2f3d7d6f02fbc19c0f4b974d9c9137bece8cb16b6a71b22529c02d5635867a12

Analysis

max time kernel
115s
max time network
115s
platform
windows10_x64
resource
win10-en-20211014
submitted
08-11-2021 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CLICK ON THIS DOCUMENT TO VIEW IT.pdf
Size

71KB
MD5

03ac28d2e7feea69f717c00a8f68846a
SHA1

c6bf876980bcb8c78011393db3502d6b3965992d
SHA256

2f3d7d6f02fbc19c0f4b974d9c9137bece8cb16b6a71b22529c02d5635867a12
SHA512

94ec54ad1931e5baa4ee78f96b6358dfd299088c263765b3523296b9a81a51882ea7f3246e01e4480d35158e97cd942eba9888bcb63c827eda2e009ae2422497

Score

4^/10

Malware Config

Signatures

Drops file in Windows directory 6 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exebrowser_broker.exeAcroRd32.exeMicrosoftEdge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "ca611fh"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\FlipAheadCompletedVersion = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e50539c430d7d701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "5"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\Favorites\Order = 0c0000000a000000000000000c0000000100000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingDelete	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = c09117c430d7d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B72164 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\AllComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\DetectPhoneNumberCompleted = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cf2c6c9c30d7d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 5048a21563d7d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AcroRd32.exe

pid	process
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe

Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

2368 MicrosoftEdgeCP.exe
2368 MicrosoftEdgeCP.exe

pid	process
2368	MicrosoftEdgeCP.exe
2368	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	700	MicrosoftEdge.exe
Token: SeDebugPrivilege	700	MicrosoftEdge.exe
Token: SeDebugPrivilege	700	MicrosoftEdge.exe
Token: SeDebugPrivilege	700	MicrosoftEdge.exe
Token: SeDebugPrivilege	3816	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3816	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3816	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3816	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	700	MicrosoftEdge.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

AcroRd32.exe

pid process

3288 AcroRd32.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

AcroRd32.exe

pid	process
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe

Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

AcroRd32.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
3288	AcroRd32.exe
700	MicrosoftEdge.exe
3944	MicrosoftEdgeCP.exe
3944	MicrosoftEdgeCP.exe
3288	AcroRd32.exe
2156	MicrosoftEdge.exe
2368	MicrosoftEdgeCP.exe
2368	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 3288 wrote to memory of 1268	3288	AcroRd32.exe	RdrCEF.exe
PID 3288 wrote to memory of 1268	3288	AcroRd32.exe	RdrCEF.exe
PID 3288 wrote to memory of 1268	3288	AcroRd32.exe	RdrCEF.exe
PID 3288 wrote to memory of 1352	3288	AcroRd32.exe	LaunchWinApp.exe
PID 3288 wrote to memory of 1352	3288	AcroRd32.exe	LaunchWinApp.exe
PID 3288 wrote to memory of 1352	3288	AcroRd32.exe	LaunchWinApp.exe
PID 3288 wrote to memory of 3496	3288	AcroRd32.exe	RdrCEF.exe
PID 3288 wrote to memory of 3496	3288	AcroRd32.exe	RdrCEF.exe
PID 3288 wrote to memory of 3496	3288	AcroRd32.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2012	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe
PID 1268 wrote to memory of 2016	1268	RdrCEF.exe	RdrCEF.exe

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\CLICK ON THIS DOCUMENT TO VIEW IT.pdf"
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C590C9C18963A6C8BB4B3878B7F413AB --mojo-platform-channel-handle=1632 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:2012

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=8169A386B40C6AFFF24B37C14B0C3FC2 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=8169A386B40C6AFFF24B37C14B0C3FC2 --renderer-client-id=2 --mojo-platform-channel-handle=1660 --allow-no-sandbox-job /prefetch:1
3⤵
PID:2016

