3520dd9ebad9498685a28bd3ea52fcb61732b75f314fa501948b91e5bece39bb

Resubmissions

22/05/2023, 15:51

230522-tazdysca7s 5

22/05/2023, 15:46

230522-s73l7shd42 4

Analysis

max time kernel
649s
max time network
532s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2023, 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

17KB
MD5

e0f60606773d0775b7195023bfced4d3
SHA1

19ab2c158865f67131d1c02d10df4653e1f1cba7
SHA256

3520dd9ebad9498685a28bd3ea52fcb61732b75f314fa501948b91e5bece39bb
SHA512

ed487512b89b3a64eea0351c0586f6844df72a18f474b7f914601b92064888dc8e435f335ff1d4b533450417e8ab4f6d5fd1211f1a8048101273ba73be98fb99
SSDEEP

384:rHMKIL8DpmRgVoOsKTElKeGM7U3Hhhb22p7X28B2XBJCBXQL:rHdIQfVoOsKgI1MeBhbx5nQJQQL

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	msoobe.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	msoobe.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	windeploy.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	windeploy.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	windeploy.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	windeploy.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	msoobe.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	msoobe.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	msoobe.exe

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	dwm.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	dwm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	dwm.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	provtool.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	provtool.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	provtool.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	provtool.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	dwm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dwm.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 5 IoCs

