joker | 5362e897b9825bb3ad230ed44d0811cbe1f121c1dae11be1a9a8afe24a2d7f9e

Analysis

max time kernel
1001s
max time network
1028s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-11-2022 18:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSERT.exe
Size

119.9MB
MD5

87760937585aab015532429fbe79efbc
SHA1

39a2dd36a0c0b518f4bc9bc7436275b15aa2b15f
SHA256

5362e897b9825bb3ad230ed44d0811cbe1f121c1dae11be1a9a8afe24a2d7f9e
SHA512

628726cecf3df90c24fb9b7572704709438a965087aa01050a5a03245a5720927feb85124e1734e924656753a838ce83287fbd501e7c4b5241d2831f59cd7da5
SSDEEP

3145728:bqtJE9xP4QNIobwsD3L8mcMIHvCDRWQbKHGOyy:au9l4QNIwcMIH6l3bK5

Score

10^/10

joker discovery evasion infostealer persistence spyware stealer trojan

Malware Config

Extracted

Family

joker

https://gustollc-com.oss-us-east-1.aliyuncs.com

Signatures

joker
Joker is an Android malware that targets billing and SMS fraud.
infostealer trojan joker

Registers COM server for autorun 1 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32	MSERT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	MSERT.exe

Loads dropped DLL 2 IoCs

pid	Process
1588	MSERT.exe
1588	MSERT.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run	msedge.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	MSERT.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{81573131-F768-4A4A-8DF3-EED0DFB6226F}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{BDC8D209-A460-4ACF-9D10-30511CA90EE2}.catalogItem	svchost.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\0b0a9fdf-2c59-4704-8f42-7bd1fcf4674c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221101192216.pma	setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\msert.log	MSERT.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32	MSERT.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
1588	MSERT.exe
3596	msedge.exe
3596	msedge.exe
3976	msedge.exe
3976	msedge.exe
4736	msedge.exe
4736	msedge.exe
1852	identity_helper.exe
1852	identity_helper.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe
1080	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1588	MSERT.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe
4736	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1588	MSERT.exe
Token: SeBackupPrivilege	1588	MSERT.exe
Token: SeRestorePrivilege	1588	MSERT.exe
Token: SeSystemEnvironmentPrivilege	1588	MSERT.exe
Token: SeSystemEnvironmentPrivilege	1588	MSERT.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4736	msedge.exe
4736	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 4736	1588	MSERT.exe	108
PID 1588 wrote to memory of 4736	1588	MSERT.exe	108
PID 1588 wrote to memory of 4100	1588	MSERT.exe	110
PID 1588 wrote to memory of 4100	1588	MSERT.exe	110
PID 4100 wrote to memory of 2220	4100	msedge.exe	112
PID 4100 wrote to memory of 2220	4100	msedge.exe	112
PID 4736 wrote to memory of 3920	4736	msedge.exe	111
PID 4736 wrote to memory of 3920	4736	msedge.exe	111
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4100 wrote to memory of 932	4100	msedge.exe	114
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115
PID 4736 wrote to memory of 2660	4736	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\MSERT.exe
"C:\Users\Admin\AppData\Local\Temp\MSERT.exe"
1⤵
- Registers COM server for autorun
- Checks computer location settings
- Loads dropped DLL
- Checks whether UAC is enabled
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=139454&name=VirTool:Win32/DefenderTamperingRestore&product=13
  2⤵
  - Adds Run key to start application
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xf4,0x130,0x7ffd7caa46f8,0x7ffd7caa4708,0x7ffd7caa4718
    3⤵
    PID:3920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
    3⤵
    PID:2660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
    3⤵
    PID:4588
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
    3⤵
    PID:4304
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
    3⤵
    PID:3088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4320 /prefetch:1
    3⤵
    PID:1960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5416 /prefetch:8
    3⤵
    PID:2184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5528 /prefetch:8
    3⤵
    PID:3692
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
    3⤵
    PID:4196
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:2472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x254,0x258,0x25c,0x230,0x260,0x7ff785ae5460,0x7ff785ae5470,0x7ff785ae5480
      4⤵
      PID:3200
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
    3⤵
    PID:4548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5812 /prefetch:1
    3⤵
    PID:1776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1344 /prefetch:1
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
    3⤵
    PID:3320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6092 /prefetch:8
    3⤵
    PID:5108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4272 /prefetch:8
    3⤵
    PID:1152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
    3⤵
    PID:1848
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:8
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3048 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1100 /prefetch:8
    3⤵
    PID:5100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5876 /prefetch:8
    3⤵
    PID:4232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 /prefetch:8
    3⤵
    PID:444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2172,17283603166470307243,1742843850927069191,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
    3⤵
    PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://go.microsoft.com/fwlink/?linkid=139454&name=VirTool:Win32/DefenderTamperingRestore&product=13
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd7caa46f8,0x7ffd7caa4708,0x7ffd7caa4718
    3⤵
    PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,2171291734396688467,9574137075665382589,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
    3⤵
    PID:932
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,2171291734396688467,9574137075665382589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3596

