b1606b82326077efb530a20bc339d53a9dc3c5d150cc5c67deda3acb691d05cc

Analysis

max time kernel
135s
max time network
140s
platform
windows10_x64
resource
win10v20210408
submitted
15-07-2021 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

free.exe1.exe
Size

10.2MB
MD5

06f4534d20473c1e24f52b39b45ae322
SHA1

2448f7702aa1177fdfd2a02b5a9a232f8d26170e
SHA256

b1606b82326077efb530a20bc339d53a9dc3c5d150cc5c67deda3acb691d05cc
SHA512

06548abcb901664a6f662e1182ed1ee584cb348532fdd741df54e71b8eea5bc3a148128297d6ca1e5624eca4d8b9ecf3b263fcef7ea5789a9fb645d8b2ff4071

Score

10^/10

macro vmprotect xlm

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

SystemSettings.exe

description pid process target process

PID 2952 created 3020 2952 SystemSettings.exe Explorer.EXE
PID 2952 created 3020 2952 SystemSettings.exe Explorer.EXE
Executes dropped EXE 2 IoCs

Processes:

free.exefree.exe

pid process

4208 free.exe
2524 free.exe

description	pid	process	target process
PID 2952 created 3020	2952	SystemSettings.exe	Explorer.EXE
PID 2952 created 3020	2952	SystemSettings.exe	Explorer.EXE

pid	process
4208	free.exe
2524	free.exe

Suspicious Office macro 1 IoCs

Office document equipped with 4.0 macros.

macro xlm

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{E8F76469-8F1F-4A4D-B551-1A504E80E926}.dat	office_xlm_macros

VMProtect packed file 6 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\free.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\RarSFX0\free.exe	vmprotect
behavioral1/memory/4208-122-0x00007FF75B360000-0x00007FF75BC38000-memory.dmp	vmprotect
C:\Users\Admin\AppData\Local\Temp\RarSFX1\free.exe	vmprotect
C:\Users\Admin\AppData\Local\Temp\RarSFX1\free.exe	vmprotect
behavioral1/memory/2524-144-0x00007FF75EC40000-0x00007FF75F518000-memory.dmp	vmprotect

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SystemSettings.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	SystemSettings.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	SystemSettings.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	SystemSettings.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exeSystemSettings.exebrowser_broker.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\International\AcceptLanguage = "en-US,en;q=0.7,ru;q=0.3"	SystemSettings.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000dfbca20427a40663d5cb1e87d0c37af757932901c8f0c4c164742bddda15be507cae53cc9870791f8a847abadd34ed3ec860473f9627aca67aef68baf144b5d61840b3a1505a113160e8398326aa52d18e1f0f09eb8bacf304e3264e6609d53b15130b5efb809048c894d51628453e414b6f4c0ee23cbf601df0be1c6c8205ef7fc7eccb4604dfd7f129634ff0247d19f3ef42e8ea5aa3766cb60888d3d05ad1a6fca11d800452a42248d1ea8e69f6efa84156deb7051248ded422a7b8137abef852b47a7ba23f27f68f1689e63306ca0204e3b5bc5ddef8f8ec04a9756cfc4dc6696d989cfc26bd6ba0bcfa0da2b3d3aad7ea9702837e16bd9d8dd08cf9a7f51fe21d666634b1a89119f64e64d6bd5fe35ca6ff3095d9c28a8780f5a3db4175695b00c687687ddf9e9bbbc5bbeed1405632ccc161b4e0aaec4ad2a07f33d2915075ae594bba7dae12c79eeec10c3e6a80f8141a4e0010cd078671ac171f9a22b1d0b559b1482a27843b2658134f63e7ee5024d2479917182fdb6d7fdec05d6fcc0c4e83f33411645299e7ca4dd7e21c31d93670249fcccc2c98c7b0980f0ba9c8a8fb2a3df9	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\ = "805"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "15"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "788"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\Total = "820"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\Total = "803"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\ = "216"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\Total = "60"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = edd9d8c9a179d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\Total = "144"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "216"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\ = "173"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\ = "788"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\vk.com\NumberOfSubdomains = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\vk.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vk.com\Total = "787"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

1824 NOTEPAD.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

free.exefree.exe

pid process

4208 free.exe
4208 free.exe
2524 free.exe
2524 free.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exe7zFM.exe

pid process

4276 7zFM.exe
664 7zFM.exe
Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

4280 MicrosoftEdgeCP.exe
4280 MicrosoftEdgeCP.exe
4236 MicrosoftEdgeCP.exe
4236 MicrosoftEdgeCP.exe

pid	process
1824	NOTEPAD.EXE

pid	process
4208	free.exe
4208	free.exe
2524	free.exe
2524	free.exe

pid	process
4276	7zFM.exe
664	7zFM.exe

pid	process
4280	MicrosoftEdgeCP.exe
4280	MicrosoftEdgeCP.exe
4236	MicrosoftEdgeCP.exe
4236	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 27 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeSystemSettings.exe7zFM.exe7zFM.exe

description	pid	process
Token: SeDebugPrivilege	3980	MicrosoftEdge.exe
Token: SeDebugPrivilege	3980	MicrosoftEdge.exe
Token: SeDebugPrivilege	3980	MicrosoftEdge.exe
Token: SeDebugPrivilege	3980	MicrosoftEdge.exe
Token: SeDebugPrivilege	4348	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4348	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4348	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4348	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4768	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3980	MicrosoftEdge.exe
Token: SeShutdownPrivilege	2952	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2952	SystemSettings.exe
Token: SeShutdownPrivilege	2952	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2952	SystemSettings.exe
Token: SeShutdownPrivilege	2952	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2952	SystemSettings.exe
Token: SeShutdownPrivilege	2952	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2952	SystemSettings.exe
Token: SeShutdownPrivilege	2952	SystemSettings.exe
Token: SeCreatePagefilePrivilege	2952	SystemSettings.exe
Token: SeTakeOwnershipPrivilege	2952	SystemSettings.exe
Token: SeRestorePrivilege	2952	SystemSettings.exe
Token: SeRestorePrivilege	4276	7zFM.exe
Token: 35	4276	7zFM.exe
Token: SeRestorePrivilege	664	7zFM.exe
Token: 35	664	7zFM.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