evasion

pid	Process
3672	taskkill.exe
4760	taskkill.exe
1588	taskkill.exe
5000	taskkill.exe
3456	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Internet Explorer\International\AcceptLanguage = "en-US,en;q=0.5"	msoobe.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000010\Virtual Key = 20000000	msoobe.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000202\Target IME = 00000000	msoobe.exe
Key deleted	\REGISTRY\USER\TEMPKEY\SOFTWARE\MICROSOFT\CTF\ASSEMBLIES\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	msoobe.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Control Panel\Input Method\Hot Keys\00000071\Target IME = 00000000	msoobe.exe
Key deleted	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\CTF\Assemblies\0x00000409	msoobe.exe
Key created	\REGISTRY\USER\S-1-5-20\Control Panel\International\User Profile\en-US	msoobe.exe
Key deleted	\REGISTRY\USER\.DEFAULT\CONTROL PANEL\INTERNATIONAL\USER PROFILE SYSTEM BACKUP\EN-US	msoobe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000011\Target IME = 00000000	msoobe.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000012	msoobe.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000200\Key Modifiers = 03c00000	msoobe.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\CTF\SortOrder	msoobe.exe
Key created	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\CTF\SortOrder	msoobe.exe
Key created	\REGISTRY\USER\S-1-5-20\Keyboard Layout\Toggle	msoobe.exe
Key deleted	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\CTF\SortOrder	msoobe.exe
Set value (str)	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	msoobe.exe
Key created	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\8	msoobe.exe
Key deleted	\REGISTRY\USER\S-1-5-19\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	msoobe.exe
Set value (data)	\REGISTRY\USER\TempKey\Control Panel\Input Method\Hot Keys\00000201\Virtual Key = 4b000000	msoobe.exe
Set value (data)	\REGISTRY\USER\TempKey\Control Panel\Input Method\Hot Keys\00000203\Target IME = 00000000	msoobe.exe
Key created	\REGISTRY\USER\S-1-5-19\Control Panel\Input Method\Hot Keys\00000203	msoobe.exe
Key deleted	\REGISTRY\USER\S-1-5-20\SOFTWARE\MICROSOFT\CTF\HIDDENDUMMYLAYOUTS	msoobe.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	msoobe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000072\Target IME = 00000000	msoobe.exe
Key deleted	\REGISTRY\USER\S-1-5-20\CONTROL PANEL\INTERNATIONAL\USER PROFILE\EN-US	msoobe.exe
Key deleted	\REGISTRY\USER\S-1-5-19\SOFTWARE\MICROSOFT\CTF\TIP	msoobe.exe
Key created	\REGISTRY\USER\TempKey\Control Panel\Input Method\Hot Keys\00000202	msoobe.exe
Key deleted	\REGISTRY\USER\TEMPKEY\SOFTWARE\MICROSOFT\CTF\TIP	msoobe.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\International\User Profile\ShowShiftLock = "1"	msoobe.exe
Key deleted	\REGISTRY\USER\.DEFAULT\CONTROL PANEL\INPUT METHOD\HOT KEYS\00000203	msoobe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = 20000000	msoobe.exe
Key created	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts	msoobe.exe
Key created	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\15	msoobe.exe
Key deleted	\REGISTRY\USER\S-1-5-20\CONTROL PANEL\INPUT METHOD\HOT KEYS\00000201	msoobe.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000011\Target IME = 00000000	msoobe.exe
Key deleted	\REGISTRY\USER\TEMPKEY\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	msoobe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000071\Virtual Key = 20000000	msoobe.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Control Panel\International\User Profile\ShowAutoCorrection = "1"	msoobe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000203\Key Modifiers = 03c00000	msoobe.exe
Key created	\REGISTRY\USER\TempKey\Control Panel\Input Method\Hot Keys\00000104	msoobe.exe
Set value (str)	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\16\IEPropFontName = "Vani"	msoobe.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000071	msoobe.exe
Set value (data)	\REGISTRY\USER\S-1-5-19\Control Panel\Input Method\Hot Keys\00000011\Virtual Key = 20000000	msoobe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	msoobe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	dwm.exe
Key created	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\CTF\HiddenDummyLayouts	msoobe.exe
Key created	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\38	msoobe.exe
Key created	\REGISTRY\USER\S-1-5-19\Control Panel\Input Method\Hot Keys\00000070	msoobe.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\CTF	msoobe.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dwm.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	dwm.exe
Key deleted	\REGISTRY\USER\TEMPKEY\CONTROL PANEL\INPUT METHOD\HOT KEYS\00000203	msoobe.exe
Set value (int)	\REGISTRY\USER\S-1-5-20\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	msoobe.exe
Set value (str)	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\39\IEFixedFontName = "Mongolian Baiti"	msoobe.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Control Panel\International\User Profile System Backup\ShowCasing = "1"	msoobe.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys	msoobe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000104\Key Modifiers = 06c00000	msoobe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Input Method\Hot Keys\00000201\Target IME = 00000000	msoobe.exe
Key created	\REGISTRY\USER\S-1-5-19\Control Panel\Input Method\Hot Keys\00000010	msoobe.exe
Key created	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\10	msoobe.exe
Set value (str)	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\37\IEPropFontName = "Leelawadee UI"	msoobe.exe
Set value (str)	\REGISTRY\USER\TempKey\SOFTWARE\Microsoft\Internet Explorer\International\Scripts\28\IEPropFontName = "Gadugi"	msoobe.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	msoobe.exe
Key deleted	\REGISTRY\USER\S-1-5-19\CONTROL PANEL\INPUT METHOD\HOT KEYS\00000071	msoobe.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Control Panel\Input Method\Hot Keys\00000071\Key Modifiers = 04c00000	msoobe.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3904	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1840	powershell.exe
1840	powershell.exe
1884	msedge.exe
1884	msedge.exe
736	msedge.exe
736	msedge.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4620	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
736	msedge.exe
736	msedge.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeTakeOwnershipPrivilege	2448	msoobe.exe
Token: 35	2448	msoobe.exe
Token: SeBackupPrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeSecurityPrivilege	2448	msoobe.exe
Token: SeTakeOwnershipPrivilege	2448	msoobe.exe
Token: SeBackupPrivilege	2448	msoobe.exe
Token: SeRestorePrivilege	2448	msoobe.exe
Token: SeSecurityPrivilege	2448	msoobe.exe
Token: SeTakeOwnershipPrivilege	2448	msoobe.exe
Token: SeTakeOwnershipPrivilege	2448	msoobe.exe
Token: SeDebugPrivilege	3672	taskkill.exe
Token: SeDebugPrivilege	4620	taskmgr.exe
Token: SeSystemProfilePrivilege	4620	taskmgr.exe
Token: SeCreateGlobalPrivilege	4620	taskmgr.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	1588	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeCreateGlobalPrivilege	1712	dwm.exe
Token: SeChangeNotifyPrivilege	1712	dwm.exe
Token: 33	1712	dwm.exe
Token: SeIncBasePriorityPrivilege	1712	dwm.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeShutdownPrivilege	1712	dwm.exe
Token: SeCreatePagefilePrivilege	1712	dwm.exe
Token: 33	4620	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4620	taskmgr.exe
Token: SeShutdownPrivilege	1712	dwm.exe
Token: SeCreatePagefilePrivilege	1712	dwm.exe
Token: SeShutdownPrivilege	1712	dwm.exe
Token: SeCreatePagefilePrivilege	1712	dwm.exe
Token: SeShutdownPrivilege	1712	dwm.exe
Token: SeCreatePagefilePrivilege	1712	dwm.exe
Token: SeShutdownPrivilege	1712	dwm.exe
Token: SeCreatePagefilePrivilege	1712	dwm.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
736	msedge.exe
736	msedge.exe
736	msedge.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe
4620	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 736 wrote to memory of 3004	736	msedge.exe	91
PID 736 wrote to memory of 3004	736	msedge.exe	91
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 3584	736	msedge.exe	93
PID 736 wrote to memory of 1884	736	msedge.exe	92
PID 736 wrote to memory of 1884	736	msedge.exe	92
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94
PID 736 wrote to memory of 4664	736	msedge.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell start shell:Appsfolder\Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-redirect=Windows.Launch C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffec43446f8,0x7ffec4344708,0x7ffec4344718
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7229262717854691960,8396203217024686852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7229262717854691960,8396203217024686852,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7229262717854691960,8396203217024686852,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7229262717854691960,8396203217024686852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7229262717854691960,8396203217024686852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:4592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3908

