amadey | a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23

Analysis

max time kernel
151s
max time network
150s
platform
windows10_x64
resource
win10-en-20211014
submitted
06-12-2021 23:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
Size

234KB
MD5

782ab5b6ef06a5f28c96b198992267b6
SHA1

f26d24e4eff92535a5ead77e690249379e0b5655
SHA256

a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23
SHA512

4baab2e661c4722725cf13a012d60dd893a457dd6deea8bbbbd73bc8f02825c900ae9d75aed1f3b8d048afdabec8048971590d110f076224fca361a9ebf0e5c1

Score

10^/10

amadey raccoon redline smokeloader f797145799b7b1b77b35d81de942eee0908da519 backdoor microsoft discovery infostealer phishing spyware stealer suricata trojan

Malware Config

Extracted

Family

smokeloader

Version

2020

http://host-data-coin-11.com/

http://file-coin-host-12.com/

rc4.i32

Extracted

Family

raccoon

Version

1.8.3-hotfix

Botnet

f797145799b7b1b77b35d81de942eee0908da519

Attributes

url4cnc
http://91.219.236.27/capibar
http://94.158.245.167/capibar
http://185.163.204.216/capibar
http://185.225.19.238/capibar
http://185.163.204.218/capibar
https://t.me/capibar

rc4.plain

Extracted

Family

amadey

Version

2.86

185.215.113.35/d2VxjasuwS/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Raccoon
Simple but powerful infostealer which was very active in 2019.
stealer raccoon
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2056-136-0x0000000000F70000-0x0000000000FF3000-memory.dmp	family_redline
behavioral1/memory/3120-160-0x0000000000890000-0x0000000000A51000-memory.dmp	family_redline

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
suricata: ET MALWARE Amadey CnC Check-In
suricata: ET MALWARE Amadey CnC Check-In
suricata
Downloads MZ/PE file
Executes dropped EXE 10 IoCs

Processes:

D01D.exeD01D.exeD917.exeE2DC.exeF5D9.exeC.exeDA9.exetkools.exetkools.exetkools.exe

pid process

408 D01D.exe
440 D01D.exe
2836 D917.exe
2056 E2DC.exe
3120 F5D9.exe
4084 C.exe
2328 DA9.exe
2504 tkools.exe
3824 tkools.exe
4652 tkools.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

tkools.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation tkools.exe
Deletes itself 1 IoCs

Processes:

pid process

3024
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3296 regsvr32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

97 api.ipify.org
98 api.ipify.org
Detected potential entity reuse from brand microsoft.
phishing microsoft
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

E2DC.exeF5D9.exe

pid process

2056 E2DC.exe
3120 F5D9.exe

pid	process
408	D01D.exe
440	D01D.exe
2836	D917.exe
2056	E2DC.exe
3120	F5D9.exe
4084	C.exe
2328	DA9.exe
2504	tkools.exe
3824	tkools.exe
4652	tkools.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Control Panel\International\Geo\Nation	tkools.exe

pid	process
3024

pid	process
3296	regsvr32.exe

flow	ioc
97	api.ipify.org
98	api.ipify.org

pid	process
2056	E2DC.exe
3120	F5D9.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exeD01D.exetkools.exe

description	pid	process	target process
PID 3592 set thread context of 2660	3592	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
PID 408 set thread context of 440	408	D01D.exe	D01D.exe
PID 2504 set thread context of 3824	2504	tkools.exe	tkools.exe

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2274612954.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exeD01D.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D01D.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D01D.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	D01D.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1120 schtasks.exe

pid	process
1120	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\FontSize = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\ImageStoreRandomFolder = "swk4vkj"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersio = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "345608593"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates\4EEF7FAF0062D34ABE	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\MigrationTime = 25b0743d06c1d701	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\ExtensionI = "{CA243743-5FF2-41A0-97F3-E92507985A95}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url5 = "https://twitter.com/"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Toolbar\WebBrowser	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe

pid	process
2660	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
2660	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024
3024

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3024

pid	process
3024

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exeD01D.exeMicrosoftEdgeCP.exe

pid	process
2660	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
440	D01D.exe
3000	MicrosoftEdgeCP.exe
3000	MicrosoftEdgeCP.exe
3000	MicrosoftEdgeCP.exe
3000	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

DA9.exeF5D9.exeE2DC.exeMicrosoftEdge.exe

description	pid	process
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	2328	DA9.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	3120	F5D9.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	2056	E2DC.exe
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeTakeOwnershipPrivilege	3024
Token: SeRestorePrivilege	3024
Token: SeShutdownPrivilege	3024
Token: SeCreatePagefilePrivilege	3024
Token: SeDebugPrivilege	1708	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid process

