ffe043f31188d2160a5aae146ecdb512f60e1a4ce401f0e2bdf3ddbffbcb3762

Analysis

max time kernel
345s
max time network
344s
platform
windows10_x64
resource
win10-en-20210920
submitted
21-09-2021 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archiveCH.exe
Size

10.1MB
MD5

7bb403307edfccdd9c0d69b527f9238a
SHA1

6eab8586e7d09c422dd58c9e9982a79455ba2505
SHA256

ffe043f31188d2160a5aae146ecdb512f60e1a4ce401f0e2bdf3ddbffbcb3762
SHA512

4538a050d80a53394058497f5e62175f85fafee53202c3f8e5c459ed1671c1e68ee8d5651c6d13f587762a4a012951c1ee87f52114cc1bba624f0f16832e58ea

Score

7^/10

microsoft phishing

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

archiveCH.exe

pid	process
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe
1924	archiveCH.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Drops file in Windows directory 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "1566"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsTime	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.msn.com\ = "32"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "I 0069 Y 0079 IX 0268 YX 0289 UU 026F U 0075 IH 026A YH 028F UH 028A E 0065 EU 00F8 EX 0258 OX 0275 OU 0264 O 006F AX 0259 EH 025B OE 0153 ER 025C UR 025E AH 028C AO 0254 AE 00E6 AEX 0250 A 0061 AOE 0276 AA 0251 Q 0252 EI 006503610069 AU 00610361028A OI 025403610069 AI 006103610069 IYX 006903610259 UYX 007903610259 EHX 025B03610259 UWX 007503610259 OWX 006F03610259 AOX 025403610259 EN 00650303 AN 00610303 ON 006F0303 OEN 01530303 P 0070 B 0062 M 006D BB 0299 PH 0278 BH 03B2 MF 0271 F 0066 V 0076 VA 028B TH 03B8 DH 00F0 T 0074 D 0064 N 006E RR 0072 DX 027E S 0073 Z 007A LSH 026C LH 026E RA 0279 L 006C SH 0283 ZH 0292 TR 0288 DR 0256 NR 0273 DXR 027D SR 0282 ZR 0290 R 027B LR 026D CT 0063 JD 025F NJ 0272 C 00E7 CJ 029D J 006A LJ 028E W 0077 K 006B G 0067 NG 014B X 0078 GH 0263 GA 0270 GL 029F QT 0071 QD 0262 QN 0274 QQ 0280 QH 03C7 RH 0281 HH 0127 HG 0295 GT 0294 H 0068 WJ 0265 PF 007003610066 TS 007403610073 CH 007403610283 JH 006403610292 JJ 006A0361006A DZ 00640361007A CC 007403610255 JC 006403610291 TSR 007403610282 WH 028D ESH 029C EZH 02A2 ET 02A1 SC 0255 ZC 0291 LT 027A SHX 0267 HZ 0266 PCK 0298 TCK 01C0 NCK 0021 CCK 01C2 LCK 01C1 BIM 0253 DIM 0257 QIM 029B GIM 0260 JIM 0284 S1 02C8 S2 02CC . 002E _\| 007C _\|\| 2016 lng 02D0 hlg 02D1 xsh 02D8 _^ 203F _! 0001 _& 0002 _, 0003 _s 0004 _. 2198 _? 2197 T5 030B T4 0301 T3 0304 T2 0300 T1 030F T- 2193 T+ 2191 vls 030A vcd 032C bvd 0324 cvd 0330 asp 02B0 mrd 0339 lrd 031C adv 031F ret 0331 cen 0308 mcn 033D syl 0329 nsy 032F rho 02DE lla 033C lab 02B7 pal 02B2 vel 02E0 phr 02E4 vph 0334 rai 031D low 031E atr 0318 rtr 0319 den 032A api 033A lam 033B nas 0303 nsr 207F lar 02E1 nar 031A ejc 02BC + 0361 bva 02B1 G2 0261 rte 0320 vsl 0325 NCK3 0297 NCK2 01C3 LCK2 0296 TCK2 0287 JC2 02A5 CC2 02A8 LG 026B DZ2 02A3 TS2 02A6 JH2 02A4 CH2 02A7 SHC 0286 rhz 02B4 QOM 02A0 xst 0306 T= 2192 ERR 025D AXR 025A ZHJ 0293"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft David Mobile - English (United States)"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NTPFirstRun = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://www.facebook.