blackmoon | 2c310264f618891a79f8ced977a2398f87f1030d4852b3e176878b4b31cf9d6b

Analysis

max time kernel
55s
max time network
62s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
14-04-2023 20:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe
Size

6.9MB
MD5

3de8b7d91dbf9a81b81327bd4b5163e9
SHA1

422e3d7ecf94f38304718ef30c84cf6ea6ee23e0
SHA256

ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa
SHA512

30aedf3573f0d0e0274d54b8f99e5b0df3a95d9854d425901c7d87d46f5bb59558b523ed859ab908c3a35e6f65a2a749ebb506a8a679e68b0c0fba1db805c084
SSDEEP

98304:+F0CJ9DlZB9GzQ8JBAUZLw5lNBNcwJJBAUZLWM:W5kJV6DJV

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2132-121-0x0000000000400000-0x0000000000752000-memory.dmp	family_blackmoon
behavioral1/memory/2132-122-0x0000000000400000-0x0000000000752000-memory.dmp	family_blackmoon
behavioral1/memory/2132-123-0x0000000000400000-0x0000000000752000-memory.dmp	family_blackmoon
behavioral1/memory/2132-127-0x0000000000400000-0x0000000000752000-memory.dmp	family_blackmoon
behavioral1/memory/2132-128-0x0000000010000000-0x00000000100D4000-memory.dmp	family_blackmoon

Blocklisted process makes network request 4 IoCs

Processes:

cmd.exe

flow pid process

4 2132 cmd.exe
6 2132 cmd.exe
4 2132 cmd.exe
6 2132 cmd.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation cmd.exe

flow	pid	process
4	2132	cmd.exe
6	2132	cmd.exe
4	2132	cmd.exe
6	2132	cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe

description	pid	process	target process
PID 4156 set thread context of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe

Drops file in Windows directory 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

Processes:

MicrosoftEdge.exebrowser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\LowRegistry\DOMStorage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Zoom	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\wwi.lanzoup.com	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\MigrationTime = c7407ea65a45d901	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\UUID = "{CA78D920-D788-40DF-B462-65E9AC440732}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\wwi.lanzoup.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\lanzoup.com\Total = "63"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url3 = "https://signin.ebay.com/ws/ebayisapi.dll"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{16F28BED-74DB-457E-9A95-75786E960C47}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\ChromeMigration\MigrationTime = c7407ea65a45d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\lanzoup.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "63"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\FirstRecoveryTime = c7407ea65a45d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\DatabaseComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\SharedCookie_MRACMigrationDone = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 3d15b2f9226fd901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ReadingMode\SettingsVersion = "2"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 01000000037f6e15bbeda096ad3d97c4047a7b97b34029749f78005be82c09790cfcb38baaca1420c0aabe8565268c142d5f5070b0b0b62e52c84981225e1395b10783cf27c7d6adc8548d596b48627cfaea584c434c0601ec63bb458afc	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3346939869-2835594282-3775165920-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdgeCP.exe

NTFS ADS 1 IoCs

Processes:

browser_broker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\CZ.zip.3zrc46u.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

cmd.exe

pid	process
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe
2132	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

992 MicrosoftEdgeCP.exe
992 MicrosoftEdgeCP.exe
992 MicrosoftEdgeCP.exe
992 MicrosoftEdgeCP.exe
992 MicrosoftEdgeCP.exe
992 MicrosoftEdgeCP.exe

pid	process
992	MicrosoftEdgeCP.exe
992	MicrosoftEdgeCP.exe
992	MicrosoftEdgeCP.exe
992	MicrosoftEdgeCP.exe
992	MicrosoftEdgeCP.exe
992	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	4552	MicrosoftEdge.exe
Token: SeDebugPrivilege	4552	MicrosoftEdge.exe
Token: SeDebugPrivilege	4552	MicrosoftEdge.exe
Token: SeDebugPrivilege	4552	MicrosoftEdge.exe
Token: SeDebugPrivilege	3520	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3520	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3520	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3520	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2540	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4552	MicrosoftEdge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.execmd.exeMicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	process
4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe
4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe
2132	cmd.exe
2132	cmd.exe
4552	MicrosoftEdge.exe
992	MicrosoftEdgeCP.exe
992	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 4156 wrote to memory of 2132	4156	ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe	cmd.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 3520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 824	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 992 wrote to memory of 520	992	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe
"C:\Users\Admin\AppData\Local\Temp\ce9dcd1d760fdb5a9f5d0166a03d21acac1890b7db87f1f8f07e9db83e2eacaa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4552

