remcos | 40c6b25dd6c033fde6d303ee582875d841aa8512b687cc44239c9a3b02442b6b

Analysis

max time kernel
150s
max time network
153s
platform
windows10_x64
resource
win10-en-20210920
submitted
02-11-2021 14:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

STATEMENT OF ACCOUNT.exe
Size

597KB
MD5

21bd99d63b9cd76385e029c259d1b152
SHA1

5dcee9b26fb55110b93debeaf3ca18c43b342aea
SHA256

40c6b25dd6c033fde6d303ee582875d841aa8512b687cc44239c9a3b02442b6b
SHA512

58ddce73c5a36a48f345d5cc68c0620e44688184e7b70caca72ee634a6285b762174e43228f324f5ccca04f26f89cd5ffc0449368634a52b3f3b1416a92de9de

Score

10^/10

remcos remcos microsoft evasion phishing rat trojan upx

Malware Config

Extracted

Family

remcos

Version

3.3.0 Pro

Botnet

Remcos

172.111.153.167:2404

Attributes

audio_folder
MicRecords
audio_path
%AppData%
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
luck.exe
copy_folder
luck
delete_file
false
hide_file
false
hide_keylog_file
true
install_flag
false
install_path
%WinDir%\System32
keylog_crypt
true
keylog_file
logs.dat
keylog_flag
false
keylog_folder
JRE
keylog_path
%AppData%
mouse_option
false
mutex
Remcos-HORXKI
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
startup_value
take_screenshot_option
false
take_screenshot_time
5
take_screenshot_title
notepad;solitaire;

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4400-124-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/4400-126-0x0000000000400000-0x0000000000481000-memory.dmp	upx
behavioral2/memory/4400-133-0x0000000000400000-0x0000000000481000-memory.dmp	upx

Detected potential entity reuse from brand microsoft.
phishing microsoft

Suspicious use of SetThreadContext 11 IoCs

Processes:

STATEMENT OF ACCOUNT.exeSTATEMENT OF ACCOUNT.exe

description	pid	process	target process
PID 1424 set thread context of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 4400 set thread context of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 4668	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 4304	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 5152	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 5640	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 6080	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 6092	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 6320	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 set thread context of 6740	4400	STATEMENT OF ACCOUNT.exe	svchost.exe

Drops file in Windows directory 21 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 52555f6953d2d701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e9c4637b53d2d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 81ef247f53d2d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34AB	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000bd83cc688d47f6a307f8e85566f2b0c895dfa87d118441019252a6ef0eb3db56a52d4070d6e97444493160febfb19a14935518cae91f940c088c	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 274341a453d2d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = eda47e9320aed701	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url4 = "https://login.live.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3004 reg.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

STATEMENT OF ACCOUNT.exe

pid process

4400 STATEMENT OF ACCOUNT.exe

pid	process
3004	reg.exe

pid	process
4400	STATEMENT OF ACCOUNT.exe

Suspicious behavior: MapViewOfSection 38 IoCs

Processes:

MicrosoftEdgeCP.exe

pid	process
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	1552	MicrosoftEdge.exe
Token: SeDebugPrivilege	1552	MicrosoftEdge.exe
Token: SeDebugPrivilege	1552	MicrosoftEdge.exe
Token: SeDebugPrivilege	1552	MicrosoftEdge.exe
Token: SeDebugPrivilege	1300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1300	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1964	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1964	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

STATEMENT OF ACCOUNT.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

4400 STATEMENT OF ACCOUNT.exe
1552 MicrosoftEdge.exe
8 MicrosoftEdgeCP.exe
8 MicrosoftEdgeCP.exe

pid	process
4400	STATEMENT OF ACCOUNT.exe
1552	MicrosoftEdge.exe
8	MicrosoftEdgeCP.exe
8	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

