6b375dbe5a71358422e1f667e00b4c9180d657799b8f4940eefc8d14653b536a

Resubmissions

25/10/2022, 08:28

221025-kc4l1scac4 5

25/10/2022, 08:07

221025-jzze5scabj 10

Analysis

max time kernel
288s
max time network
294s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
25/10/2022, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50.docm
Size

143KB
MD5

f769f67681707e8f69ecdf9e62fb944c
SHA1

c5f6a48fa52a279e1f3424b97662b479716229af
SHA256

45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50
SHA512

779caa9c7efac57edc6078d212b04a930d66fa10b50967bb1b9131c9e240f40f09e6f81812583770e7ffac51d7d0e23b57e20e6a7719d73ab2f1673cb17943a9
SSDEEP

3072:2e3HSOTf6Mqfb041n8Vj9SmUNRzw16vDhLfByVBZsqnCVL:2eiObpS1nY9fqzjvDZoDsqngL

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	3688	4940	msedge.exe	51

Blocklisted process makes network request 6 IoCs

flow	pid	Process
191	6080	powershell.exe
194	5284	powershell.exe
217	2260	powershell.exe
219	5912	powershell.exe
224	5920	powershell.exe
225	5396	powershell.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	cscript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\dfa7b778-fb7d-4a5a-8e5b-abef49115643.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221025080829.pma	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4940	WINWORD.EXE
4940	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
620	msedge.exe
620	msedge.exe
3688	msedge.exe
3688	msedge.exe
5596	identity_helper.exe
5596	identity_helper.exe
6080	powershell.exe
6080	powershell.exe
6080	powershell.exe
5284	powershell.exe
5284	powershell.exe
5284	powershell.exe
4700	powershell.exe
4700	powershell.exe
4700	powershell.exe
2260	powershell.exe
2260	powershell.exe
2260	powershell.exe
3304	msedge.exe
3304	msedge.exe
3304	msedge.exe
3304	msedge.exe
5912	powershell.exe
5912	powershell.exe
5912	powershell.exe
5260	powershell.exe
5260	powershell.exe
5260	powershell.exe
5920	powershell.exe
5920	powershell.exe
5920	powershell.exe
5396	powershell.exe
5396	powershell.exe
5396	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	6080	powershell.exe
Token: SeDebugPrivilege	5284	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	5912	powershell.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	5920	powershell.exe
Token: SeDebugPrivilege	5396	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3688	msedge.exe
3688	msedge.exe
3688	msedge.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE
4940	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 3688	4940	WINWORD.EXE	94
PID 4940 wrote to memory of 3688	4940	WINWORD.EXE	94
PID 3688 wrote to memory of 5004	3688	msedge.exe	97
PID 3688 wrote to memory of 5004	3688	msedge.exe	97
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 1244	3688	msedge.exe	98
PID 3688 wrote to memory of 620	3688	msedge.exe	99
PID 3688 wrote to memory of 620	3688	msedge.exe	99
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101
PID 3688 wrote to memory of 4904	3688	msedge.exe	101