3024
1708 MicrosoftEdge.exe
3000 MicrosoftEdgeCP.exe
3000 MicrosoftEdgeCP.exe

pid	process
3024
1708	MicrosoftEdge.exe
3000	MicrosoftEdgeCP.exe
3000	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exeD01D.exeC.execmd.execmd.execmd.exetkools.exe

description	pid	process	target process
PID 3592 wrote to memory of 2660	3592	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
PID 3592 wrote to memory of 2660	3592	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
PID 3592 wrote to memory of 2660	3592	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
PID 3592 wrote to memory of 2660	3592	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
PID 3592 wrote to memory of 2660	3592	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
PID 3592 wrote to memory of 2660	3592	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe	a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
PID 3024 wrote to memory of 408	3024		D01D.exe
PID 3024 wrote to memory of 408	3024		D01D.exe
PID 3024 wrote to memory of 408	3024		D01D.exe
PID 408 wrote to memory of 440	408	D01D.exe	D01D.exe
PID 408 wrote to memory of 440	408	D01D.exe	D01D.exe
PID 408 wrote to memory of 440	408	D01D.exe	D01D.exe
PID 408 wrote to memory of 440	408	D01D.exe	D01D.exe
PID 408 wrote to memory of 440	408	D01D.exe	D01D.exe
PID 408 wrote to memory of 440	408	D01D.exe	D01D.exe
PID 3024 wrote to memory of 2836	3024		D917.exe
PID 3024 wrote to memory of 2836	3024		D917.exe
PID 3024 wrote to memory of 2836	3024		D917.exe
PID 3024 wrote to memory of 2056	3024		E2DC.exe
PID 3024 wrote to memory of 2056	3024		E2DC.exe
PID 3024 wrote to memory of 2056	3024		E2DC.exe
PID 3024 wrote to memory of 3296	3024		regsvr32.exe
PID 3024 wrote to memory of 3296	3024		regsvr32.exe
PID 3024 wrote to memory of 3120	3024		F5D9.exe
PID 3024 wrote to memory of 3120	3024		F5D9.exe
PID 3024 wrote to memory of 3120	3024		F5D9.exe
PID 3024 wrote to memory of 4084	3024		C.exe
PID 3024 wrote to memory of 4084	3024		C.exe
PID 3024 wrote to memory of 4084	3024		C.exe
PID 3024 wrote to memory of 2328	3024		DA9.exe
PID 3024 wrote to memory of 2328	3024		DA9.exe
PID 3024 wrote to memory of 2328	3024		DA9.exe
PID 4084 wrote to memory of 2164	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 2164	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 2164	4084	C.exe	cmd.exe
PID 2164 wrote to memory of 3112	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 3112	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 3112	2164	cmd.exe	cmd.exe
PID 2164 wrote to memory of 3904	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 3904	2164	cmd.exe	cacls.exe
PID 2164 wrote to memory of 3904	2164	cmd.exe	cacls.exe
PID 4084 wrote to memory of 1676	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 1676	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 1676	4084	C.exe	cmd.exe
PID 1676 wrote to memory of 2396	1676	cmd.exe	cacls.exe
PID 1676 wrote to memory of 2396	1676	cmd.exe	cacls.exe
PID 1676 wrote to memory of 2396	1676	cmd.exe	cacls.exe
PID 4084 wrote to memory of 1540	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 1540	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 1540	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 2644	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 2644	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 2644	4084	C.exe	cmd.exe
PID 4084 wrote to memory of 2504	4084	C.exe	tkools.exe
PID 4084 wrote to memory of 2504	4084	C.exe	tkools.exe
PID 4084 wrote to memory of 2504	4084	C.exe	tkools.exe
PID 2644 wrote to memory of 3672	2644	cmd.exe	cacls.exe
PID 2644 wrote to memory of 3672	2644	cmd.exe	cacls.exe
PID 2644 wrote to memory of 3672	2644	cmd.exe	cacls.exe
PID 2504 wrote to memory of 888	2504	tkools.exe	cmd.exe
PID 2504 wrote to memory of 888	2504	tkools.exe	cmd.exe
PID 2504 wrote to memory of 888	2504	tkools.exe	cmd.exe
PID 2504 wrote to memory of 1120	2504	tkools.exe	schtasks.exe
PID 2504 wrote to memory of 1120	2504	tkools.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
"C:\Users\Admin\AppData\Local\Temp\a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3592

C:\Users\Admin\AppData\Local\Temp\a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe
"C:\Users\Admin\AppData\Local\Temp\a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23.exe"
2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2660

C:\Users\Admin\AppData\Local\Temp\D01D.exe
C:\Users\Admin\AppData\Local\Temp\D01D.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:408

C:\Users\Admin\AppData\Local\Temp\D01D.exe
C:\Users\Admin\AppData\Local\Temp\D01D.exe
2⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:440

C:\Users\Admin\AppData\Local\Temp\D917.exe
C:\Users\Admin\AppData\Local\Temp\D917.exe
1⤵
- Executes dropped EXE
PID:2836