SystemSettings.exe7zFM.exe7zFM.exe

pid process

2952 SystemSettings.exe
4276 7zFM.exe
664 7zFM.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

SystemSettings.exe

pid process

2952 SystemSettings.exe
2952 SystemSettings.exe

pid	process
2952	SystemSettings.exe
4276	7zFM.exe
664	7zFM.exe

pid	process
2952	SystemSettings.exe
2952	SystemSettings.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeSystemSettings.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
3980	MicrosoftEdge.exe
4280	MicrosoftEdgeCP.exe
4280	MicrosoftEdgeCP.exe
2952	SystemSettings.exe
4616	MicrosoftEdge.exe
4236	MicrosoftEdgeCP.exe
4236	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

free.exe1.execmd.exefree.exeMicrosoftEdgeCP.exeSystemSettings.exefree.exe1.execmd.exefree.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 364 wrote to memory of 2884	364	free.exe1.exe	cmd.exe
PID 364 wrote to memory of 2884	364	free.exe1.exe	cmd.exe
PID 364 wrote to memory of 2884	364	free.exe1.exe	cmd.exe
PID 2884 wrote to memory of 1508	2884	cmd.exe	explorer.exe
PID 2884 wrote to memory of 1508	2884	cmd.exe	explorer.exe
PID 2884 wrote to memory of 1508	2884	cmd.exe	explorer.exe
PID 2884 wrote to memory of 4208	2884	cmd.exe	free.exe
PID 2884 wrote to memory of 4208	2884	cmd.exe	free.exe
PID 4208 wrote to memory of 4552	4208	free.exe	cmd.exe
PID 4208 wrote to memory of 4552	4208	free.exe	cmd.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4280 wrote to memory of 4348	4280	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 2952 wrote to memory of 4232	2952	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 2952 wrote to memory of 4232	2952	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 2952 wrote to memory of 4232	2952	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 2952 wrote to memory of 4844	2952	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 2952 wrote to memory of 4844	2952	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 2952 wrote to memory of 4844	2952	SystemSettings.exe	SystemSettingsAdminFlows.exe
PID 2204 wrote to memory of 4320	2204	free.exe1.exe	cmd.exe
PID 2204 wrote to memory of 4320	2204	free.exe1.exe	cmd.exe
PID 2204 wrote to memory of 4320	2204	free.exe1.exe	cmd.exe
PID 4320 wrote to memory of 4404	4320	cmd.exe	explorer.exe
PID 4320 wrote to memory of 4404	4320	cmd.exe	explorer.exe
PID 4320 wrote to memory of 4404	4320	cmd.exe	explorer.exe
PID 4320 wrote to memory of 2524	4320	cmd.exe	free.exe
PID 4320 wrote to memory of 2524	4320	cmd.exe	free.exe
PID 2524 wrote to memory of 1380	2524	free.exe	cmd.exe
PID 2524 wrote to memory of 1380	2524	free.exe	cmd.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4236 wrote to memory of 380	4236	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\free.exe1.exe
"C:\Users\Admin\AppData\Local\Temp\free.exe1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2884

C:\Windows\SysWOW64\explorer.exe
explorer https://vk.com/mrachwidbypass
4⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\RarSFX0\free.exe
free.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 6
5⤵
PID:4552

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller
2⤵
PID:4232

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" LanguagePackInstaller
2⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\free.exe1.exe
"C:\Users\Admin\AppData\Local\Temp\free.exe1.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX1\start.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4320

C:\Windows\SysWOW64\explorer.exe
explorer https://vk.com/mrachwidbypass
4⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\RarSFX1\free.exe
free.exe
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 6
5⤵
PID:1380

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat
2⤵
- Opens file in notepad (likely ransom note)
PID:1824

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\free.exe"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4276

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Ahiev.dll"
2⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:664

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:1252

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3956

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4144

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:4420

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4616

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4236

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:380

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\087526af895c900bb9e5ce08b4f04f73.e7dc9956298825fabafb[1].js
MD5
97555161d7682d833114379f316bf4d9

SHA1
35ac5f1e54c0689be990f25cdece0ab8dd716442

SHA256
043f6bd2aea84486e042f6ea50ae64e0b9e5dadd83618b3fb55e864e55637cd2

SHA512
31c230759281924ffa863cf5fe340addb7e6e434c48da2178f4ab33753ce2863ffac69b225e918f5cf978d390acf5ff7a8b36a64684e2fccdba1cda3d1476bdf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\291a33328af5e5ffc982f744fa49e488.4cbf808c89c3bff69c97[1].js
MD5
a1bd6c4d98a0327bd9590325df9f3645

SHA1
175bf12323f132d4ae4f5f75fc103933dcc7a9b6

SHA256
a43dee77aba9ebd9c7cb38b0100de61a5e8cc5b468e30cb6b9d8f6cc584408ad

SHA512
c6d19f8f45ab5f081d991665313a4899fb9cc7f29756928cecdc20b679457ec5d3482c6f33e4efe23d8148f4e4eaeaece7d6322ad90cb4898805302540fd8675

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\3c97bdd8db1fcf0e87dcd600a8711674.3b59753d4e26ee12feff[1].js
MD5
0f2a3f334c860200222cfd1933857da6

