Analysis
-
max time kernel
407s -
max time network
411s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
30-11-2022 14:49
Behavioral task
behavioral1
Sample
бланк заказа 2022 июнь.xlsm
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
бланк заказа 2022 июнь.xlsm
Resource
win10v2004-20220812-en
General
-
Target
бланк заказа 2022 июнь.xlsm
-
Size
1.5MB
-
MD5
b0587b50aaa357457792bc508a1a2615
-
SHA1
691451044e9e8a6f5ac67a756703d068982ec745
-
SHA256
2d6daa2d0d391cdd3432a492f638980bbff386ba330bbba1035cea946176e8c8
-
SHA512
1d76bd0daa19975762a41c7d735c23c7217aee02756697874d80dcaba273c8576c1c750bd2a2cd2b9a9fc65ba3d3c079cd1a908c092c6b11fb34cccc2521c948
-
SSDEEP
24576:AnN//CUs/z2vuEGmGiKhnT7fLqHBCua1rM2pfoK52TOwlbCEf522F0n:AN/KUsrUuEGmGiQTShCLNUTZX9mn
Malware Config
Signatures
-
Process spawned unexpected child process 2 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
msedge.exemsedge.exedescription pid pid_target process target process Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1864 1600 msedge.exe EXCEL.EXE Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 1624 1600 msedge.exe EXCEL.EXE -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
msedge.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Drops file in System32 directory 11 IoCs
Processes:
svchost.exedescription ioc process File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log svchost.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3a6df083-9c0a-44d9-89cd-201d0717b762.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20221130155334.pma setup.exe -
Drops file in Windows directory 1 IoCs
Processes:
mspaint.exedescription ioc process File opened for modification C:\Windows\Debug\WIA\wiatrace.log mspaint.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3264 4072 WerFault.exe -
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
EXCEL.EXEdescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
EXCEL.EXEmsedge.exedescription ioc process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe -
Modifies registry class 13 IoCs
Processes:
msedge.exemspaint.exemspaint.exemspaint.exemspaint.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" msedge.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings mspaint.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings mspaint.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings mspaint.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings mspaint.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 msedge.exe Set value (str) \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" msedge.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children msedge.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings msedge.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children msedge.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage msedge.exe Key created \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe msedge.exe -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
EXCEL.EXEpid process 1600 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 23 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exepid process 4964 msedge.exe 4964 msedge.exe 1864 msedge.exe 1864 msedge.exe 1572 msedge.exe 1292 identity_helper.exe 1292 identity_helper.exe 3920 msedge.exe 3920 msedge.exe 2832 msedge.exe 2832 msedge.exe 2832 msedge.exe 2832 msedge.exe 4376 mspaint.exe 4376 mspaint.exe 3404 mspaint.exe 3404 mspaint.exe 5084 mspaint.exe 5084 mspaint.exe 2380 mspaint.exe 2380 mspaint.exe 4228 mspaint.exe 4228 mspaint.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