STATEMENT OF ACCOUNT.exeSTATEMENT OF ACCOUNT.execmd.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 1424 wrote to memory of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 1424 wrote to memory of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 1424 wrote to memory of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 1424 wrote to memory of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 1424 wrote to memory of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 1424 wrote to memory of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 1424 wrote to memory of 4400	1424	STATEMENT OF ACCOUNT.exe	STATEMENT OF ACCOUNT.exe
PID 4400 wrote to memory of 3140	4400	STATEMENT OF ACCOUNT.exe	cmd.exe
PID 4400 wrote to memory of 3140	4400	STATEMENT OF ACCOUNT.exe	cmd.exe
PID 4400 wrote to memory of 3140	4400	STATEMENT OF ACCOUNT.exe	cmd.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 2764	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 3140 wrote to memory of 3004	3140	cmd.exe	reg.exe
PID 3140 wrote to memory of 3004	3140	cmd.exe	reg.exe
PID 3140 wrote to memory of 3004	3140	cmd.exe	reg.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4612	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1300	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 4604	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 8 wrote to memory of 1780	8	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4400 wrote to memory of 4668	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4668	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4668	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4668	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4668	4400	STATEMENT OF ACCOUNT.exe	svchost.exe
PID 4400 wrote to memory of 4668	4400	STATEMENT OF ACCOUNT.exe	svchost.exe

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1424

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNT.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
3⤵
- Suspicious use of WriteProcessMemory
PID:3140

C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
4⤵
- Modifies registry key
PID:3004

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:2764

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4612

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4668

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:4304

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:5152

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:5640

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:6080

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:6092

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:6320

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe
3⤵
PID:6740

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1856

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4604

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4716

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4052

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4608

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:2908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1860

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5184

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:5868

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:6116

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5316

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6336

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6560

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6748

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6980

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FM578MSH\46dad2a9.site-ltr[1].css
MD5
2eacc646e35375e060addd225bed5c5b

SHA1
f8fc72f65d59690aebf7ef4a820a0e65470a153c

SHA256
52e5a9e6f84d59e9b7660c465c0c20a9f1a1ccb8801f46278043a8a422c985c0

SHA512
1fd6c8f5b80c65e6e38cddeadc4ea57179d79dc0edc601178f9881ad0bc24c581959c2bb19ad858a8c172138c7bb7495af1b100c69fff2851c420768b6de2f7c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FM578MSH\application-not-started[1].htm
MD5
76a581b356433e96cf47c775b46d81ba

SHA1
641e70ce4ad4e4e38a921f68f30d393f9b121858

SHA256
99c67801bc690f6cd51bfce0caa953aea8bdd90251a56ad2894a3d9cc6b572b7

SHA512
25e0c03986d784c675b924ead47c64be22e484cd3a96e53f95b0f192d212a8c59ee2cbdf1c229c9be2cbe48b91ffbc3ab4f613abbdad3a9ec5aefc449f54f379

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FM578MSH\repair-tool-changes-complete[1].png
MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FM578MSH\repair-tool-no-resolution[1].png
MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQCNA9EC\12971179[1].jpg
MD5
0e4994ae0e03d9611e7655286675f156

SHA1
e650534844a7197b328371318f288ae081448a97

SHA256
07b979b12f1cb506df7675efe227a2e78accfa1f5954af2b7bb66295e5cf881c

SHA512
07aaae5347fa8e82f86d0ba7c28127fac952d84bad3dce119654b5ba1cd2550c8d064770473f34f89fc383847b2f1594b3600d9fd01e6275d67868c41638e34a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQCNA9EC\24882762[1].jpg
MD5
ca711d527e0e1be012a3105699592812

SHA1
f02534ce002f6d734a897491a1ebcc825da565c7

SHA256
e68e548a3cc404e84af3fd7529c21d64a238ba5d0857feb8fa1652b439b36e6f

SHA512
a56a1266a76ee7c95424f5beaed9d65ea569e7d187beae3c4bc1fb3a018ac728f419a2b08b62c51a70e18ee82d54e1d7714092e609135bb455060ab7d01830b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQCNA9EC\2672110[1].png
MD5
7dc91895d24c825c361387611f6593e9