C:\Users\Admin\AppData\Local\Temp\E2DC.exe
C:\Users\Admin\AppData\Local\Temp\E2DC.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EB97.dll
1⤵
- Loads dropped DLL
PID:3296

C:\Users\Admin\AppData\Local\Temp\F5D9.exe
C:\Users\Admin\AppData\Local\Temp\F5D9.exe
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:3120

C:\Users\Admin\AppData\Local\Temp\C.exe
C:\Users\Admin\AppData\Local\Temp\C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
2⤵
- Suspicious use of WriteProcessMemory
PID:2164

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3112

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:N"
3⤵
PID:3904

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
2⤵
- Suspicious use of WriteProcessMemory
PID:1676

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /P "Admin:R" /E
3⤵
PID:2396

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
2⤵
PID:1540

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
3⤵
PID:3140

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:N"
3⤵
PID:3916

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
2⤵
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cacls.exe
CACLS "C:\Users\Admin\AppData\Local\Temp\60bb09348e" /P "Admin:R" /E
3⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
3⤵
PID:888

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /f /v Startup /t REG_SZ /d C:\Users\Admin\AppData\Local\Temp\60bb09348e\
4⤵
PID:3820

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN tkools.exe /TR "C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe" /F
3⤵
- Creates scheduled task(s)
PID:1120

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
"C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:3824

C:\Users\Admin\AppData\Local\Temp\DA9.exe
C:\Users\Admin\AppData\Local\Temp\DA9.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2328

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1708

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1668

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:3000

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
PID:3932

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4172

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4508

C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
1⤵
- Executes dropped EXE
PID:4652

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4704

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\66FFF4NI\MathJax[1].js
MD5
7a3737a82ea79217ebe20f896bceb623

SHA1
96b575bbae7dac6a442095996509b498590fbbf7

SHA256
002a60f162fd4d3081f435860d408ffce6f6ef87398f75bd791cadc8dae0771d

SHA512
e0d1f62bae160008e486a6f4ef8b57aa74c1945980c00deb37b083958f4291f0a47b994e5fdb348c2d4618346b93636ce4c323c6f510ab2fbd7a6547359d28d5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\66FFF4NI\SegoeUI-Roman-VF_web[1].woff2
MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\66FFF4NI\application-not-started[1].htm
MD5
3ef0c71f4f8c82d7708ad300641112fc

SHA1
68d24e309214e791607e2163ffe7fc130f52be51

SHA256
ad4fa522ce28f3c98690232301cbc61a0bbc00939df5fbd506781936d69daaa1

SHA512
50d50f985b4d48978049ffaac91e7d59fd54c68adecd1a152ab7b146cb48e8c7a58a54f0fad4eaf2229867009de0a92105dbe209d6579eacbfb1286499d31d01

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\66FFF4NI\install-3-5[1].png
MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\66FFF4NI\latest[1].woff2
MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\66FFF4NI\ms.jsll-3.min[1].js
MD5
073493e703a67e61abc18567e9bb787a

SHA1
b46ee2eccfb359222433aed922d1a5d444541e2f

SHA256
d5814d56551a4b9908fb679d8b9e832e92b5f00ac27ea27d6c866883d1352f63

SHA512
3e83664df1b4492f415b0eca611e20bda0e0b1aa05d00153dd1863d90172df9a54312e28b0c236b70683cbcaf9e01da7c028b89f9aeebef99129e90fc5d5c3d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLTFP6E1\TeX-AMS_CHTML[1].js
MD5
a7d2b67197a986636d79842a081ea85e

SHA1
b5e05ef7d8028a2741ec475f21560cf4e8cb2136

SHA256
9e0394a3a7bf16a1effb14fcc5557be82d9b2d662ba83bd84e303b4bdf791ef9

SHA512
ad234df68e34eb185222c24c30b384201f1e1793ad6c3dca2f54d510c7baa67eabdc39225f10e6b783757c0db859ce2ea32d6e78317c30a02d1765aee9f07109

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLTFP6E1\acda1c6.site-ltr[1].css
MD5
930877b46dbe6a9de9770365c75fc8da

SHA1
a890de5c8952c12f9fd39b64aa8f3ecfa0fecb0f

SHA256
5774fbb7ac42f0aa733d9926f2b2cd36413b4784e24d3084efd8ce1b12f6e4bf

SHA512
3e382168e9fd07bb518e89ac588e9ef2738afc2e9654587da8c477e0c5a4c639df4c0b33c0804f361065a1ff10e6f267125b9b0272616e3d48fe7626d6371d0f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLTFP6E1\repair-tool-no-resolution[1].png
MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FLTFP6E1\wcp-consent[1].js
MD5
d520121921338b5165b5996adf16931c