Processes:
msedge.exepid process 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
svchost.exedescription pid process Token: SeTcbPrivilege 5112 svchost.exe Token: SeRestorePrivilege 5112 svchost.exe -
Suspicious use of FindShellTrayWindow 10 IoCs
Processes:
msedge.exepid process 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe 1864 msedge.exe -
Suspicious use of SetWindowsHookEx 32 IoCs
Processes:
EXCEL.EXEmspaint.exeOpenWith.exemspaint.exeOpenWith.exemspaint.exeOpenWith.exemspaint.exeOpenWith.exemspaint.exepid process 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 4376 mspaint.exe 2364 OpenWith.exe 3404 mspaint.exe 4312 OpenWith.exe 1600 EXCEL.EXE 1600 EXCEL.EXE 5084 mspaint.exe 3152 OpenWith.exe 1600 EXCEL.EXE 1600 EXCEL.EXE 1600 EXCEL.EXE 2380 mspaint.exe 2832 OpenWith.exe 4228 mspaint.exe 4228 mspaint.exe 4228 mspaint.exe 4228 mspaint.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
EXCEL.EXEmsedge.exedescription pid process target process PID 1600 wrote to memory of 1864 1600 EXCEL.EXE msedge.exe PID 1600 wrote to memory of 1864 1600 EXCEL.EXE msedge.exe PID 1864 wrote to memory of 1336 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 1336 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4348 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4964 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4964 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe PID 1864 wrote to memory of 4188 1864 msedge.exe msedge.exe
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\бланк заказа 2022 июнь.xlsm"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.com/d/rh_qJwpMj613TA2⤵
- Process spawned unexpected child process
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffeccd346f8,0x7ffeccd34708,0x7ffeccd347183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2732 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3192 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3856 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5044 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6136 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3952 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings3⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x23c,0x240,0x244,0x1d8,0x248,0x7ff7133f5460,0x7ff7133f5470,0x7ff7133f54804⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6856 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7288 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1884 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3036 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2480 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5376 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6368 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2008 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2164,506501649167299315,2881385155496746733,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://disk.yandex.com/showcaptcha?cc=1&mt=A0DD3E67E1DDAADA9AAB029C7B50C5C39E8FE8E328DD8DAE2298FFEE50339053D7C0&retpath=aHR0cHM6Ly9kaXNrLnlhbmRleC5jb20vZC9IajdwbkRlUVdudHdkQT8%2C_5a7fcb8df48ee6cd95fdc64e9aeefd99&t=2/1669819996/b66fab2711c4f51b3a99ff396e86b84f&u=25d9ce43-d90a7d27-81d07b01-6341b18&s=2c21ea711be6129c0deb6ca9be5600102⤵