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
471B

MD5
fac021678f9ebe8d09b82454e386afd2

SHA1
3df774cb6c7658db2cfcbef89e0a030bd0390f57

SHA256
9aaf238de19331a89acd9ee7e03b7cefb2d718b814fe9e9f147c745f6345ccff

SHA512
268900ed1f00383ae1cdf709d9320b0b675bef3b3ab37573e6099c82e70e90f766e8c0fddf2011f0724b088a48b49b8c50ab68308e4b51391fba5ce7c8bf8bf1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
471B

MD5
974ee261138c713cd6f9e6111af8ec61

SHA1
5b286d806b458bb191d79c2f9ad5e7893d3c3028

SHA256
3d784fba98eed80a627ccf7c9b9af2f3c5d9d14d4a5d3962c50c5587150bfadd

SHA512
7657585c64b146a94bd768a912c5c90c37aeff0526d2924b62ffb256ae4cb29d8843d20e408b1bacf42af663ba17bf005c38bb7a6036d272c792741dd0e46dc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_C0427F5F77D9B3A439FC620EDAAB6177

Filesize
442B

MD5
1db166691045dbe59afd2e8acb5a0883

SHA1
a154c4d8c35acb500e56540746e3e6661a43d4ee

SHA256
fdb6a8f7f1fbbd00a540d3415d2f81ad34c3227d29cb53b217ddf97bc3e0d95e

SHA512
2656dfd76161597e7111ef57c556babde35cf40e0544dcb4ae85e06ada879a649cf88a8bba51692fac78352bd5adb0548791cc989463cf42447b6dd8008acfe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECE

Filesize
446B

MD5
03eb9fc98548f70868eb0616284ae701

SHA1
c72930d2a0b5b313361294033bd9d6e835a8f1a6

SHA256
b9403fa1c10cfa5c6f1996722716d3b777b4a5b531ea971158f301f4063e1f5b

SHA512
102d9c399d197d3a903185f12cee5e856b0105bceb8613403a6934464237d3a84369d6e9272f77e700c3e6c6ef25d073b774c9bca204e6e79725d9286b4f3881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1661723f09a6aed8290c3f836ef2c2b

SHA1
55e08c810da94c08c5ee54ace181d4347f4e2ae5

SHA256
a6527662d502234a1a9847973eb8e39e817aa145c43514229ba720150f74a2f2

SHA512
dcd1e6320510594dd86568608d905ad5aacd4fa2b3369ac4daa1b938f7f0597da64747875a3567e5c05e5de34f77d87f5effdfda8091d01354699711f4bc12ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7b3f352bbc8046d1d5d84c5bb693e2e5

SHA1
e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c

SHA256
471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da

SHA512
c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
65481126c602e164ab0f8b972aaaa30a

SHA1
151edb0ccb4abbde205629cb8b2d362f2598b215

SHA256
3c474020338df79ca74865587b4d807873f6507e0a4a7b22e607ae71027e0022

SHA512
3f571945069511ee790e7af6e0d6befba5bea44a7c1f6998ed3198201182bf23f2b6cc03d151fb403741820f85f8ae7e8467e590bee420186ca791089f5a54d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
0f94a711d3274136405239f20d108eab

SHA1
ec6552e84168309dde52df7fa6178b324d4982df

SHA256
921cda7ecfda68cfae098418f162e31ef26c7dce8958130f907ef37cab574738

SHA512
fcbbc7f9b1387fd217b59d5a8a4755fdbb791a630fa35f696e662f6320228d58d05acba144323bfcaaf2489021c57fdd93ec2ed86c6fd80ca1a681bfae5d7f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638029229985735118