SHA1
094e9c4bf7927f77d64916b3dbed03170c948633

SHA256
3473fea82675990c6992eeb29fcf711456d42f420bfa41a286efda639ce55e80

SHA512
2dcaf297282c201886e3911dd691c3203fbc295212380f01c70e70ea63df928438b35a6936b31f0bbd27b2828e5827c270eb335403abb09702f49a649d1833f3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\6a9431ec9ca0ff9fec2129f879a3bb1c.e95364f1751113d61ba0[1].js
MD5
4eb50153537fa38c1794bc7ba1121a75

SHA1
c4e24e18134be3765ba6549a427f3ff7a531f550

SHA256
3200ad21f4d788074429a72bd402f693c163732aeedc4dac9035a9b7500a9195

SHA512
951fb1627569c09c250759c71f16b7a18e84f541bb5b5b8885b3d16bec53cb9aa602b3b74ce096c409da3f10a3cbc696db17162e04713e7843d651bc6426e57f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\8c7cb80fc750b3d5a6ad025449fb24a3.75ad1fb97f33dda88972[1].js
MD5
f60912c3dc40b6456bbe5aeba07bdfdf

SHA1
972fe0cd40058a266c2965fc4fbc9af109c8f879

SHA256
64afe233114fe6b57b2debb02bb3d296c344e2065f04b192e4596c3378aa0cf4

SHA512
297ef84d44fb3fa0259face5bc6a5b5fe0e9c5c692e36bc8558967982e112762e35c4ad09f855ab8a6efae39097f91da26d4c2647d05f8e0214c3c0c3617f893

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\common.95456f305da26b4aa558[1].js
MD5
b3ea4316f8f4b3ce5210895014fa202d

SHA1
b074aeaaf35a9e103df249b2cfaf833add3bb62a

SHA256
c666e8f7a872250098af6053a0d0ae321656597fcf0f5d00a723214bd34796e9

SHA512
b62dac63b954eabc1d8a7ba405e11c030105958dfd55c9fac3e64f586968ae845423b8bf931b9d8593a184975c515a2df2c66560f82042be30c29a4b21dccc7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\common_web.3d3668c58c2724386590[1].js
MD5
a8d8a8bf22cfa3b1936468b2562086a8

SHA1
44c9a8bdaab96f29efb18acdb249d6e58fd9f621

SHA256
652771590e6911b10e9a7050b5378d5c76e00b1b20729c30a93e9e452725e707

SHA512
37e9a8ade599d001947d654a093846d60c6bfff7d68155ec18f319bced62e8157a7e8a536a671475d3f4fa79f6dd0237f780fca4423e4902fc66b8ff6d770a47

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\groups.4165e125abc6ee40cb8f[1].css
MD5
9a9405ff46dd237461001aa72d337ec8

SHA1
b1a52fc9998e1da70c1e43807abd133979eff3e5

SHA256
33e7a6b87be624a075828a712e08e6fdafa158a584ca02e6a05f8bf3d1aaa9fb

SHA512
fedbb6e31268df6ff3e45c0b7cdec6cc683a39b336cf28abaa03a435cc3aa8975b9625c7771c77ce249369a07230a4a2d11e5ca80725b6340bd21ca639491550

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\groups.66e7ea8f5c1913833f3d[1].js
MD5
ec89f1e669153c6e8d6d75001fadda74

SHA1
1c78094a5ff7c08709c519429d727cbf60d4a02b

SHA256
d9a3479ddd8587edf3ad2f84b8d0dc997b3b2e57bfe3e97b5ae0f67a741a13e9

SHA512
653aefbc0c4397768eb21e6a0d3551a46ed17c9e6872b37f775dcd528a67cfafa8ab057170b2068bb2d959a1b4f680a0fb1101e84e7b3a6c8948635a8735fb45

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\language.e29acbe20be111e849a0[1].js
MD5
cf778bbc589f12a43f57693f24ab6be7

SHA1
d421cace4b7021d81b40b724ec0848863da0e961

SHA256
71f83432794c939b63850caf3fbf6bfeb3c93a3d0ac70a34281c7f30001c4635

SHA512
7cbecc75e966888bd801cf96f4b2b29c3a8f7b9fcb2b8bae07560e7370e43607ee6668a42d5e3fecd5e779132408a2e7adb628e3f735f43400ea2bf43dc29fa9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\page.bfda64e57d846d763bcd[1].css
MD5
968f81e5cb13f2886aeb9950e706bdfa

SHA1
3ab9c6ac6e45407bee0472831bfab5e2bf147c57

SHA256
2386dbe4149a1da0ca93e64f629d705135fac41eb6d2bcd838df7429f1a7c55c

SHA512
ce18edfeda520095f2168288421188007e119f3e60977de904bfaa319a4ffc1777da6c300dad79057a98fe8e80985790e9c587ec6dbaa2c3e26a35829b4fc9d3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\palette.9916a3961e103e72e6ba[1].js
MD5
4ef6b5c91277b086b4fc23658d9c4fbd

SHA1
dcdaa2d242227d4b5068a0ece81ce39432f97e22

SHA256
1846e9c5e75b64de84798936f9d3520583ff9a853a3445b82e9c4de3cb67d812

SHA512
4a0886ac09de3fc8edd51182586137e8619451f0867a59ae2b741e561274afdf63ecf6001fce4f033794b8f47ba98d851afd42aa548c9f9871fe89c1a70ff1de

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\px[1].js
MD5
d8e2d40de34f54b587630b4bb4f716cf

SHA1
9f5141a91b8033719d4fa462594ff62e8c03a7f0

SHA256
1ae610d3b462c4df8fa1ec3a0fbb3d19bf2b7fdaa3fb4ae34e7e9c2e682cddc1

SHA512
664c1656af6a6fdc9032775bb2be1916acfb258962e9a1fff8e5d2232838daebc020fd56cba895d5575eb13890022c69ea1948157738078e1072886e27994546

