darkcomet | 3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96

Analysis

max time kernel
156s
max time network
158s
platform
windows10_x64
resource
win10-en-20210920
submitted
28-09-2021 09:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe
Size

1.8MB
MD5

ef0fa837326628bff5da076ad75a562a
SHA1

e6647ac7c03b9820b2cb23ab174caf4562c3ba59
SHA256

3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96
SHA512

c38c80dd206177e6cc6b12a857b06d500c0a3564bf28ce617ef200b2ac4a16fefb32bfe38babb6870190f89ebec24b2dc733070be82af8998db6bb5eae5fd4fc

Score

10^/10

darkcomet guest16 microsoft persistence phishing rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

xExplictions.no-ip.biz:1604

Mutex

DC_MUTEX-GK7869K

Attributes

gencode
jpGnHQUvJBkz
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "C:\\Windows\\explorer.exe, C:\\Users\\Admin\\AppData\\Local\\Temp\\cmiadapter.exe"	reg.exe

Executes dropped EXE 5 IoCs

Processes:

KarmaKoinV1.3.exeKarmaCoinCode.execmiadapter.exePrintConfig.execmiadapter.exe

pid process

2660 KarmaKoinV1.3.exe
3464 KarmaCoinCode.exe
1264 cmiadapter.exe
1120 PrintConfig.exe
4960 cmiadapter.exe

pid	process
2660	KarmaKoinV1.3.exe
3464	KarmaCoinCode.exe
1264	cmiadapter.exe
1120	PrintConfig.exe
4960	cmiadapter.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

KarmaKoinV1.3.exe

description	ioc	process
File created	C:\Windows\assembly\Desktop.ini	KarmaKoinV1.3.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	KarmaKoinV1.3.exe

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 3 IoCs

Processes:

3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exeKarmaKoinV1.3.exePrintConfig.exe

description	pid	process	target process
PID 2060 set thread context of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2660 set thread context of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 1120 set thread context of 4900	1120	PrintConfig.exe	svchost.exe

Drops file in Windows directory 9 IoCs

Processes:

KarmaKoinV1.3.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File opened for modification	C:\Windows\assembly	KarmaKoinV1.3.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	KarmaKoinV1.3.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\assembly\Desktop.ini	KarmaKoinV1.3.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000f82584a9da0c988f0aa459db2dfa4c2a38a43ae20ea2cad997b4ff2b0559e185c1d72955811738a52224463d749ac356eb641bb74381205a6db7ba7f0871ca8efc2e58a6293312054c710860ac888a42a73424c80a8e6a4e95f2	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7c320e7e49b4d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{1CF4560F-1486-4777-B275-92C23F6BF820} = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates\83DA05A9886F7658	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 30c70e8349b4d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = fb229e7d49b4d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 5f3fab8449b4d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 303dbf4815bfd701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 15fd609249b4d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{A2B4DB2D-C760-4A3B-ADC2-B007114808AA}"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exeKarmaKoinV1.3.execmiadapter.exe

pid	process
2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe
2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
2660	KarmaKoinV1.3.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
2660	KarmaKoinV1.3.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
2660	KarmaKoinV1.3.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
2660	KarmaKoinV1.3.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe
1264	cmiadapter.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 39 IoCs

Processes:

3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exeAppLaunch.exeKarmaKoinV1.3.execmiadapter.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exePrintConfig.execmiadapter.exe