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "652"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "860"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\NumberOfSubdom = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "SR Engine (11.0) Text Normalization"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000d3d61ad14b265f3261d2122214f7e515830952b92c5e4dbb38bccc75568e6a350054dd57644d7300fe7ea0fb1996b27e9c4ba55bf2378204964fc3bbcd7364e414c3ae0d3ca1a3c4f4a25479e2ca0937faceb3eb0f4e8c37382cb638ea7e4be689c25a76274238b9dcdfb199ecb3fe3cff32bb84c6c170d471f198ff70cec94073f3f4b86a504fc085d5374c3472d29b2718ade14eb25206b03f55745f83f51f1af5c8603ceb371e16246f424a25ceeb7c1eddea933f610372b7b92644bdef32f467e6305733ba00626ca45ea2ed051e36e52f4e188a593f84f7e742f99b35695aebec05c04867d77f4de3a249ebde97de0d8d2be6b1d56811a1a08e903f35f213201fc98a4a167d256788ba203d2ea0b7362dcf54d6c23c5653ebf92fc89f9395a5c972fb5934316a5ab678ff041f1c8200cb798517e22580aea2b94356a34d5c1c741ca795b15c86c5347a8560d79b740cf73d2a96a1aa3b5321fb9b08414e2d24ce22ed1e102e904a5461577216b45af8b6e7637213b3c3e0381ec200f536c05c9759df148400a688da9809588bb065655ffb9eca2c956b8579c85d6faec03f23841ed5b25cf1	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000f2e0c2e0ec4374c4e4c69b60cf39229452ed8708c0ae9bc981d6010a471b9be2fb185cddd7bba2294affa1f0b880b1078d164be14845ad2f7b41	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 + 0008 * 0009 1 000A 2 000B 3 000C 4 000D 5 000E a 000F ai 0010 an 0011 ang 0012 ao 0013 ba 0014 bai 0015 ban 0016 bang 0017 bao 0018 bei 0019 ben 001A beng 001B bi 001C bian 001D biao 001E bie 001F bin 0020 bing 0021 bo 0022 bu 0023 ca 0024 cai 0025 can 0026 cang 0027 cao 0028 ce 0029 cen 002A ceng 002B cha 002C chai 002D chan 002E chang 002F chao 0030 che 0031 chen 0032 cheng 0033 chi 0034 chong 0035 chou 0036 chu 0037 chuai 0038 chuan 0039 chuang 003A chui 003B chun 003C chuo 003D ci 003E cong 003F cou 0040 cu 0041 cuan 0042 cui 0043 cun 0044 cuo 0045 da 0046 dai 0047 dan 0048 dang 0049 dao 004A de 004B dei 004C den 004D deng 004E di 004F dia 0050 dian 0051 diao 0052 die 0053 ding 0054 diu 0055 dong 0056 dou 0057 du 0058 duan 0059 dui 005A dun 005B duo 005C e 005D ei 005E en 005F er 0060 fa 0061 fan 0062 fang 0063 fei 0064 fen 0065 feng 0066 fo 0067 fou 0068 fu 0069 ga 006A gai 006B gan 006C gang 006D gao 006E ge 006F gei 0070 gen 0071 geng 0072 gong 0073 gou 0074 gu 0075 gua 0076 guai 0077 guan 0078 guang 0079 gui 007A gun 007B guo 007C ha 007D hai 007E han 007F hang 0080 hao 0081 he 0082 hei 0083 hen 0084 heng 0085 hong 0086 hou 0087 hu 0088 hua 0089 huai 008A huan 008B huang 008C hui 008D hun 008E huo 008F ji 0090 jia 0091 jian 0092 jiang 0093 jiao 0094 jie 0095 jin 0096 jing 0097 jiong 0098 jiu 0099 ju 009A juan 009B jue 009C jun 009D ka 009E kai 009F kan 00A0 kang 00A1 kao 00A2 ke 00A3 kei 00A4 ken 00A5 keng 00A6 kong 00A7 kou 00A8 ku 00A9 kua 00AA kuai 00AB kuan 00AC kuang 00AD kui 00AE kun 00AF kuo 00B0 la 00B1 lai 00B2 lan 00B3 lang 00B4 lao 00B5 le 00B6 lei 00B7 leng 00B8 li 00B9 lia 00BA lian 00BB liang 00BC liao 00BD lie 00BE lin 00BF ling 00C0 liu 00C1 lo 00C2 long 00C3 lou 00C4 lu 00C5 luan 00C6 lue 00C7 lun 00C8 luo 00C9 lv 00CA ma 00CB mai 00CC man 00CD mang 00CE mao 00CF me 00D0 mei 00D1 men 00D2 meng 00D3 mi 00D4 mian 00D5 miao 00D6 mie 00D7 min 00D8 ming 00D9 miu 00DA mo 00DB mou 00DC mu 00DD na 00DE nai 00DF