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\stories.11082a0eebdcbd9c2026[1].js
MD5
86d60422cdcafe653a534fa0ddc98ff1

SHA1
6eaab9283e1ee1c0002d73327a605ee8c3958b51

SHA256
eeeddadd0dd72201a8d7548fca06ca3047c150e1348d4c1608d576c6ce79e4f3

SHA512
c91f3052df28d33315bf8a3ab52366fc767b0a318a54121bf9458a7a8ad8a9c0f06a20d998f3f41023305d3bb174f2e50add341cc4022c5f098b2139d5dc6794

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\stories.2ca127ebf6b0902985c6[1].css
MD5
c8213823847f9b2ef3d6860841333da5

SHA1
7114dfdf9c99b2c79900873ba6ad699bd64909a7

SHA256
b8a3ac2c628b7936ba86cbb4f01afd4d65ecfdd7e0155a30f80a2e903c4be612

SHA512
eae51f1c9103f65e190507d0fb770fe1b7fbf11b01847591c0a9775cbc6fd6849fe2b234a7bfc52ae0e9d47ca47709d0150a8f847912858557eedfe68aeb8261

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\5KHP8I2F\ui_common.0f6087957e3a041dbee0[1].js
MD5
67699ada1c73e658738d21102d512b31

SHA1
272d603d561dbeda57b7d7e5af1bd131d8f86ee0

SHA256
2ce65d13c532ccf65a1a87a9bea6d7922f048b687a18988e6cc16559c747dabd

SHA512
cf9f441575ce5886bc08d57132671b293deb528a86f9049f9b7b5d40d7698372526f77f64de68281b0b05d5bbc7b2daa0e1759bcf70058dc82156905bf203b8f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MSP9T93T\357d86c29236f9e0b370e05bc45991c9.27104be9e67d1099819a[1].js
MD5
af44754a255882ed77d7b04d1cbb34d4

SHA1
b1bd41284efaa7a4e6f2c4ea0cce61948804c353

SHA256
fcf4adb2cf563a4a28bffc9ec24b3a8d7853d6688cad0b54ec8848551520156a

SHA512
707252ecc06bdebc28b6642fd0d812c68083818c4600147e94732275b9d0877d9a28645f07839a1fad922770dfcbef04ae0771a2a9d37ad80034294602ee4ef5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MSP9T93T\join.962088c6ed7d4683ab91[1].css
MD5
aa572ab06befe107bfce805e8b28bc1a

SHA1
77dfc87c82b337392b2d14e8aebd4c8eec03a437

SHA256
c1a567381c94476651f3067194a9bea55c64fad79de78a07c53271daf20966e7

SHA512
a405209aba7c534de685ad60ebabcab7ba10a90651ea352181b2773ce0f872f3819151a2976e6d9350b5b57a61f53ae3c3aef0a5e7f1027bbc9ffcdb8222d2c4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MSP9T93T\module.c558b414c80edff0d4cc[1].css
MD5
71007d07051e8c8efefe2b3b96df1ebb

SHA1
e443caec7bb6ed83cdef2c4d11506a53ff98c509

SHA256
a8b911dc8eb90df935ae881289909689a2d755a25db59521d08d9dbfcf3e5aa1

SHA512
45242212c27e3c1c4b2066d6262dd713ca1bcb48120872b153cb0d57daa0215924d1fd1ec5af5939b3db4cd16465aaa86656d1b3d73825ec708ab0938a441cee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MSP9T93T\post.f2f96bfa7a6874969b20[1].css
MD5
01604f86426709829af63eef32b88d47

SHA1
3a642a12abbadb86bef12674f859ad461e38de47

SHA256
6427c09196c40769bf6d11c337ae4045a31a29c5dd10024b600fd899d689cd05

SHA512
82505923f89e22b9f962b1a91024a8bcc0cc2f654da3be8503df65849db8d13acfda74f766122643f88b8ef5bc111ad847a43c407c237a71a605d281eef44a5e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MSP9T93T\px[1].js
MD5
d8e2d40de34f54b587630b4bb4f716cf

SHA1
9f5141a91b8033719d4fa462594ff62e8c03a7f0

SHA256
1ae610d3b462c4df8fa1ec3a0fbb3d19bf2b7fdaa3fb4ae34e7e9c2e682cddc1

SHA512
664c1656af6a6fdc9032775bb2be1916acfb258962e9a1fff8e5d2232838daebc020fd56cba895d5575eb13890022c69ea1948157738078e1072886e27994546

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MSP9T93T\ui_controls[1].js
MD5
a227102935bb0c5370bc4c5a3b168667

SHA1
b18bb94872eda04b6a85a4d8a09e62a59408dadd

SHA256
36c65040b9dc1e9574ae07f5ed8995807b0dc9bea0f9d19bb33380a28e2430b7

SHA512
3d54acda182e4a19d4528b1307641344a1c555205f4e5aa804368576b644db7d93fe64fe491065622d9f9527428fac36186109a14e55cea5d8b01da57da39d0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NE34NJX9\audioplayer.9876ecffc0617fed460d[1].js
MD5
5ea84dadf7cec4510cd21afb82389f3c

SHA1
fbcdef45286e69a3177a3416562a4b8655bc65c3

SHA256
811aad9c9774989d70985e456f05824677f317a4f85532b59ac84f0d99e75f13

SHA512
ae6c0dee8e64a80a3165b0b122898c84ca21c63fa769e49db9ab051aed0cdf121929a0e52c5e6641c8e5ae4861b18de6d611dd6cdb39286fa488edec5d924919

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NE34NJX9\evbus.db620810d528de983a46[1].js
MD5
7fc978d67be9627f15bd157150692dc0