SHA1
fc0d26031ba690ac7748c759c35005fe627beb8f

SHA256
f37ad9b56d806d06267f9a290196dfe4200edb7729b41d789b8f1ec8adc5cdbf

SHA512
ba27fdbf02294cc78ede7972f20da383c20027ab172a4ea6ad5006ff58e404032d92f875e642dfe73985428c28bbbe1befc546c2666a672afacf23195425d7c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQCNA9EC\31348972[1].jpg
MD5
c09597bbae67e58e38228f9e8fa06175

SHA1
85aec568955ad5d9165364d37a9a141dd899eca9

SHA256
f62142fd084d46df32d9d8a340855fcb17b14376c36549b825670451ea7cae73

SHA512
b7592dcf34487e3ddbffd32e8d03cb5665330f8f687e10f39f16c67673238e340cf4633b8e921932c65e3c891286349378bb70ad9a8026046653c4cf8fa2efff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQCNA9EC\5cce29c0.deprecation[1].js
MD5
55bb21475c9d3a6d3c00f2c26a075e7d

SHA1
59696ef8addd5cfb642ad99521a8aed9420e0859

SHA256
3ceddaf5a1ed02614ec6b4edd5881a3ffb7ec08116154dff8eb9897230bf5e59

SHA512
35261ddaf86da82d27a29f39a7c6074a5f0e66f5b0a8098c7502289fb70b186371a7fe71410baab6cc6b726e9338afecee9f8bb075047a055723fb5e2f09b9c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQCNA9EC\SegoeUI-Roman-VF_web[1].woff2
MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\HQCNA9EC\app-could-not-be-started[1].png
MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Q69KCFGB\MathJax[1].js
MD5
7a3737a82ea79217ebe20f896bceb623

SHA1
96b575bbae7dac6a442095996509b498590fbbf7

SHA256
002a60f162fd4d3081f435860d408ffce6f6ef87398f75bd791cadc8dae0771d

SHA512
e0d1f62bae160008e486a6f4ef8b57aa74c1945980c00deb37b083958f4291f0a47b994e5fdb348c2d4618346b93636ce4c323c6f510ab2fbd7a6547359d28d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Q69KCFGB\install-3-5[1].png
MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Q69KCFGB\ms.jsll-3.min[1].js
MD5
6d27324aadadac5dd57dd14f942870a2

SHA1
ca4c761f19c15f9252f443b921aa800996980751

SHA256
7a05a878ebad7153b928d6a0e9f5b5e78fb356ffbe6c2f311adf46452ec5a7ea

SHA512
c3ab55b6b1cb22d4b3db37f010bf28c4ecaa6c22401ceab0164bdb49ece11e5e80d7ee7d83abbb4703da690574aa68c21e0a21c9f1f5ec3dca3aede685c6f1b8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Q69KCFGB\repair-tool-recommended-changes[1].png
MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Q69KCFGB\wcp-consent[1].js
MD5
38b769522dd0e4c2998c9034a54e174e

SHA1
d95ef070878d50342b045dcf9abd3ff4cca0aaf3

SHA256
208edbed32b2adac9446df83caa4a093a261492ba6b8b3bcfe6a75efb8b70294

SHA512
f0a10a4c1ca4bac8a2dbd41f80bbe1f83d767a4d289b149e1a7b6e7f4dba41236c5ff244350b04e2ef485fdf6eb774b9565a858331389ca3cb474172465eb3ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\W1TYS6Y2\TeX-AMS_CHTML[1].js
MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\W1TYS6Y2\bb2ae21c.index-docs[1].js
MD5
10bdb2f94ed2d9bdf612629a8daf6b6a

SHA1
91044f75c3f9c794e8f75c1b4cba274196dbbc79

SHA256
b08b612e80cb1a3cb104d83460ee151e18ec5ddfa9d633d1aa77603a519074f8

SHA512
0266b3b9d44504354b670d03796d0650e41999a5f5eea369dc34168c88408eda86cf7cc982f6d5cbea6b706b8391ccf73ead3fc0b5096186b1a88751ce620980