Filesize
2KB

MD5
ddcef89a60e16157ec92669bb9b82c92

SHA1
5ce1e080a5904fa345cc6019b739e7fd8010f3b3

SHA256
e2d76ac91468541a8f1a21c602258f965eb961c6c4574c07dfaebc7344942ab8

SHA512
240f32a1701e412e55b4ab4d0bef432a3bda0b18721a69ad5ddefc431e3b71d37a2420d92d2a15bc335a76e2e2b6ee3f676520696566284f5a09d3a3fc411a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Advertising

Filesize
24KB

MD5
4e9962558e74db5038d8073a5b3431aa

SHA1
3cd097d9dd4b16a69efbb0fd1efe862867822146

SHA256
6f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279

SHA512
fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Analytics

Filesize
4KB

MD5
196d785ebbb4c59a4581a688cf89f25a

SHA1
5764ba17b0f0eff3b3ee2feaa16254c7558ea231

SHA256
785f870959e083ea25f61ed88d3a6e87467a25449c5c34bac6da9e6aeec4ae40

SHA512
b53262aa2986cb523b26fda77efa921d394826068a9a66e60d3ca6de58b7f14b5f5451bb8e85809539fbd04ce420e8ee374509023835788b8ab9f95ae5df1ee7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\CompatExceptions

Filesize
660B

MD5
900263477e1368869fbf1be99990c878

SHA1
e56e199aa4119f3cc4c4d46f96daea89bbf9685a

SHA256
7f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4

SHA512
1035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Content

Filesize
6KB

MD5
94c183b842784d0ae69f8aa57c8ac015

SHA1
c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd

SHA256
aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25

SHA512
5808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Cryptomining

Filesize
1KB

MD5
8c31feb9c3faaa9794aa22ce9f48bfbd

SHA1
f5411608a15e803afc97961b310bb21a6a8bd5b6

SHA256
6016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d

SHA512
ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Entities

Filesize
68KB

MD5
d976a6a2df47aff5f7b6c91f8b11f0e8

SHA1
332c9e8cf5b61aa1025372fdbe6fa282ee9604a2

SHA256
cf839583b2b0430edd947eb02210e6a29dbdd3024bc94157f02a201308a91972

SHA512
ef05f3d1b984563055f773a7458178c13e26af799e96d1eb26ecfe44ff4ef2adc8eb8aa3be926167cafe116a7eb1e189ef899a88d4c48a9093f90460a28128df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Fingerprinting

Filesize
1KB

MD5
9c7457097ea03210bdf62a42709d09d7

SHA1
1f71e668d7d82d6e07a0a4c5a5e236929fc181fc

SHA256
9555aa7dc9216c969baf96676de9182692816d257cec8f49c5620225357c4967

SHA512
e00b3b66e0999dd4b035183adf9f741ff14087085c5d2a240a16e5f25abf18c93454824cd3473c2f122914dab9920dec8163aafd9e3db19a27301d7f58a38b55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Other

Filesize
34B

MD5
cd0395742b85e2b669eaec1d5f15b65b

SHA1
43c81d1c62fc7ff94f9364639c9a46a0747d122e

SHA256
2b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707

SHA512
4df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\Social

Filesize
355B

MD5
ec39f54d3e06add038f88fa50834f5cd

SHA1
d75e83855e29d1bc776c0fe96dd2a0726bf6d3c4

SHA256
0a48c92dcb63ddaf421f916fe6bb1c62813f256a4a06a4fe9f6df81e2a43e95b

SHA512
91548200f6556f9872f87b8a244c03c98f8fc26be0c861127fcebaa504f31b7d72ef543d84db1ff7d3400bbd4500a1cb92d1b0b3a925378b8c56d526511d0d9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Advertising

Filesize
917B

MD5
1f3b083260019eef6691121d5099d3e8

SHA1
44ffccd3293b17344816b76be4ede5a58ac7c9a5

SHA256
ecdfa6251eab1b8928ca8d9cd8842f137c1ce241c7e9bbbc53474286b46d9600

SHA512
ab5d9097fe90d596d69c33e0e51c155624027e05bb9c85eb0388b2acd86debbffcd2c1c58496875906c97ff3e8a7547040799a35f5277a12bfc4f60597c52c4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Analytics

Filesize
91B

MD5
70e7fb4d4f0bfd58022da440f4ff670b

SHA1
1e3aeb8d627db63aa31f19a1d6ec1e33571f297e

SHA256
e7be4221cf5029e817e664829ecb5e6d2d2fe785505214a8c00c75f86ac59808

SHA512
6751d4a176a2e2394364f12c28506e6568b928d76f35c27529b7e0c8b0bff5941c2ead5036393a3b24846f5293b6e2a920505da7d125a1f374f9a68cce1318d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Content