SHA1
1ff8aa1aa748e786560ef4c136d1b129628b6087

SHA256
919dca34db91911735f214ed2cff5e08f37459d94a364afb3df187baf1f77aff

SHA512
3747ef7783b71cf5a59f95af860ae7d75612b434224d49bf303262cfec09faa89de317f75e8926cab6809b0cc22633294391ed0a643fd30bca05c46f0523fd36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IZ0RIQ6D\12971179[1].jpg
MD5
0e4994ae0e03d9611e7655286675f156

SHA1
e650534844a7197b328371318f288ae081448a97

SHA256
07b979b12f1cb506df7675efe227a2e78accfa1f5954af2b7bb66295e5cf881c

SHA512
07aaae5347fa8e82f86d0ba7c28127fac952d84bad3dce119654b5ba1cd2550c8d064770473f34f89fc383847b2f1594b3600d9fd01e6275d67868c41638e34a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IZ0RIQ6D\24882762[1].jpg
MD5
ca711d527e0e1be012a3105699592812

SHA1
f02534ce002f6d734a897491a1ebcc825da565c7

SHA256
e68e548a3cc404e84af3fd7529c21d64a238ba5d0857feb8fa1652b439b36e6f

SHA512
a56a1266a76ee7c95424f5beaed9d65ea569e7d187beae3c4bc1fb3a018ac728f419a2b08b62c51a70e18ee82d54e1d7714092e609135bb455060ab7d01830b5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IZ0RIQ6D\2672110[1].png
MD5
7dc91895d24c825c361387611f6593e9

SHA1
fc0d26031ba690ac7748c759c35005fe627beb8f

SHA256
f37ad9b56d806d06267f9a290196dfe4200edb7729b41d789b8f1ec8adc5cdbf

SHA512
ba27fdbf02294cc78ede7972f20da383c20027ab172a4ea6ad5006ff58e404032d92f875e642dfe73985428c28bbbe1befc546c2666a672afacf23195425d7c2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IZ0RIQ6D\31348972[1].jpg
MD5
c09597bbae67e58e38228f9e8fa06175

SHA1
85aec568955ad5d9165364d37a9a141dd899eca9

SHA256
f62142fd084d46df32d9d8a340855fcb17b14376c36549b825670451ea7cae73

SHA512
b7592dcf34487e3ddbffd32e8d03cb5665330f8f687e10f39f16c67673238e340cf4633b8e921932c65e3c891286349378bb70ad9a8026046653c4cf8fa2efff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IZ0RIQ6D\app-could-not-be-started[1].png
MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\IZ0RIQ6D\repair-tool-changes-complete[1].png
MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z5QYOM0W\12257d68.index-docs[1].js
MD5
6db27f07a68f89e6980d2053cf059c45

SHA1
79f00c7df78eba2121abb2233c6216a7027eb5c7

SHA256
bcc4ba755cf459c118ec399acdc32e1ea7fbb001626ca97bbd9bd4c80d5c9dc0

SHA512
fd26026122b4753e84e9fb0b0747c384bb104766c84f35dd6fea38a734845839a411279f997db36649b08e2a00ffadece281c43d35faee1f5bcb87bbf1dfa4fe

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z5QYOM0W\5cce29c0.deprecation[1].js
MD5
55bb21475c9d3a6d3c00f2c26a075e7d

SHA1
59696ef8addd5cfb642ad99521a8aed9420e0859

SHA256
3ceddaf5a1ed02614ec6b4edd5881a3ffb7ec08116154dff8eb9897230bf5e59

SHA512
35261ddaf86da82d27a29f39a7c6074a5f0e66f5b0a8098c7502289fb70b186371a7fe71410baab6cc6b726e9338afecee9f8bb075047a055723fb5e2f09b9c7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z5QYOM0W\docons.e48f4bac[1].woff2
MD5
d8c9bad9e347a27dbc1c81520b2558cd

SHA1
d494ba6a92e2b3165f4475182f2a796ff6bbc89e

SHA256
331cd4ec79f010b95376078957fa8adc10fb8aba11b0d029b83b0994b466f59a

SHA512
0785cb9c0020381b819dc79e46bd3b588b200f6c5117794dca3392818a7eaecaf6c7107e1430709f185c25cbdd3e226dde9e800483ceb44bfcabe0efa5aaf7da

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z5QYOM0W\repair-tool-recommended-changes[1].png
MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\4RUGWKHI.cookie
MD5
28b6de1ebf012a55bca77d118c8c2e88

SHA1
4116967f72c147c720b8f7f05aa19cd5a54173c0

SHA256
ca43b8a4b534ef2aaeb14048ea8f71e97713adc9b2b84c5963711e9c7b8af0ca

SHA512
154cf7b60c581d19144c18350ddd559fa8b32d07b5925f09dfc9a88cd59350a73eaf13694a4173b003682f8ebd505e22306369fdd04cf1e6f8a97c36f1e838e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\8F7G07G3.cookie
MD5
c9a734e50886abeffa777473c03517e4

