remcos | 5fa711a4d33c6a814f57c9396245a924d8761b0c336da3e924d6cf866c84a9d4

Analysis

max time kernel
155s
max time network
156s
platform
windows10_x64
resource
win10-en
submitted
20-09-2021 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
Size

1.2MB
MD5

0d9247623d85ba75b83f909d98caae11
SHA1

1377ea7e6b909283bb4b4457aea6801aca70d552
SHA256

5cddd352c21b35aa01f2353d74e3dedef3bde4b4dee56e61c696319ec9237b36
SHA512

c451a33bbacc1e0b2f1f9dc01f7fc684835fb57a5b17384a161f88ab531411648927b74fe3dc8b4f2c56d88cde6bb81fd24715e11b6793645b7d9ca80767cacc

Score

10^/10

remcos crd2 microsoft evasion phishing rat trojan

Malware Config

Extracted

Family

remcos

Version

3.2.1 Pro

Botnet

crd2

103.114.136:2405

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
install_path
%AppData%
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
keylog_path
%AppData%
mouse_option
false
mutex
win-9PIVYS
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
Remcos
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 10 IoCs

Processes:

AW QUOTE 21505 HQ1-Scan-068703_PDF.exeAW QUOTE 21505 HQ1-Scan-068703_PDF.exe

description	pid	process	target process
PID 4684 set thread context of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4824 set thread context of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 4280	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 884	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 5412	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 5812	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 1180	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 3720	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 set thread context of 6328	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe

Drops file in Windows directory 21 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a4e0ae99f6add701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{3CA0FFFD-340F-45BA-B58F-89C26C7715FD} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\LastClosedWidth = "800"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 304dff88f6add701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e1090a8df6add701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\InProgressFlags = "262144"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1b491883f6add701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000001a26c0d15bae564eb8f5d9426257d461000000000200000000001066000000010000200000006e3ce691b0c3bc445d0ce7d9aa927b774a6476b74f8a7ac132f40f019f84430e000000000e8000000002000020000000d2a4c6f81a88a2d5951ce1c33f5f9d2af54727ccf586af87b3123407cf9d085b200000000bda39494aa11a0564dca80e64099d6c4262078f85db848bb974d8e408855ec440000000d80a007e5e3df66ec523f8cd3ab5e9d64d62fd78af7413cd3130a3476d6a131979734769dc5dbc9f6e9f20efd0da43949ba05ffe99235a4232beca0eeb831f81	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ebe1819df6add701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\AllComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

4960 reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AW QUOTE 21505 HQ1-Scan-068703_PDF.exe

pid process

4824 AW QUOTE 21505 HQ1-Scan-068703_PDF.exe

pid	process
4960	reg.exe

pid	process
4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe

Suspicious behavior: MapViewOfSection 32 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	1836	MicrosoftEdge.exe
Token: SeDebugPrivilege	1836	MicrosoftEdge.exe
Token: SeDebugPrivilege	1836	MicrosoftEdge.exe
Token: SeDebugPrivilege	1836	MicrosoftEdge.exe
Token: SeDebugPrivilege	4024	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4024	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4024	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4024	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1836	MicrosoftEdge.exe
Token: SeDebugPrivilege	4188	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4188	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

AW QUOTE 21505 HQ1-Scan-068703_PDF.exeAW QUOTE 21505 HQ1-Scan-068703_PDF.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
1836	MicrosoftEdge.exe
4264	MicrosoftEdgeCP.exe
4264	MicrosoftEdgeCP.exe
4408	MicrosoftEdge.exe
3152	MicrosoftEdgeCP.exe
3152	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AW QUOTE 21505 HQ1-Scan-068703_PDF.exeAW QUOTE 21505 HQ1-Scan-068703_PDF.execmd.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4684 wrote to memory of 4824	4684	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
PID 4824 wrote to memory of 4860	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	cmd.exe
PID 4824 wrote to memory of 4860	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	cmd.exe
PID 4824 wrote to memory of 4860	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	cmd.exe
PID 4824 wrote to memory of 4872	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	iexplore.exe
PID 4824 wrote to memory of 4872	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	iexplore.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4924	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4860 wrote to memory of 4960	4860	cmd.exe	reg.exe
PID 4860 wrote to memory of 4960	4860	cmd.exe	reg.exe
PID 4860 wrote to memory of 4960	4860	cmd.exe	reg.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 3212	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 2452	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3152 wrote to memory of 648	3152	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4824 wrote to memory of 4280	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4280	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4280	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4280	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe
PID 4824 wrote to memory of 4280	4824	AW QUOTE 21505 HQ1-Scan-068703_PDF.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
"C:\Users\Admin\AppData\Local\Temp\AW QUOTE 21505 HQ1-Scan-068703_PDF.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\AW QUOTE 21505 HQ1-Scan-068703_PDF.exe
"{path}"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4824