Filesize
36B

MD5
7f077f40c2d1ce8e95faa8fdb23ed8b4

SHA1
2c329e3e20ea559974ddcaabc2c7c22de81e7ad2

SHA256
bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf

SHA512
c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Cryptomining

Filesize
32B

MD5
4ec1eda0e8a06238ff5bf88569964d59

SHA1
a2e78944fcac34d89385487ccbbfa4d8f078d612

SHA256
696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5

SHA512
c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Entities

Filesize
9KB

MD5
643a118f249a643d00a0e0ba251c2558

SHA1
5dbb890960534df2fb083bec1f5a5d3dbc83e47e

SHA256
5dac8767cc89776637ba4888bd39b57044f6c12d35ed8ed8ecf717e3d1b39d66

SHA512
a7f854a091540a83dccf4acf138c3443ce74025a3c3f24cb38bc41752b49924ddf4377afbfc901f38d7da395e2e83a0dce50fc45e8a6eb6a2a3f87163a183d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Fingerprinting

Filesize
172B

MD5
96fd20998ace419a0c394dc95ad4318c

SHA1
53a0a2818989c3472b29cdb803ee97bb2104ce54

SHA256
282a71ac3395f934ba446a3836c1f1466743f523a85186e74c44c1aef1b596c1

SHA512
d59ed718eea906fc25f27e0efe0bfe45fa807ef7050b9c7065c076996885890837eb51579aa79d0121586aa9cecc292d4e1b1e6a7236dbafe90c5601d5401545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Other

Filesize
75B

MD5
c6c7f3ee1e17acbff6ac22aa89b02e4e

SHA1
bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b

SHA256
a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4

SHA512
86ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Social

Filesize
2KB

MD5
37a70ee6ab90aa2fd3dd7416e76675a6

SHA1
e57ff483f1085d428ec6e22159c1547a2b3d2718

SHA256
c73e3c71829a98d11e48924e4df126e0c265f21b62b1aa7ac27033f7554abcb8

SHA512
e335f6c350ed839911ef1b3cb9b2d12744b37a5bdfd5e7c1535c473d2383b2a5f1dacb5b341474732e9fbb46cc59db5bd371e6bc5dd785b1015d5aa42dcb3f3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\Staging

Filesize
3KB

MD5
2e020f44ed4f057648d549c24ec82b15

SHA1
d8e0bd6a321e1700c90a54f79dec6d26af7df438

SHA256
c33bcaf2f4ff8a8da96d4b6d7493751c5bbbefaacb6a9737b77e3395f5007dfe

SHA512
13748044eb4c2eb11011a2967451cabb97a56363b106abf3bf4e6b8ec9c6e71134b5610ba4d1f722c02b9f9d275bbff22468c64d27a6fcf2c9d8980d001ab79f

Download Submit
C:\Windows\Temp\71E9C1AF-B259-10B4-BCB7-1CB698339135\MPENGINE.DLL

Filesize
16.3MB

MD5
84570ea14103c81d00308c11aa128cca

SHA1
f2099ebeeca48bf7e52f1a1f0e8c74a7d0d738e3

SHA256
1c45d266bf17c5c96baba0a95978c6f25291393127b1718ce595ae1b65cf1df5

SHA512
31d9adfebf8542d69acb95a547d91d9d673135ccdcc4ecff8c61993275de2d00036587de75ccaef740124f47f1975af7b447407251ea7b13336df54943c6ae31

Download Submit
C:\Windows\Temp\71E9C1AF-B259-10B4-BCB7-1CB698339135\MPGEAR.DLL

Filesize
607KB

MD5
a0c4ac6378ce0313955dccfd2d9208a6

SHA1
7ee2f0f3bf4504f4f7bbc63cb5fa883711c13801

SHA256
abbe3285c58c830314f9f0ad2ddc769139c0d808e27893290adc69a535b996b1

SHA512
72ea9f0d7399fa5d6865f3f887ffa07098b883b1428b33dcb552a40bb22ca6a461a546736667ca1aa97e5f06dffd10dab765c7f6e3e827dd0335b562b27d2fb5

Download Submit
memory/1588-206-0x0000023B4ABC0000-0x0000023B4ABE0000-memory.dmp

Filesize
128KB

Download
memory/1588-166-0x0000023B5A490000-0x0000023B5A4D0000-memory.dmp

Filesize
256KB

Download
memory/1588-178-0x0000023B56B00000-0x0000023B56C0D000-memory.dmp

Filesize
1.1MB

Download
memory/1588-179-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-180-0x0000023B56B00000-0x0000023B56C0D000-memory.dmp