SHA1
c3ad84cb150fa9859fbaf26738ea0ca6f95eeb02

SHA256
f110329c737c90867dd8f6f1c1943a68092c569ed2b018f88010ea29299cbc9d

SHA512
6b669a487baa9e3080b1a9237fb33f7bc83f58e2ffd235ecded59844bfa470a584b02effb2c86ce474f01a30224183a9c31c4698456cbab4ef6e6b171912a86d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NE34NJX9\fonts_cnt.844006a53604399a986b[1].css
MD5
65d9abd682439c1be31133b99dae0ee2

SHA1
cc448a20dbfe51ba71baaccbbbf5e7536803e455

SHA256
8707378f19e520c786b4ca1dfdcbf1b4a47aea815742fc943a91424fc22fc247

SHA512
3506314869ff46fcc68fedd3d02b7e8d1e2c67fc15ab7e5fe66fed6e70a1b3b812ca4335daed249172aee19decb273a7eda546f5d4b1b5af8bad809416a42b61

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NE34NJX9\index.53930564d38e73adf415[1].css
MD5
4470b594333fa567e76788641d32d717

SHA1
832e7ca08a51b0e32e3796cebf5f9d2c3abeeb8d

SHA256
1cee4963f50500711b6d23553ad0b25d09af9e02e60f2f359deb35f97013916e

SHA512
da7ca2a0b38d379a055e31c43ad438d7f4bd7953dc44218c7f72e94048b5b1703c0d248d842a5a0908661cc1c2bd2e8beb059fa6192a0a55639cbb3479fa85a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NE34NJX9\lottie.786b1fc6717e2a8eb385[1].js
MD5
2e1da5829d50a57b7570a82c01c529fc

SHA1
939effaeabb2c082866ceb54f50f90314a67b702

SHA256
0ab50ae923eddf52cacdf98a7505b88671709a523f9d190963b0298fee94c343

SHA512
a76529744bf1230eec20bc9292dcc89c7d1a747a9f158b1aeabf33a02aa95c03b7c9f664bfdeb408e625f7a9e223d8bc09f0bcb1f981a073a3f24efafc91807d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NE34NJX9\raven_logger.8dc198fb289dbc30ddc7[1].js
MD5
5c5eaa74d3be3f69cf8920f249014306

SHA1
ff9953452bd1f2c9b11f8e3ceb7717ee9bf3ba3d

SHA256
9480fbaf85f398dc503f24d9f03f07f9df8330662df243ba07484f3960adbe88

SHA512
a50af4b6dca4dfd4b1a4b552552f91e62650adb7f45fbdb27bf3aea37a734554007519b48825b40b66a2ffc301abb2fbb9982db7c9011e98b5351c5c944e5f7e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\NE34NJX9\ui_common.d9de11dd9c0121806b89[1].css
MD5
4da4576a1bd800d8504c66d05fe3f98d

SHA1
e3d60db6e6f51a41cae9291c3482c4f66049dd82

SHA256
958184b0bc95b36b6003ff75285ae1aeb2ca4ca983157082218e39d647ee2737

SHA512
88f17ed046899a3ab1b679ca2930e97b0663f936d815f6b0c2c355e5cf0faf73a5d7bc592fa9adf80d9fa27c184d0fe44462ebb43ff0a5f17a98d07a7c5b81ca

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\52f230a3bec93b0483a692e290bc83e5.7d30feef16ecfb3e1fba[1].js
MD5
a4470dc99d17e73d850ce4d24ec70bb1

SHA1
a7cfb44282314ff1f4d454794d8ea167ec7bc61b

SHA256
191fe1c11dc1f72a5cfe27068c709778d780d7f653024e1e635495907afd894a

SHA512
6630fa929402119e318abe0a6e886ce282f6369f18155528fbc1340b7602b99d64c5c33d45950b66944394b7c0c23e44748218a14dcf284517925c4ef6e3415d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\SimilarGroups.b5419b002938d732ee93[1].js
MD5
b8ce79c03ee86720ba01fd54b553279c

SHA1
d95cc1ef76c98371caa5def30fb149a80081da36

SHA256
b5821bd7ed7f031f34465315c9f42e6082ec30a74c0987e134363e3ce1945ddc

SHA512
a4bb0399b45d166bf81707214b34b5dcd0c65102809695370d982f36bbb11386056edda623694c89236f49144f4ec3618b2f10b517abd6b9c5757442d44cd3f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\base.42fabf54d8a6bf6e091f[1].css
MD5
b7af87975c0c49b223b7a33ca67f8cee

SHA1
c6f9259512b9021bdfc9051f4e609f91379e944c

SHA256
969984ac125a757d4c892455cffe3e32372fdecacdd6c1d030b2b23960a91db0

SHA512
13c7cb8233021a98ab66810806b50001a515b15c85e884454ab6ad20eb9c21eff371abefc17ad75dc0e4c1ab39115c96c015ed23760f3a03541a516cd9a76de8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\c6eb0dba07752785289cc49ab4c9d046.74aa62c2572e9ea9f3a5[1].js
MD5
1cfb2f81c04c25f35ab6a7a3574612ee

SHA1
d75478b1e65b25df2b5971f2f47b776ef196c77b

SHA256
e3659ef5b93daa9fddc74d71cec777886d644780f66c96e3a10db9bce2f3db3d

SHA512
f75efc3efeec46b25c21372139d27bc4772b21b7d1403a92354154acab33da7c9346ea3749757691f17419ec123cd1d4a3053f5139d73b7b5b166d0421916ac2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\common.6d85dc9455aca08925c9[1].css
MD5
b5e181c4b368b22b16f316bd6c8d4ece