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:4860

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:4960

\??\c:\program files\internet explorer\iexplore.exe
"c:\program files\internet explorer\iexplore.exe"
3⤵
PID:4872

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4924

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:3212

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4280

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:884

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:5404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:5412

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:5812

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:1180

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:3720

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:6328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1836

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3492

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4264

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4024

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4408

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4032

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:648

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2452

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4188

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4876

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5128

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6036

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:4792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4852

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4192

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6552

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\23B6XTB3\12971179[1].jpg
MD5
0e4994ae0e03d9611e7655286675f156

SHA1
e650534844a7197b328371318f288ae081448a97

SHA256
07b979b12f1cb506df7675efe227a2e78accfa1f5954af2b7bb66295e5cf881c

SHA512
07aaae5347fa8e82f86d0ba7c28127fac952d84bad3dce119654b5ba1cd2550c8d064770473f34f89fc383847b2f1594b3600d9fd01e6275d67868c41638e34a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\23B6XTB3\24882762[1].jpg
MD5
ca711d527e0e1be012a3105699592812

SHA1
f02534ce002f6d734a897491a1ebcc825da565c7

SHA256
e68e548a3cc404e84af3fd7529c21d64a238ba5d0857feb8fa1652b439b36e6f

SHA512
a56a1266a76ee7c95424f5beaed9d65ea569e7d187beae3c4bc1fb3a018ac728f419a2b08b62c51a70e18ee82d54e1d7714092e609135bb455060ab7d01830b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\23B6XTB3\2672110[1].png
MD5
7dc91895d24c825c361387611f6593e9

SHA1
fc0d26031ba690ac7748c759c35005fe627beb8f

SHA256
f37ad9b56d806d06267f9a290196dfe4200edb7729b41d789b8f1ec8adc5cdbf

SHA512
ba27fdbf02294cc78ede7972f20da383c20027ab172a4ea6ad5006ff58e404032d92f875e642dfe73985428c28bbbe1befc546c2666a672afacf23195425d7c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\23B6XTB3\31348972[1].jpg
MD5
c09597bbae67e58e38228f9e8fa06175

SHA1
85aec568955ad5d9165364d37a9a141dd899eca9

SHA256
f62142fd084d46df32d9d8a340855fcb17b14376c36549b825670451ea7cae73

SHA512
b7592dcf34487e3ddbffd32e8d03cb5665330f8f687e10f39f16c67673238e340cf4633b8e921932c65e3c891286349378bb70ad9a8026046653c4cf8fa2efff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\23B6XTB3\jsll-4[1].js
MD5
211e123b593464f3fef68f0b6e00127a

SHA1
0fae8254d06b487f09a003cb8f610f96a95465d1

SHA256
589303ca15fba4fe95432dbb456ff614d0f2ad12d99f8671f0443a7f0cf48dff

SHA512
dad54d7941a7588675ea9dd11275a60fb6290e1582d1c7a4acb50642af3c2a4aa35e32edd8fa9dd01ce7fd777247d2706d5672a201633bf918b525936e93b14b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\23B6XTB3\repair-tool-no-resolution[1].png
MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\23B6XTB3\wcp-consent[1].js
MD5
38b769522dd0e4c2998c9034a54e174e

SHA1
d95ef070878d50342b045dcf9abd3ff4cca0aaf3

SHA256
208edbed32b2adac9446df83caa4a093a261492ba6b8b3bcfe6a75efb8b70294

SHA512
f0a10a4c1ca4bac8a2dbd41f80bbe1f83d767a4d289b149e1a7b6e7f4dba41236c5ff244350b04e2ef485fdf6eb774b9565a858331389ca3cb474172465eb3ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6QXTEPJQ\MathJax[1].js
MD5
7a3737a82ea79217ebe20f896bceb623