Filesize
1.1MB

Download
memory/1588-181-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-182-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-183-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-184-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-185-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-186-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-187-0x0000023B4ACA0000-0x0000023B4ADAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-189-0x0000023B4AAF0000-0x0000023B4AB10000-memory.dmp

Filesize
128KB

Download
memory/1588-188-0x0000023B4AAD0000-0x0000023B4AAF0000-memory.dmp

Filesize
128KB

Download
memory/1588-190-0x0000023B4AB10000-0x0000023B4AB30000-memory.dmp

Filesize
128KB

Download
memory/1588-191-0x0000023B4ACA0000-0x0000023B4ADAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-192-0x0000023B4AAD0000-0x0000023B4AAF0000-memory.dmp

Filesize
128KB

Download
memory/1588-193-0x0000023B4AAF0000-0x0000023B4AB10000-memory.dmp

Filesize
128KB

Download
memory/1588-194-0x0000023B4AB10000-0x0000023B4AB30000-memory.dmp

Filesize
128KB

Download
memory/1588-195-0x0000023B4ABE0000-0x0000023B4AC00000-memory.dmp

Filesize
128KB

Download
memory/1588-196-0x0000023B4AC00000-0x0000023B4AC40000-memory.dmp

Filesize
256KB

Download
memory/1588-197-0x0000023B4AC90000-0x0000023B4AD9D000-memory.dmp

Filesize
1.1MB

Download
memory/1588-198-0x0000023B4ABE0000-0x0000023B4AC00000-memory.dmp

Filesize
128KB

Download
memory/1588-199-0x0000023B4AC00000-0x0000023B4AC40000-memory.dmp

Filesize
256KB

Download
memory/1588-200-0x0000023B4AC90000-0x0000023B4AD9D000-memory.dmp

Filesize
1.1MB

Download
memory/1588-201-0x0000023B4AB20000-0x0000023B4AC2D000-memory.dmp

Filesize
1.1MB

Download
memory/1588-202-0x0000023B4AB20000-0x0000023B4AC2D000-memory.dmp

Filesize
1.1MB

Download
memory/1588-203-0x0000023B4AB20000-0x0000023B4AB40000-memory.dmp

Filesize
128KB

Download
memory/1588-205-0x0000023B4AB60000-0x0000023B4AB80000-memory.dmp

Filesize
128KB

Download
memory/1588-204-0x0000023B4AB40000-0x0000023B4AB60000-memory.dmp

Filesize
128KB

Download
memory/1588-176-0x0000023B55C10000-0x0000023B55E10000-memory.dmp

Filesize
2.0MB

Download
memory/1588-207-0x0000023B4ABE0000-0x0000023B4AC00000-memory.dmp

Filesize
128KB

Download
memory/1588-208-0x0000023B4AC00000-0x0000023B4AC20000-memory.dmp

Filesize
128KB

Download
memory/1588-209-0x0000023B4AB60000-0x0000023B4AB80000-memory.dmp

Filesize
128KB

Download
memory/1588-210-0x0000023B4ABC0000-0x0000023B4ABE0000-memory.dmp

Filesize
128KB

Download
memory/1588-211-0x0000023B4ABE0000-0x0000023B4AC00000-memory.dmp

Filesize
128KB

Download
memory/1588-212-0x0000023B4AC00000-0x0000023B4AC20000-memory.dmp

Filesize
128KB

Download
memory/1588-301-0x0000023B4ABE0000-0x0000023B4ABF2000-memory.dmp

Filesize
72KB

Download
memory/1588-134-0x0000023B48C30000-0x0000023B48C34000-memory.dmp

Filesize
16KB

Download
memory/1588-136-0x0000023B572B0000-0x0000023B572F0000-memory.dmp

Filesize
256KB

Download
memory/1588-135-0x0000023B4DF80000-0x0000023B4DFC0000-memory.dmp

Filesize
256KB

Download
memory/1588-175-0x0000023B568E0000-0x0000023B569ED000-memory.dmp

Filesize
1.1MB

Download
memory/1588-174-0x0000023B55B10000-0x0000023B55C10000-memory.dmp

Filesize
1024KB

Download
memory/1588-173-0x0000023B55C10000-0x0000023B55E10000-memory.dmp