SHA1
26de32a583c951c38b4a6471c459a57a2806fe41

SHA256
3b72e8c5c31262c3956de9edf261c1ae47d586df2be9c01580ce39c7464a702a

SHA512
f957eb16f0a23aacf1d6728bbd50670aedef63f357d734eb9b9ce2edbbbec71f9e08311239d702d7ebd9287f953caaa1c14761d4f037b0f3309bebd9a2200ce4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\fonts_utf.28c78210ed2708e599a9[1].css
MD5
617ba3ee1d39f05cbd8325d0beb7871c

SHA1
f70de84712be5810ec9866d0243be9f706e5e362

SHA256
260c514d2fd9a10c514244e6dfb7405c2fa0a884956feb0cb61527dafadb428a

SHA512
0ec1e8078d96aa2a4d0145830d2a6060ad8864539ad9ad4b408127645b39fc2790fe9b0e3e49db568450725924bbe8549b7b65683f59d19c8e7370df5462b82e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\index.ac385ba561ddb89a0bba[1].js
MD5
5dd837f4f913c2c14b2119541fd2bad2

SHA1
4c29a59492ef696cff05e97f6e7d75b5de74b84d

SHA256
8c71a38106b48b9c92c7244b8fe65115ca2a462e3aae6b500846bfde0b436368

SHA512
9c7b6d40479011a70639c07b6f13471e2f4b026eac0029e975c399a948c32deec4d2c322fe5a8266cae19cef760c7f96e032333d4c5d5627303c29b161c3034e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\join.5b0bbe216622e555aa0a[1].js
MD5
e7c00629135b99ae7e3ed2e59486c3d3

SHA1
db7df50e998e2b453e7ea18c8b21e9a703ccf3bf

SHA256
018fcc6a51ce44a4b69b5a10fc3acdfdb37c6598ea9dabfb0843ea606545d37a

SHA512
57f0017d3e4499c3333587a280117ea2b67e648febdff2f12f5b591f9726d07a97cc7e36b18e6686e606669b4c45c794b3cb54fa85a14497335401e394c9e57e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\page.5038416469f73ec4deb8[1].js
MD5
a2e456be716dd9d8f19016e103d66b22

SHA1
88d4cd3a71d670349542db32d76df9d49d2c2135

SHA256
86ba545950eae6ce36b55fd4d595833a14e0821b5a6a5023a8f85d773442ae7c

SHA512
b70731016cbf9d79ad3739e415998ee3fdb3327fb8d509277940e45b66d062a16ed42e385a2b031f2eb6ab270123e86626223bab23faaf90aee958f1d5edf97f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\ui_controls.34bef7c8ef12163fd433[1].css
MD5
f0c929fc8cc6fbd82f2e8c4a7e2117ba

SHA1
f49e545c142c9a009aa9b488c644133fd0c9f5c2

SHA256
d7cd79af25ddf708eaedd6da095e3d3718e2ce01bc9369c27e8baf64665ff2ab

SHA512
989b19444393ac4628b05210bfb4a6ef332038c04d52220319e88f72d9baa4ac388e3fcf5c325fdd58eb8e6c444024c6c2cfc9908a22dedb0c1554af4e7656f4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\upload.0df889e036c71ac290eb[1].js
MD5
41f88f596c5d237fc0b4997daf203cb3

SHA1
aa9da405276019d6f1f5db6cda0966e3b261e39b

SHA256
a94ec9adb596929b9c3e9c7477c9fcaa6f11ff8772bf2ba7a8728afb473d5cf7

SHA512
d3b0b8040d4bebe13a6ded6bc408e0ee2078777deb7bb6409f827313f251b61fe54225cae03572d934fa46b53e313e45e27b0f238d92cc9c5048347453c9ba48

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\QSL1WKF5\vendors.35f9569e6c3af4c5166f[1].js
MD5
060f97928bd8979dfb6d6a9aac74b005

SHA1
f286fdb2e205e295c89afde25c3729cba43cccf0

SHA256
12c834a53cf960c942508aff95624ef1143e51597c66a0fe2dd06b71533fd68c

SHA512
180be08a024ec88c74ffd6acfd4326c589ac029978d7d88e50b961700780104ea5c40a113e28ecc074148f26ec0b8d7eebea0e8ed596afc04ded7b1b7f6c93ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_C45D2B3CC095AC73470E8D04AB7CD450
MD5
02837b39d3656c406053c1bb7513b6c4

SHA1
c0a663c0d3a14310560703d922704110df6201f8

SHA256
2990fbed6ec12bda850d4b0258d1b173636a385e6580b41f68149f0224f69398

SHA512
9f6e815ef8a130faa8ed3e55fa9cc6df5716e299adf01ddd0b3f95244cd1b9e6ea14d221219659935102d3db4e11ae498d103a935158d2b9901115128eb43797

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
MD5
2324a8c4e28996dc86efb7b13f6c2998

SHA1
998a340a203aa05bf7355a2531e8aaae010dcf7a

SHA256
1e7e223d39f7affaa794554f0458fa7f8d1f34d6d232d1380877cfeef7110e49

SHA512
4084eeecfb284fddac8780053dbde9d7025b2e6983f0e8773a2a427df32f3d55a7d04d3adfa1b525f63fa9a5d4d4d351acbd839624e40a1dd92a3f434e9d4f5e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\AFE5B2D9899D09358DB5FB50E020E964
MD5
04d32a8c95f8e0797c31d0f1010dc03a

SHA1
73b0f7088d3579e0ac916a892650680a906378dc

SHA256
04b3f58a538e7217e6025528e8e559c7e132e76baea7222b7d6ecb2ad88a7a92

SHA512
05f13917675bf99f2da1292699c11da057cab683c119733892a01c3660f152ed8f1728d33caf43c67d3644aec60f19da2acfc11951db5b32fd89316144b8146f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
MD5
1b4f1c6cea51cd6399d8ea59fba8d4d9