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=13C223F31FDA54C59BD4FC2A5D96674B --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=13C223F31FDA54C59BD4FC2A5D96674B --renderer-client-id=4 --mojo-platform-channel-handle=2072 --allow-no-sandbox-job /prefetch:1
3⤵
PID:3824

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1D7336FEA28A0666D0FFCF76FD2599C3 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:752

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=484181B77491ABA73AB101F5300BA2BB --mojo-platform-channel-handle=2524 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:1676

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=176AC7B1B07F184A0EF53E4CAC7E852F --mojo-platform-channel-handle=1628 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
3⤵
PID:3160

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://secureapprovals.blob.core.windows.net/appovalsdoc/approveddocument.html"
2⤵
PID:1352

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
2⤵
PID:3496

C:\Windows\SysWOW64\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://secureapprovals.blob.core.windows.net/appovalsdoc/approveddocument.html"
2⤵
PID:3180

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:700

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3816

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2156

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:924

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:2368

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3496

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4400

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4628

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\R3MXM8YS\bootstrap.min[1].css
MD5
450fc463b8b1a349df717056fbb3e078

SHA1
895125a4522a3b10ee7ada06ee6503587cbf95c5

SHA256
2c0f3dcfe93d7e380c290fe4ab838ed8cadff1596d62697f5444be460d1f876d

SHA512
93bf1ed5f6d8b34f53413a86efd4a925d578c97abc757ea871f3f46f340745e4126c48219d2e8040713605b64a9ecf7ad986aa8102f5ea5ecf9228801d962f5d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WELYKHOV\approveddocument[1].htm
MD5
38c488124e2208c971358d8500447e7c

SHA1
00fb7365289c15d5f3019b658ae68f4cce4f3ac4

SHA256
f9ba48ec2c6b527f455271a138b18d70d2dbafe0a11774c3699d679d51e4dc96

SHA512
b7de6d23b0475672d77ad799d6f3a5b917d61fefb76ca37a27492ad0dc3e80fc1546153a31d1a99d57c529585c1eab3a7794580999cf4eb5579c4e6e50f094e3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
bffe4d7194067c0cf5d6791c82b3f03e

SHA1
84f9afc15b0b3e5feebe3698a5af424689070fd1

SHA256
5423890073ec5fb28b0867fda4a4468d3e217850ca9ac1440e2dc3839caec70d

SHA512
b4f7f84d576642150a95de62855b732e7366a3f2f458970ca45e74f26f9f0156be0a7d717ccdc464cbc8808673285e3ee83b902806ed633d61582d2f03665bcc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\1E698CCB2C296D265AC1A253974E09FD_C2640A4791DAF1976002BAE9E7B91EA3
MD5
8f3e4d544cc6cbc9c1978b936d14a294

SHA1
d8a8d9711042bb8f5674f9db0db25badc38c25da

SHA256
a0ea04fad06c535388246b0d170aeee4567d20d98340b3dc77b7a637b62210ee

SHA512
f022d1ea7da812c5533231a39782a48102c4d21db857c3847ce4c18f15ae08040841030bfd3b5fdde245f50477aaf36db50b43e9bc2740e58a750e003039c2c4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
1babe90934314fba888fdb49916054fd

SHA1
1c1a4fb9c854678105877be80fc81ea3e1b5cd10

SHA256
5fd6491d1be07a012a6c33de52e5b8aa550ff3638d06866ea507b5d030422a0c

SHA512
c1e9c054c33e355f7b1696261bb38b26a4e24d2e5c3f0ce000450e53ed1610ba4a8c47d1a06f67ec7901d1829d7758ef57a96c65641199785696af1dd1c5bb2a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2543B5AF7D46D42E6CEED21F85143F6A_CBFA218556FD95C29FBFDD99DA4D373B
MD5
f016d2c4e70bd143b1cb61056e7efa6f