SHA1
96b575bbae7dac6a442095996509b498590fbbf7

SHA256
002a60f162fd4d3081f435860d408ffce6f6ef87398f75bd791cadc8dae0771d

SHA512
e0d1f62bae160008e486a6f4ef8b57aa74c1945980c00deb37b083958f4291f0a47b994e5fdb348c2d4618346b93636ce4c323c6f510ab2fbd7a6547359d28d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6QXTEPJQ\SegoeUI-Roman-VF_web[1].woff2
MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6QXTEPJQ\app-could-not-be-started[1].png
MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6QXTEPJQ\latest[1].woff2
MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCZA20LT\TeX-AMS_CHTML[1].js
MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCZA20LT\application-not-started[1].htm
MD5
9ecf7d824e732de1dabb55e628502402

SHA1
98076e3cecba8ae885bb517b258df6a70df40322

SHA256
85abc2f4746e5c9b3a49e3eb30d851c86cf4cb6fe48db55a266f099304851a03

SHA512
69999e93ae7c7afc569f704339dc50c1252313bd68b03e1844a0638df8d29df4f6f60c6b576ac57804a845dd7a27f5e06ec76a4259a9b1ada4b3f8c07a41eb4e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCZA20LT\install-3-5[1].png
MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCZA20LT\ms.jsll-3.min[1].js
MD5
db1c580cd28422b73814f0620aad00d9

SHA1
4dadd769be89f5b7c1843bd79434914132ec1c1c

SHA256
59e18de81c8c868b6d6276807f51a2b27e6a29ebdf44f55b520c11d5aac867d0

SHA512
2a8d4752a317990bc8bb5a98ac11d6b270c4d52fd3f3476870cb6f02fdf849999ab6f7d92645f217b1f83161fc21b475396083c04a5e42af476f337b0b3b7c83

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FCZA20LT\repair-tool-recommended-changes[1].png
MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJ9N56TS\5cce29c0.deprecation[1].js
MD5
55bb21475c9d3a6d3c00f2c26a075e7d

SHA1
59696ef8addd5cfb642ad99521a8aed9420e0859

SHA256
3ceddaf5a1ed02614ec6b4edd5881a3ffb7ec08116154dff8eb9897230bf5e59

SHA512
35261ddaf86da82d27a29f39a7c6074a5f0e66f5b0a8098c7502289fb70b186371a7fe71410baab6cc6b726e9338afecee9f8bb075047a055723fb5e2f09b9c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJ9N56TS\c525a9a2.site-ltr[1].css
MD5
c41b93c6b685b6201e4d9690ae09acca

SHA1
bd8fb9d957fc941c9b5d0d19d799d5a6204c53fe

SHA256
9f7c87a6b80523bb7d3462fbd6ffd5830592b457744b43eb1a9541061e6428b5

SHA512
154af23c7462a23f57788cff4d905a9cbbd103be2782ef11a693610e1c78f3e7230d47c7c8bd10971536075635a3eede2a046e16cd3e5b590dc0e83fccbe2356

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJ9N56TS\d1fe8758.index-docs[1].js
MD5
9cc8d7c7834f12d78aa10ccd8998635c

SHA1
459fe291b4540a722244fd1367d39bcaf6569123

SHA256
fcb53781930b59575ee13a89794a5a9363c5eff0ad6126cfa10b6460e573c13b

SHA512
838f4b410f3a1be2b74b981a91c2bed03ff9598964d9228878754d99e6842c2cb36b55be34ec6ddf1976f964d651df9df8b3c61c9e9f501ed91aab4d3aaee0e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJ9N56TS\docons.97a9e7db[1].woff2
MD5
5d062f872c1600833f39feb797a9e7db

SHA1
3fef40e5e5a99058821699be07e35a4328e255c4

SHA256
78dbf0f234ec92b20a4354ff1391709f63ba3dc973f14b0e7e3fd52f12a10a4c

SHA512
7fac8479c7b7a1fb954c1ac311b2f4a7019f8bfb5c601f099a562de7af777b5e14ec3816b9425a0bf07250a12adf811a0bb700e0d1f37d9f9f3c3d69576aac45

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PJ9N56TS\repair-tool-changes-complete[1].png
MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\2WITMDTC.cookie
MD5
12e59f7c0a69c494d0a3d0e9d40068e8

SHA1
6090940fe549fe0e55e3dcb5fad32cee0d8ea088

SHA256
53f4819b09d9ea3307a6e320df0f70cc03819c4fa6617864f4e2eaa1214807a3

SHA512
8539d9e6b8f6b0765aecf173f908bdf3c28ac1430e9bd7ae357d610ca044c9c7c5eaad863d5bae5d1aafa9bb959a90554e700fecc5e1f37c6759a4a164d649bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6R1HQ7AM.cookie
MD5
c1871037cfb0f92a6256307546dd18fe

