	C:\Program Files\msedge_url_fetcher_5516_231379064\GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_90_1_0.crx	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\cs\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\hu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\be\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\en_GB\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\en\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\iw\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\is\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\page_embed_script.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\af\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\da\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ta\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\fa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\service_worker_bin_prod.js	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\pl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\hi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\zu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\en_CA\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\te\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\my\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\eu\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\fil\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\sr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\km\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ml\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\gl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\mn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ne\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\az\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\fi\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\de\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ar\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ru\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\id\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\lv\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\sl\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\uk\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ro\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\tr\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\zh_CN\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\kn\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\pa\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\ur\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\es_419\messages.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping5516_1414814076\_locales\no\messages.json	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133875859323125561"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{2401DF00-6C57-4C6B-A940-C115B669E685}	msedge.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
5516	msedge.exe
5516	msedge.exe
5516	msedge.exe
5516	msedge.exe
5516	msedge.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4272	AcroRd32.exe
5516	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe
4272	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4272 wrote to memory of 2464	4272	AcroRd32.exe	93
PID 4272 wrote to memory of 2464	4272	AcroRd32.exe	93
PID 4272 wrote to memory of 2464	4272	AcroRd32.exe	93
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4344	2464	RdrCEF.exe	94
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95
PID 2464 wrote to memory of 4304	2464	RdrCEF.exe	95

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Recreation Engineering & Planning - 1min wav.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4272
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=8A0854FAF10BE31337E3EDF1A25BE2A4 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4344
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=BF8FDA1D42031AB51E98631DFAA25CD3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=BF8FDA1D42031AB51E98631DFAA25CD3 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4304
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=352C5A58C1606927EF4B973A722E3AF6 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2756
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=BC4A5168975F77D16A91FAB0350D251C --mojo-platform-channel-handle=2316 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5284
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=003F92BD5B50FF4C452F5D283A9A001C --mojo-platform-channel-handle=2416 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3936
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B68BB7A9175AD269B83929718C02BAE7 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B68BB7A9175AD269B83929718C02BAE7 --renderer-client-id=7 --mojo-platform-channel-handle=2400 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mwronline.net/%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%201/
  2⤵
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:5516
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2ec,0x7fffdbc8f208,0x7fffdbc8f214,0x7fffdbc8f220
    3⤵
    PID:388
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1752,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=2212 /prefetch:3
    3⤵
    - Detected potential entity reuse from brand MICROSOFT.
    PID:5176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2588,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:8
    3⤵
    PID:1164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3500,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
    3⤵
    PID:3612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3508,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
    3⤵
    PID:1392
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5036,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=5080 /prefetch:8
    3⤵
    PID:4580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5012,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
    3⤵
    PID:1316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5484,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=5492 /prefetch:8
    3⤵
    PID:5132
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
    3⤵
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5588,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
    3⤵
    PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6052,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:8
    3⤵
    PID:2128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6056,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=6072 /prefetch:8
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6196,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=5812 /prefetch:1
    3⤵
    PID:3960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5848,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=6232 /prefetch:1
    3⤵
    PID:5248
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6240,i,15600312215910709305,12673790229507631901,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:1
    3⤵
    PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
b46075ef122001cdc8809406369131b8

SHA1
e83902a9cc9447e9ce8299e26368595c69581806

SHA256
54aa664e1592965e4915c2cf22a4328d802f8f4787453b2058459e698e9104c3

SHA512
779e06bd6271bc539b6792e99abe66961bcb6b3211ed01442aeaf9e45709a626531ad9ee01886ae837008eb6e97f288cc0bd518c15adc206436bf3573d3afac2

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
699a2e6fc832816dc8f6a1b37466826d

SHA1
d69cf48c33595a20bfb25d22adac8fac8a7a993a

SHA256
7e3d342db519a17e3dd6cee9f5d1e6a43ede279330d6509000e6069cae017d82

SHA512
d5aa12bebbb444c4282f33f6b25708ea6774f8d23d5213ffc69e1ef134e8eaacd0d714ed489a211e7dff49bed1876977009851954bc963bb61f144d90abf9279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
f51cd4c1b193631c532023b360a02f5b

SHA1
ab283a95069ac9bfa7dfb91f2342e9c68610ef47

SHA256
a2f2e4cce3ca130c94c8dcae7f4a32c8b7d901c8073fee8ed2e428f7066f9e89

SHA512
00546743bc0f1dc17e6463289e45454f43e93f049deced276b908a8d76f15237e0b1e46a9fd9f8f52036395cd9ef4c1f1c4d97bd820ca715e2bbad8b8363b48b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
2eeff15357faa63bb62f146373370840

SHA1
be4f3c986fa122f73b5766f09378cc89e3915d5e

SHA256
253dfec0ee8facf984f274337d7253fc97f74719bcf8245a8fb41dea82f0ad5d

SHA512
177bfaba46a710e80ee1e97f617f9e6fcc8df1d2be26025e78d6a121fada87739d2a7cc8909396f9f5d85edce155f482332ae6f7433bca85015f510cce5127b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
44245e0ab17a63660d540ca4853aa3ab

SHA1
42a0df8e6aa10c21bb81ac9c82832a4a6736a58c

SHA256
724b51634fcca6b8d77fc362a3bbc0d74be41de5b22265df343fcb2bfb5b59a3

SHA512
c69ea290bfdef0600c29de306e9f72602617c0569b4375e8edc9a345ae2685957d73d8532cbf755ceee51193e326e2bf50a78472a7ce012b618647556be9efe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
c3e32520115cccadf1ea65892ef0931b

SHA1
b9927c08ea75675aa993eebb48d7fcf069d3d0ec

SHA256
b2cf7d8ba34f17eba2409c9c7eb2547fb48454cbd6eec9ab334f9c40725be7ee

SHA512
1ae1b78c263e70d10b915369e0e26c97db95b988ea6dbeb7cb2df43084842ce38e0796914335bf1238a58cc21ff7662d5b812e3a42591948301a716aa6881e87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
89344a4e4f8d600e7135957e9e38b85e

SHA1
bf85e59eec576ada0d8c5821a6d59e0c71b93d77

SHA256
0c2b373ec868fb37a49c0bb01d9dd3c613eabc439b9b0fd8f0cf8172a7bf6b20

SHA512
168307681a90b59d11c40c4aea5476e5af54dc1965a3d43a5964fe17f9c1450389b4bccc0c8d87471d2181d425919fc4f3c34bfe147c880ee4e59d4a2fa463cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe58179a.TMP

Filesize
392B

MD5
d285ea85057db24bc3b73daddc5f4716

SHA1
d927e3af71b626a2857976f2166e419795133f20

SHA256
1e3cde356ca402c288632cb42f60bd2b362cca6b9c8f82f949becca254a450d8

SHA512
af9f2ec7a606ab1275a1fb8de9b1ea1a177df08a2da5f8a3dfeef0288b6b93eb084304e27bd2f7bc2ce439dd5a913401e4de5e38edfa2b15f78a9ac8fb063b12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
00464fb0271caac1893917ebbea2eb20

SHA1
f0a111070da22eb4417731d953e38b06ed1679e2

SHA256
37318029638d340a924ee3dbcb128a948b25d6a91bf2eaa538b7bf4c1c30ad82

SHA512
9644f6efe57097676d5e1eae37ac4f7fb8effde86d87b9ed7547e4a766a67ac7df3fe00c5796e203f3be4ee151b5ca9e77eee2f10d61ac3bcc39c575661fa9f5

Download Submit
memory/4272-626-0x000000000B7C0000-0x000000000B90D000-memory.dmp

Filesize
1.3MB

Download