SHA1
6aad9e7f3548e08c3a02afdd1701407617ebd430

SHA256
755129187fafc4593b6812739589e2f1944f16b7c09a2f57cce75d3a5f4b815c

SHA512
984acc9fa6ca85161a6ad148bd2ada2d55957a6c275c8b7cd85dd325f26384bcedbba7263218c443fdc22251f5e74c50ecf319c354cbf012a37a17418abfce4e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\P4ZSVPWY.cookie
MD5
5374dce3902a87b8541dd22fc5c74f88

SHA1
9e320731f6a4cf12052994140453823976edf5c9

SHA256
0174fc10b8c0be5283564f6e1b474b302654c0a141e846b01cb7b7e1af874ce4

SHA512
1ac0f82b9a4a9034855c22deac5fa63aa1f878bb503cea4c4cc0500215b481923a174b8b0bd3680e1ab933d23a3e6b9f45c0c3163a73b65d0f2efd06e62757f5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
7963990ed8efda0ec28b286203d0a8d8

SHA1
23c519411f4ba6d74758841163f4cee8779087df

SHA256
c30f3c4730a1d62f32ec821a0e0ec6a5ad44554d2a4b1c97ba4e39b118cd84b4

SHA512
2220bb764a98ba1b70a6d68a4f668f2c53e3adbe3de8168076493fef188452b6eb97f7cba5515348e7d9c375845ef853d953079a4afebe5a4551243f86df29b9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
cb3eb82da102e959723b109d94336371

SHA1
d46bb25b0241483b883666161a1daff7e8bdc0a6

SHA256
697c6c54bb3f42473dddea061da93865969dbfab03740a3a5e3750e1af866fb7

SHA512
ca8695bf61ba357b07c6387a12d9d857e29ccc3963151696185e7bc564307ec7ccf8e92c751b2be681c16be05803243488ce6b2ffd6fa34b0440725613e39a52

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
47798eeb1e0d3e12026ab6353f930541

SHA1
18c0459ae97af8d425b0fec11d3898adebf98cf7

SHA256
2179ecbe169690930dab86d9409893df2f20ac889472d221e834cbac2c6d9193

SHA512
4e4135b405418699d38f7b746506e3bc1bc694c99c4a492bdf70fdfbfb6718393285f7ca3dfdf0d58c82bea9887c2aa21b0b246b9fb756ff7a5b57c71c9a7782

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
d736025bdbbdb3926313693de4124154

SHA1
d083cdf3f89eee15423f72589ad920780819f789

SHA256
82fcd4a4cebc068e5dd2dd8f8a61008bb2e949d761ead057fa764abc77cb2e49

SHA512
302e9424a17c9c29cb1b000b546dfdfe91fde6e7138a437ecb42c474224968690fc04a2c27d91589e5b074c4fa1385cc2888739ca5433b3c7ada1c275b112412

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\12B578593FDE07EC53D020B1D5DEBF3B_5D74C2DB556F94499BCD6D74A36958A3
MD5
6c5c73add4d3e180f0beccfb5017e964

SHA1
a825343037d122bf8c41e795b9f93e4c5f7e38d4

SHA256
7f48740d9094de749a13ec1093df5c64ff92e66449783342923ad4112be3c138

SHA512
6f946428855ea19f32064fecfa646446a9e167aedc6400991aac9ab225e9de6fcbad7da930c92780761b74f8334504651a59075e719dcf94c61f13feaea2aa29

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\2A7611428D62805A3E4E5BC4103D82E4_D0FA13DADFB59BDF00C474952E166CC1
MD5
64e6958d5dfe858f6143d82edb3c1872

SHA1
52cfe48efcd7f0acf6f3a7a62386d117e57a2a0b

SHA256
bbae03588a359d79b0809a85c51d3d841e8507cad641ca63455ae6122f0b5dea

SHA512
5e0a0fed7dce19fae7ff96eaf302025bd5ece82d543bb5fab6a2e5438b19796291ca49db2b5d4bc7663e243141f1fb697f73ad0219de04da79e5e8e1c19a0a2b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_711ED44619924BA6DC33E69F97E7FF63
MD5
c71698b01f1983c515a3646d9fcb9a26

SHA1
faf09d0e8a8987ee505cc69b5eed808149a7d763

SHA256
69a9888a4cc3ddcdfb2a780ecda6bb00031b00fd1b8ac88e181e6124c25e9671

SHA512
25d1c3646b56a800fd0ff9d0d2c94256269876ed093b1d6cf661baf82a15188da86562565f14512d3413b1231746d465de3e1eabdd67c3bc5b3a081f2b295812

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\EDC238BFF48A31D55A97E1E93892934B_C20E0DA2D0F89FE526E1490F4A2EE5AB
MD5
a93958579519eb2786c413552e99a786