SHA1
365ba5a7faec50554eea3aed16016300f5a7ae24

SHA256
833fab8ca20d36080bca65cd1b3c5b4cb13a6c5ad71c4d450a80adc83436a4c6

SHA512
fe330f8b133dcfb8b0380b93bcb4a49259b7d1185f934101f8fd5eb24a669136e3cb3f11900c4a37aa2131715dce7f4d86f370565026d8c049f2dc79030a7508

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\646C991C2A28825F3CC56E0A1D1E3FA9
MD5
29beadbcc2cd6b5640654c669e7da221

SHA1
de3b32b85a2f5e94615bebe36a16ce51df85dfef

SHA256
8f7a1b65aa699833edbba97a9236fd8a6f6b234abeb3e21cc47d27053f47ed52

SHA512
591efbe05ae4e00f35a09a0055aba7dd8f62ef385ec7fe2f6ee38e1eff4c721ba49e34753960e4890b5d2593d7e8753256ad826bf4239a23649221d1d5d109de

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
f8b7b348f9fbbcde0b3955b1f0e03580

SHA1
2582687c2eb4911379295e913156ad5aced3029c

SHA256
f019242426a0b48e066561eb4d74b7ef56dd006b69ad1bffe33db1919dd81a72

SHA512
6998478dc470b3ec5e975e156ac6155e359a9e641a6132947f5307645b6ce0dee52b03efd2e2e31081b678e571a886e8e75081f10de734b59ede9c2e83a4c8ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
928009575d83a99b9c3cc4904f81d6b1

SHA1
03e47b0d4ba2c9992e09bb7ebf13b4767e28bd81

SHA256
e6471409fb977f18248a96efa6e7e6b45982e0642e5fefebe724d6e42991f28b

SHA512
95833287131437aa615bb2df9ab3846e718cc6e7c83b3f7fb1cb7477324e75b1fee1f7d4948e3db0577a5d773b1dbaf07201bb232c789eec7437e8b23ae20146

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
MD5
85503f02ce733222d271e3aa0b9d3568

SHA1
cb211d4eac94f7c650524adc97f219c29281f2a0

SHA256
75803ff8b9159221087599f641207ab1e6409fc50f95f3496715830d25ae8aff

SHA512
66d8c5a0d8eeb5fdcaba0afb0f9b0fcd9dd8471356f93f606db49f7a879ddeab6cf7f512e8e908567ed6891176cc4b7245ba6c17e0ac6442210ff2c30b52a370

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5
3a765db4a7a2412f263637c1717f3014

SHA1
4d30b787bb6025eb7d4d40cb346d01821a4c4ed0

SHA256
8bc8981f82348cc220e72274afe99cae4c67d8b2e6c9af08eb6d6988dcaf7ca1

SHA512
d67c87189cd40477115716e351648393b481052a0e0da24c1b636ca596caf84bcf0acb6b3a4b2c78ea27a8423fe27a3e714cec2d1aa80c85b25e4abe50840ed2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\8A07532D6AAE6A04052D31515DB38D1D_1FC18DAFAC6786145A3324382964AC4D
MD5
eb121d26bc56d9c837e81a254fd88840

SHA1
405367d890fdb0dec85035ab30484a3ebac5b5db

SHA256
c82783c85961075d5926301032d526f3427074654ff574fb59493b33c60a5d13

SHA512
b9eb613c8cdeccdb070f89d67bca51bc7b4c2e077a01cb528b0ed3d110f61f443223f1245f12b18f2a92250bdda37c6476ffbda7f17431ceb48d27e37e999817

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_0E5F99D4EF1943DC1CCC75A2B223F45C
MD5
7f9f4bdfc48b1d6c0f8234c0e656a8cb