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\W1TYS6Y2\docons.2e4974ff[1].woff2
MD5
8f5dd9a59b2085224a61a65bcf628883

SHA1
46e0d208a432636cc7c3e4d306a2f189941053f0

SHA256
19d065ad4470800df127ab06d2fe32dd9570c099dcfd4664ac9de9b66ce68703

SHA512
9202775b6f7f6f1622f7ee4c1326bd547de1e69664718a0ae414e0112d81a63415b7109529ee2a4b06d7d3072730f909ebd2636f77392dd6a55d2012bcc1c4a1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\W1TYS6Y2\latest[1].woff2
MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\OI7UCK81.cookie
MD5
9f387df13b02976ae860a674373d2910

SHA1
495e012c346a2f98cb1ee7109988e0aa8f44d11e

SHA256
3d109612d7779a27a0ea28876d2acd0e4747c08ee763f528b3d2ba054dd2db63

SHA512
0a63bc513c982820319dcbe379d4fa9d10cc9865e9ade9d6eb40eedcdac3ef2eda33c19a57192a85b5aa78555e300a0f4f0f101416dfeb73ad05d47bba0ca26a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\P7O1KN8R.cookie
MD5
b0b868f24f99cf39b9c681c948196c00

SHA1
402b28bc35d88df2463611edaf9d9c2ca2e4ea47

SHA256
62790722eba125bf0d2bc299e6fea4857a194c570a3ecacc4288ee91f2a4cc25

SHA512
7e791f17ede1a04810845411937a8535e809d0693e500b35541c5bb9507ef0770bee4ac62cd0565ba4513ed72822f929ba78afd40b7c67028b4986ea8e3ff8e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\XRDYNRA6.cookie
MD5
28e9b634907ccbbbf0edfa0fac4bc927

SHA1
f216d4e436b931f9e8468a14c0a2df90c3ae724d

SHA256
0afe9c42fbc3a4208bb57302d694df675dd3709ae9b219d28446589de89b3273

SHA512
9cf000e032171fc25e70d656a6e02bd11ca21baa90dc9afd6e6c814dab6f888b59634568685187e13fbdc3db900f3fb06a1fe55d863aa47e8bc6ee44fcab0a86

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\Y3BPYA4V.cookie
MD5
c6c4950e35b73284bccd1ae807d42ffc

SHA1
6acb28416cf42902568c03a29a7efde3124ed413

SHA256
20a60e08ab7ef57ad14f751e18db318c1c0ad07a8269a31b57f2de578c3f6153

SHA512
6b51183a09cb317e508ff1783e37bb6c2203c3f719c3e6904d03e9e507705e3a57039b65b7b732e71c9dd542aa4ed03ed4d07c89e1b226ed3eee796a8b4acc94

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
e0ec824a378e5db4d989ad2343db5d5c

SHA1
3c48cc44522db4a42c6b775667d4c5cb45874c6b

SHA256
405b17e3e6dad1be539479d5b0fd7f8e80c2c6175299a4d9cd21d0b0c5685caa

SHA512
3424c240b52620519ce2d87e922041cbda18675dc3b19583d68f3e699034798ec0859226febbb69b946558621362b0e4d30fb0ae28e3064fe83219fb60ef7461

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
bdc25004d1d5ec7f43a576700d1c741a

SHA1
aee96cb31583a0e384a6aaa720b1c313ef038d47

SHA256
9c805220699d3af3bba817098ca0de3ecf357dfcc565e82c5c01e56aa7720318

SHA512
32724f58ab80df20d3595a62d5bf05de67c3ae15c25509bc4467371e39aef6bb18a4a7654f8452f02464d9e9348ed87bb68fd386d1c973a966d49f78536ef2ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
bcf1a6cc2b1d9fb1f0ab8d21c301cc50

SHA1
90fb33cb1b2c1d026d1c44398e1225e6373d0ab2

SHA256
2f8575ded97c0796337840e7d710e3c423f4cead39032c57c1c84da6b80bdcc7

SHA512
e960053f94b8840767e3a42c7b764bb884db1de62a3fa37965ed0bcaa3e68a60530aa67fb9dad36f52812192da781371654a0d6a0551ea9b49eb7aa6878d0689

