f67e2592b488ed149bb3ab3c81f50e297fc7e0c3f0a529a4a6cea17698a85ffb

Analysis

max time kernel
153s
max time network
146s
platform
windows10_x64
resource
win10-en-20211014
submitted
18-10-2021 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

choco.exe
Size

8.2MB
MD5

e261bdd2dab43cf3ff3ebf93da2038dd
SHA1

7a290458515ffbb5d95a2c35933ace1c4d9a89e8
SHA256

f67e2592b488ed149bb3ab3c81f50e297fc7e0c3f0a529a4a6cea17698a85ffb
SHA512

abd691c3900d3c02ed1eb894105a7a396a5a61dcd77902203e3de4bfd7c27fc8f6bb23ff00a14917369b7580e898f0926d2911869bf64e6655bcc7422a95621b

Score

8^/10

microsoft persistence phishing

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

choco.tmpchoco.mmGOG.exe

pid process

4068 choco.tmp
1868 choco.mm
2336 GOG.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

choco.tmp

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation choco.tmp

pid	process
4068	choco.tmp
1868	choco.mm
2336	GOG.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	choco.tmp

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

GOG.exechoco.mm

description	ioc	process
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	GOG.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\GOG = "C:\\Windows\\GOG.exe"	GOG.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	GOG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOG = "C:\\Windows\\GOG.exe"	GOG.exe
Key created	\REGISTRY\MACHINE\SoftWare\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices	choco.mm
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\GOG = "C:\\Windows\\GOG.exe"	choco.mm
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SoftWare\Microsoft\Windows\CurrentVersion\Run	choco.mm
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Windows\CurrentVersion\Run\GOG = "C:\\Windows\\GOG.exe"	choco.mm

Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

choco.exe

description ioc process

File opened (read-only) \??\A: choco.exe
File opened (read-only) \??\B: choco.exe
Detected potential entity reuse from brand microsoft.
phishing microsoft

description	ioc	process
File opened (read-only)	\??\A:	choco.exe
File opened (read-only)	\??\B:	choco.exe

Drops file in Program Files directory 64 IoCs

Processes:

choco.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaws.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jhat.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jps.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstatd.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	choco.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\setup.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jabswitch.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jrunscript.exe	choco.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	choco.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\chrome_pwa_launcher.exe	choco.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	choco.exe
File opened for modification	C:\Program Files\Internet Explorer\iexplore.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jarsigner.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmc.exe	choco.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	choco.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	choco.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\notification_helper.exe	choco.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javaw.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jinfo.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstack.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javac.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdeps.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jjs.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\FlickLearningWizard.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ShapeCollector.exe	choco.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jcmd.exe	choco.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe	choco.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javafxpackager.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jconsole.exe	choco.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jstat.exe	choco.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jmap.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\keytool.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jdb.exe	choco.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	choco.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	choco.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	choco.exe

Drops file in Windows directory 7 IoCs

Processes:

choco.mmGOG.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\GOG.exe	choco.mm
File opened for modification	C:\Windows\GOG.exe	choco.mm
File created	C:\Windows\GOG.exe	GOG.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PageSetup	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 0100000085a20ed0350bb55a1f4d9d284e134236dd1c6b2439ec195d1aba3f90769c276b6c1194197e5e523c5773bc47b7401d912eb416db74c6a506b04cabae1b84472a21792446c6c6f249795a66f33a121817f050d59faf16c85b5894	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 1276246fa1c4d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{E5D51CD1-7A4E-47EF-9B73-4FA119A178FC}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8a5ebd7ca1c4d701	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

choco.exeGOG.exe

pid	process
1888	choco.exe
1888	choco.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe
2336	GOG.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

1724 MicrosoftEdgeCP.exe
1724 MicrosoftEdgeCP.exe
1724 MicrosoftEdgeCP.exe
1724 MicrosoftEdgeCP.exe

pid	process
1724	MicrosoftEdgeCP.exe
1724	MicrosoftEdgeCP.exe
1724	MicrosoftEdgeCP.exe
1724	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	3132	MicrosoftEdge.exe
Token: SeDebugPrivilege	3132	MicrosoftEdge.exe
Token: SeDebugPrivilege	3132	MicrosoftEdge.exe
Token: SeDebugPrivilege	3132	MicrosoftEdge.exe
Token: SeDebugPrivilege	2160	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2160	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2160	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2160	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3908	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3908	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3132 MicrosoftEdge.exe
1724 MicrosoftEdgeCP.exe
1724 MicrosoftEdgeCP.exe

pid	process
3132	MicrosoftEdge.exe
1724	MicrosoftEdgeCP.exe
1724	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