- Process spawned unexpected child process
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffeccd346f8,0x7ffeccd34708,0x7ffeccd347183⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 472 -p 4072 -ip 40721⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4072 -s 10961⤵
- Program crash
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_М-122.zip\М-122\М-122.JPG" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_М-122.zip\М-122\М-122.JPG" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_М-122.zip\М-122\М-122.JPG" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\М-122.JPG" /ForceBootstrapPaint3D1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dashost.exedashost.exe {4dcbbff2-c660-4661-957fb3eb481cdf06}2⤵
-
C:\Windows\system32\mspaint.exe"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\М-122.JPG"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81BFilesize
1KB
MD55f378c36b06f37454599ba81b2de804b
SHA17804a982533b3bbbe3a7a9701a38233f8982fab8
SHA2562007ef2ef66ce5dc3ffa59df8e0e843c6a9742663abff08ecf508d8fa7164b73
SHA5123c8667e40141fcf479b21d8341681f92a4b03f32735b733b01cd43e62ca9c81e9d0f21d529f56efd4e377a2b773c9e2e1bad19a5f84674a543d29ffc0b31dc30
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_77DA99F661FA088EBE8D771B7E655EB9Filesize
1KB
MD57e782ebb38dfb5addb80de6c19453dd7
SHA1747e3fabddd65e949b70f137bb54bbfd1a01fe70
SHA2560d263029b9719d035bbb8fd9928e1799e4ab761a16e84ba47bd0822d3d77b3a8
SHA5122de963c8071c9df1fffdabda74258ccbaa93c8c2a687b6e8c74e9a51acd121cc6ba535961cad06a4956f198eb5bccc145c410f4b27c6af12e0d7c143759ce47e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
471B
MD5302ccc431609cad913893a5762258293
SHA1c88d15ce7198f7296e281fd342d621618a1eddb9
SHA2563963c5a71bd7299478ffdb264b1e8d812aa9598d8d74413ab29268a0545fccb5
SHA512520870fd7d55484064ec7950fd74646140a240cec3261691807dbb857f2a6285d587ebfa34a70d122f9cb9b5d59ca0441e965648eb592333d90fa29ef7f42b18
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3Filesize
1KB
MD5fbba41aaa8c5b340a8215fbbf423142b
SHA19d8c96dfa6c972ddff1dbda48d52782573640fff
SHA2568cb4e8af978b2625ac871fa717ddc122b7320d6acf240f963e6fcb4a41a965d3
SHA51294949d95a9d9023c36b5a18f7ac02609a0e35dd25cbb1376425125dc30f896571679a16e58599a167aa6b712495a9a4ca7f07e1c0e07fd7606aebbf17357083e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81BFilesize
508B
MD53dbcb07a0cd1b0849faca7da1e574e9b
SHA1fa3a85d1badabc504f52497c681fa00943e72614
SHA2562a390ffd9149e33db4ed68fc430f32dac0ed69473f20105b527d7d8011079dec
SHA5121462cba2ec246451e4d801e8a6125b2a45874f17e5681bb314df982e4ee276f704f0a4983ca9c604073677086e41fae269e77a40deec6974ce0205f709b893b6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_77DA99F661FA088EBE8D771B7E655EB9Filesize
532B
MD5ffdbfeb97198657d8b76b363209b2db2
SHA179fc330f2391c0de84ae13091e06e1cd9a2fa24e
SHA256d893184d96ddbfa0b4b2d4e70da1c10320d3116e1c7c0de03c964caed0203454
SHA512e8c403d423d25f08950ede287ab5c1080a90ed4842bbf7178360c1d17598bd57349a87d5c0a75c57ae14ed719273a83803a1d75698915173cb322215c679558e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_E503B048B745DFA14B81FCFC68D6DECEFilesize
446B
MD55e46335a1ed37213a64c6b00a3f3d6a5
SHA1dfeb242bb43e9d6cfb3c0b6fc3f0add4c1f6595c
SHA2569ee86ca1bded939ed3bd8ce12bd1dc74a2d113fa134fb8fef1465c9324036b51