description	pid	process
Token: SeDebugPrivilege	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe
Token: SeIncreaseQuotaPrivilege	2704	AppLaunch.exe
Token: SeSecurityPrivilege	2704	AppLaunch.exe
Token: SeTakeOwnershipPrivilege	2704	AppLaunch.exe
Token: SeLoadDriverPrivilege	2704	AppLaunch.exe
Token: SeSystemProfilePrivilege	2704	AppLaunch.exe
Token: SeSystemtimePrivilege	2704	AppLaunch.exe
Token: SeProfSingleProcessPrivilege	2704	AppLaunch.exe
Token: SeIncBasePriorityPrivilege	2704	AppLaunch.exe
Token: SeCreatePagefilePrivilege	2704	AppLaunch.exe
Token: SeBackupPrivilege	2704	AppLaunch.exe
Token: SeRestorePrivilege	2704	AppLaunch.exe
Token: SeShutdownPrivilege	2704	AppLaunch.exe
Token: SeDebugPrivilege	2704	AppLaunch.exe
Token: SeSystemEnvironmentPrivilege	2704	AppLaunch.exe
Token: SeChangeNotifyPrivilege	2704	AppLaunch.exe
Token: SeRemoteShutdownPrivilege	2704	AppLaunch.exe
Token: SeUndockPrivilege	2704	AppLaunch.exe
Token: SeManageVolumePrivilege	2704	AppLaunch.exe
Token: SeImpersonatePrivilege	2704	AppLaunch.exe
Token: SeCreateGlobalPrivilege	2704	AppLaunch.exe
Token: 33	2704	AppLaunch.exe
Token: 34	2704	AppLaunch.exe
Token: 35	2704	AppLaunch.exe
Token: 36	2704	AppLaunch.exe
Token: SeDebugPrivilege	2660	KarmaKoinV1.3.exe
Token: SeDebugPrivilege	1264	cmiadapter.exe
Token: SeDebugPrivilege	424	MicrosoftEdge.exe
Token: SeDebugPrivilege	424	MicrosoftEdge.exe
Token: SeDebugPrivilege	424	MicrosoftEdge.exe
Token: SeDebugPrivilege	424	MicrosoftEdge.exe
Token: SeDebugPrivilege	4120	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4120	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4120	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4120	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4792	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4792	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1120	PrintConfig.exe
Token: SeDebugPrivilege	4960	cmiadapter.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

AppLaunch.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

2704 AppLaunch.exe
424 MicrosoftEdge.exe
4072 MicrosoftEdgeCP.exe
4072 MicrosoftEdgeCP.exe

pid	process
2704	AppLaunch.exe
424	MicrosoftEdge.exe
4072	MicrosoftEdgeCP.exe
4072	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exeKarmaKoinV1.3.execmiadapter.execmd.exeMicrosoftEdgeCP.exePrintConfig.exe

description	pid	process	target process
PID 2060 wrote to memory of 2660	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	KarmaKoinV1.3.exe
PID 2060 wrote to memory of 2660	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	KarmaKoinV1.3.exe
PID 2060 wrote to memory of 2660	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	KarmaKoinV1.3.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2060 wrote to memory of 2704	2060	3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe	AppLaunch.exe
PID 2660 wrote to memory of 3464	2660	KarmaKoinV1.3.exe	KarmaCoinCode.exe
PID 2660 wrote to memory of 3464	2660	KarmaKoinV1.3.exe	KarmaCoinCode.exe
PID 2660 wrote to memory of 3464	2660	KarmaKoinV1.3.exe	KarmaCoinCode.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 3888	2660	KarmaKoinV1.3.exe	svchost.exe
PID 2660 wrote to memory of 1264	2660	KarmaKoinV1.3.exe	cmiadapter.exe
PID 2660 wrote to memory of 1264	2660	KarmaKoinV1.3.exe	cmiadapter.exe
PID 2660 wrote to memory of 1264	2660	KarmaKoinV1.3.exe	cmiadapter.exe
PID 1264 wrote to memory of 2200	1264	cmiadapter.exe	cmd.exe
PID 1264 wrote to memory of 2200	1264	cmiadapter.exe	cmd.exe
PID 1264 wrote to memory of 2200	1264	cmiadapter.exe	cmd.exe
PID 1264 wrote to memory of 1120	1264	cmiadapter.exe	PrintConfig.exe
PID 1264 wrote to memory of 1120	1264	cmiadapter.exe	PrintConfig.exe
PID 1264 wrote to memory of 1120	1264	cmiadapter.exe	PrintConfig.exe
PID 2200 wrote to memory of 808	2200	cmd.exe	reg.exe
PID 2200 wrote to memory of 808	2200	cmd.exe	reg.exe
PID 2200 wrote to memory of 808	2200	cmd.exe	reg.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4120	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4072 wrote to memory of 4424	4072	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1120 wrote to memory of 4900	1120	PrintConfig.exe	svchost.exe
PID 1120 wrote to memory of 4900	1120	PrintConfig.exe	svchost.exe
PID 1120 wrote to memory of 4900	1120	PrintConfig.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe
"C:\Users\Admin\AppData\Local\Temp\3717bcafe138127143c62d0dee487defbe451a3c818f98f5e8c9d0f43bbd6e96.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\Desktop\KarmaKoinV1.3.exe
  "C:\Users\Admin\Desktop\KarmaKoinV1.3.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\Desktop\KarmaCoinCode.exe
    "C:\Users\Admin\Desktop\KarmaCoinCode.exe"
    3⤵
    - Executes dropped EXE
    PID:3464
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    PID:3888
- - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
    "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1264
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /d "C:\Windows\explorer.exe, C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe" /f
        5⤵
        Modifies WinLogon for persistence
        
