46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4

Analysis

max time kernel
134s
max time network
158s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
07/07/2023, 22:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
Size

12KB
MD5

e1ab7e9de0652813a3d1c4500a72c561
SHA1

a5fd98050674055d2e5588f3a088f2ad467333a5
SHA256

46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4
SHA512

da7fe2cf303ee72a622b6c51078f67119bca590586bb1f298335b3a3820e00ad43918ad5da97ead1eb0cbbd02854e6584e8408d3f6d23898073909171dc150e1
SSDEEP

192:HMDLTxWDf/pd3cIEiwqZKBktLe3P+qf2jhP6B5b2yL3:H4IDH3cIqqvUWq+jhyT2yL

Score

7^/10

bootkit persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Control Panel\International\Geo\Nation	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133332421624687212"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{97D43A2E-F70B-42AA-9CB8-58DC1A4F8FB6} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7e065e8c21b1d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{0F48FD09-F724-448C-AA59-D83BF290C54C} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{398370C3-ABD0-4AEB-9893-7E84346AA55E} = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4772	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3868	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3792	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
3264	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
4716	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
4804	MicrosoftEdgeCP.exe
4804	MicrosoftEdgeCP.exe
4804	MicrosoftEdgeCP.exe
4804	MicrosoftEdgeCP.exe
6020	MicrosoftEdgeCP.exe
6020	MicrosoftEdgeCP.exe
5532	MicrosoftEdgeCP.exe
5532	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeDebugPrivilege	1908	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1908	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1908	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1908	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeDebugPrivilege	4988	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4988	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeDebugPrivilege	2972	MicrosoftEdge.exe
Token: SeDebugPrivilege	2972	MicrosoftEdge.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeCreatePagefilePrivilege	4712	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe
2292	taskmgr.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
3240	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
2972	MicrosoftEdge.exe
4804	MicrosoftEdgeCP.exe
1908	MicrosoftEdgeCP.exe
4804	MicrosoftEdgeCP.exe
5640	MicrosoftEdge.exe
6020	MicrosoftEdgeCP.exe
6020	MicrosoftEdgeCP.exe
5068	MicrosoftEdge.exe
5532	MicrosoftEdgeCP.exe
5532	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 3868	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	69
PID 4484 wrote to memory of 3868	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	69
PID 4484 wrote to memory of 3868	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	69
PID 4484 wrote to memory of 3792	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	70
PID 4484 wrote to memory of 3792	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	70
PID 4484 wrote to memory of 3792	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	70
PID 4484 wrote to memory of 4772	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	74
PID 4484 wrote to memory of 4772	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	74
PID 4484 wrote to memory of 4772	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	74
PID 4484 wrote to memory of 4716	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	71
PID 4484 wrote to memory of 4716	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	71
PID 4484 wrote to memory of 4716	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	71
PID 4484 wrote to memory of 3264	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	72
PID 4484 wrote to memory of 3264	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	72
PID 4484 wrote to memory of 3264	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	72
PID 4484 wrote to memory of 3240	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	73
PID 4484 wrote to memory of 3240	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	73
PID 4484 wrote to memory of 3240	4484	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	73
PID 3240 wrote to memory of 512	3240	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	76
PID 3240 wrote to memory of 512	3240	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	76
PID 3240 wrote to memory of 512	3240	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	76
PID 3240 wrote to memory of 1896	3240	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	77
PID 3240 wrote to memory of 1896	3240	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	77
PID 3240 wrote to memory of 1896	3240	46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe	77
PID 4712 wrote to memory of 2944	4712	chrome.exe	82
PID 4712 wrote to memory of 2944	4712	chrome.exe	82
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85
PID 4712 wrote to memory of 168	4712	chrome.exe	85

C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
"C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
  "C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3868
- C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
  "C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792
- C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
  "C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4716
- C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
  "C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3264
- C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
  "C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3240
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    PID:512
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    PID:1896
- C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe
  "C:\Users\Admin\AppData\Local\Temp\46fd7fec12ae431d9f9aca1293c06d8d10bb82fc921f44a7f40921ba63bcb7b4.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ff901029758,0x7ff901029768,0x7ff901029778
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1804 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:3780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1532 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:2
  2⤵
  PID:168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2852 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2844 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4304 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4536 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:4904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4672 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4740 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4564 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4904 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=816 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4412 --field-trial-handle=1856,i,7713407140251846132,13722594026978407694,131072 /prefetch:8
  2⤵
  PID:5712

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3724

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3144

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1908

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5640

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:5700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:6020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6088