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- NTFS ADS
PID:4516

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:824

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:520

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:4428

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\KIQVE9IA\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\ICHQ045F\t0[2].css

Filesize
7KB

MD5
735162b4e97db624744f254af254af29

SHA1
bb3aeb0132f119c149dd8c45dd7cc9d5817bb2e3

SHA256
1cc95374d6491f2a6186eaace874eb9edde3bc590ae0138842bb739ca7719b2d

SHA512
3610f614e88ced1191da157d3e2f76719ecc79e2e8c6778e3ba9874665dd73622030cc7c7137315db81366c82fd440ac2a57a70de1f647aac3d5f40cd62b5981

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\TPQ05ZA7\favicon[1].ico

Filesize
1KB

MD5
e2a12d30813a67034ecef52f8f5447d9

SHA1
87cbf0958c40d8c61c591020fae3f5e2b5dfb6de

SHA256
22489aa1578915c922e7d16566a5b926a6c430961f3327e90f0b10dad21f0781

SHA512
f9743821b5f4a1253e600813a3ffc81ee37bdc0774379227f9b5dfb2fd7aad3270b01246580fd73e8d42cc0611b6d4078ef09b4b53f2edb2cc6cfa2c83d54c48

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\CZ.zip

Filesize
3.6MB

MD5
bea1439d81663f4e51180dcf9b419baf

SHA1
313799a52b531c3a946731b6797e8206eb839609

SHA256
e2cf942f950916b6f82026da9b9693adece14833ce696b6b8b67c3fcf6a7fbe8

SHA512
8a12a4752ab8ee8d63faf7cee8db56dcb9621094a3bc6c8f86fff3521801fa8e070bdff354f7c9c4d8de3b1d438ea38bb2de4243908ff1789e200c44b31adb9d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\CZ.zip

Filesize
3.6MB

MD5
bea1439d81663f4e51180dcf9b419baf

SHA1
313799a52b531c3a946731b6797e8206eb839609

SHA256
e2cf942f950916b6f82026da9b9693adece14833ce696b6b8b67c3fcf6a7fbe8

SHA512
8a12a4752ab8ee8d63faf7cee8db56dcb9621094a3bc6c8f86fff3521801fa8e070bdff354f7c9c4d8de3b1d438ea38bb2de4243908ff1789e200c44b31adb9d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\CZ.zip.3zrc46u.partial

Filesize
3.6MB

MD5
bea1439d81663f4e51180dcf9b419baf

SHA1
313799a52b531c3a946731b6797e8206eb839609

SHA256
e2cf942f950916b6f82026da9b9693adece14833ce696b6b8b67c3fcf6a7fbe8

SHA512
8a12a4752ab8ee8d63faf7cee8db56dcb9621094a3bc6c8f86fff3521801fa8e070bdff354f7c9c4d8de3b1d438ea38bb2de4243908ff1789e200c44b31adb9d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\N3253Y1C\CZ[1].zip

Filesize
15KB

MD5
faa09f61454ab414dac3c98102d48b30

SHA1
70b5cace095c5aecd153b43486288b29f8357d16

SHA256
61988356ed680930074904af0f292b70c7c94c309b645efa5d2efbd4da9fb6ca

SHA512
94a192831af56b4a2516a88ecbfda3a8548ea343177ce1b23ca2b78e907c08e6257e4618a5de1696695a8865e8bc4f7f94177dab9253407a74f863b9984b608e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\N3253Y1C\bd[1].js

Filesize
258B

MD5
f6533028e6d965aecc218460acbd4f21

SHA1
f8569a0e9d0672e9013d23b1574db06a9b97cfd6

SHA256
a57b4a9c1aae1743d9953c45a31d008cfb3ca0b414c8bdd1fe854dd404280e72

SHA512
41de09df9886dec3b6d7c7bf098a235494980e244aeeed6a7f91431f9c553475b70216f128a64b63c3532801b4fbaf4216c3615d076b57ef72029dcf15e8f620

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\N3253Y1C\hm[1].js

Filesize
29KB

MD5
9af45561bd61795c9bf6f94fd995e9c4

SHA1
f9d509e67f1c8a328f48809642c41d7e2e296cee

SHA256
c641a818e0b2bb9253fe031503a187be5d2306f6dc68965de2753bd4347651c3

SHA512
75f41427b6dbd99f70586514e2fbfb248e40990c5b99e7921aa3752538c31209878d5a54e03fcce17c6392d563e5b173307807020ca22ea425732e1f1d1a6606