SHA1
c80befec7fb12843fbbde30767079b48d8df15fd

SHA256
0a434cee4b76889945bc5d1ca284149cdd029ca97901946457b9746079a1b10f

SHA512
3a13d8e21631d0e35f116a3513ecc8c8adba819efc3873102c628ee03ad62586db0a5577d7c3caa4125cb44a59e2dcd3baeb349ecedf7a74e66775c83898acd3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2274612954.pri
MD5
0db264b38ac3c5f6c140ba120a7fe72f

SHA1
51aa2330c597e84ed3b0d64bf6b73bf6b15f9d74

SHA256
2f6955b0f5277a7904c59e461bfa6b06c54fece0d7c11f27408fa7a281a4556d

SHA512
3534c243516cef5cee0540d5efd5cde1f378e127e6013b5e309a2e0be8393417bfe458706564b4b955f92132a51e2772c67f9fd90441476cc3512a5d9f910d84

Download Submit
C:\Users\Admin\AppData\Local\Temp\03795181499162622812
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\03795181499162622812
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\60bb09348e\tkools.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\C.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\C.exe
MD5
2a03cd34f26826a94fde4103644c4223

SHA1
b86cbf66e1087ee7e0fb5244e3a046e5aa3fdb21

SHA256
bf5b55dd90d317000bdbdc2eb08bb3ce3c0263cac10aedb67d65f01fd39c95fd

SHA512
7b01998bc2547ff48eb861b76552844369f5532416764bad0d4f98fc5cad3e56a4a69c9be28b5e9adc2db054eda30382d133e7c03c1fedec88456f1374c37ebe

Download Submit
C:\Users\Admin\AppData\Local\Temp\D01D.exe
MD5
782ab5b6ef06a5f28c96b198992267b6

SHA1
f26d24e4eff92535a5ead77e690249379e0b5655

SHA256
a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23

SHA512
4baab2e661c4722725cf13a012d60dd893a457dd6deea8bbbbd73bc8f02825c900ae9d75aed1f3b8d048afdabec8048971590d110f076224fca361a9ebf0e5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D01D.exe
MD5
782ab5b6ef06a5f28c96b198992267b6

SHA1
f26d24e4eff92535a5ead77e690249379e0b5655

SHA256
a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23

SHA512
4baab2e661c4722725cf13a012d60dd893a457dd6deea8bbbbd73bc8f02825c900ae9d75aed1f3b8d048afdabec8048971590d110f076224fca361a9ebf0e5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D01D.exe
MD5
782ab5b6ef06a5f28c96b198992267b6

SHA1
f26d24e4eff92535a5ead77e690249379e0b5655

SHA256
a110d9e9153268ef7a2c12c9f4d13ddce838079ceacb39f2fdaad527555c8f23

SHA512
4baab2e661c4722725cf13a012d60dd893a457dd6deea8bbbbd73bc8f02825c900ae9d75aed1f3b8d048afdabec8048971590d110f076224fca361a9ebf0e5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\D917.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\D917.exe
MD5
bce50d5b17bb88f22f0000511026520d

SHA1
599aaed4ee72ec0e0fc4cada844a1c210e332961

SHA256
77e40ca1c6001b2c01ef50b84585d68127eeb5691c899b049a9948fb60b13455

SHA512
c7dea899ed181efd0474a8b181b8fd8e91c734703a03ac71381e072684c93dd6d002629ffcfeefb15b6ca79ba1cf8cc62acd2b16fe7e0faed444c6f3eebb7536

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA9.exe
MD5
2381eacc7d9d9c944c4e1b1c92bc6d29

SHA1
7f87854fa9dd8eb8effb126d7dc24e641d2baea0

SHA256
b27d56f626c48618d92a7c47b6e3621432f8210f6c0daaa06477afed3ad8923f

SHA512
44c95aea3a9be686f64c670e46c46da179ce9db2dd028e1e45fb1e72e190435b1a152e3f2447a2fd4938dd6fb974521ff83f75fb9d034d5fb109bfe52beb10a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DA9.exe
MD5
2381eacc7d9d9c944c4e1b1c92bc6d29

SHA1
7f87854fa9dd8eb8effb126d7dc24e641d2baea0

SHA256
b27d56f626c48618d92a7c47b6e3621432f8210f6c0daaa06477afed3ad8923f

SHA512
44c95aea3a9be686f64c670e46c46da179ce9db2dd028e1e45fb1e72e190435b1a152e3f2447a2fd4938dd6fb974521ff83f75fb9d034d5fb109bfe52beb10a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2DC.exe
MD5
8d3dcfb2adbb29ccdf6f6e15958c8c14

SHA1
659efa9597bbc44d66d1f56859fff637973b3845

SHA256
c8ee4f813016ec8b590b4e588817c16fa7e8cea9a1b0365254254a5b01d898f6

SHA512
4da46b66f372575b8df9d36264fb22bb596f8eb80e797f0b9696540e3d5fefca3702c672eb19ca6eb380c633b1b9e6707b3dbbce60f07e1659b0bf7782851022