        PID:808
  - - C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe
      "C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1120
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\System32\svchost.exe"
        5⤵
        
        PID:4900
    - - C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:424

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4072

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4424

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5104

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2592

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1948

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\cmiadapter.exe.log

MD5
c748e8ca8696cef7e06115966216593a

SHA1
de51083153bc4e802050a6f3f8e2d273ea36e564

SHA256
b83056f659f6c279f69432c96fcf4d90adde41c8a3798d3105e26fe8b864759d

SHA512
d29689f58a3c672c5c2bc1a13d9b7ce7cf147f95364f54265f40783817b66e112e81e72a4e215e745a66d3ebfe57985c38d98b484646bfb01a7e92e805660ca2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CQ5KMSFV\4474c202.site-ltr[1].css

MD5
56c823adf59262ca5bcb5636591ce96b

SHA1
26637817c1d4fa1d029a80feb5dca076c1909544

SHA256
0de758b8035b8983d0fe461bd1b2a03a9489a7eefd987217f79d045f00f16c6f

SHA512
19de6309876ee31c1c7676fbe2b83f817922d969d950b5edb005c1c149083603dc7ec30f44a4d1132ffdf634e1fa30685ece53965964d21264572a694a912ba5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CQ5KMSFV\app-could-not-be-started[1].png

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CQ5KMSFV\docons.fa060c7a[1].woff2

MD5
5d062f872c1600833f39feb797a9e7db

SHA1
3fef40e5e5a99058821699be07e35a4328e255c4

SHA256
78dbf0f234ec92b20a4354ff1391709f63ba3dc973f14b0e7e3fd52f12a10a4c

SHA512
7fac8479c7b7a1fb954c1ac311b2f4a7019f8bfb5c601f099a562de7af777b5e14ec3816b9425a0bf07250a12adf811a0bb700e0d1f37d9f9f3c3d69576aac45

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CQ5KMSFV\repair-tool-changes-complete[1].png

MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\CQ5KMSFV\repair-tool-no-resolution[1].png

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DB6GZKVD\install-3-5[1].png

MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DB6GZKVD\jsll-4[1].js

MD5
211e123b593464f3fef68f0b6e00127a

SHA1
0fae8254d06b487f09a003cb8f610f96a95465d1

SHA256
589303ca15fba4fe95432dbb456ff614d0f2ad12d99f8671f0443a7f0cf48dff

SHA512
dad54d7941a7588675ea9dd11275a60fb6290e1582d1c7a4acb50642af3c2a4aa35e32edd8fa9dd01ce7fd777247d2706d5672a201633bf918b525936e93b14b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DB6GZKVD\latest[1].woff2

MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DB6GZKVD\repair-tool-recommended-changes[1].png

MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EGE52O9L\36da565a.index-docs[1].js

MD5
e2930a0bd7661dd3217f2cfa9a5bbada

SHA1
ce4255979ef15dff82136d92647a1e6611fd152c

SHA256
3715cabddb58d38685f7116b16853447e10d7d9454c8d41509209578b5308ffc

SHA512
dfc8c23d4ab6122cf3056602a911531371bcad71c20063b2247803bfa520f1edbe8947bf222b495df014dca7bb79294ec81e4741d906cea6cbcac441e953866a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EGE52O9L\SegoeUI-Roman-VF_web[1].woff2

MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EGE52O9L\TeX-AMS_CHTML[1].js

MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EGE52O9L\application-not-started[1].htm

MD5
dfe1edd6cbfd37a7191eccaad97c6475

SHA1
c35fbbc60bd06bc1704566957694f1be02d91f5b

SHA256
edb0002f524d7eb91d3202641a544e3c82479fedecc55165ee8d0b534abb2e09

SHA512
873bfa387101d81d6ab4b32f5715a9135a6b6a4abdde5b500409d36a6359be9d790ad2ddb80e209a3c86ffdc11e7067f2fd17cce52893b447b1cf9ce02a94af9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EGE52O9L\wcp-consent[1].js

MD5
38b769522dd0e4c2998c9034a54e174e

SHA1
d95ef070878d50342b045dcf9abd3ff4cca0aaf3

SHA256
208edbed32b2adac9446df83caa4a093a261492ba6b8b3bcfe6a75efb8b70294

SHA512
f0a10a4c1ca4bac8a2dbd41f80bbe1f83d767a4d289b149e1a7b6e7f4dba41236c5ff244350b04e2ef485fdf6eb774b9565a858331389ca3cb474172465eb3ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PIYKT544\12971179[1].jpg

MD5
0e4994ae0e03d9611e7655286675f156

SHA1
e650534844a7197b328371318f288ae081448a97

SHA256
07b979b12f1cb506df7675efe227a2e78accfa1f5954af2b7bb66295e5cf881c

SHA512
07aaae5347fa8e82f86d0ba7c28127fac952d84bad3dce119654b5ba1cd2550c8d064770473f34f89fc383847b2f1594b3600d9fd01e6275d67868c41638e34a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PIYKT544\24882762[1].jpg

MD5
ca711d527e0e1be012a3105699592812

SHA1
f02534ce002f6d734a897491a1ebcc825da565c7

SHA256
e68e548a3cc404e84af3fd7529c21d64a238ba5d0857feb8fa1652b439b36e6f

SHA512
a56a1266a76ee7c95424f5beaed9d65ea569e7d187beae3c4bc1fb3a018ac728f419a2b08b62c51a70e18ee82d54e1d7714092e609135bb455060ab7d01830b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PIYKT544\2672110[1].png

MD5
7dc91895d24c825c361387611f6593e9

SHA1
fc0d26031ba690ac7748c759c35005fe627beb8f

SHA256
f37ad9b56d806d06267f9a290196dfe4200edb7729b41d789b8f1ec8adc5cdbf

SHA512
ba27fdbf02294cc78ede7972f20da383c20027ab172a4ea6ad5006ff58e404032d92f875e642dfe73985428c28bbbe1befc546c2666a672afacf23195425d7c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PIYKT544\31348972[1].jpg

MD5
c09597bbae67e58e38228f9e8fa06175

SHA1
85aec568955ad5d9165364d37a9a141dd899eca9

SHA256
f62142fd084d46df32d9d8a340855fcb17b14376c36549b825670451ea7cae73

SHA512
b7592dcf34487e3ddbffd32e8d03cb5665330f8f687e10f39f16c67673238e340cf4633b8e921932c65e3c891286349378bb70ad9a8026046653c4cf8fa2efff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PIYKT544\5cce29c0.deprecation[1].js

MD5
55bb21475c9d3a6d3c00f2c26a075e7d

SHA1
59696ef8addd5cfb642ad99521a8aed9420e0859

SHA256
3ceddaf5a1ed02614ec6b4edd5881a3ffb7ec08116154dff8eb9897230bf5e59

SHA512
35261ddaf86da82d27a29f39a7c6074a5f0e66f5b0a8098c7502289fb70b186371a7fe71410baab6cc6b726e9338afecee9f8bb075047a055723fb5e2f09b9c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PIYKT544\MathJax[1].js