SHA1
a537ca0debb2491c32dd2fbda54e7834b95a289f

SHA256
f3ebd1d7824022d0196ceee8529fe5729268862a6c559b72cc831fca4a8e4b01

SHA512
5038cc2d43c99830b6368aa5ba1a20b0d2ae76fc21e6afdd6581144e75b4dfa768d64fc0a7786c4e7a90a415cbf1dda4fe7072216d3830665150c1f2d34eb0e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\9FF67FB3141440EED32363089565AE60_EFDEE73C395FBE652C4FEC993433E8C8
MD5
2632e35322bb34eb4e5b3274e8c37f4d

SHA1
8c264ed758b026cef7307d79d74e9b4eff6ebf89

SHA256
adb4f6048a0c1c119e184957a975777fad50eba4ba5381e0fa06e2063d1dc443

SHA512
52d81e529c2b2fdfa8ea183ad53d637501a565a2dd0cbd0f6475e174ab2792eced26ef8715ec1a6341c0d20e14fcade3d4c5005bc82cb86ee25dce24c6af812a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_4643E2F01AB2AF262C11881642F53436
MD5
ae9f69b4100c1047f0ca52eddc8e27fd

SHA1
a789547ab5fc7cf327784a44e3ab4c1237ecba83

SHA256
f6af19f9427a33dc859011d9fc86e7691d75152982ee1be919e4f14eb4170122

SHA512
7d6690a102af9e1455f8652ccd6e34665354c6f678bef9070f5f3dd9f990793a4a375f5f81dc4187accd1a059d20ba9ad3769fdb635b947445a6d4b6a0b29718

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
32ba61bcdb358f4a09defbbf404e7bc6

SHA1
af4986d2de5d3837574d09c48ddabe3c39805a30

SHA256
9ee2db64f4ae4eb72271b46371663bc8e754e0ed2b69ba0c2229ea3d3afb006a

SHA512
e4fca5b0188e643328ae26f92d5dd0e8647a6a680eda0505aa2e3d48c0d656270b678d6d9cc3ab24336205121502fc1b514b934cf65ce33ac5140abed633cdb7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
64e9b8bb98e2303717538ce259bec57d

SHA1
2b07bf8e0d831da42760c54feff484635009c172

SHA256
76bd459ec8e467efc3e3fb94cb21b9c77a2aa73c9d4c0f3faf823677be756331

SHA512
8980af4a87a009f1ae165182d1edd4ccbd12b40a5890de5dbaea4dbf3aeb86edffd58b088b1e35e12d6b1197cc0db658a9392283583b3cb24a516ebc1f736c56

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D
MD5
dfd8fb51db952be5267fef90b282b9b9

SHA1
0a3f640f6ebe109ded730c9c1346ad8cc9c931e5

SHA256
99367692687186a87ca7055dfeba30a5cefecbc0a64c2461304cdc9afc1ea368

SHA512
04a6e8dd4ceafa91815e7de28ec878cd5c166062ba62b167a9d393bc7f0225ca5e8a32731c38f7e9bf7a7d50af8ebae409579b09fe46cb5a02e54544ec1243cf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\1E698CCB2C296D265AC1A253974E09FD_C2640A4791DAF1976002BAE9E7B91EA3
MD5
680ecf6c6133332e617c10bfa1d21500

SHA1
46de9cd1bed0cefb0aafce9f69367664d5075710

SHA256
2f5fbbba028e3f5f78546504ba42de85129305d056389c5acf89af0e4561a4ca

SHA512
a140069df1675a6d40599fa6d94154cecdae482ebd45ef036d3f65b3292c0fb9ece88808bdfab744f61873f744e1b6a4bc97e83db102eccd8d852a7b81e51730

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5
e68dc5148f38da70a1b2928b6f0ec1db

SHA1
1ec54ddb530689c09c532166c941b8c5bce82ed3

SHA256
01a48b4649ccf337ef899902f1b21f33103490240ad4f453b47353911d7b39bb

SHA512
7e5cbb0ccd5f33a3869d6f404079c23f052943245b76f358d62afc2fd7c133369877f9e1f83f1b4bee6296c3aa593272d97c38bb401879c458ad860bb7154a31

