184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82

Analysis

max time kernel
155s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-en-20220113
submitted
11-02-2022 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Size

407KB
MD5

d9c3b4e5faa03bc8d83396837bd7e23c
SHA1

fe391b8f10f99a5a9f7d3dcd49d8d0e9551b663e
SHA256

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82
SHA512

529043ab300e6fa1efbd374e429a30cdab431fbeaae8ea2a4ba1ad322bb3cf20136057059b6d095e157c69c3153093c286304ae7a83327e2f07441db802a4a1b

Score

10^/10

evasion link pdf persistence

Malware Config

Signatures

Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 4256 created 400 4256 WerFault.exe kungfu1.exe
Executes dropped EXE 3 IoCs

Processes:

kungfu1.exeKungfu.exeKungfu.exe

pid process

400 kungfu1.exe
3448 Kungfu.exe
4180 Kungfu.exe
Modifies Windows Firewall 1 TTPs
evasion

Modify Existing Service
T1031

description	pid	process	target process
PID 4256 created 400	4256	WerFault.exe	kungfu1.exe

pid	process
400	kungfu1.exe
3448	Kungfu.exe
4180	Kungfu.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exereg.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CertificateHash = "C:\\MSOCache\\kungfu1.exe"	reg.exe
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\48c85357-a201-4344-9641-2582c6fd20b7.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20220211045105.pma	setup.exe

Drops file in Windows directory 8 IoCs

Processes:

TiWorker.exesvchost.exe

description	ioc	process
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\MSOCache\BiblevsQuran.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4452 400 WerFault.exe kungfu1.exe

pid	pid_target	process	target process
4452	400	WerFault.exe	kungfu1.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

Processes:

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1346565761-3498240568-4147300184-1000_Classes\Local Settings	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeWerFault.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4388	msedge.exe
4388	msedge.exe
4428	msedge.exe
4428	msedge.exe
4452	WerFault.exe
4452	WerFault.exe
3032	msedge.exe
3032	msedge.exe
6136	identity_helper.exe
6136	identity_helper.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe
5160	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3032 msedge.exe
3032 msedge.exe
3032 msedge.exe
3032 msedge.exe
3032 msedge.exe
3032 msedge.exe

pid	process
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe
3032	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exesvchost.exesvchost.exeTiWorker.exe

description	pid	process
Token: SeRestorePrivilege	4452	WerFault.exe
Token: SeBackupPrivilege	4452	WerFault.exe
Token: SeShutdownPrivilege	5204	svchost.exe
Token: SeCreatePagefilePrivilege	5204	svchost.exe
Token: SeShutdownPrivilege	5204	svchost.exe
Token: SeCreatePagefilePrivilege	5204	svchost.exe
Token: SeShutdownPrivilege	5204	svchost.exe
Token: SeCreatePagefilePrivilege	5204	svchost.exe
Token: SeTcbPrivilege	5824	svchost.exe
Token: SeTcbPrivilege	5824	svchost.exe
Token: SeTcbPrivilege	5824	svchost.exe
Token: SeTcbPrivilege	5824	svchost.exe
Token: SeTcbPrivilege	5824	svchost.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe
Token: SeBackupPrivilege	5336	TiWorker.exe
Token: SeRestorePrivilege	5336	TiWorker.exe
Token: SeSecurityPrivilege	5336	TiWorker.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msedge.exe

pid process

3032 msedge.exe
3032 msedge.exe

pid	process
3032	msedge.exe
3032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exeWScript.execmd.execmd.exemsedge.exemsedge.exekungfu1.exenet.execmd.execmd.exe