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
9309f075416adefe4e8cbede92f0ab65

SHA1
95f9c0d0eb2a5d7425b54527e070fffc5863b334

SHA256
9c66c62c56dad086f084f62fbd08452f3721f67c8ff50a699e7de6406f59ddf0

SHA512
0a75d7a1eb28223a5572a82c9032325348989d8717d72dad3a39c34b3f4e61322ce9140aa56ca54ba8618db2d07c837b68b93f5eed0bbb664d93ef0dd4543a53

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
fe4e7a3e2d78d29335901b00157f5fa2

SHA1
85351e5655bda44aa7dbd565ab1dab490a3af8e5

SHA256
13e6ff543df54de2d4b8c9e85d0f87875639e60c65e44bab7ec22c1d3c810713

SHA512
4d95fe66633fa8c54cb255ba4789e6386a5b60de4c750f921f292543f1f4c31939b596ce5ae330ed3bafb6784bea512c398c73fe58918cdf350c781c7abef373

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
a933b82f70f4307a3456cc3336fc758a

SHA1
1b713523d65fd337dd46de01f94e30102266b896

SHA256
32ad61e935298b9612f94ea1803c59d5e26d18a057f2759cc2361271046e1bda

SHA512
b2af571bdb584435066ce431ff61a8f7e2c754668b08a27f648dc316899effa0d27585eb05f271cd8caa1281522748f3ef39bcd6c9e9311375c991a22300ada9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
6078ffd39a797978b7b08e8e36b6f525

SHA1
7c3fd3bf856106b9526b544860e9083bc04d44ba

SHA256
8a0c4b69700e0f1a5504f82ba74b4a63550b534fcdcd2ed64af455de3bc98112

SHA512
759cfa835dcede75be0e25ee55f441a337b15df25642a5811ecdc0e17c1b446f5e699b71f302211cf7c2eb2a2997a5ea28a512d0ac7b2bf35344d50c0605776b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
f0e58d5a453567e7c26945891a5f675b

SHA1
bf60de4932f4533e46882ad6f34a64010354feb7

SHA256
ba964f4c039a7a1167f910f3daa001f2238442283a71da028b06800526d7fc56

SHA512
66c6c96d6bf4fe4458ca607bee44e5228cb941ed7721d87ac8c0a9d2a857d7a9c88a97bc28eb8ec4c49476eda1655e1fc140557fddadce629a2f473998783c8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
cd8eeea0f147006183039e5724eca9a0

SHA1
6a9ad33a71cb96555cc44f1f23e2a2fe12566533

SHA256
cb73210903edc803423d6571d60686fbe4f99155c16890d26e557e02f91cf80a

SHA512
0758cb7cd6e58cc0292556be7b1a3d38c804db1315baf534ff94a7b54d49821bf1a8f3163962dccd7db1d760b9ae1a8963fb075b124f50484b3ee7f9aa42f4ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
f2550c88f8e0963548904d21fb62cd41

SHA1
606aba862bbfa2a88579b33bfa9a6000eb73b0fa

SHA256
67d49800af4401db0e13388ad5eb8e3146228693e31a19bce55fc1acb83d74fa

SHA512
d30835b68d3c32c85ccff8ba95401af3c1881d5482dcca07816eba0d1765684010d7a754bb5d846b05031bfe6b5f2f1a39f24e87d25e8e5ceaf4cc16668531a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_AD319D6DA1A11BC83AC8B4E4D3638231
MD5
64618ff0cb9a980c32f63c1c1f763dde

SHA1
910f6d71e436f740d48fb30fd48274244c57c701

SHA256
ab54de82164d44f5169e5a17d558979382f3323d0ad917f191f406ce2d5a4be7

SHA512
5111988049c5ac133e8f0d562ce829ff4ce8956e1208e179272b8598df6997a3a043edd8beb92939ab1e55e9f65e37f57d7f94319d870e57821f37d739d99f09