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1028

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
PID:5532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5600

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e0
1⤵
PID:3960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
PID:1324

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
3499ef0fde8001dae9d42e0f73b46ed5

SHA1
3b235cc2bdb6e99a97a64db3bf5595859d217215

SHA256
a4a043f5b8e293e33b9149bfc7a2f2c45f327f8582be33e5d4e972be106dac30

SHA512
0eb32ae7116bb3540d5ffbeb2fff085eadfb7a8e5c6275887c6e95c6b5a9058e6331649f8ce785d001718a21bdbfeb2671b27a3801c3b8ff369772da3935d8dd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
d4b5982f4afb93575d530c76b270237d

SHA1
8d22d7592b5084923bf12d9cd88b7e5309bfbd16

SHA256
08922b6fee4ddad124c877a75b15bc20c16e3f67f0f5d5d75eb10b22f4110861

SHA512
921f3085f81f5cf0e5847e7d94a496a7a21d02e7b70d9c490cb0ff0082bb1dc036b89ee581b87e1047a0edb6ce59db14a34e8fe476493d5c4e68630cbf03ab80

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
0369cf052a09233ab819730b99ac290a

SHA1
8ffcbf00c97c2a22c0ecaba75c389ecba45426a6

SHA256
a73920e29769d7bd6093ec42cd5c949fcb9f60549965d69c151f28df7554e3e6

SHA512
cbe26eeeffc25da964b713895acf153a276944153e54fbdf3b78a5bb06708ce364588fca2d57a4c106520055b4950e4b1323b169cdc8a0bf246abe4331593685

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
54320dabbd5dcaaf05c45a8bef5cb04a

SHA1
9123004bb228f40cbd9086634c5c74a191261066

SHA256
56dccb13a3752bc957bbf6770183c4c2f136bb2615c71aa42294017464e3ce39

SHA512
986d700051dd23050a9b970e96e6a6ee5a35fdfb5ea373b494200d7f8be1bf46b08df68f4ceb7e0d81e1a9e7b662e77ef74091f41baaa38a99bb0c47f7ad4f74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
b5432a9c50bce2f2a5f637ed00affec9

SHA1
5beb0bba38ae3e5e203d098d149cf54da88dc6fb

SHA256
55d81958f01c0824f09e6212021bec15b2190560be3c753e7b7b22f34c2c397d

SHA512
cb45c72087aeed1e173a1904be11422855ebfb72c8097450ca12b3bfd306d76a31a22b325baefb9941a6fcd41aaed681a509d0c6e525a877b51f0c6f63d0ad05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f8e4aebdad1ee1fce50fd952cb0189ae

SHA1
a13570d938f70824541400e27a7bc3b04931027a

SHA256
814920e397019a6bd3e63edf1653068cb123a6dcf0259be848309a9c19172fba

SHA512
b809da8bd15650e0848d8d05f8ffed54bba11d53183770f32a205976180541909c90c943cdd3ec47854e5f65391331714fb36b8610c5e321c99536e5a3454743

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
55f5706f7d18ae2792a38b71631541bd

SHA1
ec16ce483359b12fc429669a234d9a97c6abfa89

SHA256
f6318a0b9a9e9263880089faa4cd726471cc5632f24057aac470aebed7582baf

SHA512
9905124e9e55b271ef8c4dc21277583184bd47f606f7cb4df07be2fa15640f643d111a9a008117004e14326a4bafd291ebc0e8d99de6996fb2c7e9ab1d996230

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0150880609f8797e999e746d2a2d3ec6

SHA1
1845a3b448e7d028bd85754d4ad5b9e3d82c88e5

SHA256
0c4bddf4458920129ae81f719e596d9d29495c1421e48006a0b43b15cba3e610

SHA512
a2af0a6677a874ef4e18f20c4c40c0182c51c885bc365fa2ada9f2fc6ae7930372ed17a33b32efd5aebd8a14e6cbeb2d5f3e36e7bd8b9de8aa9877b5c5cad276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a0da30e59f30e3087a1f465dd4cd8341

SHA1
f853535a6c0e4c346e99d7c4d91942431149f59d

SHA256
7217b456f17e1c68875db9c68690f3934958f6f5ec67faa2fb006affb0133fe5

SHA512
dc563ba810d763c4fe23469ff28c85917915198cf0e2c4a28d138d13675f57cd42290bf79346d6d63ee5dccf8f0aba4ee05954d4dcc6bb9e60b2b55fc824fb70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
1d72b2032a4611a80256060c8a43b128