SHA51218089f6b1bdcc1e05c6c1ce1b8eaa76bd42c2386f8b02508ef0a60144f321e1305d767cdbe7750c784675bbb5d5cc224d5dcdb08bb1ef94390b10d5a75cd57a7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3Filesize
506B
MD553339838e5729e2080459e7d3f892a63
SHA1378d0b8f5b05b70cfe551bb796989b164ef2c9ef
SHA25612f41cf36427ad6e6f75cf2f60e5eb390a861fb7ed1f26598bd51d6979768247
SHA512306fef7d5318dc5732aac487c4e6638de430581fd755eb44b7d641061bc81d73432602ac36ca1e7be0b207f7cc8f8bd8bbc699a5f5f7316f1d989fcccca441dc
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD57b3f352bbc8046d1d5d84c5bb693e2e5
SHA1e9d1ec6341b7959453e7cfb1ec65a55bf415cd4c
SHA256471da5f4a494fb6adb027e3fd80765a6c27a3967208aad8fb55e38a3f7fca7da
SHA512c984248535cb94fc265e93b9001d5936697dd2ff3ef8dfedd014df64b5f76e031eea1a594db3085e0149794ad90802a45c6cd985035ba383d1bf80ed928ff809
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD52c968eb620a865a9b9451323503e9c03
SHA1a203f45d9b90219e8e099a05f376a90cb97b11a2
SHA25692404c2ac949f1ffdd90086014ae73312a440c6e8cca8c6d0c95bbd83fc83453
SHA512c01ac079e97f5c92d9484a454cb3f8c2849bf249e1df3b75c5abf4ad700a3422f9f2ca35c77663223dbefb8f93ff12fcb85d62278e87cd4504cc7a6eed132f8c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\AdvertisingFilesize
24KB
MD54e9962558e74db5038d8073a5b3431aa
SHA13cd097d9dd4b16a69efbb0fd1efe862867822146
SHA2566f81212bd841eca89aa6f291818b4ad2582d7cdb4e488adea98261494bdcd279
SHA512fcd76bca998afc517c87de0db6ee54e45aa2263fa7b91653ac3adb34c41f3681fbe19d673ae9b24fdf3d53f5af4e4968e603a1eb557207f8860ac51372026b2e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\AnalyticsFilesize
4KB
MD5196d785ebbb4c59a4581a688cf89f25a
SHA15764ba17b0f0eff3b3ee2feaa16254c7558ea231
SHA256785f870959e083ea25f61ed88d3a6e87467a25449c5c34bac6da9e6aeec4ae40
SHA512b53262aa2986cb523b26fda77efa921d394826068a9a66e60d3ca6de58b7f14b5f5451bb8e85809539fbd04ce420e8ee374509023835788b8ab9f95ae5df1ee7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\CompatExceptionsFilesize
660B
MD5900263477e1368869fbf1be99990c878
SHA1e56e199aa4119f3cc4c4d46f96daea89bbf9685a
SHA2567f660d9db521646e9c6510d844b6c6ea26716b620c46f34edaf7ce318a9473e4
SHA5121035b388b4b00c744824d13c5ef48118d88abbb53e9d76896a2d96a2a127a7739c119e781d7d5f0b8d910e10539c0c502c9f937fc2487747c65e7285f4b1e6d2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\ContentFilesize
6KB
MD594c183b842784d0ae69f8aa57c8ac015
SHA1c5b1ebc2b5c140ccbb21cd377ca18f3c5d0b80cd
SHA256aa5c4d50684aa478d5982e509cbf1f8347fbc9cc75cb847d54915c16c3a33d25
SHA5125808ddb81657acf4712fa845c95aacbab32a414ffda3b9d1218637e2d53bd3e0d6b95c872779ead6eaa13b4d2d563494ad5587337958bd17f1e791fad5d822fb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\CryptominingFilesize
1KB
MD58c31feb9c3faaa9794aa22ce9f48bfbd
SHA1f5411608a15e803afc97961b310bb21a6a8bd5b6
SHA2566016fd3685046b33c7a2b1e785ac757df20e7c760abe0c27e1b8b0294222421d
SHA512ba4b5886c04ba8f7a7dbb87e96d639783a5969a245de181cf620b8f536e3ac95bbd910cd2f1f6aae6c3cd70fc1ef6209dc10d2b083ec51861b51d83f95811baa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\EntitiesFilesize
68KB
MD5d976a6a2df47aff5f7b6c91f8b11f0e8
SHA1332c9e8cf5b61aa1025372fdbe6fa282ee9604a2
SHA256cf839583b2b0430edd947eb02210e6a29dbdd3024bc94157f02a201308a91972
SHA512ef05f3d1b984563055f773a7458178c13e26af799e96d1eb26ecfe44ff4ef2adc8eb8aa3be926167cafe116a7eb1e189ef899a88d4c48a9093f90460a28128df
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\FingerprintingFilesize