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2543B5AF7D46D42E6CEED21F85143F6A_CBFA218556FD95C29FBFDD99DA4D373B
MD5
fe13e37f37ee891759d97ee2f4a68717

SHA1
53acba66380a2b389248b94784079d94eb184b5f

SHA256
81d6e86b587f8506ff7b1cde98c767b1deaf002c6426724ce25d8ce47ecd7b62

SHA512
bab9d7b1e52a64bed77dd1ff9e8686444bfd52bce89b3e04f230b8cb38275cbd2ceae4ea4a1b28891205cfd5cacbefb4a98c13a4d240c908f14d86f1573a9d20

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\646C991C2A28825F3CC56E0A1D1E3FA9
MD5
e8225d889dea68a23a0f529e6062e4b6

SHA1
08f5ec2823b4fe425c59b677b07e8632e7701d82

SHA256
f3a3f638e1dad90ab8b9f97cad541a89c164d9925b65a0678c7d6c26374544e9

SHA512
62ef036390805e3f10084885f41d87d27938926e36d408ec0db78ebda78e08b37c439924110da87f37328a3f486ba70dcabf80e86e258fc732d1cc912cc19d7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27
MD5
323db97dbe4e0bc5e2ee444cdca620c6

SHA1
16cf8532101d6e91d7cac49ff8e05951ba605380

SHA256
147b7bde9003bbc6db07bb8eddb936df8a9079f35ed96279e5142d61e9ba6402

SHA512
4368489812e1d682a761a890dfdd0b8da48ecf1fcb06aea69ebbb88e9fe6a670e3b1a92c43624f39720e4ab72d9b047765d6f4a66aa0db0f9b2f43fd7e845e1b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
1173fe7c74e238ab4a24e6f2ae3323d1

SHA1
64d808402b76f023bdd04f8923c3de5d3dd0f766

SHA256
8f99e9505d7bc384ce9554691e987fae2c6661f4751a80fa12b12ad6567867ed

SHA512
c10dd3e7a9e2859465d1c336061ad6dd74affcfde5d0bb004cc82dfe8a9ae843077bccc523a55b759a0e368fd9284728d4277b8b8fc6995b28af49424604db1c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_EE9DB89C3D6A328B5FEAFF0ED3C77874
MD5
83eff1bfba17ce2f474df6209ee0a2d0

SHA1
c6b4525fb92f2722f52e3f550632252a6cfc2800

SHA256
453a7ed6d6a4f886d8c5e4186664c038f6900eeb9d61919e9925bbd7c2021293

SHA512
b670a25550e1e3b3d52bebb85c9f4c23e8f40b88f2b7762f8760b2411ee0fe59f31566de0f3375b9b366f6428cec7caaa794ef1ee7b76d3eebc6c96664855d60

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_A30EA9B4E1BC5DBF09A8EF399E086D27
MD5
6567dccc787ce1ace25d213e60005d55

SHA1
b0b6a6aee72cebc31235876d5c9491c1724eb67f

SHA256
95e65c6d2e4a86b2856631fd81c9fba59d5e397a48be248b2f963c433ab95a99

SHA512
f50f7d04ee95ac7408eebe917663392ff638fce3de93c4973ccd1db161a49e0940ba29d701ef57d285a26a7704696ed76c2946fec863dc4d9ffb0dfa3e21d7f2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\8A07532D6AAE6A04052D31515DB38D1D_1FC18DAFAC6786145A3324382964AC4D
MD5
4e8a9cb277cdd0bc1bd266b094bbc173

SHA1
4aaa7c3a3ed7580a8b2a5a9a9238bc00bc6702f2

SHA256
10375009f0db67675e202707b845939da7a5db64208023d8e2cb0647922979b4

SHA512
7c62ba7d88f659147adb00e98b05605a555a873fb3cfe4573d75b1eba24ce7cb6537c76a02ee3d4e8a48eed9427ae4edfabcf45e17b1870dbfbcbe7f87d8d8d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_0E5F99D4EF1943DC1CCC75A2B223F45C
MD5
a642aff450661a270b2e8c74e90feed0