choco.exechoco.mmMicrosoftEdgeCP.exe

description	pid	process	target process
PID 1888 wrote to memory of 4068	1888	choco.exe	choco.tmp
PID 1888 wrote to memory of 4068	1888	choco.exe	choco.tmp
PID 1888 wrote to memory of 1868	1888	choco.exe	choco.mm
PID 1888 wrote to memory of 1868	1888	choco.exe	choco.mm
PID 1888 wrote to memory of 1868	1888	choco.exe	choco.mm
PID 1868 wrote to memory of 2336	1868	choco.mm	GOG.exe
PID 1868 wrote to memory of 2336	1868	choco.mm	GOG.exe
PID 1868 wrote to memory of 2336	1868	choco.mm	GOG.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 1348	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 1724 wrote to memory of 2160	1724	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\choco.exe
"C:\Users\Admin\AppData\Local\Temp\choco.exe"
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\choco.tmp
C:\Users\Admin\AppData\Local\Temp\choco.tmp
2⤵
- Executes dropped EXE
- Checks computer location settings
PID:4068

C:\Users\Admin\AppData\Local\Temp\choco.mm
C:\Users\Admin\AppData\Local\Temp\choco.mm /zhj
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\GOG.exe
C:\Windows\GOG.exe /zhj
3⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3132

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1480

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2160

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1348

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4320

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2I7RRLXP\5cce29c0.deprecation[1].js
MD5
55bb21475c9d3a6d3c00f2c26a075e7d

SHA1
59696ef8addd5cfb642ad99521a8aed9420e0859

SHA256
3ceddaf5a1ed02614ec6b4edd5881a3ffb7ec08116154dff8eb9897230bf5e59

SHA512
35261ddaf86da82d27a29f39a7c6074a5f0e66f5b0a8098c7502289fb70b186371a7fe71410baab6cc6b726e9338afecee9f8bb075047a055723fb5e2f09b9c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6WR1WXXL\SegoeUI-Roman-VF_web[1].woff2
MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6WR1WXXL\application-not-started[1].htm
MD5
cf2d3879d3dcaf91bb610ea66a0f10d3

SHA1
b29d127c45eebb5a4d1f07a297046308b4a4c134

SHA256
8664d883ea9a70dbd0b63095416027ae3fa5ae393ced9a5b578e4ad4e6f26223

SHA512
00cfa18b58efda407be667dca7bbaf8d4bbf678d8b8f1d41a5c75b7f44fd758028fdc6e45f7d708d5082a2ecadc0d7bdaa85cb5b62d362c44cc3c9dbb68f7e2f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6WR1WXXL\latest[1].woff2
MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\DDKJGF4S\52d9344d.site-ltr[1].css
MD5
4c64d164db8cfd337523710735c48daa

SHA1
bf7ff820fc0a31a3f46caa30a4e0073de01fd4c5

SHA256
a5728e90fb0299119d2132d124d5b7b61d77d357c19d939384789381306497f3

SHA512
7e19b5ce95ddbf8bf1c2922f8bdbb53b708d7332a0325188b039b596a8dd4781f47ab6150d1f23367fed2d438642fe0b70f4defd454dffdddc1fd5981b881042

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EUN8W184\397a9a14.index-docs[1].js
MD5
8a6f31085c11b724c2c8202bfd1a7bab

SHA1
e39e3a23d52277594d3781946aeceddb0772eb95

SHA256
93b2764045f8fa328bf684d4066ae2327d0baa53c13e21f0e696d970aad4af13

SHA512
351c2f9676fbae31f3129bef094592f81478a82841d01d688fa97898b33f879e19be025833cc6980dcdaa4201550d9bd598c704ec865ec35a3c1448d206577c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EUN8W184\TeX-AMS_CHTML[1].js
MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\MUUTEAZY.cookie
MD5
f5e793742445bdeb34f59f78f53aec30

SHA1
0193e564109e5e20145bd5cd9706cb24c185bf9d

SHA256
74f3761570065bf287bafd148b11d14549249d635856e90da846720342a5ee01

SHA512
6d8741c7ea731ce9f72e86b1276dc6c57d6a6bec8a8c45a4cc1e80b07bad52168c5806924c5283f8f7a3a90f8f8361d1250967cfb4e0ec8089d98808db525b07

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\U5HGE0DU.cookie
MD5
f12279f6706830e634c86f0d0c08c43e

SHA1
e557a47e33bb7653e954f4a156d402024c95c059

SHA256
bd3c62dec5ffeca648679e5546b897e3922d6f6a9c583e6cd9e00c3c9cd0ac77

SHA512
66a407743855470de85d72cb004c2e3cdef8a79328e2acfa2cad5caeee86d24b361f0bbe89491f6962e8cbf0585e963ba7bcd23943ad1e77cd89d3927009dcd6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
dee7dc4de848e51cd171c4ddad813162