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2DC.exe
MD5
8d3dcfb2adbb29ccdf6f6e15958c8c14

SHA1
659efa9597bbc44d66d1f56859fff637973b3845

SHA256
c8ee4f813016ec8b590b4e588817c16fa7e8cea9a1b0365254254a5b01d898f6

SHA512
4da46b66f372575b8df9d36264fb22bb596f8eb80e797f0b9696540e3d5fefca3702c672eb19ca6eb380c633b1b9e6707b3dbbce60f07e1659b0bf7782851022

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB97.dll
MD5
c2326f5c2286b6272f7acde3e2d2915b

SHA1
0f283ca3c4041e3f915af729371405bec94c50b8

SHA256
714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd

SHA512
ac4592dcda03337016b25a3723d094c2dcff1477d2fea67140bec329af89d4760a602dd1e35e951856d9698655ffcc3fe87ea6680e77fe70c82d4583956f63ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D9.exe
MD5
de3bd8182e64745b40d259a79772b282

SHA1
faecc3a01b05ed96003069f61343836c561b1103

SHA256
128e62e08fd48d591f2745f7584a88750b24a7d0dafbd4f8b39ae6ad21072c43

SHA512
cbde7b7cd198e63851030bf408971ef3b4b16e2222a79b3b0b5967a659167894dc4888ec4b259283e3c76c50ed1489283ecf28d4eab7095011fbe4a26a5aad13

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5D9.exe
MD5
de3bd8182e64745b40d259a79772b282

SHA1
faecc3a01b05ed96003069f61343836c561b1103

SHA256
128e62e08fd48d591f2745f7584a88750b24a7d0dafbd4f8b39ae6ad21072c43

SHA512
cbde7b7cd198e63851030bf408971ef3b4b16e2222a79b3b0b5967a659167894dc4888ec4b259283e3c76c50ed1489283ecf28d4eab7095011fbe4a26a5aad13

Download Submit
\Users\Admin\AppData\Local\Temp\EB97.dll
MD5
c2326f5c2286b6272f7acde3e2d2915b

SHA1
0f283ca3c4041e3f915af729371405bec94c50b8

SHA256
714616fe3515adc2c2b44781aed900a9e8e37cc4e7239be92f1ca668f40945bd

SHA512
ac4592dcda03337016b25a3723d094c2dcff1477d2fea67140bec329af89d4760a602dd1e35e951856d9698655ffcc3fe87ea6680e77fe70c82d4583956f63ac

Download Submit
memory/408-120-0x0000000000000000-mapping.dmp

Download
memory/408-123-0x0000000000659000-0x0000000000662000-memory.dmp

Filesize
36KB

Download
memory/440-125-0x0000000000402F47-mapping.dmp

Download
memory/888-223-0x0000000000000000-mapping.dmp

Download
memory/1120-224-0x0000000000000000-mapping.dmp

Download
memory/1540-206-0x0000000000000000-mapping.dmp

Download
memory/1676-199-0x0000000000000000-mapping.dmp

Download
memory/2056-141-0x0000000000F70000-0x0000000000F71000-memory.dmp

Filesize
4KB

Download
memory/2056-144-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/2056-133-0x0000000000000000-mapping.dmp

Download
memory/2056-136-0x0000000000F70000-0x0000000000FF3000-memory.dmp

Filesize
524KB

Download
memory/2056-216-0x0000000007150000-0x0000000007151000-memory.dmp

Filesize
4KB

Download
memory/2056-137-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/2056-138-0x00000000773B0000-0x0000000077572000-memory.dmp

Filesize
1.8MB

Download
memory/2056-191-0x0000000006080000-0x0000000006081000-memory.dmp

Filesize
4KB

Download
memory/2056-139-0x0000000000EB0000-0x0000000000EF5000-memory.dmp

Filesize
276KB

Download
memory/2056-143-0x0000000071D00000-0x0000000071D80000-memory.dmp

Filesize
512KB

Download
memory/2056-194-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/2056-195-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/2056-196-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/2056-215-0x0000000006A50000-0x0000000006A51000-memory.dmp

Filesize
4KB

Download
memory/2056-183-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/2056-146-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/2056-147-0x0000000004F60000-0x0000000004F61000-memory.dmp

Filesize
4KB

Download
memory/2056-148-0x0000000004E00000-0x0000000004E01000-memory.dmp

Filesize
4KB

Download
memory/2056-152-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/2056-153-0x00000000762C0000-0x0000000076844000-memory.dmp