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\PNVG5WD6\jquery[1].js

Filesize
30KB

MD5
48ee178e3149e6218973a42f6c334e3b

SHA1
53c0da9cb7d5cd77cc0ad91c1b756b484381ac73

SHA256
6bc21e325f9e92c5571194ff99852960f3e85876f69aaf05579c1e83ea2a0422

SHA512
da4a944be0c65971a39991a2f1f582abd1369a9b02fe666b08f6b784e6ae907df3a34577224ed61baba457bf590603d01f2097111c62dd3fddcd38b7a36a872a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\AP98JH4Z.cookie

Filesize
185B

MD5
aac89bb8337c7bba8afa51d5f5377597

SHA1
ecd5d234f34973816049f7304a3170fadba2a9f5

SHA256
ba7eb19cf110fa027137a84fa6f90ceb50a8c159f61be9ceb6015a6072c21851

SHA512
b0eeb7371dd1959cde3b5d9633106822a709a286d554b63d9fad1b6484cefe585a499d8c3371fbeff1e88d72787fca2bead8409fc9c02aee8ffa60c200e353ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\EXTFYAI3.cookie

Filesize
391B

MD5
887ba7676c66c9f1082a19f4af970afa

SHA1
734b56bb7bfc06371482a02a25f35e3f1bdd8338

SHA256
7b382ffcc79b1c46127cbea365ebdb80ba6d509b556f6814a54040fd2cc06069

SHA512
661e2724e3d3eeb8785e8a4bc043cc8e866a3b512ca761b16f13fd387f8380d14028bcef68cfde07a09a7d2403a5125a5eca45680b8e451bf656ff5702996152

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\IA6BGK68.cookie

Filesize
72B

MD5
aa836887a73102da22fa3b9528fb21d4

SHA1
c8bd8a8ca3d5ddd61d889e4ec1179c080db37aa0

SHA256
a7a94c7fc3d87d1dacfa0ccfab6f22953952516b3f3a45d21d9ecd330d0a6210

SHA512
377489639504fc2348ff6a3c59eaa51af4f9e183823f42db3dff86249930aad8681c2475b500032c6d4c54e9f5fe66bbaf3c09dda60e8274772c6d9d57e2ae18

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\T1VETA61.cookie

Filesize
194B

MD5
724cc9313de77db24f40b026486adb81

SHA1
208a91858dccf53d0e83b26c990b6cfb2e366161

SHA256
42d76c53db6a4bfe5275ff41d0230e8e9da245e3100d7b8709295472b879e416

SHA512
065e4d0be3fc81f61a0786bb50c2c87093d5214cf3b6b09e92f12e05743e93f99f2331237f0b137e33c1221cf1bc71fd5fd098bbaee6c09fc99876bee502baac

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\TR34ZXSH\wwi.lanzoup[1].xml

Filesize
137B

MD5
8c5dc759f72f204f9fbf6ed56ea3920a

SHA1
b00ab4b9921346a109fb94a84e650e77c197bf9a

SHA256
ed74bd54548e183f27832933671542522a14e1137bf20017be88b50da40236fe

SHA512
fe461d7a03da1ed912dbf9eaaf92ae80e20bf8113d9c7cf70044a1829d7740bd4932cce58ff96375c6be63dffda635108c0fc235fbfb397a1554571f47a6f7dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\TR34ZXSH\wwi.lanzoup[1].xml

Filesize
137B

MD5
0d055eac2386c01cbf2dad4f92ef8452

SHA1
72d1532ebfb9166abf75bceb79f1c198df35f5d3

SHA256
eaf9c3f521a1d87f5e373d4321b465c893f8a93a0f2e0c43854259ceafb5a6e2

SHA512
7cd119dadec591c7e4d35b37beab4b3eda2aae28e35946041bc1e0ac4f84101a4c45f559f4221b73d69ba44d01aad8db3f561d578c150460e58335cb210a1f36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
1KB

MD5
a5e6c7344987bb18b476f31c2f2b58e4

SHA1
3a18a64cfd39299f428359641f4c50dfdf713f88

SHA256
1d70d21c8e5add99988779bce8af145da76baa2c1d21684a53ea0a656454f6fa

SHA512
3c6c118ac7e1faf5918a7cae21132fd6bfcdf6935d16b734259e641f06468278611d85b9d136de77bedd240672a5565ef668b695d4c19cffecc466dc35a160a8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C

Filesize
1KB

MD5
4013036aba574bd048ba58ea663cf8cd

SHA1
5ad1d428bcd32ad23ba316047f69db9c5f23476c

SHA256
f2bf623b9c1a0f9a463ea9c1d0a7709b409e0f1f4df2472b8f86c0577ca21d5e

SHA512
10933f46e60745bece2c0f14db012ca5058e68eba39de71470378ad0897041a9186dadb3fc741c227c4c6b52d51504d9fe5a748ba35dc60fe26d6abb3c8aa6a5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
1KB