SHA1
3a76f963f2354316498ee15290a739996226e295

SHA256
6b6cfa78eef9088d14dc36f372fc1d0a8f2c65a2b9ea6a216d7eb559e7ec05dd

SHA512
109fb0d65314b3e7a6d1a9d063783a67b14cc75cbd8d6975936c21c0cb197fb328fb1f666e0e709d9a8672473d5dc0278e61ffdec505ce78a8073e9502942fb1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
6a5a79da62494051e17117d75b7c2c45

SHA1
77900a08a9600a84bbbcd517375d6b608e9d044c

SHA256
d7a1295c04ec65c3be51651aed2bcfc6d814218f15eca023eec9f5d7dd2be200

SHA512
42110c1f2027ed3fe47c7326e51c61e27c828540c84649a85f678fb55c4690360c142c019d6dcd88bd2ab6de39fd4ce1a9a8e07f6665f4d2f4f5c2bae51ded4b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
5878ec93d58b82e2259274d4bfd39af5

SHA1
5dd4ab54c46d0341ed7b8ca0bd37802e23d44a73

SHA256
736e4118c8f584427920f5a2a840422e832873d5c70714eb152acc1a736092de

SHA512
140f6a7ebdafcff8b8ed834ef23bf21d14dc34b08537bdce38829b970b1a0d6b522f090d6b8253b157ccef4a7cd2ec9e5878c926abf5ad3ecb7747f095b70326

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
db7bb0c28a92a807a457e029b1e12804

SHA1
51452004cad218e28feb510e648f1fa752acb82c

SHA256
578c05f9d55d352c4e1011ca747caa586186779d2e479b993de516bc41c0e5ad

SHA512
1ba7578412619330aa4aebfac7cb31db65fc46a54a8b5ecbcafc6ba190eb665940d3a0bd04c49238bcba0e6d04e826418d0cd90620e976f6bbde73c352c8889a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
392a39e7fa6b8cbaf66c16bde6815bda

SHA1
6a42cdc7e3bd33dda69ca284f83d4a16bf606531

SHA256
0c6ec1f07822e203c1fb1b6cdf329d21eb96aa736bb54119e8b29d52bdbab39a

SHA512
82dfc00836492f7979be31ebc130459a61c5d5260c2c55c6f914966b7cae532245cbf944e49d31bac59435c2c1cf6ceff50db94e6e31e8b736659a4e3a79d636

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
6104dfee2a04031bc4be1547cdb1d58e

SHA1
4e7f9adfeee9b42ff861bd541bbc313afbf19501

SHA256
affaad874465c7ca8016b67a24c7b2c543fd2a225859f753cd6bda31ec941297

SHA512
ba0d497871fb57e2c58bb293d607ed0b8eac0798673ab9d5855d8e502cc0aeefb7d3ce55a7ca7ca2722fd88204f45ad9f76b149b527c11968ce27164b9bf5d2d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
e9dbec26816933fff6c10ca63f256c6a

SHA1
13b4982a9bc4f5fc99a630f1275fa4e5d1501002

SHA256
4a67fabf2ac7dd76867fb7fd6f4f96e8c3cb6d5a4e89b520857ce867f007a75e

SHA512
22ff4b7d304a97c89dcb6512e09bbca9396598ebc0fac0ef66c6ae144a1682b164b60f68371d69f06cf66269b0efb149fbc8f518ef517ab269d472b04dd592ab

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
1d03577b031aa7126a80598b06527a80

SHA1
c120a480670ec22054e57108ebf891086247e4f4

SHA256
480345a42ca182c82fe7a884fc12f04f025c8d74f379134c2634c91ded1fdfc6

SHA512
fe9f285c2d954824a0dea08d5695a4062635ddc46250373d01128152971fed2e42b2915f1c8af96b34080b38c02c7a08b51c9fbb7465125dc2f68ac5719a075e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
1d03577b031aa7126a80598b06527a80

SHA1
c120a480670ec22054e57108ebf891086247e4f4

SHA256
480345a42ca182c82fe7a884fc12f04f025c8d74f379134c2634c91ded1fdfc6

SHA512
fe9f285c2d954824a0dea08d5695a4062635ddc46250373d01128152971fed2e42b2915f1c8af96b34080b38c02c7a08b51c9fbb7465125dc2f68ac5719a075e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
717a46aac2af3e857000ff6e4fecc974

SHA1
dbcff1f4e896729f9ceba8ec0124de330b406c75

SHA256
607cdb3712b753fb1e408bc06ecdab85e4fe4e08870a37fe71889280bea2c1c3

SHA512
2b66f7ffb14c58910f6b46b13b16b54c11e668fad9c1b2283d3d9d48ea8f39861bb0bac591e2dd36bbc47adc2e9964aa626c2d44ae90804727e3ce294887d89e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
d7bbdc2bc99a955ccccabc20c5d3bdc8