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SussySystem32.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:3904

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1932
- C:\Windows\system32\help.exe
  help del
  2⤵
  PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c del /?
    3⤵
    PID:4156
- C:\Windows\System32\oobe\windeploy.exe
  windeploy.exe
  2⤵
  - Drops file in Windows directory
  PID:2076
- C:\Windows\System32\oobe\msoobe.exe
  msoobe.exe
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:2448
- - C:\Windows\system32\provtool.exe
    "C:\Windows\system32\provtool.exe" /turn 3 /source OOBE
    3⤵
    - Checks processor information in registry
    PID:3360
- C:\Windows\System32\oobe\FirstLogonAnim.exe
  FirstLogonAnim.exe
  2⤵
  PID:2824
- C:\Windows\system32\taskkill.exe
  taskkill /f /im System32
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3672
- C:\Windows\system32\taskkill.exe
  taskkill /f /im msedge.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\system32\taskkill.exe
  taskkill /f /im dwm.dll
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1588
- C:\Windows\system32\taskkill.exe
  taskkill /f /im dwm.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5000
- C:\Windows\system32\taskkill.exe
  taskkill /f /im start.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3456

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s dmwappushservice
1⤵
PID:4008

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4620

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SussySystem32.bat" "
1⤵
PID:2752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\SussySystem32.bat" "
1⤵
PID:1768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3084

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\39a3f4705ef5dc4f9880eb40e54ac422

Filesize
271B

MD5
d6650e3886f3c95fb42d4f0762b04173

SHA1
1da4b8bb6bb45d576616ad843cf6e4c2e9d4784b

SHA256
9101f028c2288850be393281297500902b297c8b6ecf793292678b04a72709c9

SHA512
1f82db4bd6ea401bb5610c21ed48848b9b61c55aabb4efada31dc677835b8e4451045006c4067e9cc51267a1c861765b49c3b3ab4c568be1dca0c0109fd8ceaa