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\45f293b1b5a4aaec48ac943696302bac9c893867f1fc282e85ed8341dd2f0f50.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.lumen.com/en-sg/about/legal/privacy-notice.html
  2⤵
  - Process spawned unexpected child process
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xdc,0x104,0x7fffce2f46f8,0x7fffce2f4708,0x7fffce2f4718
    3⤵
    PID:5004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:1244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:620
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
    3⤵
    PID:4904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
    3⤵
    PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3816 /prefetch:1
    3⤵
    PID:4632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5140 /prefetch:8
    3⤵
    PID:3956
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
    3⤵
    PID:4244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
    3⤵
    PID:1692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
    3⤵
    PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
    3⤵
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
    3⤵
    PID:2088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
    3⤵
    PID:3860
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7840 /prefetch:8
    3⤵
    PID:5304
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7924 /prefetch:8
    3⤵
    PID:5372
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:5456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff6ae4d5460,0x7ff6ae4d5470,0x7ff6ae4d5480
      4⤵
      PID:5504
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7924 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
    3⤵
    PID:5888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1736 /prefetch:1
    3⤵
    PID:5904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    3⤵
    PID:5256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1312 /prefetch:8
    3⤵
    PID:2944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
    3⤵
    PID:2436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2920 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5444 /prefetch:8
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
    3⤵
    PID:5540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7708 /prefetch:8
    3⤵
    PID:5164
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7048 /prefetch:8
    3⤵
    PID:3968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2080,1749865414175152703,10133517544154514458,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3116 /prefetch:8
    3⤵
    PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
1⤵
- Checks computer location settings
PID:5924
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs"
1⤵
- Checks computer location settings
PID:5256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4700
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\Updater.vbs
  2⤵
  - Checks computer location settings
  PID:2076
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2260
- C:\Windows\system32\cscript.exe
  "C:\Windows\system32\cscript.exe" .\Updater.vbs
  2⤵
  - Checks computer location settings
  PID:4884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Exec Bypass C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .\Script.ps1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .\Script.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5920
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .\temp.ps1
  2⤵
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5396

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
6c531305438e4496fee03e164b0dc22a

SHA1
0617ccf364a19ecd7ce8d2b38953fd08086da140

SHA256
9836fe03c840baa842c644aabe64d2d99e0857902084e654b9996158988431f2

SHA512
c76be3c5667c4a8dd445def5eafa51e81050fbaf1493dd8af30b60f34f7286a28b06a78c575b4c9ab29f1f766f6e13d7eff0ab59f328aa8a7ecaea185aea55d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E573CDF4C6D731D56A665145182FD759_972728B485A9F945CC2747A5739A7C98

Filesize
471B

MD5
96b3cbc3a7ad88778bcd36aedf7151d7

SHA1
15d18164fd8e11f64858fd22562c701b583b5bf6

SHA256
4a8182c79c720d9e89cff0ec6e4c195be3ecc4fd9f23c5214c3a8332f2c12541

SHA512
6a23fe520d8a8a60c5dfe658e463d21313690a843932de308d0230b5115aeacc0dc45564ad4e3d9ca178a6268c2da995243210990b7efc2c3bdf3f3e00731739

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
718496dff17a648693b827942178d3e8

SHA1
4ad288e4fddd5c4bce39edf19d36ab5b1d60c101

SHA256
8b83c61669c599574926fca8e394cf8db28fa2eea0742175dcc492962bc6a984

SHA512
a4dc6b1ceac0e271e32d19e951df45ec1c851daf83665e98217a4254cc5f89fa73338a2d11fe2bef0e0bd82fff6a761d1c143f64ef7dd08dbf90f008041b7e48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E573CDF4C6D731D56A665145182FD759_972728B485A9F945CC2747A5739A7C98

Filesize
426B

MD5
80c15bc484d61e187ede993b2a739b0c

SHA1
c3e844e094793efd69b18d3e665f5ec8d0b32e2b

SHA256
217c658fd82883212db47472a691a57b21375487af0e05a7e233d2c2bb2f8acd

SHA512
7867c82aeac99dd473afad970da47ad79586d02bbcff261cbf5381b7113d5c7ea29d42dfdabc6725e2779d3dfdf782869a0b496a11ca9b2def0fe3c413a88f40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
b9be8ab4b1a57000bfe7391b5860a762

SHA1
c18cc0aece48ec22a23a217f2e52791db1968f2e

SHA256
fcbd5f7376cafccc701c14d16e1ec90165614a97120d3484ae79a09af1c87def

SHA512
733d79b2ca8ceac6fd5bc11ea64ce29389359c10fdbfbd4f8b308d81acb538cbd95f1348c87f88425ecf8f8e488e8709d754561a6531bdc296b7eea65d5a0347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Advertising