MD5
7a3737a82ea79217ebe20f896bceb623

SHA1
96b575bbae7dac6a442095996509b498590fbbf7

SHA256
002a60f162fd4d3081f435860d408ffce6f6ef87398f75bd791cadc8dae0771d

SHA512
e0d1f62bae160008e486a6f4ef8b57aa74c1945980c00deb37b083958f4291f0a47b994e5fdb348c2d4618346b93636ce4c323c6f510ab2fbd7a6547359d28d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PIYKT544\ms.jsll-3.min[1].js

MD5
db1c580cd28422b73814f0620aad00d9

SHA1
4dadd769be89f5b7c1843bd79434914132ec1c1c

SHA256
59e18de81c8c868b6d6276807f51a2b27e6a29ebdf44f55b520c11d5aac867d0

SHA512
2a8d4752a317990bc8bb5a98ac11d6b270c4d52fd3f3476870cb6f02fdf849999ab6f7d92645f217b1f83161fc21b475396083c04a5e42af476f337b0b3b7c83

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\1H41XYR1.cookie

MD5
2951dc00d285e43818eba2ca0342bc0e

SHA1
56ebc55d33a77014385240700b78f571624e9c2d

SHA256
29a99d827cb982dda9491a01bd9d7318d6c8f85a918db9353714933a98c76f4c

SHA512
0e8003fd617339d8590e44332405644d3e01b27a3dd783114f50c14e2abdec6ec966ca4e677203fb9a721724dfc3d5098b0e99ba8ff9e9f15cf3e378f0e366a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\PSH1HT6K.cookie

MD5
e0850645b0c1a3824cdb3d2e49cd6ad3

SHA1
9473a9b7642277cb30433316009d9130801cd0aa

SHA256
d11815c4f01d29c8d1dfcbd3177645a077725be7e7c5117558f12ec3bb67349c

SHA512
4e15e8b8df1dcd52944041b94fc60f382e7f4fe4d1d236eba8c78c700cad919b8a70174b8e68e8eeea6e77e50d6cf4a0793cc85739e3832b6bb75195ea5bfcb2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\Q4PNFJ5R.cookie

MD5
ceb9dcb54be98b877fc698d11c311225

SHA1
d1bee608f2a0365a745b820f057adde3f2ff2275

SHA256
d1a8f6f7b6d9705012c4472185624e3a15bd47df59c30876b320bc174af40b97

SHA512
c1e5ba82524d9ee5ede21dad93547083ae534300d3f9422f83d0e1c477f312bc1474c2676d5b37ff54f36e95d2ca178ede34cb1ef0b89bfcab8d9831b5dfbbf2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3

MD5
46ba2f2361539d25868cba63fff09ef9

SHA1
420dba3794680bfb4968a1d2a267406accbec159

SHA256
7de539781ad152330fbe57c89b5f9f6d3eb876e583cac8fcc05c00fdbe880a8f

SHA512
6536cad647e946def4eeb3426caeef8467882c4a471ed4df2d7942e863937e3def81e163de81ee604c670f9d374d2bf250e32b0442221810b163d34d668f8f02

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1

MD5
da811827e1d313dd128ade470c8db6eb

SHA1
fda6e6ea690f18de669054d5d13783ae0ee6e40d

SHA256
37da7b11403eecb0cd4d4a25a32a9e1c5511bc9c49381af1f923bdb1abe90e19

SHA512
43ed06767f11f6e6242d2dfc30eb71197786dd567b9bc87d2219f61915c3dd171a11eaa5bc18ed4f186d95ad7ee6a51dde3bfeeb813d7bb2321c190046406de8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
02e24515453e6d449aabebac3542c130

SHA1
54190fb59a10fa3d85394337fe08035b8c539001

SHA256
5fde343dae6d3ea0d5336d8057fbf34ed8f8c80adda7ddc75f1507f3b8fa327b

SHA512
a3ad9bcd774a7e00a4ddb094a5d892216a9a003aca7a4e38100329b678ae3c2a71da448a9c7f6fb20285683ef40e85f4ba4ccd400590110539b10c4bad225e1f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
0dc5bce660f7a342c7867dfcca362bbc