Download Submit
C:\Users\Admin\AppData\Local\CM2C354.tmp

Filesize
1KB

MD5
02b6f33726625278453aab2c569e21dc

SHA1
5fa6f8ec54062e065cd5d3fe0c58e4f17d34baf6

SHA256
c124d9a92cf6193140d7a103d897a01727738ab30671ec263c33be7e72dd7986

SHA512
90824f21768f940355d9b442dee23630a5e30e07706ca808d8a42381169d78d690b2f996de7fa778bcf55b931b5335e28d817e71f2bb316af6e8ef93d20763ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
462f3c1360a4b5e319363930bc4806f6

SHA1
9ba5e43d833c284b89519423f6b6dab5a859a8d0

SHA256
fec64069c72a8d223ed89a816501b3950f5e4f5dd88f289a923c5f961d259f85

SHA512
5584ef75dfb8a1907c071a194fa78f56d10d1555948dffb8afcacaaa2645fd9d842a923437d0e94fad1d1919dcef5b25bf065863405c8d2a28216df27c87a417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d2642245b1e4572ba7d7cd13a0675bb8

SHA1
96456510884685146d3fa2e19202fd2035d64833

SHA256
3763676934b31fe2e3078256adb25b01fdf899db6616b6b41dff3062b68e20a1

SHA512
99e35f5eefc1e654ecfcf0493ccc02475ca679d3527293f35c3adea66879e21575ab037bec77775915ec42ac53e30416c3928bc3c57910ce02f3addd880392e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8727dc58-0a99-45e6-a433-7b9f5bfdbf78.tmp

Filesize
24KB

MD5
945dc19d27eae064a025fba5c627b4b2

SHA1
2a49253adbcb1696bd12e973f8830eb8a41d9bcc

SHA256
99b6168866ab08089da33a7aa6fef7ac31324c387e9ede764ac81be9b29d3cfd

SHA512
db69c33c2180d6aa45dd93e79a9062dbf4720064efc2f9feb0128feef264faaec28d632e988b1b8b168283704e5650de942abb12f391a17ff30eb9eb106d730e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
42f45fe60d4fc7b74fca481a35dfb6dc

SHA1
cc94dbd2fc84990d3ca849deedbe78d37331c735

SHA256
0ff81bfe8be0518d8f0d6ac60e1782d0c04745701c9ec549404fddf3e0604f8f

SHA512
c8855091db9b73ca924a8d3c8c84edba9bc5cc4766816872561d7f2b0d09874636247db6f82815f3d8dfd7a2202e8d664f7b8668925af166cb3e4b01163a2bf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
d168037bb028d7c29b8f19582e95af74

SHA1
6abd1f57c1cb2802f41ad996598c334558f93492

SHA256
7e8eb94774b9c5e89897f7e1896e8f6cdfca6b9120f52e780836e404d0c35efb

SHA512
d1133038a3262b05ea36d3d91d63d0a048bbe35b466cc90941ae5295f255fad81e90a4109e621a58deaec8be09e5a9d42dff109f0f695350111501d80f5a7b74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
259631748287c1b63f279d7fa3db7d03

SHA1
4b9322d2550349009f962e921e3d199e84f5aa89

SHA256
f069c6989b3a948abc78d3ba620a5eea759d619d5a41d09f36cf728cd46f0eb2

SHA512
149a7c9ae545df4e66d939656af975c962a4f5bfa074afaf5d1b30f493449892b836d68f065083d5649b7603bc1f3001e23f0ae64141795f30fb3175ce984f53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
951a7f42cd4ee2e8d6ec9fe25382aa33