description	pid	process	target process
PID 3508 wrote to memory of 1840	3508	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 3508 wrote to memory of 1840	3508	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 3508 wrote to memory of 1840	3508	184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe	WScript.exe
PID 1840 wrote to memory of 2612	1840	WScript.exe	cmd.exe
PID 1840 wrote to memory of 2612	1840	WScript.exe	cmd.exe
PID 1840 wrote to memory of 2612	1840	WScript.exe	cmd.exe
PID 1840 wrote to memory of 3472	1840	WScript.exe	cmd.exe
PID 1840 wrote to memory of 3472	1840	WScript.exe	cmd.exe
PID 1840 wrote to memory of 3472	1840	WScript.exe	cmd.exe
PID 2612 wrote to memory of 3032	2612	cmd.exe	msedge.exe
PID 2612 wrote to memory of 3032	2612	cmd.exe	msedge.exe
PID 3472 wrote to memory of 2240	3472	cmd.exe	msedge.exe
PID 3472 wrote to memory of 2240	3472	cmd.exe	msedge.exe
PID 2612 wrote to memory of 936	2612	cmd.exe	netsh.exe
PID 2612 wrote to memory of 936	2612	cmd.exe	netsh.exe
PID 2612 wrote to memory of 936	2612	cmd.exe	netsh.exe
PID 3472 wrote to memory of 3648	3472	cmd.exe	netsh.exe
PID 3472 wrote to memory of 3648	3472	cmd.exe	netsh.exe
PID 3472 wrote to memory of 3648	3472	cmd.exe	netsh.exe
PID 3032 wrote to memory of 1892	3032	msedge.exe	msedge.exe
PID 3032 wrote to memory of 1892	3032	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3692	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 3692	2240	msedge.exe	msedge.exe
PID 3472 wrote to memory of 400	3472	cmd.exe	kungfu1.exe
PID 3472 wrote to memory of 400	3472	cmd.exe	kungfu1.exe
PID 3472 wrote to memory of 400	3472	cmd.exe	kungfu1.exe
PID 2612 wrote to memory of 3448	2612	cmd.exe	Kungfu.exe
PID 2612 wrote to memory of 3448	2612	cmd.exe	Kungfu.exe
PID 2612 wrote to memory of 3448	2612	cmd.exe	Kungfu.exe
PID 400 wrote to memory of 4004	400	kungfu1.exe	cmd.exe
PID 400 wrote to memory of 4004	400	kungfu1.exe	cmd.exe
PID 400 wrote to memory of 4004	400	kungfu1.exe	cmd.exe
PID 2612 wrote to memory of 3508	2612	cmd.exe	net.exe
PID 2612 wrote to memory of 3508	2612	cmd.exe	net.exe
PID 2612 wrote to memory of 3508	2612	cmd.exe	net.exe
PID 3508 wrote to memory of 4012	3508	net.exe	net1.exe
PID 3508 wrote to memory of 4012	3508	net.exe	net1.exe
PID 3508 wrote to memory of 4012	3508	net.exe	net1.exe
PID 4004 wrote to memory of 3100	4004	cmd.exe	reg.exe
PID 4004 wrote to memory of 3100	4004	cmd.exe	reg.exe
PID 4004 wrote to memory of 3100	4004	cmd.exe	reg.exe
PID 400 wrote to memory of 744	400	kungfu1.exe	cmd.exe
PID 400 wrote to memory of 744	400	kungfu1.exe	cmd.exe
PID 400 wrote to memory of 744	400	kungfu1.exe	cmd.exe
PID 744 wrote to memory of 4128	744	cmd.exe	reg.exe
PID 744 wrote to memory of 4128	744	cmd.exe	reg.exe
PID 744 wrote to memory of 4128	744	cmd.exe	reg.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe
PID 2240 wrote to memory of 4368	2240	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe
"C:\Users\Admin\AppData\Local\Temp\184196bb279106c16e67d3ae0d29bd865267b6fcda1f41c2f5fba84fc25b9e82.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\MSOCache\test.vbs"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1840

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MSOCache\start1.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\MSOCache\BiblevsQuran.pdf
4⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0x40,0x104,0x7ffa9e1a46f8,0x7ffa9e1a4708,0x7ffa9e1a4718
5⤵
PID:1892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
5⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
5⤵
PID:4708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
5⤵
PID:4884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
5⤵
PID:4912

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2712 /prefetch:1
5⤵
PID:5096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
5⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5612 /prefetch:8
5⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=5808 /prefetch:6
5⤵
PID:3924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
5⤵
PID:5104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
5⤵
PID:2332

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7068 /prefetch:8
5⤵
PID:5816

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff750935460,0x7ff750935470,0x7ff750935480
6⤵
PID:5876

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7068 /prefetch:8
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2960 /prefetch:8
5⤵
PID:4352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:8
5⤵
PID:5092

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6804 /prefetch:2
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6728 /prefetch:8
5⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6692 /prefetch:8
5⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2124,4167706329837276563,11782896062312976888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 /prefetch:8
5⤵
PID:1520

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
4⤵
PID:936

C:\MSOCache\Kungfu.exe
C:\MSOCache\kungfu.exe -i
4⤵
- Executes dropped EXE
PID:3448

C:\Windows\SysWOW64\net.exe
net start gpsvs
4⤵
- Suspicious use of WriteProcessMemory
PID:3508