nan 00E0 nang 00E1 nao 00E2 ne 00E3 nei 00E4 nen 00E5 neng 00E6 ni 00E7 nian 00E8 niang 00E9 niao 00EA nie 00EB nin 00EC ning 00ED niu 00EE nong 00EF nou 00F0 nu 00F1 nuan 00F2 nue 00F3 nuo 00F4 nv 00F5 o 00F6 ou 00F7 pa 00F8 pai 00F9 pan 00FA pang 00FB pao 00FC pei 00FD pen 00FE peng 00FF pi 0100 pian 0101 piao 0102 pie 0103 pin 0104 ping 0105 po 0106 pou 0107 pu 0108 qi 0109 qia 010A qian 010B qiang 010C qiao 010D qie 010E qin 010F qing 0110 qiong 0111 qiu 0112 qu 0113 quan 0114 que 0115 qun 0116 ran 0117 rang 0118 rao 0119 re 011A ren 011B reng 011C ri 011D rong 011E rou 011F ru 0120 ruan 0121 rui 0122 run 0123 ruo 0124 sa 0125 sai 0126 san 0127 sang 0128 sao 0129 se 012A sen 012B seng 012C sha 012D shai 012E shan 012F shang 0130 shao 0131 she 0132 shei 0133 shen 0134 sheng 0135 shi 0136 shou 0137 shu 0138 shua 0139 shuai 013A shuan 013B shuang 013C shui 013D shun 013E shuo 013F si 0140 song 0141 sou 0142 su 0143 suan 0144 sui 0145 sun 0146 suo 0147 ta 0148 tai 0149 tan 014A tang 014B tao 014C te 014D tei 014E teng 014F ti 0150 tian 0151 tiao 0152 tie 0153 ting 0154 tong 0155 tou 0156 tu 0157 tuan 0158 tui 0159 tun 015A tuo 015B wa 015C wai 015D wan 015E wang 015F wei 0160 wen 0161 weng 0162 wo 0163 wu 0164 xi 0165 xia 0166 xian 0167 xiang 0168 xiao 0169 xie 016A xin 016B xing 016C xiong 016D xiu 016E xu 016F xuan 0170 xue 0171 xun 0172 ya 0173 yan 0174 yang 0175 yao 0176 ye 0177 yi 0178 yin 0179 ying 017A yo 017B yong 017C you 017D yu 017E yuan 017F yue 0180 yun 0181 za 0182 zai 0183 zan 0184 zang 0185 zao 0186 ze 0187 zei 0188 zen 0189 zeng 018A zha 018B zhai 018C zhan 018D zhang 018E zhao 018F zhe 0190 zhei 0191 zhen 0192 zheng 0193 zhi 0194 zhong 0195 zhou 0196 zhu 0197 zhua 0198 zhuai 0199 zhuan 019A zhuang 019B zhui 019C zhun 019D zhuo 019E zi 019F zong 01A0 zou 01A1 zu 01A2 zuan 01A3 zui 01A4 zun 01A5 zuo 01A6"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Microsoft Zira Mobile"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLsVisitCount\url1 = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.microsoft.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "19688"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{F1441F24-3119-4358-BBA1-A097B82CEE91}"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\Total\ = "23"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "Near"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\bing.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 13 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	2844	MicrosoftEdge.exe
Token: SeDebugPrivilege	2844	MicrosoftEdge.exe
Token: SeDebugPrivilege	2844	MicrosoftEdge.exe
Token: SeDebugPrivilege	2844	MicrosoftEdge.exe
Token: SeDebugPrivilege	2256	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2256	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2256	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2256	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4196	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4196	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4196	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4196	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4812	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4812	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