Filesize
24KB

MD5
4e9962558e74db5038d8073a5b3431aa

SHA1
3cd097d9dd4b16a69efbb0fd1efe862867822146

SHA256
6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279

SHA512
fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Analytics

Filesize
4KB

MD5
196d785ebbb4c59a4581a688cf89f25a

SHA1
5764ba17b0f0eff3b3ee2feaa16254c7558ea231

SHA256
785f870959e083ea25f61ed88d3a6e87467a25449c5c34bac6da9e6aeec4ae40

SHA512
b53262aa2986cb523b26fda77efa921d394826068a9a66e60d3ca6de58b7f14b5f5451bb8e85809539fbd04ce420e8ee374509023835788b8ab9f95ae5df1ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\CompatExceptions

Filesize
660B

MD5
900263477e1368869fbf1be99990c878

SHA1
e56e199aa4119f3cc4c4d46f96daea89bbf9685a

SHA256
7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4

SHA512
1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Content

Filesize
6KB

MD5
94c183b842784d0ae69f8aa57c8ac015

SHA1
c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd

SHA256
aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25

SHA512
5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Cryptomining

Filesize
1KB

MD5
8c31feb9c3faaa9794aa22ce9f48bfbd

SHA1
f5411608a15e803afc97961b310bb21a6a8bd5b6

SHA256
6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d

SHA512
ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Entities

Filesize
68KB

MD5
d976a6a2df47aff5f7b6c91f8b11f0e8

SHA1
332c9e8cf5b61aa1025372fdbe6fa282ee9604a2

SHA256
cf839583b2b0430edd947eb02210e6a29dbdd3024bc94157f02a201308a91972

SHA512
ef05f3d1b984563055f773a7458178c13e26af799e96d1eb26ecfe44ff4ef2adc8eb8aa3be926167cafe116a7eb1e189ef899a88d4c48a9093f90460a28128df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Fingerprinting

Filesize
1KB

MD5
9c7457097ea03210bdf62a42709d09d7

SHA1
1f71e668d7d82d6e07a0a4c5a5e236929fc181fc

SHA256
9555aa7dc9216c969baf96676de9182692816d257cec8f49c5620225357c4967

SHA512
e00b3b66e0999dd4b035183adf9f741ff14087085c5d2a240a16e5f25abf18c93454824cd3473c2f122914dab9920dec8163aafd9e3db19a27301d7f58a38b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Other

Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Social

Filesize
355B

MD5
ec39f54d3e06add038f88fa50834f5cd

SHA1
d75e83855e29d1bc776c0fe96dd2a0726bf6d3c4

SHA256
0a48c92dcb63ddaf421f916fe6bb1c62813f256a4a06a4fe9f6df81e2a43e95b

SHA512
91548200f6556f9872f87b8a244c03c98f8fc26be0c861127fcebaa504f31b7d72ef543d84db1ff7d3400bbd4500a1cb92d1b0b3a925378b8c56d526511d0d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Advertising

Filesize
917B

MD5
1f3b083260019eef6691121d5099d3e8

SHA1
44ffccd3293b17344816b76be4ede5a58ac7c9a5

SHA256
ecdfa6251eab1b8928ca8d9cd8842f137c1ce241c7e9bbbc53474286b46d9600

SHA512
ab5d9097fe90d596d69c33e0e51c155624027e05bb9c85eb0388b2acd86debbffcd2c1c58496875906c97ff3e8a7547040799a35f5277a12bfc4f60597c52c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Analytics

Filesize
91B

MD5
70e7fb4d4f0bfd58022da440f4ff670b

SHA1
1e3aeb8d627db63aa31f19a1d6ec1e33571f297e

SHA256
e7be4221cf5029e817e664829ecb5e6d2d2fe785505214a8c00c75f86ac59808

SHA512
6751d4a176a2e2394364f12c28506e6568b928d76f35c27529b7e0c8b0bff5941c2ead5036393a3b24846f5293b6e2a920505da7d125a1f374f9a68cce1318d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Content