SHA1
1a857661cf09d648faf90d0019680e132f37d7fe

SHA256
faf460a92bcff08e43a717683a021c404580da439685b1352fb4f145c9916ec7

SHA512
77637a41cf78c8134247671c6b8a3d59d0cfd226e9f939366490abb40c8a9bd9c91a74604c0dd4df94b66456bb2e1a8744de70c15a8209bed480662f007c760e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\9FF67FB3141440EED32363089565AE60_EFDEE73C395FBE652C4FEC993433E8C8
MD5
85cc05d6cb6d35bb32532304680e2d79

SHA1
8fadbd4d47c34622ebe45e6c40f6944c769fb630

SHA256
b15d55abe920cb264e0b9253fa730ede9144d1ee7ef8af49c66bcd5799ef4aee

SHA512
468ed9e78c4680a8ad8b641ee967daaa5b18269f216edc4a43ffac11891af8b0d11dbd611bbca8085e1cce376d19ee5d58bfb13a1542d5bc05f2b16482574b42

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_4643E2F01AB2AF262C11881642F53436
MD5
46a3b9f29a913c6000e354d62b6945f2

SHA1
bda89cc03cde1468c95477f822688eb3e81a2622

SHA256
69410f361fea045d419a2ba0c2c29e6ecdcf7ebd9343fbd53fe677d02859f87d

SHA512
b877f4de08d2bd605a22de28e956ccfd1f1b32b81ff16554c6daaf1a9276c029c619b8386d4d82266fdb8703fc15bf48696436863ff02b9f9eafd631badc33e4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E
MD5
3b8a10b2a161c144089bf6c31467a7de

SHA1
06142da2437691b80471debc6ca65c7ac3414b23

SHA256
c5db49792b1a95b574ed7e74c35e86a6f52695f46b372daf065bfec31c2ff11e

SHA512
b4a93466de3238534096a7ac35e4c9a4906d087c0b062bda429185a73c43c81df460af8bfa91188795c6ead2144c10b214840d160b8e2d37fa27b9c74ce54d92

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
MD5
0eb7a64c799b59d1926e3665818f3b9e

SHA1
1d5e14ea8c2271240ea766f887aeefeffa4282f8

SHA256
229b263db1de9ac946c1b54c917e5898f213cdbfe42b6ad958f0582a77b96b05

SHA512
383575b4fc61a6597856c95a34cb965c3f73106a64b9ddbfb0777a19e972a802cd7386009a6a9adc66329b2ea1b87ddd13dcb133357a8402b13b35e8718d4568

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log
MD5
56699a5c0b9463f5bd860b2507e021c0

SHA1
11683e2bc496c0716fcf1d1fce3de94986ac359a

SHA256
b2c11124756012d4c374671c3d13b58e96ced47b85bc080f586a930f858ee96f

SHA512
d05a685db691239cdc38eb96c6a00f281aefee315b184042263f81d012c01509601c20fbebf738de22d7069f6abcc4b347a0f99543680c895247d9e377e07ce3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk
MD5
d6c5f8dfe0413b8729ee4e0bd23cf235

SHA1
18966a5afb11db3eb8ba4a18d16ade6b0d51214e

SHA256
8a7715446c1151a75b3ecc05c6cff41a5ba96e0c1c2c62c2c5a25e50b8de4002

SHA512
6d1a1575e8a328c31e1a3ccb2b9f0b28d5dd5fc8c40622bae01c9064904c085f2bcd7d5c16e5ea7e1ecff1d1ca6a0b10299885c0e9a2ba93ab0802a5e533197d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb
MD5
27cba58d65a60117cd12adc9f1bdcefd