2844 MicrosoftEdge.exe
1920 MicrosoftEdgeCP.exe
1920 MicrosoftEdgeCP.exe
4196 MicrosoftEdgeCP.exe
4196 MicrosoftEdgeCP.exe

pid	process
2844	MicrosoftEdge.exe
1920	MicrosoftEdgeCP.exe
1920	MicrosoftEdgeCP.exe
4196	MicrosoftEdgeCP.exe
4196	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

archiveCH.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 1812 wrote to memory of 1924	1812	archiveCH.exe	archiveCH.exe
PID 1812 wrote to memory of 1924	1812	archiveCH.exe	archiveCH.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4196	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 2256	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1920 wrote to memory of 4916	1920	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\archiveCH.exe
"C:\Users\Admin\AppData\Local\Temp\archiveCH.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1812

C:\Users\Admin\AppData\Local\Temp\archiveCH.exe
"C:\Users\Admin\AppData\Local\Temp\archiveCH.exe"
2⤵
- Loads dropped DLL
PID:1924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4196

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4916

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4480

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\T2RY7SOV\Py2Exe%20Binary%20Editor%20v0.1[1].7z
MD5
cef4de63a8375214432b6389a94fce29

SHA1
fb49599513ba91b3daf4a84d00d8b0548093e080

SHA256
0e85c5d6fc0ddc6fc2d46851ddba77560dd6e6ef12d9cea997fec6a59b8dfbb5

SHA512
6c367262c0919c51fcf8a387bda2cea11349f95b5c53bb67aebdd331cb4f08a0aa5baf964a1d58b544962f74c450b5037e1fa33115fb1723c1c64f05df0d1c02

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
63ef1f9b98b4f24be6c648bdac24af0f

SHA1
dc8d726447bc22d2977ddd4456ad36708ed61871

SHA256
de262389deb3bbd4f1f7d234aafd7c29499a7b2553be43df79af4bc1ecf8ef08

SHA512
2730588d52781971e72fc131a314bae0831b6b365f652a94709c04d08422ed48dfc957c3153b80a07758d67b775ec40272b076875be8da2aa754fd3d8db3f70f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
0062794fa62b22c483a3dbb6515f1770

SHA1
7d6a2f0ac48b2521fd428011b26d6313758ae9b5

SHA256
65d41a45837be14e343d8dafb3d154dd9812d2f166045aaa9c3c5bb826e0d581

SHA512
a122486a139cfaf509f5ca29e51999d32af906c1e676b5d3f9081e3ef84e26e6e33f5c38384fdd82e4d757acb33f92cfb396581ca68883b321e28a9e5035ca7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
9f492bf2bddc9ad0606b516a7203c09b

SHA1
8e268da71825a95daabf426124821d11eed8b8b6

SHA256
56f4dba000fc5dc7ecba58f5ba8b43adc3654eaddf562f119aaad3c9f2e9f410

SHA512
ba43a812472ab03548edae1fd797e27dc6c87a267d5e6258c023fa77a16443268f08c8e20be81f7297aa42e4bf92dfba8e1058457dbc052e0179a3c0554061e0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_ACB084F1532E23E916946A083A45F6BF
MD5
c0dfcf0b84782da75ffecd9a90db2a30

SHA1
11d42d5a3d7c97622135a7d1fd49c2660f4c1965

SHA256
562afd1f6fde827da14b662e9319a7b05ad1803e526c8f347eb3e5377e308a14

SHA512
826a86691687a610a7e715676e378dad0c17690f09226d831a024ae71aa154665b407290ea53800fed480b73f491c351c39de4fa4d2bbfd1a6b48c7a4b5dea6e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
2d15ff662a849b8fb2869ce12e4f90b0

SHA1
fd1a92b09213105540867dd406a07e08c239405b

SHA256
3a5a68119d21efff6707ac0ad46a33ec629af1eac796da4eaf538205652263d6

SHA512
8bb9635c9886a8251cedfd03fcccb545f321f03531dc99573dc64484b8cbe4ed0ea0c1920ba6bb48c62e3793bcc27883cd7b32af17ffdb6c98ff7341bc345a1f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
784f1fe6b269e030dcbfda6e178ed234

SHA1
90c489b8b584c45160f73e48b62f92576251c303

SHA256
dabcfc6c18bbf6086fbdb5b13468fdb4792375d87620c678f52c5371cafb426d

SHA512
31142e134a09420cbc5daf30692c3d5124e4b27d073f6ecd0f7986df3394bb402fd8e0957f8140449472ef2292055b3e86a447199fe799bacd8330c476f70aec