1KB
MD59c7457097ea03210bdf62a42709d09d7
SHA11f71e668d7d82d6e07a0a4c5a5e236929fc181fc
SHA2569555aa7dc9216c969baf96676de9182692816d257cec8f49c5620225357c4967
SHA512e00b3b66e0999dd4b035183adf9f741ff14087085c5d2a240a16e5f25abf18c93454824cd3473c2f122914dab9920dec8163aafd9e3db19a27301d7f58a38b55
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\OtherFilesize
34B
MD5cd0395742b85e2b669eaec1d5f15b65b
SHA143c81d1c62fc7ff94f9364639c9a46a0747d122e
SHA2562b4a47b82cbe70e34407c7df126a24007aff8b45d5716db384d27cc1f3b30707
SHA5124df2ce734e2f7bc5f02bb7845ea801b57dcf649565dd94b1b71f578b453ba0a17c61ccee73e7cff8f23cdd6aa37e55be5cb15f4767ff88a9a06de3623604fbf0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Mu\SocialFilesize
355B
MD5ec39f54d3e06add038f88fa50834f5cd
SHA1d75e83855e29d1bc776c0fe96dd2a0726bf6d3c4
SHA2560a48c92dcb63ddaf421f916fe6bb1c62813f256a4a06a4fe9f6df81e2a43e95b
SHA51291548200f6556f9872f87b8a244c03c98f8fc26be0c861127fcebaa504f31b7d72ef543d84db1ff7d3400bbd4500a1cb92d1b0b3a925378b8c56d526511d0d9b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\AdvertisingFilesize
917B
MD51f3b083260019eef6691121d5099d3e8
SHA144ffccd3293b17344816b76be4ede5a58ac7c9a5
SHA256ecdfa6251eab1b8928ca8d9cd8842f137c1ce241c7e9bbbc53474286b46d9600
SHA512ab5d9097fe90d596d69c33e0e51c155624027e05bb9c85eb0388b2acd86debbffcd2c1c58496875906c97ff3e8a7547040799a35f5277a12bfc4f60597c52c4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\AnalyticsFilesize
91B
MD570e7fb4d4f0bfd58022da440f4ff670b
SHA11e3aeb8d627db63aa31f19a1d6ec1e33571f297e
SHA256e7be4221cf5029e817e664829ecb5e6d2d2fe785505214a8c00c75f86ac59808
SHA5126751d4a176a2e2394364f12c28506e6568b928d76f35c27529b7e0c8b0bff5941c2ead5036393a3b24846f5293b6e2a920505da7d125a1f374f9a68cce1318d6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\ContentFilesize
36B
MD57f077f40c2d1ce8e95faa8fdb23ed8b4
SHA12c329e3e20ea559974ddcaabc2c7c22de81e7ad2
SHA256bda08f8b53c121bbc03da1f5c870c016b06fa620a2c02375988555dd12889cdf
SHA512c1fb5d40491ae22a155a9bd115c32cbe9dbcba615545af2f1a252475f9d59844763cd7c177f08277d8ef59e873b7d885fda17f2a504d9ec2c181d0f793cb542b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\CryptominingFilesize
32B
MD54ec1eda0e8a06238ff5bf88569964d59
SHA1a2e78944fcac34d89385487ccbbfa4d8f078d612
SHA256696e930706b5d391eb8778f73b0627ffc2be7f6c9a3e7659170d9d37fc4a97b5
SHA512c9b1ed7b61f26d94d7f5eded2d42d40f3e4300eee2319fe28e04b25cdb6dd92daf67828bff453bf5fc8d7b6ceb58cab319fc0daac9b0050e27a89efe74d2734e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\EntitiesFilesize
9KB
MD5643a118f249a643d00a0e0ba251c2558
SHA15dbb890960534df2fb083bec1f5a5d3dbc83e47e
SHA2565dac8767cc89776637ba4888bd39b57044f6c12d35ed8ed8ecf717e3d1b39d66
SHA512a7f854a091540a83dccf4acf138c3443ce74025a3c3f24cb38bc41752b49924ddf4377afbfc901f38d7da395e2e83a0dce50fc45e8a6eb6a2a3f87163a183d6a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\FingerprintingFilesize
172B
MD596fd20998ace419a0c394dc95ad4318c
SHA153a0a2818989c3472b29cdb803ee97bb2104ce54
SHA256282a71ac3395f934ba446a3836c1f1466743f523a85186e74c44c1aef1b596c1
SHA512d59ed718eea906fc25f27e0efe0bfe45fa807ef7050b9c7065c076996885890837eb51579aa79d0121586aa9cecc292d4e1b1e6a7236dbafe90c5601d5401545
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\OtherFilesize
75B
MD5c6c7f3ee1e17acbff6ac22aa89b02e4e
SHA1bdbd0220e54b80b3d2ffbbddadc89bfbb8e64a8b