SHA1
bbccfa15b95721bf89ba7ade11cad939d94241a0

SHA256
5de1c82a47d4ff6446d3350a0f7899797bdcfc3105ef61adcee3d407526ef45f

SHA512
d32d539227e8b67ff1abe07538e85dc8e33e1b4cc46547ae00257ac73a61a657c850c62ba08c8b84f66d940003f8fd5acc68b0a50631f752d91f093a38b39d2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
130644a5f79b27202a13879460f2c31a

SHA1
29e213847a017531e849139c7449bce6b39cb2fa

SHA256
1306a93179e1eaf354d9daa6043ae8ffb37b76a1d1396e7b8df671485582bcd1

SHA512
fbc8606bf988cf0a6dea28c16d4394c9b1e47f6b68256132b5c85caf1ec7b516c0e3d33034db275adf267d5a84af2854f50bd38a9ed5e86eb392144c63252e01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
5e326447332b0a50f4a2ccf3866667ee

SHA1
16b94b9c90b9ab7ab4fb22aa05c3476649464558

SHA256
df755c06dea8dbb396aecef1d5a9698c66d9bf327f9b2244d3598ee15aa069fa

SHA512
6189ede86399c31a735058ee3aaee93d19ca9e562317d814ff9589974cb631a9e887f2bd98f1aea9b1e9243eacff5de7cd849d1c8fe94db7f19b3ac44d07bb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mtuyvwx5.kzu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58c984.tmp

Filesize
1KB

MD5
2412af2bc0209d5edcb0277f1aa5ef0c

SHA1
0b33f3b900f900cf4406257050d21028d96917cf

SHA256
44aca418c5a7b98269f76e74cc7950dcbdf8ce97d0e6eae874935b57e7352769

SHA512
5e62e028b8b134405d126c17d37d6a7eccd1fea38f445c66b6c9f3c1d0dfd7509680ef156169da99479b3f47de47ccb63e48959c9b56c24a84a5c298cb13c267

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58c9b5.tmp

Filesize
1KB

MD5
fd9c9e81bec6a32441eba036085783f8

SHA1
7d435c85f7c9698fc4e8ad11bcfda676bdb7f854

SHA256
cb13ac91d5090a3c2eb28370fa4a49d04a2f040b32ffe218d39835ced0bc4e80

SHA512
a120338d51c9ac373b12a0b840eaf171e16345a30b468910ed83034d880d96441703030ebcdb261f06de523284f2031198f64bad1faf464667ac0a3ae17887e9

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58c9c6.tmp

Filesize
1KB

MD5
ef60b1e5680dc58f03614b6753fe36cf

SHA1
85c1c3f4152066f5e337f5cbd98f956d30fb3b63

SHA256
b419e496e0aa5d06eece63b9aa51323745315a0021e52c3cb0e0b7f7a055990e

SHA512
abffd69a53d2e79f9d31e5303ec43431a1f1104230a93ab561fcf59c5ae8792338eab798dd973926f15f56cfdb35d7ddaa9c37fd51dc75b7a0b156d788d285ad

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58c9d8.tmp

Filesize
1KB

MD5
e89a01a7674dd0d02d762b0fdf6740b9

SHA1
de588cb1c9c6cf02ff7a0308c8b0f07eeaefd4f7

SHA256
529a3303129f50d269bf7fa996481021be04491d193cb2fefeb84bb68425567c

SHA512
e5ae7b89a5eb8db4a024362dd939f8597c9d0e70dcce2d78da68b6d01d8e5481e5046c34322bfbb97113e9361a27c456056d9723494a2753687d6e7d2317c085

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca18.tmp

Filesize
1KB

MD5
0a713c16e6a17f7947270c19fab74ec1

SHA1
73933e5e9c514e2d05cafddf0fb19614bd8a28b0

SHA256
728caf8935f8813f5adf49acac667cd3c5fc2a530c7d7ef12f811d4685068ac5

SHA512
530e59bc319661e4898f96461ff6846dda1059c6f29ef76c60f8848db1da0bbd0611594a58b55cd0cf4a90f72cb6ca44d3c022e8bad0a789316562b0841e4b4b