SHA1
70786e876adf731ee1b43265eb17f32d10f614ce

SHA256
392c55fb4959b59bc417a2ff2baf739ea19cc65d462647d328cf3a46580ead89

SHA512
5992911bdc9caf7025da9867482e5d24bbb3af69ad8730f04b7d6ba7cff94868e558a4b27a64392c6c753baacabd7d5ab9c89ac265c3ea5541b4cf8167bf6df3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\893R82GN.cookie
MD5
7baf2a9a077e678368326453a1604640

SHA1
107fe31f29a1a2ca82138fb2cac0767c5794f7af

SHA256
2d58736ed518d7a74cde8b2f86f1519207ab040b546313e8ba1171da207263d9

SHA512
a0eaca23296ea27dbc9ae00677b7c54430e279cefcfbc382bd8d2ada83f30f100e53d9568837c289f55a0003c4980e7afbaa4b3378c812fe01fc57431c4c55dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
1d18a59ba00457e48a6991ef0609d984

SHA1
0f1c1a360502c66215375107eea22b1f9244d34d

SHA256
fc1f75272783a3db2ff99760c7199f0f27b1ad4ff951f5ba2fc95f49679fbc65

SHA512
c7d812de0fdc72fa52388937b8e8bf9e77f8a53d7588eb8a32ced162ea54188bdf8b6350e13c7d01f5bf743f4b8085b73796f41a8c3c8196be8aa3c9dcd440fc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
1071aa8cc3a6ad3ca8b0ddb7c6bc7212

SHA1
602ab5e29381bed0006f213c1c8041a9e329a144

SHA256
72dd0a38fea4c345e70ffdb06f026ea6ba2802ca2ce4eca2aeaa4363b3539ec4

SHA512
c0aa20ace09a1465f67cc573cdb9667410afe3bfe50108affa2c0ffc48aefb49c61e9a81e3c0a9115176465f78a94a0afdc8264217484a6e5576dd3992f7859a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
d36a9739d67d2ed28883c6b15178c09f

SHA1
f7934e133600461adf6273c2a29b54018a262d2b

SHA256
60ed02b7b4a6a3216c6092c65f45538203a388fefedd28f42ee5aa7b65f91a20

SHA512
cc2ef6efa0182f4912df4b49043164e8984b25f0af5ea83470e65dbe0eab98b20807724c1122e3cfdbc43fc7db8d5a617376f5c9c9dba8cb3b59b35788933f4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
b0102b478018efad4ea67b67563bda8a

SHA1
01e624a942b19520776ca26c912936fe5c294a7c

SHA256
86a0b1a26c3e013b8d29f96262f8b879ca41a08a7eb3a7517f85c338a2de33c6

SHA512
2cbc2336c265892c0fefae6c20beb5ae05286fc0acc50939957b6ca69f443ceffbee094f5fdc3719a9316c40f65703f3fe88d130ec8caf589d291b32d991aad4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
9886a0eeef4e4de16d55ddc65e9f58f8

SHA1
29e2fb15e0e4a084f86aceca92ba9b419f9943ac

SHA256
f382a785e245b1577a7c7a58753f2eebc023aecd22b28d4bb6bb7f9ee58680de

SHA512
6543a4b7fce52859779b262c482066a7ef1a0898e3b3e65d875171e9e6fd099372090a6147a31982e2b8ee266a5620b2ff38816fe27caafbbdc0e3c896cd0ef7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
869854d603cd7cf6ea3efb8f808122a6

SHA1
d0fb288c87ba040f77130390aa91de71354e4fe6

SHA256
51225f35317a6de45959cdf123e06c64e73534e443404504ece1e6ded67ba7be

SHA512
72f5ab9315aaeea2b377edb25bc59f7eadf4ce8ef3aab89a1de6beaf5d04fdee1f6b5255ebbf8f492022b1d9222b05c697f15cf42fc0861a665f7268517fd99d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
e9270f794b39a75130857d7d869bdfad

SHA1
6f65ecf0d017d7735a9ed0befdc33c7b10c2a27c

SHA256
582b35a58ad2332aa89070d76001d544861710f8d196ddaf324c3e0188dead3c

SHA512
9308870f17e834b575bbebb2b30f9eafdb480c7a7feebbc2a1d22cb9f623505e8952194dce6eb8e7ada7fcdbab3b4af16b2375cccb070588f46a3855b6a85a95