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
MD5
cb0c091156c7126b6844b7d819f1bf18

SHA1
29f84139b8e8755a26607c1081d1e0440e90e1d4

SHA256
26dd668894d215428cb916c8f350c73b5eacc0915f5a23a9b79001d44ec23587

SHA512
74b7409d3146bfe1f5fd418c3b531b303eca9f610a4c958540f1c1a0f1009a41501c73f00f7048da33298fce6b243e8852d5e31bc97a86413e90f2c46da7a9f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_D975BBA8033175C8D112023D8A7A8AD6
MD5
63da132c7a048ad2cf9dbbaa08f9e396

SHA1
f01fe3e6f85099f96552412d2f233fa8ff666c76

SHA256
1dbe932d0cb4979d972f12a9ed74a1a5888bbb04f10fef3b2e7ad0aaacffe159

SHA512
3d6f3cfea0f012a2871f23774c9c111796a6e88a945699f60d4b66fde4b09619a2325f043035b9bb7231f46f8898a79bbc49941559e377ab78f4934d49d3d8e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_ACB084F1532E23E916946A083A45F6BF
MD5
7d54a9c32fe1293586a18c123c627376

SHA1
af3c0c56cf8cd5739f1d07790beb59854609e193

SHA256
ac3f713110418559417fc30cc17084f11bb0bb584d70bef4b79905506b7ee7c6

SHA512
f39ad74c154aeaba5ccb4d34c873da5f494b610345ee990cb01793335c19df038f2fca3a684ba311671da10a9b566662879436b7ad4dddbe4a30a1aecc08bdf6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
03c1fef9e3a2759b2d9b0ffd6e569703

SHA1
24ee2e6a489fade1d2d877acc5066c7cffa1a33b

SHA256
763a5c62c66f40a9ad4a2a0327d055c33e312db0b3c4b7c31bb61ca0316c537a

SHA512
c425036872281ab7c8ac4a78e4dd900cb47921d2221800d30a1221c3c2da0f6a065b5220333ae49919e81435daf11c3db1567cf1b9cf540f44d5233663ad1e44

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\VCRUNTIME140.dll
MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\_bz2.pyd
MD5
499462206034b6ab7d18cc208a5b67e3

SHA1
1cd350a9f5d048d337475e66dcc0b9fab6aebf78

SHA256
6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e

SHA512
17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\_ctypes.pyd
MD5
b74f6285a790ffd7e9ec26e3ab4ca8df

SHA1
7e023c1e4f12e8e577e46da756657fd2db80b5e8

SHA256
c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a

SHA512
3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\_hashlib.pyd
MD5
60f420a9a606e2c95168d25d2c1ac12e

SHA1
1e77cf7de26ed75208d31751fe61da5eddbbaf12

SHA256
8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c

SHA512
aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\_lzma.pyd
MD5
bc118fb4e14de484452bb1be413c082a

SHA1
25d09b7fbc2452457bcf7025c3498947bc96c2d1

SHA256
ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3

SHA512
68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\_socket.pyd
MD5
0df2287791c20a764e6641029a882f09

SHA1
8a0aeb4b4d8410d837469339244997c745c9640c

SHA256
09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869

SHA512
60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\base_library.zip
MD5
c44a3ca4e0f98fc5670aa8aff60595e7

SHA1
98ebb7bd452bdc05c8fb9d3ea5667c8d90d5849a

SHA256
ef0cc7a111517d181a5440364799ff058e68d7fcca803baf7161d6e17b61ad0a

SHA512
0616cb62f2f35c528f34e9f3a27a29f45bb8e5752b85083067782ccd2f7c0bee8eb3c17569f6e833efccdc630eb36949bed9fd4d9cc2cfd282f7fca148e0e41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\pyodbc.cp39-win_amd64.pyd
MD5
0aa8d408bb1d1ab434d67718decc64a0

SHA1
4c8e2264b548adf1c162d6feab873945a3067427

SHA256
a27463b01d54aed4543a25d9eda5c0285ee54d9ce809742994e62cc60de7929d

SHA512
588042e76baf73282f867bd9bd3f7480339ce596a6fd460ae13ad704eb6523f62b27d097fc06fd26d99395cd9482905e572a8fef535f6cfffcf42d3013ea020c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\python39.dll
MD5
c4b75218b11808db4a04255574b2eb33