Filesize
36B

MD5
7f077f40c2d1ce8e95faa8fdb23ed8b4

SHA1
2c329e3e20ea559974ddcaabc2c7c22de81e7ad2

SHA256
bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf

SHA512
c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Cryptomining

Filesize
32B

MD5
4ec1eda0e8a06238ff5bf88569964d59

SHA1
a2e78944fcac34d89385487ccbbfa4d8f078d612

SHA256
696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

SHA512
c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Entities

Filesize
9KB

MD5
643a118f249a643d00a0e0ba251c2558

SHA1
5dbb890960534df2fb083bec1f5a5d3dbc83e47e

SHA256
5dac8767cc89776637ba4888bd39b57044f6c12d35ed8ed8ecf717e3d1b39d66

SHA512
a7f854a091540a83dccf4acf138c3443ce74025a3c3f24cb38bc41752b49924ddf4377afbfc901f38d7da395e2e83a0dce50fc45e8a6eb6a2a3f87163a183d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Fingerprinting

Filesize
172B

MD5
96fd20998ace419a0c394dc95ad4318c

SHA1
53a0a2818989c3472b29cdb803ee97bb2104ce54

SHA256
282a71ac3395f934ba446a3836c1f1466743f523a85186e74c44c1aef1b596c1

SHA512
d59ed718eea906fc25f27e0efe0bfe45fa807ef7050b9c7065c076996885890837eb51579aa79d0121586aa9cecc292d4e1b1e6a7236dbafe90c5601d5401545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Other

Filesize
75B

MD5
c6c7f3ee1e17acbff6ac22aa89b02e4e

SHA1
bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b

SHA256
a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4

SHA512
86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Social

Filesize
2KB

MD5
37a70ee6ab90aa2fd3dd7416e76675a6

SHA1
e57ff483f1085d428ec6e22159c1547a2b3d2718

SHA256
c73e3c71829a98d11e48924e4df126e0c265f21b62b1aa7ac27033f7554abcb8

SHA512
e335f6c350ed839911ef1b3cb9b2d12744b37a5bdfd5e7c1535c473d2383b2a5f1dacb5b341474732e9fbb46cc59db5bd371e6bc5dd785b1015d5aa42dcb3f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Staging

Filesize
3KB

MD5
2e020f44ed4f057648d549c24ec82b15

SHA1
d8e0bd6a321e1700c90a54f79dec6d26af7df438

SHA256
c33bcaf2f4ff8a8da96d4b6d7493751c5bbbefaacb6a9737b77e3395f5007dfe

SHA512
13748044eb4c2eb11011a2967451cabb97a56363b106abf3bf4e6b8ec9c6e71134b5610ba4d1f722c02b9f9d275bbff22468c64d27a6fcf2c9d8980d001ab79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
90e81190df5aba9dc80804f09565aed7

SHA1
4fc09c7c9a75741836b6d2aad14676b7e6fb47cb

SHA256
3cf145296c1ff0a89f8d30b2f4a4ab980e626fcfe885eda9e3aea755adda5703

SHA512
5ba9dc5e61456a88015da6ca4da0dc0cdd41e7e431d33a122dd0fbd5cd36f3d81d4f7f91a1ca55b83b145dc5555148b6148a8379ba29f442340a4dda55c5f4ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8380556a8aef050798c2124986530e9

SHA1
3de6f5f9d873dbf4c3b779ac8446fcccda019792

SHA256
46c0f05c297ebc8d97878ff799ea7b6ead2f5efe671d9fa187dd11bae8ccc704

SHA512
336966c5a52a6cbd30274d969bf614cccbfb7b2fd29c7d408a02ea34cb190d7c3ae3a13ea8e015fdc14faa92abc0108e2e0c385ca9befcc60f40f904508a32d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c8380556a8aef050798c2124986530e9

SHA1
3de6f5f9d873dbf4c3b779ac8446fcccda019792

SHA256
46c0f05c297ebc8d97878ff799ea7b6ead2f5efe671d9fa187dd11bae8ccc704

SHA512
336966c5a52a6cbd30274d969bf614cccbfb7b2fd29c7d408a02ea34cb190d7c3ae3a13ea8e015fdc14faa92abc0108e2e0c385ca9befcc60f40f904508a32d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
343e8c39515fd6160eef93ba3258c8e9