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
70d74955510b2c71cc69892de85c381a

SHA1
4be0a74b8bcfd26dbd3d42c5ae311b7df061ccd4

SHA256
77e33d40fffd406bba119080634e41acc7a1743bf2bf7f5e12958fe5c3e7aae9

SHA512
c4ce0fd793261ff3097ada51723e00220e89c1daea443b6846c92217adc5617f269179d7e45294ee9b6f0f1d06a08645415a90754110a009e15f47f1402bd0ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
0833e933405aa7259f542c9b0243686b

SHA1
ecdc245d2008fae07f0c81594b2159aad09c4e1f

SHA256
33195eb62a7d96451f164c21166a417fd82d1206b80495e9cb9c7293f33974ca

SHA512
4935d00e464e8b352ccaf11ac39610b7391b3a798ea3fc98244349f909d704d8caa8a54d30d1011d8d3b9b57d3f415d9870dfa961d3805976d39baa1d65a7553

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
598adfe095c3fe1ade9a33371bc74b71

SHA1
e241b7735e1e897a3759130d951fecbac0adb57d

SHA256
13bebbbf2ffeff43f521c83ffa50ee75ad3c31e3d8e8cbadc7b3b3727f33097f

SHA512
749e88d62e641f73c3b414bfecc1dfb06677d1a1ee02ce9398dee21ee075c8249af144ca21ed7ad9ff697c2a67779e367da761e683f9120d2d4c2cfb2adbda3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
b93a3a2a61e23d9ceec2c8201b0c8d9e

SHA1
da3803394196b3a4bc336138a0147194f317894f

SHA256
674fe31562861f42292d8799a7a12b2039ed57d1eaeb659b9922018ebf756c82

SHA512
e405cf3c7d6dc850f421d70fb4db86873ebb4bea7113cc904fdcf5921815d6175d998755c81bdd711d80a7194c9c7c6864e3a66cf3611b7937650cfbae3bae82

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
305420c3b1344dd4f6f95f2e82802739

SHA1
29dce564476c9311bbe26f5a7486fe1ac5659907

SHA256
7f6fddb9119e3b89eb848a711db3dc540399aada83fc2e6af58440d83f120b26

SHA512
d2712a5f7eda1bf23a6ec8ca249df77dd60054b2c785b2c8f9a446dc763edadbb969c67bef678e93d3080500ca2e07b4f1b73306ea35a67a6e1feb8093bd1853

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
7f12fbc46c4daeac0f6a76ec94184901

SHA1
5b261b7def91f0c65ced9fc93437ee628fd0dd23

SHA256
a75e250e485ece01f5de31556a5595c98a9e17c1ce16f210c43f6289690ef1d5

SHA512
3cdbd6fe4fdd81a2da2c7bfe231ccc12a58ebba94178dc4eb0863ca6bb0f5c8caecd063c2750568be936e7ca75d78fc93244718c5712ee8546700321841656a1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
d3f544f0aa289e62007a322101456243

SHA1
230efe59bda63c373f6beb3cb17bb333fbc1da4a

SHA256
7a255f97a1ab7603b26445fedfa94f05b7b7073b49671bcfdadfa0515d5232e6

SHA512
95a1a17606bc61da659cc1a363862bc148965b220256c10395cf0bd85a9d5214a5ac06ac7aeacfeda2ddbafa885836c50448a5e55bbe0ab098516a716468c24d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
MD5
7d588f261c649ebbfe2c81e5f47045f3

SHA1
33429d214d74b2bde53d3751737724797dd0c983

SHA256
04c216b9c8155652353ead3a20360d3a8440ba6d9381b71a36d1bdc87514e73c

SHA512
b05d0aa490fa25524ce56e2278ae3b2079a2c4213d167fbf72ce43182e7f622cbac28d6f3237b147bf8d4dabfbde868ffd1021316e07fea889b402b003734b79

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5
97cb5ed63391cc41e5de6379593c73ea

SHA1
95d450407ac4e313b01f358e2c719cef2342a835

SHA256
3bbf43657ccc938b33cb0186f564c10417bf52a4753e7737c39c1e2440915e33

SHA512
78ec4a7bb50d5054d934f72d9f5aa40ea6b0297fe205e7d94756d0b799a75dd0fa7e54dbfba4e31abdae14432ed86a5983cb9618659873b82b1aba950ed3cf8c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
MD5
597db686308caed40d3c2a8948a80be4