SHA1
f4a3497fb6972037fb271cfdc5b404a4b28ccf07

SHA256
53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2

SHA512
0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\pythoncom39.dll
MD5
778867d6c0fff726a86dc079e08c4449

SHA1
45f9b20f4bf27fc3df9fa0d891ca6d37da4add84

SHA256
5dfd4ad6ed4cee8f9eda2e39fe4da2843630089549c47c7adda8a3c74662698a

SHA512
5865cb730aa90c9ac95702396e5c9f32a80ff3a7720e16d64010583387b6dbd76d30426f77ab96ecb0e79d62262e211a4d08eae28109cd21846d51ed4256b8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\pywintypes39.dll
MD5
72511a9c3a320bcdbeff9bedcf21450f

SHA1
7a7af481fecbaf144ae67127e334b88f1a2c1562

SHA256
c06a570b160d5fd8030b8c7ccba64ce8a18413cb4f11be11982756aa4a2b6a80

SHA512
0d1682bb2637834bd8cf1909ca8dbeff0ea0da39687a97b5ef3d699210dc536d5a49a4f5ff9097cabd8eb65d8694e02572ff0fdabd8b186a3c45cd66f23df868

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\select.pyd
MD5
a2a4cf664570944ccc691acf47076eeb

SHA1
918a953817fff228dbd0bdf784ed6510314f4dd9

SHA256
b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434

SHA512
d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18122\win32api.pyd
MD5
99a3fc100cd43ad8d4bf9a2975a2192f

SHA1
cf37b7e17e51e7823b82b77c88145312df5b78cc

SHA256
1665ad12ad7cbf44ae63a622e8b97b5fd2ed0a092dfc5db8f09a9b6fdc2d57e7

SHA512
c0a60d5333925ce306ceb2eb38e13c6bae60d2663d70c37ecfc81b7346d12d9346550cb229d7c4f58d04dd182536d799e6eff77996d712fc177b1f5af7f4a4f2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\VCRUNTIME140.dll
MD5
7942be5474a095f673582997ae3054f1

SHA1
e982f6ebc74d31153ba9738741a7eec03a9fa5e8

SHA256
8ee6b49830436ff3bec9ba89213395427b5535813930489f118721fd3d2d942c

SHA512
49fbc9d441362b65a8d78b73d4fdcf988f22d38a35a36a233fcd54e99e95e29b804be7eabe2b174188c7860ebb34f701e13ed216f954886a285bed7127619039

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\_bz2.pyd
MD5
499462206034b6ab7d18cc208a5b67e3

SHA1
1cd350a9f5d048d337475e66dcc0b9fab6aebf78

SHA256
6c2bbed242c399c4bc9b33268afe538cf1dea494c75c8d0db786030a0dcc4b7e

SHA512
17a1191f1d5ca00562b80eff2363b22869f7606a2a17f2f0b361d9b36b6e88cb43814255a5bac49d044ea7046b872bac63bd524f9442c9839ab80a54d96f1e6b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\_ctypes.pyd
MD5
b74f6285a790ffd7e9ec26e3ab4ca8df

SHA1
7e023c1e4f12e8e577e46da756657fd2db80b5e8

SHA256
c1e3e9548243ca523f1941990477723f57a1052965fccc8f10c2cfae414a6b8a

SHA512
3a700638959cbd88e8a36291af954c7ccf00f6101287fc8bd3221ee31bd91b7bd1830c7847d8c2f4f07c94bc233be32a466b915283d3d2c66abed2c70570c299

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\_hashlib.pyd
MD5
60f420a9a606e2c95168d25d2c1ac12e

SHA1
1e77cf7de26ed75208d31751fe61da5eddbbaf12

SHA256
8aa7abe0a92a89adf821e4eb783ad254a19858e62d99f80eb5872d81e8b3541c

SHA512
aaf768176cf034004a6d13370b11f0e4bbf86b9b76de7fa06d0939e98915607d504e076ad8adb1a0ebfb6fd021c51764a772f8af6af7f6d15b0d376448aba1a7

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\_lzma.pyd
MD5
bc118fb4e14de484452bb1be413c082a

SHA1
25d09b7fbc2452457bcf7025c3498947bc96c2d1

SHA256
ac0ceb8e6b5e67525b136b5ce97500fe4f152061b1bf2783f127eff557b248a3

SHA512
68a24d137b8641cd474180971142511d8708738096d865a73fb928315dd9edf46c4ebf97d596f4a9e207ec81828e5db7e90c7b8b00d5f416737ba8bffc2887bf