SHA1
559e7024b8f691cee048ba41bdfa87a33571f91a

SHA256
79fb44353ef2c40438dd1aeddbc8a7748f1e20a3471ee5e6f4461e1568907c72

SHA512
1f939ad35587739c4e6b283c3fdd5ba167d155aa91c972f5796c9b4251a9b9355d3995547f825281a27572e564eba18bd3331241aabc4a38c55e2ba16801b9f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\ED4F554C7CF7C6C89C09D0EFE779118A
MD5
8459321f80f1fbc608394ec3367f5247

SHA1
c7ed48fae9e86a6f667e1badc6c4d4dc6c79e0be

SHA256
9c8631a939abb54fc36fe6bd12fd64e6756b767a05ecd34c35acf5959811ad19

SHA512
d86ebdc8b581748ddc50ffd1c8b7f1430684c32b6948b5c34760afc4a088c176de49579c7119168575e5245a84f135ce90fa4b001ffd8632830f9e357b71f539

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_C45D2B3CC095AC73470E8D04AB7CD450
MD5
8034c73bc80ebdb09cbaa2f3c9c6c393

SHA1
dae06e25970215efadc63e922a4b4cd8daf0c3ec

SHA256
4b9a16d64fc5f03da392db9452d6f9122f17fa1d15975d9c83ef8f11e59f145f

SHA512
1afdf92f04569e90c8b0730917a5fb3140a7269b0385626011db064c2939aa75ebe279a0ce725d02ca89de8b45dc6065906f08846c8af291661f225769aad0a0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C
MD5
7519a0a11e21d23e4cd9d9119eff7c07

SHA1
3dba5f82eb1ed86fbb7744860f091d3321ea371d

SHA256
c59c7ad3e5360c8872dfca7960bee73d986ee3c86aacb269096616ad87b4a370

SHA512
8a76424be9015c5820e4357cec8d514718ae9bd0eae0a02c6f569eb3980ae392b4adccec20e370010b773598831c500126937c5808988c35d5c7a94e33fd8b66

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\AFE5B2D9899D09358DB5FB50E020E964
MD5
11f14640fb4e42cc42a9be0d894c0c8a

SHA1
e868ca569bf73bc775945c8307b5a78216149914

SHA256
632fe823b5ffef4746910f76ff08a63702dcb1378835e58d9bee20d96fe251df

SHA512
0eac72faf84d9acd23434974f1a315b9359887f7619451da2b0e5894fcd104789613ecb61e991675c5177e177a0dd58e438e18034cc1183a89914d424f8c58a9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3
MD5
b80c3761633e2e33ea3e6f2d85f36464

SHA1
b8d1522dd3a4dbda66aa3dbbce1b42a6ab92ced1

SHA256
38b22aa896b16fcf3de2b7339313635691924d50df4631a770766b861844c035

SHA512
a38e13ca84502588617e0bfb500e5809a35c6df8f8bbeaf1a484c084d9b228e00bf29d2e766f1307c6dbb373448d2216f52c591b59a80f7cf7612fc6c0e5d26b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\ED4F554C7CF7C6C89C09D0EFE779118A
MD5
55e775e6800f37718f0a9fdf61dbc11f

SHA1
b4e74a94e4218bf55377703e16a6bfbf3e5dde19

SHA256
281dcb10c812d80c3bb48cced21842dd29d9dd1b23dc0a15e956bab14637c849

SHA512
740e3316c7dd73af434d847a687a0e13d8e17e3da78338e572881df5d626383978526a80c5234d3f8e8d4fd8517cb5ad2bb62a134ffa50a71cc4ed5a22daa571

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
MD5
cc40052547237fc8786eed6d8bf9ca70

SHA1
c529c0c8c738704f7975434ab209f6ea093b72b6

SHA256
4d707c7415d8090e44e7cdd00489c3dc2584a7ee6677a825a0ba934b5acf6b12

SHA512
da756f90b6c72e147d8e20d4f1b9719c1f87c1226624338ffb914654121177bcdefdaa714f778b1ef03dbb0e4f048bc5985774edeb9ae5cd2a0972c002e3fbde

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5
cfb728871cca5cca8cf7d02c77333055

SHA1
39f18d5ec30e1983f83cf5d6d9c5fb67117ca940

SHA256
6444040fd2746da9c2cb8051da42d442091343bb55d80bf45f02b8ae428eccb6

SHA512
bbc13c3319eb05aa09b8ccc1ae00db1d8c70e028bb5afd763125dbe50e2829866ceaadf59a506177d027359ba5f694471b153b3865a8457e4838cf607002472a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
MD5
c222af62c89977f7668e60b4fcab2662

SHA1
8d7002f2e517f04a93db138a1eeae0506dc49a5f

SHA256
0465ce9c48bb2d56e480158c8d327ae3ff41f4a326135c37ec20ff78933f4497

SHA512
a284ba37a0a1e44d5529ca0de66f9145c9e53c26ea5a4633df982ab84913abe54eb5c353cecdf43347d26b3075d2ffad7d38d657ec095f8f84e90a6000b5cf96

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
MD5
e35abc0e9759c4bd6f9a05a46b498933

SHA1
35dfd66cbe342e09590724e0e86ff840ec78ac8f

SHA256
a786255d51ac923d40a68a79af33aa0972af4e25408312246a5d7082db6fd2b4

SHA512
09fd8e529447c70dde07acd080b9e8128d0eb9ea1237d4b41c42f68f7e05c9c2dedc6ae091bf309fd18c685ac972752798c437126bbba270663e6f0f7bdcdd35

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\76d6s4p\imagestore.dat
MD5
06e20fef67437ad70faf445f51106c08