SHA256a2f9f27d6938a74979d34484bced535412969c2533dc694bfa667fe81d66d7d4
SHA51286ed28ffdd00b4a397a20968792fcd30dd4a891a187a7789c00c88b64689b334a11fa087eb54ccee813c181cf891b43184dde7af9a6f33caed2a71e2c445a7b4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\SocialFilesize
2KB
MD537a70ee6ab90aa2fd3dd7416e76675a6
SHA1e57ff483f1085d428ec6e22159c1547a2b3d2718
SHA256c73e3c71829a98d11e48924e4df126e0c265f21b62b1aa7ac27033f7554abcb8
SHA512e335f6c350ed839911ef1b3cb9b2d12744b37a5bdfd5e7c1535c473d2383b2a5f1dacb5b341474732e9fbb46cc59db5bd371e6bc5dd785b1015d5aa42dcb3f3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Trust Protection Lists\1.0.0.23\Sigma\StagingFilesize
3KB
MD52e020f44ed4f057648d549c24ec82b15
SHA1d8e0bd6a321e1700c90a54f79dec6d26af7df438
SHA256c33bcaf2f4ff8a8da96d4b6d7493751c5bbbefaacb6a9737b77e3395f5007dfe
SHA51213748044eb4c2eb11011a2967451cabb97a56363b106abf3bf4e6b8ec9c6e71134b5610ba4d1f722c02b9f9d275bbff22468c64d27a6fcf2c9d8980d001ab79f
-
\??\pipe\LOCAL\crashpad_1864_DZDWPKQZWEVNAONAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/396-181-0x0000000000000000-mapping.dmp
-
memory/1196-173-0x0000000000000000-mapping.dmp
-
memory/1292-175-0x0000000000000000-mapping.dmp
-
memory/1336-140-0x0000000000000000-mapping.dmp
-
memory/1572-168-0x0000000000000000-mapping.dmp
-
memory/1600-137-0x00007FFEB5DC0000-0x00007FFEB5DD0000-memory.dmpFilesize
64KB
-
memory/1600-138-0x00007FFEB5DC0000-0x00007FFEB5DD0000-memory.dmpFilesize
64KB
-
memory/1600-135-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/1600-132-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/1600-136-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/1600-134-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/1600-133-0x00007FFEB8610000-0x00007FFEB8620000-memory.dmpFilesize
64KB
-
memory/1624-153-0x0000000000000000-mapping.dmp
-
memory/1816-189-0x0000000000000000-mapping.dmp
-
memory/1864-139-0x0000000000000000-mapping.dmp
-
memory/2064-174-0x0000000000000000-mapping.dmp
-
memory/2332-200-0x00000289703C0000-0x00000289703D0000-memory.dmpFilesize
64KB
-
memory/2332-201-0x0000028970C60000-0x0000028970C70000-memory.dmpFilesize
64KB
-
memory/2548-154-0x0000000000000000-mapping.dmp
-
memory/2716-177-0x0000000000000000-mapping.dmp
-
memory/2832-197-0x0000000000000000-mapping.dmp
-
memory/3132-194-0x0000000000000000-mapping.dmp
-
memory/3132-203-0x0000000000000000-mapping.dmp
-
memory/3152-170-0x0000000000000000-mapping.dmp
-
memory/3332-152-0x0000000000000000-mapping.dmp
-
memory/3364-185-0x0000000000000000-mapping.dmp
-
memory/3456-183-0x0000000000000000-mapping.dmp
-
memory/3520-150-0x0000000000000000-mapping.dmp
-
memory/3536-165-0x0000000000000000-mapping.dmp
-
memory/3572-199-0x0000000000000000-mapping.dmp
-
memory/3668-228-0x0000000000000000-mapping.dmp
-
memory/3920-190-0x0000000000000000-mapping.dmp
-
memory/3996-187-0x0000000000000000-mapping.dmp
-
memory/4080-172-0x0000000000000000-mapping.dmp
-
memory/4188-148-0x0000000000000000-mapping.dmp
-
memory/4232-196-0x0000000000000000-mapping.dmp
-
memory/4340-157-0x0000000000000000-mapping.dmp
-
memory/4348-142-0x0000000000000000-mapping.dmp
-
memory/4376-207-0x0000000000000000-mapping.dmp
-
memory/4612-179-0x0000000000000000-mapping.dmp
-
memory/4784-192-0x0000000000000000-mapping.dmp
-
memory/4828-209-0x0000000000000000-mapping.dmp
-
memory/4964-143-0x0000000000000000-mapping.dmp
-
memory/5112-205-0x0000000000000000-mapping.dmp