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C5130A0BDC8C859A2757D77746C10868
MD5
4cfdbc8f493cd6484aceae1ab9c3e247

SHA1
873f94fc6c8c60987b927679c92cf46dbb2ed8d8

SHA256
3aa5d1afa34a81830f3acb1621fb5526512480dc7d063bda582eaf8611eed116

SHA512
8bca27cf950bcec99a4ec483137a0a4593c0d93160280197c5c0058d1b80d4f5eb10ab7ae2866c7a6c02740380513aae5f45b06b8f0d21013ecd1a56af37044b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04
MD5
847a05c73fb0ceb63435f650ac6fd4a6

SHA1
9023e2f77c9e205e071e65bc11b95aadde9eda61

SHA256
9bc2508db2aa35c487c33e6ec56aecbf43a896dea10b1089342ce572734fc171

SHA512
99d833a9396011bd8e37ec842b39a441953cc6a2f9b628a082db0684d4fbb8d7ef1a3852159928d26c4344145198e59e6e3f518295a8f4d7c896d43f82002fef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
6855ea330c46aa84058dfaf2e99df6b2

SHA1
74c2b9c9a6ddfc0fe31221b703955b7ac69c9f2e

SHA256
d427ef03645b4d561629e503a78a6bd1759b113da051fd4c7ec8019b52d70024

SHA512
c16feb9d22bcef7b31b956ce6d4db83c4df84b9d2af3925dd4185415e233dc8a8d515aab81d842ac79957846d7824a5b624b303630f8b9099d55cb9aff5314cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
memory/1424-123-0x0000000008CA0000-0x0000000008CFB000-memory.dmp

Filesize
364KB

Download
memory/1424-115-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1424-117-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/1424-118-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/1424-119-0x0000000005570000-0x0000000005602000-memory.dmp

Filesize
584KB

Download
memory/1424-120-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1424-121-0x00000000058C0000-0x00000000058C7000-memory.dmp

Filesize
28KB

Download
memory/1424-122-0x0000000008BA0000-0x0000000008BA1000-memory.dmp

Filesize
4KB

Download
memory/2764-131-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/2764-128-0x0000000000400000-0x000000000049A000-memory.dmp

Filesize
616KB

Download
memory/2764-129-0x000000000047AF76-mapping.dmp

Download
memory/2764-130-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download
memory/3004-132-0x0000000000000000-mapping.dmp

Download
memory/3140-127-0x0000000000000000-mapping.dmp

Download
memory/4304-184-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4304-183-0x0000000000C50000-0x0000000000C51000-memory.dmp

Filesize
4KB

Download
memory/4304-182-0x000000000047AF76-mapping.dmp

Download
memory/4400-125-0x000000000047B9F0-mapping.dmp

Download
memory/4400-133-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4400-124-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4400-126-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4612-136-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4612-137-0x0000000000F90000-0x0000000000F91000-memory.dmp

Filesize
4KB

Download
memory/4612-135-0x000000000047AF76-mapping.dmp

Download
memory/4668-179-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/4668-178-0x000000000047AF76-mapping.dmp

Download
memory/4668-180-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/5152-186-0x000000000047AF76-mapping.dmp

Download
memory/5152-187-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/5152-188-0x0000000000940000-0x0000000000941000-memory.dmp

Filesize
4KB

Download
memory/5640-190-0x000000000047AF76-mapping.dmp

Download
memory/5640-191-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/5640-192-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/6080-194-0x000000000047AF76-mapping.dmp

Download
memory/6080-196-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/6080-195-0x0000000000B20000-0x0000000000B21000-memory.dmp

Filesize
4KB

Download
memory/6092-198-0x000000000047AF76-mapping.dmp

Download
memory/6092-199-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/6092-200-0x0000000000D60000-0x0000000000D61000-memory.dmp

Filesize
4KB

Download
memory/6320-202-0x000000000047AF76-mapping.dmp

Download
memory/6320-203-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/6320-204-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/6740-206-0x000000000047AF76-mapping.dmp

Download
memory/6740-208-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/6740-207-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download