SHA1
e44a6a3dc0acf2de3b274413275144b5829fa2f4

SHA256
68514875eaf5e4f16499d0380dec6a062775ec8372ea4e0a01a3e0dc347c6831

SHA512
7e0d21d2f15d66b2cbc5a926321b5de9f1fb72f8de43eecb07bbfb2ad87171b8d1e448e9a27c7896ccef0029af10e6ef052ef75638abda395884bee405d8e50c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3

MD5
caafc1151b7714db704ae742ee3478a5

SHA1
6a4652c5a2497beec64448cded0778830a00cdf0

SHA256
b13e91c50eef9c743c259ebfce9e6babd6b7498514ad9822f2e4856f6563d5f9

SHA512
affe362c70427519515eacac519ecd1415391bb69b4bb16686a2cc334c15cd8be2e4162e5eb041101916b5d65996e891e27850b5775b17e6f121bcaf75a24dd4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1

MD5
651fa9f14e2c4e1c004b1cc4b44b6fce

SHA1
11639bb1fa3b5f33cab5981bb4005fa391b69fc6

SHA256
15e566cdf8dadf41a2caf9b1f4b96b45feb434e9bcf90223d0ff80e9eec3979c

SHA512
31c7931a3afefbc4c64c318cfe54d41f29660c6744a7174914e8e3f33f4eb997a93fd2be62a7484b5e335b230bfce70962bf54aef2e298ab9233dbc0755baf1e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63

MD5
0be18057b089e6fd7c778d52eac0334e

SHA1
2e6d1879aa53b4edfe7cdae852c20b0066cbb25a

SHA256
f12d29bac48728f14f04a839482b43b36761f4dd8acaf834fa87230d708632f8

SHA512
1cc602c7d69a6825cc4ce27df904a88a71f90e7583033fa55ebd4156ea853f03b4ef4b56bbf408926c9a0af5d1cd68028ddfd2fc0845f601eb200eaa70635d29

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB

MD5
23188061798848a351a7cf3d26d44173

SHA1
85f8e21e6180a70c739f3c5e45df150f0676ea58

SHA256
e48f7ba8dfb6e12ab20dbf7e2cb27436e56bb747d99ba20894b6e5c2100b8599

SHA512
4ccd01d421c8c3d48728f9f21dd0cef7c44370eba3ba65e8a3de52f9e2592abfcb0971d167c8cc55250790243799d6189974c79070a0a9b8c9cf808499e4f814

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri

MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe

MD5
2357384541f6a6c7c55bdb0cc5acf123

SHA1
f095f825e6a925a6d2d909ec34847e7c1fdf0879

SHA256
be46f9d3b9ac1bb680b503c9f67f4d579424601e401eb8a7fa84e92d1cd4017b

SHA512
1d782d7eec63367ad46e9e0a1b33df6c3f660dc979cb29ea5b4a5e850d8fb7586238185aa33a44335b804ae6cf43e5992c51d72a4942cbce833f8c2f8005f8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\PrintConfig.exe

MD5
2357384541f6a6c7c55bdb0cc5acf123

SHA1
f095f825e6a925a6d2d909ec34847e7c1fdf0879

SHA256
be46f9d3b9ac1bb680b503c9f67f4d579424601e401eb8a7fa84e92d1cd4017b

SHA512
1d782d7eec63367ad46e9e0a1b33df6c3f660dc979cb29ea5b4a5e850d8fb7586238185aa33a44335b804ae6cf43e5992c51d72a4942cbce833f8c2f8005f8ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cmiadapter.exe

MD5
c6c51cca0adc05ece4e02e83476a50b9

SHA1
dee0bc2c12ef7e5daec14939556b436d626eff25

SHA256
af5a14f516166a547c8918005d1a7bdf411e248ae9b49d90ee7b50773cd24db2

SHA512
389c42c8c43e60b92427195c572e68e42e56bbf47f21b9fb4d5d4ca5d3ff6d7d69f06538b6852523ebc8b4a3fd0a561f1d962c493890c539c08217a7a22a5dc0