MD5
fa670f5aec77348d2796cfc52a58f7f1

SHA1
052adf3812b930a4f24de8cd17b63929a5cfd798

SHA256
3b14ab471efc212e39c0156f2e857d5bef2bee95031843fa1363adfd0b4a0f3d

SHA512
f9f6852dbcda3eb946698d3d94a12c000fc3876a55f924e28737d110494119bcb97437107ac0883bd2981f28ac571a10bd21d26b91cd663abaa65b7652b8a3bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_4FB671D7D2E90DD5F9C49160E26552F9

Filesize
1KB

MD5
8a88c2ee2ebac7df51a9ed9ecc60c27e

SHA1
38aa331c141a7e040e0498a93673bddc1ea709a8

SHA256
5265e45003d39f039266b26f788dcc97784129abdcc28007aff061747d793825

SHA512
9039d054bec70cf4adaf32cace42b22bb6fe0f33d0e1a168b9d5e86f51d8fc97424ea13dbafa239c0900a699dc179bd8c3df6f7906e1b78f573a286e35743697

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_F27DDA895271D0BD5772905407A3DEC9

Filesize
1KB

MD5
33868daf94f423ce3d818c468aac8b65

SHA1
dc99d6fef5e2672634c28aedc565f7590da45eb6

SHA256
83ec6576c85537169960a35818d3080be2addfb4a6399a893b76db20b1cdf684

SHA512
8e4f1315da8a93543e7151b7b9eca0610672c78970a945abe253eb006b760364a11c153e6afc241bb14661e693f0f98529268023f8edd99b6d0c1ab82a2d2f9d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
1KB

MD5
ae89221037f321c7d3857165b5f362a5

SHA1
4f086520bf08d5e9f5d2e9c2bc4c60f6d72c468e

SHA256
bb3ac3a41db268a668dd8986e11f2f287338523a5e21cefbc65d98ac43f5d2b3

SHA512
8d9026e9607b2e029b2d02b949694b21dc499bf78df680fb4af7189616bef83dafcf035129870f86f6bec56f9a209e2d31fd472aa0069437c78b6c49eb910d89

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_4136D3715888E22D65EBE484B233D81B

Filesize
508B

MD5
b1af0f84dd0bd9fac6ba058b810f7b46

SHA1
95f01496352788b55a8472179145f2b3afe0bc1c

SHA256
1dea6a2515efa3dabe91af29949de03b47d121620858922ab465bd6199b3d595

SHA512
584b081d8ec52b05521ea6f4dd9af91bbd5ce764e23fbdbd814fcfc853fe985e85f70c7843ecb8482d17f512f43cf80deef2fe769c20e6101b94ab03a73daa98

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_96EEC010953ED454BBCDFA69FC071E7C

Filesize
516B

MD5
5938fe6e4997e1909958567c90f956f6

SHA1
cc768dadd0851a2bf100e099c6d3bd5737602b46

SHA256
f261f5f75d246497ba3043c06ad3f0572f100cd450a59fc639d24853c6e3143d

SHA512
03ab1a9350de258f8df4176826e2ae8f16c843252e95811dc4ae4a14307ddc552837f737807323c70336898414df6ce0ddd217629852eddd19874d7b96833969

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\349D186F1CB5682FA0194D4F3754EF36_97A2CB43E01F27293633B7B57353C80B

Filesize
532B

MD5
3482e76016254977711be7d582b1ffec

SHA1
b3fc8f576e0826df876d689effc77ebf10b4bf2b

SHA256
a5e39113a25e9867c57c3a00ca1ba3dd6e813601c19e5c41dff028a319598551

SHA512
0d06330c84f87d7a7a05db04aee5a25c25f808118f3c9924c8b180ab8326d0e483c96d7d6a162c1095e2af1b12d5709f109351f9cf217d4847715312fec44a9d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_4FB671D7D2E90DD5F9C49160E26552F9

Filesize
524B

MD5
43f41b9372354b7bdff816281522863e

SHA1
23dde97cc04b629494fcee8d097e378f90a233b1

SHA256
683e724d276d3f839ab6712d6d26e6e95b6f3a865acdfddb6e39a856daf356af

SHA512
a83b8a587c8a0de5cba51a1228974730e906390f043f2c9ccf635c25a1054949f535f67eeae70bf8b007fa3a638856b6e5f0a9fdd47e75e3a2e18e22c2f83edb