SHA1
eaa73a1b22a6bba9bdff8a7782ca028fb4d471b9

SHA256
abdcea65479ac28fb3027e1686d83f37ec21fc864a629a85d2e7f48b0a67e3d4

SHA512
412d3805df8b16d7adb46ee17b80a2fe3e17bb6810eb074e84963ed0aec2f303de1908c6954b05eaf925d46e1621767eb93ad8d634082624f60b804eaf956dfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
174f2f1c920d0b80718e1e79c367cac9

SHA1
1d771e2c773cc531ed68762ef8bc32237c008df2

SHA256
6e71be8328d2afff33493cd15149649d10fab82751d9479199cbba7401398786

SHA512
40147da28ebf5b953e5e20461ef939cee7c9972e9100abc859d0650d9ee2671db5dc8f1f30cb56c5e46b766938d5bf204b576aa9000b61d2b8c7f5be3d2b5842

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Script.ps1

Filesize
15KB

MD5
a3c14604fb4454ba5722f07f89780e73

SHA1
ed7b9ddbaee794cecb80fac794b0e6cb0ae073b5

SHA256
bda4484bb6325dfccaa464c2007a8f20130f0cf359a7f79e14feeab3faa62332

SHA512
3c70940829620ea283e6830d1ece89efbfb83ffd0278496ba356d37bb2a30ce885a565136f7e7911cd6a6dd8f93190c42418e2fc9e1b0f4d232fffc6260db123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\Updater.vbs

Filesize
1KB

MD5
5b5464c5b0643161cb368f7a00900eef

SHA1
8bbb9ae8311ce3c87f478457ca8d3c47677d21ee

SHA256
92765a0cb0953d8df9484b5af79cd9b2e1e6248a7ec23ba0d977ff7082156a01

SHA512
78eb6b9183f447ba59bc41cddbc3d95a076684ba2beacf350dedd01e50dbb5c2c85dfa46aefe55fd7443aef11f606c30ca4a5876a97e4dad0a5925625a6c3995

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Update\temp.ps1

Filesize
11KB

MD5
c3aedb781a5b96674764cd43ef076d10

SHA1
86da0100bb6a07a89eaa4dc3ec220e9dbd6ecf71

SHA256
16007ea6ae7ce797451baec2132e30564a29ee0bf8a8f05828ad2289b3690f55

SHA512
01021427a290a493c80b5c490811bd04f8743978c1b02c5565349a9309808e90f85ae606abdad638c941dd7097f54bc9f849755ad02baab797f1df2aa6032f58

Download Submit
memory/2260-206-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/2260-208-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/4700-197-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/4700-192-0x00000187F0410000-0x00000187F0454000-memory.dmp

Filesize
272KB

Download
memory/4700-194-0x00000187F04E0000-0x00000187F0556000-memory.dmp

Filesize
472KB

Download
memory/4700-200-0x00000187F0460000-0x00000187F047E000-memory.dmp

Filesize
120KB

Download
memory/4700-193-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/4940-135-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Filesize
64KB

Download
memory/4940-134-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Filesize
64KB

Download
memory/4940-136-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Filesize
64KB

Download
memory/4940-133-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Filesize
64KB

Download
memory/4940-137-0x00007FFFBB660000-0x00007FFFBB670000-memory.dmp

Filesize
64KB

Download
memory/4940-138-0x00007FFFBB660000-0x00007FFFBB670000-memory.dmp

Filesize
64KB

Download
memory/4940-139-0x00000282FF950000-0x00000282FF954000-memory.dmp

Filesize
16KB

Download
memory/4940-132-0x00007FFFBD930000-0x00007FFFBD940000-memory.dmp

Filesize
64KB

Download
memory/5260-221-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5284-191-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5284-189-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5396-254-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5396-252-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5912-216-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5912-215-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5920-228-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/5920-229-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/6080-183-0x00000278FD090000-0x00000278FD0B2000-memory.dmp

Filesize
136KB

Download
memory/6080-185-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download
memory/6080-186-0x00007FFFBFB90000-0x00007FFFC0651000-memory.dmp

Filesize
10.8MB

Download