SHA1
4c6249617effee670ba67da40c4c50737f869bd0

SHA256
8d5fe169f4bd92c781a3dc1cdb58a044a37de435384554f705ef9a3b54744fa4

SHA512
da3bdb543d6d15cd83b9e66ca8581e7e32621c1900c57f142aa042c2377f429744a0641246f10d60d55959c06b7f1bb1d041d1857f1f20bc038ff7a3788c9370

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
408282e6931014c119fd4ea03cc53214

SHA1
e36a32c7e1ac4c0a53f1acc14edc56b3b6f305cd

SHA256
b68c2a7ff2c21f5ef25a9e8e17ea8e6a01472b2ad8ecff70d5c52b68c9bcb430

SHA512
8313ba7e05fe510d9a3814395f237129c302d3a2e66f38e26e56ba2996bf8bdaa895c832dd0ac2e0aa3750c3e5525c54d36c62c18c52f2c830ead00613e99fa9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
c069a75cb7485c5ceca8b0985534870c

SHA1
5df62327e61e7bfe7f99d866d57b7e22cbe2c4e1

SHA256
41a16cca75b9163b0c9ee1c12f71671cb396699642897de5e647bfb51b88daa1

SHA512
6c154f312ace3f36c3a63618ab2870a845c6da9355d0c1a229fbb131b8aaf633886563152c0aab9f55339e34f92197349c0785f90424982ba10cfe483e79dbfb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
8b1c06b9b32b557d965a55433054aa7b

SHA1
4fead0bd496d53ced0277b91b9be7f1ef9a8df14

SHA256
716dc356b945e400999d92e4c2cc1722b171e7d4b031f48a7bc893dcadfbabd0

SHA512
7dcd9bd5ae5cc5fa308ba766dadeac5f3634380093e3c4c0678fef5060cc22e74d48fc81873502fd50bc301a11f0cae937ab2d9918a4a9d907f35f98d9de23e8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
095811a8199e6a512cb2e257dddc8bcd

SHA1
722629458d887ddaefd8f224e03fc940b267f711

SHA256
e7e6234bff24cb8818132105cb570abd74d1a7d254f55ac0713112fd08e0f9a3

SHA512
676fa8cd8894de6b1c750f7cb6f9e9782097dc7d77e74048a68be87d8e10326cb95cba9b9b07a016f7376ead29505d24442df87315af30495da5fe1440be9031

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.mm
MD5
f4a5dca3f8977124e18bcff3531dd4d9

SHA1
a950e639d63e294f66240b7c364f8a739b2b6222

SHA256
cd4828867658e5b7ef0d8cfe8ded00be5642418e9fece4d5c3e89f2971d0c448

SHA512
fe4434b6233decb67ff3f7295474ac735656d7896d418aafb18e0fe9d6e905dea0b1e1093f57ea9dd48fa833636dd998b132f149b92294325ca5fc37dc4a015a

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.mm
MD5
f4a5dca3f8977124e18bcff3531dd4d9

SHA1
a950e639d63e294f66240b7c364f8a739b2b6222

SHA256
cd4828867658e5b7ef0d8cfe8ded00be5642418e9fece4d5c3e89f2971d0c448

SHA512
fe4434b6233decb67ff3f7295474ac735656d7896d418aafb18e0fe9d6e905dea0b1e1093f57ea9dd48fa833636dd998b132f149b92294325ca5fc37dc4a015a

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.tmp
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\choco.tmp
MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Windows\GOG.exe
MD5
f4a5dca3f8977124e18bcff3531dd4d9

SHA1
a950e639d63e294f66240b7c364f8a739b2b6222

SHA256
cd4828867658e5b7ef0d8cfe8ded00be5642418e9fece4d5c3e89f2971d0c448

SHA512
fe4434b6233decb67ff3f7295474ac735656d7896d418aafb18e0fe9d6e905dea0b1e1093f57ea9dd48fa833636dd998b132f149b92294325ca5fc37dc4a015a

Download Submit
C:\Windows\GOG.exe
MD5
f4a5dca3f8977124e18bcff3531dd4d9

SHA1
a950e639d63e294f66240b7c364f8a739b2b6222

SHA256
cd4828867658e5b7ef0d8cfe8ded00be5642418e9fece4d5c3e89f2971d0c448

SHA512
fe4434b6233decb67ff3f7295474ac735656d7896d418aafb18e0fe9d6e905dea0b1e1093f57ea9dd48fa833636dd998b132f149b92294325ca5fc37dc4a015a

Download Submit
memory/1868-117-0x0000000000000000-mapping.dmp

Download
memory/2336-121-0x0000000000000000-mapping.dmp

Download
memory/4068-115-0x0000000000000000-mapping.dmp

Download