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\_socket.pyd
MD5
0df2287791c20a764e6641029a882f09

SHA1
8a0aeb4b4d8410d837469339244997c745c9640c

SHA256
09ab789238120df329956278f68a683210692c9bcccb8cd548c771e7f9711869

SHA512
60c24e38ba5d87f9456157e3f4501f4ffabce263105ff07aa611b2f35c3269ade458dbf857633c73c65660e0c37aee884b1c844b51a05ced6aed0c5d500006de

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\libcrypto-1_1.dll
MD5
cc4cbf715966cdcad95a1e6c95592b3d

SHA1
d5873fea9c084bcc753d1c93b2d0716257bea7c3

SHA256
594303e2ce6a4a02439054c84592791bf4ab0b7c12e9bbdb4b040e27251521f1

SHA512
3b5af9fbbc915d172648c2b0b513b5d2151f940ccf54c23148cd303e6660395f180981b148202bef76f5209acc53b8953b1cb067546f90389a6aa300c1fbe477

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\libffi-7.dll
MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\pyodbc.cp39-win_amd64.pyd
MD5
0aa8d408bb1d1ab434d67718decc64a0

SHA1
4c8e2264b548adf1c162d6feab873945a3067427

SHA256
a27463b01d54aed4543a25d9eda5c0285ee54d9ce809742994e62cc60de7929d

SHA512
588042e76baf73282f867bd9bd3f7480339ce596a6fd460ae13ad704eb6523f62b27d097fc06fd26d99395cd9482905e572a8fef535f6cfffcf42d3013ea020c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\python39.dll
MD5
c4b75218b11808db4a04255574b2eb33

SHA1
f4a3497fb6972037fb271cfdc5b404a4b28ccf07

SHA256
53f27444e1e18cc39bdb733d19111e392769e428b518c0fc0839965b5a5727a2

SHA512
0b7ddbe6476cc230c7bdd96b5756dfb85ab769294461d1132f0411502521a2197c0f27c687df88a2cd1ab53332eaa30f17fa65f93dac3f5e56ed2b537232e69c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\pythoncom39.dll
MD5
778867d6c0fff726a86dc079e08c4449

SHA1
45f9b20f4bf27fc3df9fa0d891ca6d37da4add84

SHA256
5dfd4ad6ed4cee8f9eda2e39fe4da2843630089549c47c7adda8a3c74662698a

SHA512
5865cb730aa90c9ac95702396e5c9f32a80ff3a7720e16d64010583387b6dbd76d30426f77ab96ecb0e79d62262e211a4d08eae28109cd21846d51ed4256b8ea

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\pywintypes39.dll
MD5
72511a9c3a320bcdbeff9bedcf21450f

SHA1
7a7af481fecbaf144ae67127e334b88f1a2c1562

SHA256
c06a570b160d5fd8030b8c7ccba64ce8a18413cb4f11be11982756aa4a2b6a80

SHA512
0d1682bb2637834bd8cf1909ca8dbeff0ea0da39687a97b5ef3d699210dc536d5a49a4f5ff9097cabd8eb65d8694e02572ff0fdabd8b186a3c45cd66f23df868

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\select.pyd
MD5
a2a4cf664570944ccc691acf47076eeb

SHA1
918a953817fff228dbd0bdf784ed6510314f4dd9

SHA256
b26b6631d433af5d63b8e7cda221b578e7236c8b34b3cffcf7630f2e83fc8434

SHA512
d022da9e2606c5c3875c21ba8e1132ad8b830411d6ec9c4ddf8ebd33798c44a7e9fe64793b8efb72f3e220bb5ce1512769a0398ecc109f53f394ea47da7a8767

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18122\win32api.pyd
MD5
99a3fc100cd43ad8d4bf9a2975a2192f

SHA1
cf37b7e17e51e7823b82b77c88145312df5b78cc

SHA256
1665ad12ad7cbf44ae63a622e8b97b5fd2ed0a092dfc5db8f09a9b6fdc2d57e7

SHA512
c0a60d5333925ce306ceb2eb38e13c6bae60d2663d70c37ecfc81b7346d12d9346550cb229d7c4f58d04dd182536d799e6eff77996d712fc177b1f5af7f4a4f2

Download Submit
memory/1924-115-0x0000000000000000-mapping.dmp

Download