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start gpsvs
5⤵
PID:4012

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\MSOCache\start.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\MSOCache\BiblevsQuran.pdf
4⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa9e1a46f8,0x7ffa9e1a4708,0x7ffa9e1a4718
5⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4012466501290455480,18315986489844348792,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4012466501290455480,18315986489844348792,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
5⤵
PID:4368

C:\Windows\SysWOW64\netsh.exe
netsh firewall set opmode disable
4⤵
PID:3648

C:\MSOCache\kungfu1.exe
C:\MSOCache\kungfu1.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
6⤵
- Adds Run key to start application
PID:3100

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
5⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\reg.exe
reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v CertificateHash /d "C:\MSOCache\kungfu1.exe" /f
6⤵
- Adds Run key to start application
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 572
5⤵
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4452

C:\Windows\SysWOW64\net.exe
net start gpsvs
4⤵
PID:1776

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start gpsvs
5⤵
PID:1772

C:\MSOCache\Kungfu.exe
C:\MSOCache\Kungfu.exe
1⤵
- Executes dropped EXE
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 400 -ip 400
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
PID:4256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4700

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe a5e084bd728e06ed52338379c7aa101a jZBXN6E8tEePh2uHcCVyBQ.0.1.0.0.0
1⤵
PID:1776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5824

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\BiblevsQuran.pdf
MD5
d4dc3b84e57f20221abd9029d948ad03

SHA1
d9ca35777088e2496c9f697b29e45f24a9dfb8fc

SHA256
519b22268ab6c9121f750df2942fb4557cd24a581011440ed159b500bb9abf31

SHA512
80d77f9e1bed346e99d3f2664f62df6f4866c5611f1e29ca0553ed8a203aeb7c8f312a2dcced316790485f4ea7b285bbf86b52cb50343ae6c67fb5aea1afc0d5

Download Submit
C:\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
C:\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
C:\MSOCache\Kungfu.exe
MD5
ec760838ab731860054cf43b59a7d72f

SHA1
9b373e7213a064df2a9f07e14c831580a7ec6da2

SHA256
3038ecf1ac6efa37175fb9fed9729830fcaaf9193ccdfbe995cc91d387b52a0d

SHA512
c8968a182c217b75b9017c42206a1be84d27f5cafb8ea4324c3fc57d5e7f23c99cd9ff096d9d1da40db25cedea65c1325e90648e660cd2d43557bc9f54b7d953

Download Submit
C:\MSOCache\config.ini
MD5
1aea87f454883de1e9b5bb9ab7d2a2a1

SHA1
1e80dc9476eacdf949f13cc44e3a3533a00d8361

SHA256
4960c3e9c4290f7c75ad28cf9c62680751ae482485780c489974c19979a56912

SHA512
7734285341af3ee21af32f565805d3a905d3c7e0c011f26ba112dd6e1dab8cf7b18eeb5dd3565b4bf6d1dfc948511c9723d7996d48be8e96947aa1bcaad3f6bb

Download Submit
C:\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
C:\MSOCache\kungfu1.exe
MD5
9ef3677054efe5ffc30fbbbfe2f833d9

SHA1
87106f7474a00f98fb2fc86d128f37541ade6c3b

SHA256
1083637f5a5aee1d0ea9768c372533da4fe28096eac35e71dd568429ee4086c3

SHA512
1d0cba5bcf921c58315429cf23ad82a31d9f804ac948577b05ade6b6245e038961fac3c8f1672f2f7e1d7c599c9143741f175d6190496d1b13b49c4b9f089a4b

Download Submit
C:\MSOCache\start.bat
MD5
7fa4b5494ec2037bf837ddd92fe80f75

SHA1
09e48046d10460f4917b07ebbbb57364419871b5

SHA256
b3cf5eaea45d127c5e4c82953f5c97cc37768e219a87353f6ba5cc659ad2ebbc

SHA512
8ae99172b1f189c26c73e5a3520bbe5870d096c1d0b776c6540696821c41fb99752b7470bd2e7457d5606d59a3ea35bd289950b686c1f7c7f12554c78cf12486

Download Submit
C:\MSOCache\start1.bat
MD5
cf73766dc2da3a50f091da6974c50fa4

SHA1
be5e4446e769233e215edc30647efbc483149aae

SHA256
c7da1f593473d922992191b715f2db96f14ce291d7043cffaa6a49ec3864a6a2

SHA512
3f39c34cd28cbdd4cc5cc64a3e33f33140956702a893acbccc9fdb199324e88bf331b654855226dc1065f37164e199d91f2f539001373a87d096d7ca99908df4