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca1a.tmp

Filesize
1KB

MD5
5cd85da8b06b7c6a227a9a264ab77339

SHA1
2afca2c49892951ff79125c58cb0a695ebfa3706

SHA256
bcde5269f804b99999887de75294130dd8c5ecff455c0c46718001f27cc5b5b3

SHA512
f0098220752f4c083c7e345a76f1d895c7113903ec4f1fd5271f4507cd300e88ae54d8ca1fd5f4336b362c1f6a933a75749df038d3464ef5d3c5dad3726cba30

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca2c.tmp

Filesize
1KB

MD5
9d5349d276fa1b45bedc0f80e1f18bbb

SHA1
350de333d324669e7aae791a9a73a1ab13bc41f8

SHA256
339ef8c16088ca438b0652a777df01ec1caf12543b23a61f80544ec94808c641

SHA512
3d406938f1ced7c447f3d075c66a7a611f457eb6406183c6f2002f0df7964b5d792980906b94ee0d18d4a767f2e976f18ce8a5dc7aa65cbefd99762c226969d2

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca2e.tmp

Filesize
1KB

MD5
2de6e471f06099da8deb8cfd6d201def

SHA1
d46d09a3f2696be725609dbb1aee69a4e51495d4

SHA256
076b2ba3bc2a75a063259b41fb64563ebeded4f67d32007a235f165276ed7c79

SHA512
3faa22955faebe42bde7c84db7ff5e95b5f3ba3b591bdbe7d4b5788a4d23317a62b4ab12ad688ca3d49824dc7ab001faf40183b5bee69d9c9539320f02cb2578

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca40.tmp

Filesize
1KB

MD5
bff25a0403a54a140068475a9f81f285

SHA1
6297282334956bd73f033bb1284e4ec5f032157c

SHA256
bed12ad855efd57c7b1cbfc1acf9e578ce839f67a31756e1b0fd34da1c5d7cef

SHA512
b7bdd181f75a52f7cce57b3863f27bcc68c596e371f475cb1bfd7acdddc8d6563e5e1876468edffcff2efe04a739f2c3e6dd62d301e0e8cc2cf3804a687b0892

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca42.tmp

Filesize
1KB

MD5
1d519d32b3ec40d433393a182847ed34

SHA1
9ad41fa7a02729d9e0b0b1566f8f9709d91ef999

SHA256
8e8b97b2d2c16f3d7fce26b2346cbfe0f5979d4a98febd70f5e6eff845d8532f

SHA512
958d015b23f4cbe9a7a92bdf87ab0a1efbd8f72455486ebe53eaddad806338232f78194c9279ad8c97c25e554fd678fabb6b0647c0baf17fbd745496c8f322a6

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca53.tmp

Filesize
1KB

MD5
5ed2be49ec9741c75b823d3ec602e94f

SHA1
f9c913d6e31d867f72462a25ad1bca8d75c32892

SHA256
ad516b5df04ebbc42e18547d0a5cea920e0bef68ec1d689543921d16a20cfc06

SHA512
5a33397840372bf3470a6c524436e37a332be2bb9be77c9ac6d697a559fa6ae3712750a9d8fa8e6a5eff5d8d98aae433d4d8d10be7422e124ef5f0c96cc4cc80

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58ca74.tmp

Filesize
1KB

MD5
1ec9cffef55983450a85e31e48273f6d

SHA1
3acd697823484ec5baf5e77d313ff32fd4872b18

SHA256
6301c080b44f3cdfce088a604791cf55dacef995c194783678871a9a49657307

SHA512
21c1e4a504c383543d9130fce3068906b12d7f1723feffd1056dbd3f4ffdbaa08e8f7b542fbdd9dedaa11fd47c652833ebef60f9df59654fd514510a6394223e