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\4B3D1CD03E2BE9D4F9CDDE390F5EFE31_F27DDA895271D0BD5772905407A3DEC9

Filesize
532B

MD5
cc1b99e6a13010fd4e78e69d2e1ba578

SHA1
84573f331c8df8fe6a0ed61b2f752122b6c75961

SHA256
2cd0401daa07df540bcb1c3ca1728a3ea7fa4dd11d8b90d12058549c1a36ea93

SHA512
f3fa09294b06ab07a4c6831ab346e360edc8d1add182b51aec5cd8cd4c2064bab6bcae223c27e2d083acede98bfcebb938057e3a4fb77a58acdff6abfd5c3c19

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_50D7940D5D3FEDD8634D83074C7A46A3

Filesize
506B

MD5
d3f65fb006523c37caab6bd05e9f6730

SHA1
970277135f557d64605ec91949e86559895487da

SHA256
4c546cb7a74e9dbf0985804d8da94f9e6a7caf55525daa635d9e52c40b5376c4

SHA512
aa44355b19787c76751023c6f28890940c5fd2f07c450eff00e9df0ba1079269a89a6628953e3a8635cd0029cd3608616d1503a2815802c018e501abcbb7b848

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.pri

Filesize
207KB

MD5
e2b88765ee31470114e866d939a8f2c6

SHA1
e0a53b8511186ff308a0507b6304fb16cabd4e1f

SHA256
523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e

SHA512
462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d

Download Submit
memory/2132-123-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2132-122-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2132-121-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2132-127-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/2132-128-0x0000000010000000-0x00000000100D4000-memory.dmp

Filesize
848KB

Download
memory/2132-120-0x0000000000400000-0x0000000000752000-memory.dmp

Filesize
3.3MB

Download
memory/3520-197-0x0000011D99E70000-0x0000011D99E72000-memory.dmp

Filesize
8KB

Download
memory/3520-229-0x0000011DADD00000-0x0000011DADD02000-memory.dmp

Filesize
8KB

Download
memory/3520-291-0x0000011D99E80000-0x0000011D99E82000-memory.dmp

Filesize
8KB

Download
memory/3520-289-0x0000011D99E20000-0x0000011D99E22000-memory.dmp

Filesize
8KB

Download
memory/3520-287-0x0000011D99E10000-0x0000011D99E12000-memory.dmp

Filesize
8KB

Download
memory/3520-192-0x0000011D99E20000-0x0000011D99E22000-memory.dmp

Filesize
8KB

Download
memory/3520-293-0x0000011DAA5E0000-0x0000011DAA5E2000-memory.dmp

Filesize
8KB

Download
memory/3520-195-0x0000011D99E50000-0x0000011D99E52000-memory.dmp

Filesize
8KB

Download
memory/3520-225-0x0000011DADB10000-0x0000011DADB12000-memory.dmp

Filesize
8KB

Download
memory/3520-223-0x0000011DADB00000-0x0000011DADB02000-memory.dmp

Filesize
8KB

Download
memory/3520-221-0x0000011DADAB0000-0x0000011DADAB2000-memory.dmp

Filesize
8KB

Download
memory/3520-219-0x0000011DADAA0000-0x0000011DADAA2000-memory.dmp

Filesize
8KB

Download
memory/3520-217-0x0000011DADA80000-0x0000011DADA82000-memory.dmp

Filesize
8KB

Download
memory/3520-214-0x0000011DAA700000-0x0000011DAA800000-memory.dmp

Filesize
1024KB

Download
memory/4552-247-0x000002E780E00000-0x000002E780E01000-memory.dmp

Filesize
4KB

Download
memory/4552-248-0x000002E780E10000-0x000002E780E11000-memory.dmp

Filesize
4KB

Download
memory/4552-175-0x000002E7FD9E0000-0x000002E7FD9E2000-memory.dmp

Filesize
8KB

Download
memory/4552-174-0x000002E7FD9B0000-0x000002E7FD9B2000-memory.dmp

Filesize
8KB

Download
memory/4552-172-0x000002E7F9520000-0x000002E7F9522000-memory.dmp

Filesize
8KB

Download
memory/4552-170-0x000002E7F91E0000-0x000002E7F91E1000-memory.dmp

Filesize
4KB

Download
memory/4552-149-0x000002E7F9700000-0x000002E7F9710000-memory.dmp

Filesize
64KB

Download
memory/4552-133-0x000002E7F8E20000-0x000002E7F8E30000-memory.dmp

Filesize
64KB

Download