Filesize
5.5MB

Download
memory/2056-154-0x0000000074070000-0x00000000753B8000-memory.dmp

Filesize
19.3MB

Download
memory/2056-156-0x000000006FF70000-0x000000006FFBB000-memory.dmp

Filesize
300KB

Download
memory/2056-155-0x0000000004E40000-0x0000000004E41000-memory.dmp

Filesize
4KB

Download
memory/2056-140-0x00000000756D0000-0x00000000757C1000-memory.dmp

Filesize
964KB

Download
memory/2164-189-0x0000000000000000-mapping.dmp

Download
memory/2328-211-0x0000000006570000-0x0000000006571000-memory.dmp

Filesize
4KB

Download
memory/2328-184-0x0000000000000000-mapping.dmp

Download
memory/2328-207-0x0000000006450000-0x00000000064FC000-memory.dmp

Filesize
688KB

Download
memory/2328-197-0x0000000005830000-0x0000000005831000-memory.dmp

Filesize
4KB

Download
memory/2328-208-0x0000000006540000-0x0000000006541000-memory.dmp

Filesize
4KB

Download
memory/2328-187-0x0000000000D10000-0x0000000000D11000-memory.dmp

Filesize
4KB

Download
memory/2396-200-0x0000000000000000-mapping.dmp

Download
memory/2504-222-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/2504-221-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/2504-212-0x0000000000000000-mapping.dmp

Download
memory/2504-219-0x0000000000768000-0x0000000000786000-memory.dmp

Filesize
120KB

Download
memory/2644-210-0x0000000000000000-mapping.dmp

Download
memory/2660-117-0x0000000000402F47-mapping.dmp

Download
memory/2660-116-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2836-130-0x0000000000728000-0x0000000000777000-memory.dmp

Filesize
316KB

Download
memory/2836-131-0x0000000000650000-0x00000000006DF000-memory.dmp

Filesize
572KB

Download
memory/2836-132-0x0000000000400000-0x0000000000491000-memory.dmp

Filesize
580KB

Download
memory/2836-127-0x0000000000000000-mapping.dmp

Download
memory/3024-145-0x0000000002780000-0x0000000002796000-memory.dmp

Filesize
88KB

Download
memory/3024-119-0x00000000007A0000-0x00000000007B6000-memory.dmp

Filesize
88KB

Download
memory/3112-190-0x0000000000000000-mapping.dmp

Download
memory/3120-167-0x0000000071D00000-0x0000000071D80000-memory.dmp

Filesize
512KB

Download
memory/3120-163-0x00000000756D0000-0x00000000757C1000-memory.dmp

Filesize
964KB

Download
memory/3120-209-0x0000000006900000-0x0000000006901000-memory.dmp

Filesize
4KB

Download
memory/3120-157-0x0000000000000000-mapping.dmp

Download
memory/3120-161-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/3120-164-0x0000000000890000-0x0000000000891000-memory.dmp

Filesize
4KB

Download
memory/3120-166-0x0000000000E20000-0x0000000000F6A000-memory.dmp

Filesize
1.3MB

Download
memory/3120-176-0x00000000055D0000-0x00000000055D1000-memory.dmp

Filesize
4KB

Download
memory/3120-160-0x0000000000890000-0x0000000000A51000-memory.dmp

Filesize
1.8MB

Download
memory/3120-162-0x00000000773B0000-0x0000000077572000-memory.dmp

Filesize
1.8MB

Download
memory/3120-175-0x000000006FF70000-0x000000006FFBB000-memory.dmp

Filesize
300KB

Download
memory/3120-173-0x0000000074070000-0x00000000753B8000-memory.dmp

Filesize
19.3MB

Download
memory/3120-172-0x00000000762C0000-0x0000000076844000-memory.dmp

Filesize
5.5MB

Download
memory/3296-149-0x0000000000000000-mapping.dmp

Download
memory/3592-118-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/3592-115-0x0000000000609000-0x0000000000612000-memory.dmp

Filesize
36KB

Download
memory/3672-214-0x0000000000000000-mapping.dmp

Download
memory/3820-225-0x0000000000000000-mapping.dmp

Download
memory/3824-227-0x0000000000484E2E-mapping.dmp

Download
memory/3824-226-0x0000000000400000-0x000000000048A000-memory.dmp

Filesize
552KB

Download
memory/3904-192-0x0000000000000000-mapping.dmp

Download
memory/4084-180-0x0000000000798000-0x00000000007B6000-memory.dmp

Filesize
120KB

Download
memory/4084-177-0x0000000000000000-mapping.dmp

Download
memory/4084-181-0x0000000000590000-0x00000000006DA000-memory.dmp

Filesize
1.3MB

Download
memory/4084-182-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download
memory/4652-264-0x0000000000630000-0x0000000000669000-memory.dmp

Filesize
228KB

Download
memory/4652-262-0x000000000068E000-0x00000000006AC000-memory.dmp

Filesize
120KB

Download
memory/4652-265-0x0000000000400000-0x000000000045E000-memory.dmp

Filesize
376KB

Download