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58caa5.tmp

Filesize
1KB

MD5
08b8968fe873dc3ef343d020360a676e

SHA1
4ca3dfd1b178030887618b23657d2ac16e68e11d

SHA256
14062c99a72e9bfdb1f264d52663023ee1dc4587484418aa63b69497477a2176

SHA512
efbb1b0a4e3e4a2ddc5927f86142c2389d0cdfe7a880c18fbc6014d613fbf8fd570381546802c8c6414bc614381c48bcce11f409418d572346592a3de6eb33a3

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58cab7.tmp

Filesize
1KB

MD5
fabbba72015892a3756ee7ef70f2ec87

SHA1
e9077bdca9812c60a4ff0dbb88b201ec3eb0f033

SHA256
728795319d4adc917e3e20a73076e00ab9414783e917a8de1c6c131224098ae2

SHA512
46097b70c2021de890cef0922e0ab28c6bf32ab949e00983ccd07ea97e8865236bf3685bf53ac53e3028a56f5dc9a170cd03f66966b67d962b806446c1858a6b

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58cac9.tmp

Filesize
1KB

MD5
b9b93ff0f39d74b076eb7722594a0fbe

SHA1
031f37828b91a8bb4cb01b2c1752f876585430b1

SHA256
12b13dc7b4fee1fa8b1ce91d81bc9793d4d839fb8b62a4fa48868b5637d7a9cb

SHA512
18deafb76c108912235b837b8e3f2c914ae022ad78cf821c790b0a99bc499550b490b883a0c441a3436249a834cd2d84477302d5fdc5a7bca2124eda899e007a

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58cacb.tmp

Filesize
1KB

MD5
b68c2835421afbe69c48e9f25a462e0e

SHA1
2227ed0c5f260e3f75ec05752abaf3e609d0ef3d

SHA256
9a516b05e082675820ba7155184cd5baa2fd8eba88aa3773b516991aab377b1c

SHA512
8f211c79a2dda6692f3a2dc58e8ad90c07fe9e6578a2c91dfc4124ac565ae28f8fd36811b984c3859591cb2ec50e9b7a12dead7987ccc3b008286b3fe916f338

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58caec.tmp

Filesize
1KB

MD5
38008cbf267c2e36968c0d5a6f4dbbb0

SHA1
5d6e97263b676fa2fa25e5d05ba524ae0c0bedb5

SHA256
b93f8675f395cd5d6867b29875b85851bb9d92ed9f5d50ec20b5266ebf721d63

SHA512
865327afc339fdff916ecea404388318832844b2a01226195502adada4f516495ffac3b9c3a1682648dbe173ea33d86bbe2dc0c1ede1b92e105e69c1f9d4f722

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58cafd.tmp

Filesize
1KB

MD5
ac141d1d3f1f8344a5d28ab93984a4f9

SHA1
3d9fbcdfd4f78d4663bf5e9861b9c13c952a4f5b

SHA256
879fa86cd42f90d82db984ba86662d8ddf4a267340746bc0069044af9e7b62bb

SHA512
0422327f22740a664b91ed6831639b86ccc960940be4a35a593edcfaa8bb3c00be5362cc0f5979ff422bbaa2593130bda0de58c2c87a01a302d8553a408ed3c1

Download Submit
C:\Users\Admin\AppData\Local\tpm-d20-12dc-e58cb0f.tmp

Filesize
1KB

MD5
e552ed036c0bd82f7049202496647886

SHA1
bad1926a9f2b7941c9d70ab96a243a41dfa103c8

SHA256
0fd76bfd8de0c601240e426b535080752a2edd1d52ca93a73e59c35ee7b802a2

SHA512
bbbbddd900f420cf84a16630cd778db645ab09debfb662cb79dd28efea468a803b4dbd9055d56b7d52997f76a3ec6949d6801ea26374efe9bc8f5f5b455cb257