SHA1
2bc7820de5a1fa3ed5f228f579494eee06a50e6b

SHA256
03db8394ae87bd77c8a9c743ca64ba794f977bfd9b44bb2d088c8b0790281e16

SHA512
3963b935a2d587e1a41ddda6504f35bd641acad724c9101261ff93788483322661f7dddec4637c81e6d95b2a3fb56e1bb72d1486a35f331947a38c774ad7adb9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
MD5
9c14c4191cfe655cfd8ecc4e245a72f7

SHA1
57ebaed38b95d1c714cc9387d89d56691063c28b

SHA256
ba1b23d41ecac4e00655fc9f04902428baa17591914f71cba904e5a12837e36a

SHA512
3455d87545956382b0a9b120c691337a5d5ad32bf7e609355c824b0b6fe16f8c58af956742897b9ac0c3d1ebbebc0adc5cbc9941f5e088805cf0940c02be688d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{3461306C-55BD-4F01-BBBD-ADD0013E6AFC}.dat
MD5
3d1f0309c9d91b7546cb7a544c10c069

SHA1
b8040b87a21bccf2d494cf63dffcae91afddc361

SHA256
7bec542a3eb93cf36a4b0916706f09907c9b3a31b107112cffd542bcb80115b1

SHA512
693131bd7c029d59c170ea372156e4dc44e3234121f9ac8a948cbf8777b8cc7bae6513ab82c7171cf7d9436208a6588559aa22d2a8eb61f494b0e91c85bc13cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{44DF7DC0-3918-45AC-A203-99DF01F41E8D}.dat
MD5
aa1990b8ea3d482f9bade9bbc7cf2a12

SHA1
c954685bca70b1e337b990271aa7100374cfc125

SHA256
65c74666e3b40ba7648b645601f010523b4ca1eaf731343358f9d2ff1e658343

SHA512
3a733d59be28279e763c0603a6f5ed43c26d8c890b89b5261d1dddf71479695bb6c92cd54b92521ece78f625866438f675d864fe37821d65191feb447df715dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
memory/884-193-0x000000000053FBF2-mapping.dmp

Download
memory/1180-211-0x000000000053FBF2-mapping.dmp

Download
memory/3212-148-0x000000000053FBF2-mapping.dmp

Download
memory/3720-223-0x000000000053FBF2-mapping.dmp

Download
memory/4280-187-0x000000000053FBF2-mapping.dmp

Download
memory/4408-139-0x000001D381C00000-0x000001D381C10000-memory.dmp

Filesize
64KB

Download
memory/4684-125-0x00000000097C0000-0x00000000097CE000-memory.dmp

Filesize
56KB

Download
memory/4684-126-0x000000007F000000-0x000000007F001000-memory.dmp

Filesize
4KB

Download
memory/4684-121-0x0000000005810000-0x0000000005D0E000-memory.dmp

Filesize
5.0MB

Download
memory/4684-120-0x0000000005850000-0x0000000005851000-memory.dmp

Filesize
4KB

Download
memory/4684-119-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/4684-118-0x00000000058B0000-0x00000000058B1000-memory.dmp

Filesize
4KB

Download
memory/4684-122-0x0000000005810000-0x0000000005D0E000-memory.dmp

Filesize
5.0MB

Download
memory/4684-123-0x0000000005810000-0x0000000005D0E000-memory.dmp

Filesize
5.0MB

Download
memory/4684-117-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/4684-124-0x0000000005810000-0x0000000005D0E000-memory.dmp

Filesize
5.0MB

Download
memory/4684-128-0x0000000009AD0000-0x0000000009B45000-memory.dmp

Filesize
468KB

Download
memory/4684-115-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

Filesize
4KB

Download
memory/4684-127-0x00000000099E0000-0x0000000009A83000-memory.dmp

Filesize
652KB

Download
memory/4824-131-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4824-130-0x000000000042F71D-mapping.dmp

Download
memory/4824-129-0x0000000000400000-0x0000000000479000-memory.dmp

Filesize
484KB

Download
memory/4860-132-0x0000000000000000-mapping.dmp

Download
memory/4924-134-0x000000000053FBF2-mapping.dmp

Download
memory/4924-133-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/4960-137-0x0000000000000000-mapping.dmp

Download
memory/5412-199-0x000000000053FBF2-mapping.dmp

Download
memory/5812-205-0x000000000053FBF2-mapping.dmp

Download
memory/6328-229-0x000000000053FBF2-mapping.dmp

Download