SHA1
6b0b51cffc7a1f983186effe37f9eb4675d40ab1

SHA256
40f381e886e152370e2b0f568fed6fb58b86f4aa3a9fcd861ae22a715fc1b516

SHA512
e55b939cd83e4f6bff736f527d06da2bb338a9a61251bb92ceb60808577b0082b38a97bf0d3b6199f84ff68aca68aa9a70814712478b1ae11decef63f15b7c0c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{038B8374-6A7E-44F5-9BBF-AAA0538C73A3}.dat
MD5
01e55955db722f932b398dc7f8583a0e

SHA1
898fa3276fafac6be9463aae157cc9ddcf30db40

SHA256
9c4e9976eba1e6ac4aa1180bd5d8861426037d80dbe9735b78533334371c4412

SHA512
dfe09a2546ccb2bd5cdd79fce68434b4517a044d6517f8d7dec6eafb1db56c46cf1d3d50acb869706629552ce020019954e2cb0d5fa14b1218b352bc37548075

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{E8F76469-8F1F-4A4D-B551-1A504E80E926}.dat
MD5
12d61410a23ae7f464c97414da8a2bae

SHA1
9c64668fde0711896becf5914ec88ea2bcd16707

SHA256
aa9c8f51a97c455afdb8779920358a75f45d87871e1bb647eccd9f5f1ecea333

SHA512
3c0e256d8dd63e7a863c6ca21b0aa0b9905531c755eff7e6b1583c566b72b7a362ce42999471578b7f51fcefaebcd6da3801d2ea308844d603f1f848599a668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\free.exe
MD5
e0ad7f7cae4d088c4746a3fa8afe888e

SHA1
c679d34458c7d5a5663cdc21a44d7ce9d20e1f6e

SHA256
2b4ab4f8bffcd04fa84a3fb1d955b61678fa2e7a828c09affdb0f074e2b556d9

SHA512
0c5b29d911def87c8de503aefca5e5387887a870846ea99fff98612423667ade94952b53822490861f489ce51d55bc3faad4b01ccb30e9d19a556e279e513a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\free.exe
MD5
e0ad7f7cae4d088c4746a3fa8afe888e

SHA1
c679d34458c7d5a5663cdc21a44d7ce9d20e1f6e

SHA256
2b4ab4f8bffcd04fa84a3fb1d955b61678fa2e7a828c09affdb0f074e2b556d9

SHA512
0c5b29d911def87c8de503aefca5e5387887a870846ea99fff98612423667ade94952b53822490861f489ce51d55bc3faad4b01ccb30e9d19a556e279e513a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\start.bat
MD5
e04b0df4d0787884c89f3b9b59e41e48

SHA1
5a62388c383bfd5f9e0ea4c60b431bc1908366ec

SHA256
ea8d830bb10d9391770668e593e166121c9072cd47231fe9a3d55af543eeadd4

SHA512
5b5a763afbf2d3c71489868b15d88ac7349f42e7ea88a596376735d7725cf755dc0e26dca114a419442406332ff8ab6dd92be9a1c2d6002980e05400aa93bf0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\free.exe
MD5
e0ad7f7cae4d088c4746a3fa8afe888e

SHA1
c679d34458c7d5a5663cdc21a44d7ce9d20e1f6e

SHA256
2b4ab4f8bffcd04fa84a3fb1d955b61678fa2e7a828c09affdb0f074e2b556d9

SHA512
0c5b29d911def87c8de503aefca5e5387887a870846ea99fff98612423667ade94952b53822490861f489ce51d55bc3faad4b01ccb30e9d19a556e279e513a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\free.exe
MD5
e0ad7f7cae4d088c4746a3fa8afe888e

SHA1
c679d34458c7d5a5663cdc21a44d7ce9d20e1f6e

SHA256
2b4ab4f8bffcd04fa84a3fb1d955b61678fa2e7a828c09affdb0f074e2b556d9

SHA512
0c5b29d911def87c8de503aefca5e5387887a870846ea99fff98612423667ade94952b53822490861f489ce51d55bc3faad4b01ccb30e9d19a556e279e513a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\start.bat
MD5
e04b0df4d0787884c89f3b9b59e41e48

SHA1
5a62388c383bfd5f9e0ea4c60b431bc1908366ec

SHA256
ea8d830bb10d9391770668e593e166121c9072cd47231fe9a3d55af543eeadd4

SHA512
5b5a763afbf2d3c71489868b15d88ac7349f42e7ea88a596376735d7725cf755dc0e26dca114a419442406332ff8ab6dd92be9a1c2d6002980e05400aa93bf0c

Download Submit
memory/1380-147-0x0000000000000000-mapping.dmp

Download
memory/1508-118-0x0000000000000000-mapping.dmp

Download
memory/2524-145-0x00007FFEF3B60000-0x00007FFEF3B62000-memory.dmp

Filesize
8KB

Download
memory/2524-141-0x0000000000000000-mapping.dmp

Download
memory/2524-144-0x00007FF75EC40000-0x00007FF75F518000-memory.dmp

Filesize
8.8MB

Download
memory/2884-116-0x0000000000000000-mapping.dmp

Download
memory/4208-122-0x00007FF75B360000-0x00007FF75BC38000-memory.dmp

Filesize
8.8MB

Download
memory/4208-123-0x00007FFEF3B60000-0x00007FFEF3B62000-memory.dmp

Filesize
8KB

Download
memory/4208-119-0x0000000000000000-mapping.dmp

Download
memory/4232-126-0x0000000000000000-mapping.dmp

Download
memory/4320-130-0x0000000000000000-mapping.dmp

Download
memory/4404-132-0x0000000000000000-mapping.dmp

Download
memory/4552-125-0x0000000000000000-mapping.dmp

Download
memory/4616-133-0x00000239A4620000-0x00000239A4630000-memory.dmp

Filesize
64KB

Download
memory/4616-134-0x00000239A4720000-0x00000239A4730000-memory.dmp

Filesize
64KB

Download
memory/4844-127-0x0000000000000000-mapping.dmp

Download