Download Submit
C:\Users\Admin\Desktop\SussySystem32.bat

Filesize
61B

MD5
7c645005dc2f1924a35479d2e22e72b5

SHA1
ed154fba56f7b1dfaeaed8b13b204edb03713385

SHA256
89aa425796f6702680eba1392aa109c9cdd4543e4e17b3dc93da3758642c735e

SHA512
100f086776f2b034625bd2fe65d454966a0d744dc68ac84c9b67587375732f689536079cf87639c6e2c8621f6628b2511404ec61067d54bddd95da20fbd8cf98

Download Submit
C:\Windows\Panther\UnattendGC\diagerr.xml

Filesize
9KB

MD5
d74b114d4bcaf67e15b4c652644f8fc5

SHA1
fad4d315b64140e708d8af1794660935403decd3

SHA256
191599af2bba1a8afc074c3abefc49d7401f7e5462778398d4637b91a3a91561

SHA512
160e25f6b1651c281f6fa53be49aa4c26b2c902b42608860fc834a6aa1b72d79d44c7484af84898c2be33f7bf3a909c8d30ed9748fcd45431a0d7bf9ac46c7b6

Download Submit
C:\Windows\Panther\UnattendGC\diagwrn.xml

Filesize
12KB

MD5
24bcf615b8ca5398277e2f6320930dc5

SHA1
7c685db0b79aac58df1ff41d2d18f42d57cdd717

SHA256
f2e95135280a831d775826ab4636951ed918935204b6a2be6d95a9efed3d4dc8

SHA512
1a7788fee7a607d3059c9f666e58f0e302a7d4402318ac328045ca3d2d9950960890d2b3ae66d1a9ec50c7850b5286204db13c28ca6dc4c7d086729132fea35f

Download Submit
C:\Windows\Panther\UnattendGC\setupact.log

Filesize
47KB

MD5
e8be766472012de30da5a1008d0e85bc

SHA1
7b72e1ce218a2f963e87beb688627cfef1402826

SHA256
4ce7651d8f35eabc206e1a575dcd9598cba3556c4c2d7329198105e908f134e0

SHA512
aa70b55d6d17e6bd49764216dca8a9428ed96ff93fc5dd0c0e5c554ec5b61fff467566318bda3bd9f5628a8ffd78c6c4c6dac66bddd5b46e2848b30727fd13ba

Download Submit
C:\Windows\System32\Recovery\ReAgent.xml

Filesize
1KB

MD5
a87eb5e2a7c2ba24203a9ef0a90b4ec5

SHA1
f916912753c34496dcf68caf023f3bb5599f47ab

SHA256
9a4e9ea283a7376f58e0ecf9e9e4eb8075e07b2680e784a9236709c5dce9491a

SHA512
59b1be8a3b7e61b18bbc4b1ececc2d9618c1c460d04bb4a9696f58d9968cf9afe9c4c4552ea39e6fe4fb63d0c4e81fa39308972a2b7f4c29cc197980801d9e69

Download Submit
memory/1840-133-0x00000296F8E80000-0x00000296F8E90000-memory.dmp

Filesize
64KB

Download
memory/1840-134-0x00000296F8E80000-0x00000296F8E90000-memory.dmp

Filesize
64KB

Download
memory/1840-144-0x00000296F8E50000-0x00000296F8E72000-memory.dmp

Filesize
136KB

Download
memory/1840-145-0x00000296F8E80000-0x00000296F8E90000-memory.dmp

Filesize
64KB

Download
memory/2448-370-0x0000019C22040000-0x0000019C22050000-memory.dmp

Filesize
64KB

Download
memory/2448-369-0x0000019C22040000-0x0000019C22050000-memory.dmp

Filesize
64KB

Download
memory/2448-368-0x0000019C22040000-0x0000019C22050000-memory.dmp

Filesize
64KB

Download
memory/4620-817-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-813-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-812-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-818-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-819-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-820-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-823-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-822-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-821-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download
memory/4620-811-0x000001694FA80000-0x000001694FA81000-memory.dmp

Filesize
4KB

Download