Filesize
2.0MB

Download
memory/1588-172-0x0000023B568E0000-0x0000023B569ED000-memory.dmp

Filesize
1.1MB

Download
memory/1588-171-0x0000023B55B10000-0x0000023B55C10000-memory.dmp

Filesize
1024KB

Download
memory/1588-170-0x0000023B52A30000-0x0000023B52A70000-memory.dmp

Filesize
256KB

Download
memory/1588-137-0x0000023B572F0000-0x0000023B57330000-memory.dmp

Filesize
256KB

Download
memory/1588-169-0x0000023B584E0000-0x0000023B58520000-memory.dmp

Filesize
256KB

Download
memory/1588-139-0x0000023B57370000-0x0000023B573B0000-memory.dmp

Filesize
256KB

Download
memory/1588-140-0x0000023B573B0000-0x0000023B573F0000-memory.dmp

Filesize
256KB

Download
memory/1588-168-0x0000023B584A0000-0x0000023B584E0000-memory.dmp

Filesize
256KB

Download
memory/1588-167-0x0000023B5A4D0000-0x0000023B5A510000-memory.dmp

Filesize
256KB

Download
memory/1588-138-0x0000023B57330000-0x0000023B57370000-memory.dmp

Filesize
256KB

Download
memory/1588-177-0x0000023B59DA0000-0x0000023B59EAD000-memory.dmp

Filesize
1.1MB

Download
memory/1588-165-0x0000023B5A450000-0x0000023B5A490000-memory.dmp

Filesize
256KB

Download
memory/1588-163-0x0000023B5A3D0000-0x0000023B5A410000-memory.dmp

Filesize
256KB

Download
memory/1588-164-0x0000023B5A410000-0x0000023B5A450000-memory.dmp

Filesize
256KB

Download
memory/1588-162-0x0000023B58420000-0x0000023B58460000-memory.dmp

Filesize
256KB

Download
memory/1588-161-0x0000023B583E0000-0x0000023B58420000-memory.dmp

Filesize
256KB

Download
memory/1588-160-0x0000023B58390000-0x0000023B583D0000-memory.dmp

Filesize
256KB

Download
memory/1588-158-0x0000023B57EE0000-0x0000023B57F20000-memory.dmp

Filesize
256KB

Download
memory/1588-159-0x0000023B57F20000-0x0000023B57F60000-memory.dmp

Filesize
256KB

Download
memory/1588-156-0x0000023B57E60000-0x0000023B57EA0000-memory.dmp

Filesize
256KB

Download
memory/1588-157-0x0000023B57EA0000-0x0000023B57EE0000-memory.dmp

Filesize
256KB

Download
memory/1588-142-0x0000023B57430000-0x0000023B57470000-memory.dmp

Filesize
256KB

Download
memory/1588-141-0x0000023B573F0000-0x0000023B57430000-memory.dmp

Filesize
256KB

Download
memory/1588-143-0x0000023B57470000-0x0000023B574B0000-memory.dmp

Filesize
256KB

Download
memory/1588-144-0x0000023B574B0000-0x0000023B574F0000-memory.dmp

Filesize
256KB

Download
memory/1588-145-0x0000023B57CF0000-0x0000023B57D30000-memory.dmp

Filesize
256KB

Download
memory/1588-155-0x0000023B58200000-0x0000023B58240000-memory.dmp

Filesize
256KB

Download
memory/1588-146-0x0000023B57D40000-0x0000023B57D80000-memory.dmp

Filesize
256KB

Download
memory/1588-147-0x0000023B57D90000-0x0000023B57DD0000-memory.dmp

Filesize
256KB

Download
memory/1588-148-0x0000023B57DD0000-0x0000023B57E10000-memory.dmp

Filesize
256KB

Download
memory/1588-149-0x0000023B57E20000-0x0000023B57E60000-memory.dmp

Filesize
256KB

Download
memory/1588-150-0x0000023B57F70000-0x0000023B57FB0000-memory.dmp

Filesize
256KB

Download
memory/1588-152-0x0000023B57FF0000-0x0000023B58030000-memory.dmp

Filesize
256KB

Download
memory/1588-151-0x0000023B57FB0000-0x0000023B57FF0000-memory.dmp

Filesize
256KB

Download
memory/1588-153-0x0000023B58170000-0x0000023B581B0000-memory.dmp

Filesize
256KB

Download
memory/1588-154-0x0000023B581B0000-0x0000023B581F0000-memory.dmp

Filesize
256KB

Download