Download Submit
C:\Users\Admin\Desktop\KarmaCoinCode.exe

MD5
6e9ae1add01edc9937c73888c6216594

SHA1
a85bec988395e954c1ec9635161f1d869d4b367b

SHA256
15c42e8686454d9e50f48140750a366cae0e1a806d7262c8aa684d9b7b54a239

SHA512
651a34a99756f536b2f102c8c8679647983856c2054b117f06532b25df92246912bec4596c1ea4036889f9af05a1086ca6338152227410cd7b3607f17c0d1e27

Download Submit
C:\Users\Admin\Desktop\KarmaCoinCode.exe

MD5
6e9ae1add01edc9937c73888c6216594

SHA1
a85bec988395e954c1ec9635161f1d869d4b367b

SHA256
15c42e8686454d9e50f48140750a366cae0e1a806d7262c8aa684d9b7b54a239

SHA512
651a34a99756f536b2f102c8c8679647983856c2054b117f06532b25df92246912bec4596c1ea4036889f9af05a1086ca6338152227410cd7b3607f17c0d1e27

Download Submit
C:\Users\Admin\Desktop\KarmaKoinV1.3.exe

MD5
2357384541f6a6c7c55bdb0cc5acf123

SHA1
f095f825e6a925a6d2d909ec34847e7c1fdf0879

SHA256
be46f9d3b9ac1bb680b503c9f67f4d579424601e401eb8a7fa84e92d1cd4017b

SHA512
1d782d7eec63367ad46e9e0a1b33df6c3f660dc979cb29ea5b4a5e850d8fb7586238185aa33a44335b804ae6cf43e5992c51d72a4942cbce833f8c2f8005f8ec

Download Submit
C:\Users\Admin\Desktop\KarmaKoinV1.3.exe

MD5
2357384541f6a6c7c55bdb0cc5acf123

SHA1
f095f825e6a925a6d2d909ec34847e7c1fdf0879

SHA256
be46f9d3b9ac1bb680b503c9f67f4d579424601e401eb8a7fa84e92d1cd4017b

SHA512
1d782d7eec63367ad46e9e0a1b33df6c3f660dc979cb29ea5b4a5e850d8fb7586238185aa33a44335b804ae6cf43e5992c51d72a4942cbce833f8c2f8005f8ec

Download Submit
memory/808-148-0x0000000000000000-mapping.dmp

Download
memory/1120-146-0x0000000000000000-mapping.dmp

Download
memory/1120-149-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

Filesize
4KB

Download
memory/1264-141-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1264-131-0x0000000000000000-mapping.dmp

Download
memory/2060-115-0x00000000014F0000-0x00000000014F1000-memory.dmp

Filesize
4KB

Download
memory/2200-144-0x0000000000000000-mapping.dmp

Download
memory/2660-116-0x0000000000000000-mapping.dmp

Download
memory/2660-121-0x00000000014C0000-0x00000000014C1000-memory.dmp

Filesize
4KB

Download
memory/2704-123-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2704-119-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2704-120-0x000000000048F888-mapping.dmp

Download
memory/2704-122-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/3464-124-0x0000000000000000-mapping.dmp

Download
memory/3464-137-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/3464-140-0x0000000005600000-0x0000000005601000-memory.dmp

Filesize
4KB

Download
memory/3464-142-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/3464-138-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/3464-134-0x0000000000AD0000-0x0000000000AD1000-memory.dmp

Filesize
4KB

Download
memory/3464-143-0x00000000053D3000-0x00000000053D5000-memory.dmp

Filesize
8KB

Download
memory/3464-139-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/3464-136-0x00000000052D0000-0x00000000052D1000-memory.dmp

Filesize
4KB

Download
memory/3888-128-0x00000000004B307E-mapping.dmp

Download
memory/4900-186-0x00000000004B307E-mapping.dmp

Download
memory/4900-185-0x0000000000400000-0x00000000004B8000-memory.dmp

Filesize
736KB

Download
memory/4960-189-0x0000000000000000-mapping.dmp

Download
memory/4960-192-0x0000000002F70000-0x0000000002F71000-memory.dmp

Filesize
4KB

Download