Download Submit
C:\MSOCache\test.vbs
MD5
65b3843fe5eff1df7d0dac47ea541a45

SHA1
f19bcd40eef3d526101fc3bbba0a88a68138bb77

SHA256
c76a603f6abdf273375d2ac0e3e9cc693bcdc3142e75243f99335ad530d0ebcf

SHA512
028fad888adce166e8c71f31393f616740d6fea248b8217564d10564d58065e321d5a12e8afabd5b3a999853c9561ecbf9c0400232c1bd62c6a45565568d8a4d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
37b02c69e731ec989348431c5e50ca7d

SHA1
56757849fac697bd8f0c661dc76b32d8689767a6

SHA256
12b2dd6c96489f6b8603a4a882211e997cf317565f492df2476e7815ca51b0d3

SHA512
9434883520a06d353c3f3129e10f5624f62134d5af593e851e19a333016cd6a19f2ec0e574c04674d7ee96c8577e5779e6b5c040f021a1462c87534055eaa2b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE
MD5
5be1290b43960d4bd2431028ecb36aae

SHA1
15ae08509ec36cb48a95291c31de4770ff00edf7

SHA256
9bb9c392aac4f8449ce9ff4bfca16462a34fd91c357d832225a1a70f97e09393

SHA512
94cd40c57c3a6d8d50bc6189b8a083adb06ae578cafb5a28c79089e996b67e9422ce7bfa2714758f5f89fa4b0039fed01d09b8d61b51f07b19efb2ea8605a236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
78afdcc28744f3ccc897189551e60a14

SHA1
6408c2447363d821dc659254a324456ed16207ec

SHA256
ad06579bc070fec03adb35db5fcba1015c52ac2c5dd2ffec9ecff4301bfe70c7

SHA512
8e6e1433fef7868a51e78fe1f899afe608e1dc2dcf86a02f21fe579fa4b4eef36a9a63628a443067203e19cd31971d6599cccd091b74e1d5fca5d2aff4428078

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
MD5
de477c625e69a07beb047419ff93d06a

SHA1
e843c5967dffa6ebd94c3083da5a14b60233de04

SHA256
ef9f3d593299cd93c5af6d5fa2e78c891fee00cf101fa440723e8edafe09d552

SHA512
ba7acbcec1b157f9d326d4bf9e1a2c8c1bad7f6e44e2dac0531a95562cfd9de599ea5cf8617a0b3856b456d34073002f258468afd42fba2e0fbc44300f4c3b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5
a99ec463df19a1cb5f7b46f71a2c8e32

SHA1
9eba2c76e98b4980e68b11fa6bb4355e1f1dce12

SHA256
d41a36d7ba3d16878fa2a47b1afe9d6a79dd5988fcd59d3322ccdc22db2ea2ce

SHA512
a0a52a20e64ff38f7a67d106333615440fb0cc75821dc63d4a9683c6b2c835caa79440c586700191636c67d6ae0126e59cbad8af3d63f2400fd983798e9be10c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5
05551046bcca6aefc9b52d0d37f8900b

SHA1
079b5b3d2a0b97093ce9b5e8f6e04f944fdaca6a

SHA256
d16182f9f794e0c395dadc859e4e9d2cb9c3993ce0cfc9383498fb7de04265c7

SHA512
bd7309f9efd6807934819638d603514ce3641a4e4881568430cdb8af0a63302fe2041af58de54bda98a3243e3a5275e62de7ced68c7a642783fa5b8a2e6e814a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
MD5
05551046bcca6aefc9b52d0d37f8900b

SHA1
079b5b3d2a0b97093ce9b5e8f6e04f944fdaca6a

SHA256
d16182f9f794e0c395dadc859e4e9d2cb9c3993ce0cfc9383498fb7de04265c7

SHA512
bd7309f9efd6807934819638d603514ce3641a4e4881568430cdb8af0a63302fe2041af58de54bda98a3243e3a5275e62de7ced68c7a642783fa5b8a2e6e814a

Download Submit
\??\pipe\LOCAL\crashpad_2240_AJONPNOCSDKPIJEQ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_3032_UIRJXMMKSCQVDKNC
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4408-147-0x00007FFABC560000-0x00007FFABC561000-memory.dmp

Filesize
4KB

Download
memory/5204-172-0x000001D536F70000-0x000001D536F74000-memory.dmp

Filesize
16KB

Download
memory/5204-170-0x000001D534360000-0x000001D534370000-memory.dmp

Filesize
64KB

Download
memory/5204-169-0x000001D533B90000-0x000001D533BA0000-memory.dmp

Filesize
64KB

Download