SHA1
de17ebe180b63e96923bbf3ae336ebcdef87c15f

SHA256
31e8e2ac81e6d2ab8e2e02fb727529e2299c2d2234aedc1c12dd587ec5a604ff

SHA512
749b087f35c73ca5c0472c6a54e7d1153059676ec6231d481042700400fdee4bc1e04409318c35540f4dcd95d63d81726d36b730100e8d61fda5947dc8916e90

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm
MD5
cce58589a4d213bcea54bd4162343a0c

SHA1
2ffe8fb30b0babd0217c887dc2a9c4349d346019

SHA256
936fc81f0347c52a20d8a13b5ee518103f839a82c2f6547241bf42f473b3d53e

SHA512
afd4913c1696048e31da95c8751040e3733b57610b679ed8a3f89669cbc42fa511f9df8dddc89e4a73c155d950e9ae464161fd3a19e52e8290868657e9ee3d21

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{903E4DD3-5F2B-48E3-AB3F-664A590B17EC}.dat
MD5
ca1060cdebc2db8603135aef570e588a

SHA1
765d510d567d218ba59a6ed5202b5fc58afcee2f

SHA256
a4a9ec0a7a5328cc1bdc481cd9a47030500e800a03064b2c2942bbe83be1844b

SHA512
a71bc25052c67c07daf53a2f346bdb8c79b26b6e7703d946cd97eb4a616e725423e7aaeed43d2480fc0ef1df4bb9f14e07be0ad658b1354bd0017562292e5cc2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{EF1469CE-DDB3-4141-AA84-1AEBDE78AB9F}.dat
MD5
8a98a631e3f7406b42e66b33be485363

SHA1
862e5fc5edcc33b7dbe64768546c679c6acd06a2

SHA256
062798d8c5b2ea3c6026157e36b734432f00643451c00a17638273932ad248af

SHA512
b1c13511e25046251e79ed3146a3ccbaffe2bf14109aff6a8103aa556d341cb96e84444cc476bf640ece6f4313f759899a1a90a6eef55ae0d8257ef0de51e66f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
memory/752-134-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/752-135-0x0000000000591000-0x0000000000592000-memory.dmp

Filesize
4KB

Download
memory/752-136-0x0000000000000000-mapping.dmp

Download
memory/1268-115-0x0000000000000000-mapping.dmp

Download
memory/1352-116-0x0000000000000000-mapping.dmp

Download
memory/1676-138-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/1676-140-0x0000000000000000-mapping.dmp

Download
memory/1676-139-0x0000000000BFA000-0x0000000000BFB000-memory.dmp

Filesize
4KB

Download
memory/2012-120-0x0000000000000000-mapping.dmp

Download
memory/2012-119-0x000000000169E000-0x000000000169F000-memory.dmp

Filesize
4KB

Download
memory/2012-118-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/2012-121-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2016-124-0x0000000000000000-mapping.dmp

Download
memory/2016-122-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/2016-127-0x0000000001590000-0x0000000001591000-memory.dmp

Filesize
4KB

Download
memory/2016-126-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2016-123-0x0000000001572000-0x0000000001573000-memory.dmp

Filesize
4KB

Download
memory/2156-147-0x000001CAA8D20000-0x000001CAA8D30000-memory.dmp

Filesize
64KB

Download
memory/3160-142-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/3160-143-0x000000000194F000-0x0000000001950000-memory.dmp

Filesize
4KB

Download
memory/3160-144-0x0000000000000000-mapping.dmp

Download
memory/3180-146-0x0000000000000000-mapping.dmp

Download
memory/3496-117-0x0000000000000000-mapping.dmp

Download
memory/3824-128-0x00000000775F2000-0x00000000775F3000-memory.dmp

Filesize
4KB

Download
memory/3824-129-0x0000000000B5E000-0x0000000000B5F000-memory.dmp

Filesize
4KB

Download
memory/3824-130-0x0000000000000000-mapping.dmp

Download