SHA1
c1b1650b107a1805c2a92b6e7f5166c98a835c86

SHA256
99b904593d44c3337fa2a68a46c43c111094775d9c6f10a7399b1764b6206872

SHA512
9429090701515ef4516fb8ea7de2c289ed321a7fd8a279ba43fca4de2ac048b53721f97bf2f881c884fc2bb195096fd44c44864f620f8e742a460137db2fb155

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
172KB

MD5
bff72b6b9f630f0fd2f88e8a841114b5

SHA1
157999ace24f23323dca8446ed0e003ba89225df

SHA256
25cecb20dbe9e5fb1926b075949893df85d0c6f7471d3f365e7c4824e7c2fcc9

SHA512
258f5c7e11e375eccd790277e9e66683089cfc6ec624a44b805f6521d98f592e1f4d1392576de06b317631b0c6452e72a23311fe7c9996f682bb8d3b8fcf8682

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
94KB

MD5
eb092cf6e12fdbbed8727986ab97657f

SHA1
16abf753ce51cd20077869c68f34af5a5d61b501

SHA256
598f8e425936314f3bd490fd428291ec361e63317a2dc7a7f89df40416aa7d38

SHA512
68615d170f8fca86232368dad3e36ffc1c9e15a74899eb07b88f2fefcfdce68a04fbc0ac7bdc060f7b9c2c43d87def97d21b82002caa7a0ddacffde7bbe5f476

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59ba4d.TMP

Filesize
93KB

MD5
2350c9bdb6752748b03ef59319d74f88

SHA1
db36d3d8f8e75d3d4285347ab86464c9bfebb822

SHA256
f377f43c8cc51d04837a1a59f7d248412858536447ce5f45fd0e14d1c93e8165

SHA512
c6a9d3745344f1c249ca4d83376e79d4f1aa55608c647165f98d0626c7088b971bf840fd40c7fb785d68b5730d7f0dc7307272024b9a72cd98edb083f2c9280e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0E5QL9UQ\cachedClickId[1].js

Filesize
35B

MD5
75c843c7b717e7b722777907475c67a3

SHA1
983d1c9a05b315288039b9d4694ce3b402259240

SHA256
1d348f9f803c95305f63def9d75fd50e79e54a375e1a4a888edbbea366845580

SHA512
41f58c029586198b0f5e7ab6d2cc1edeb113184f82c8adffc81f0e229ff5ce44cc9aabb8bda82f923984a3cfe5e42c68ef2f4620ff94ae0b1809b03b9a6fd37f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0E5QL9UQ\d1174-0627e[1].woff2

Filesize
17KB

MD5
0627ec86dfad171ba217bbc765326ed7

SHA1
d83f8aac9cb272a8825602735e3766f4975d5c68

SHA256
d53336707c39d1ec20a2b1f7399ca9f183c45592e215a42fd596dfa2dbb8ad7a

SHA512
a64bb605c4c4a1d3a3905155e9f52b4c59abb95fffc61aa1405d6d4e4687ac308ef4104f897770ad8c7001e40f91f68eb35041d693367a970aab2a86e80150e9

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0E5QL9UQ\f[1].txt

Filesize
391KB

MD5
669dba586ac5a09c834d667882bd79f3

SHA1
7b6de72dad9cbf1ab998115193a1ed3ad955099b

SHA256
8187dcb05ebcfc94502aeec0524c23c7d22afbafe17aff1d39acc1d59a3a52db

SHA512
302f3ebb297d6abc79b0939ed9b45458239773fa80796d674ea528613364159a031d09ac548c7ac4cfab752d6fbf64ab6251e58e67d3973cec61e56722c385d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0E5QL9UQ\js[1].js

Filesize
141KB

MD5
56904314f573bf7cc62142510c54b3ef

SHA1
497a71b6f8c18911c277fe99e7685a29c66ae633

SHA256
9b2bac5ba80b084f69f7d777b4959d0ed401ba3831c37a1d380e7ab3bc85e460

SHA512
43b12c987f6f82d38ac098d7fa120b766b8c59bf06e32f3552379d4800df7e72d63017d5f268c80ddbdb5bd51e08399a85fa3b59a70ae17f9da65587e05e8f82

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0E5QL9UQ\loader[1].js

Filesize
53KB

MD5
fdf98491cc4b626e727a7a218bf2bc17

SHA1
0a8774eae5be05fd9899f2d6ed54170558b80049

SHA256
0e02d113888fe909eaecbfe5e5d95d9b66259d7ed85b9d474020e751e91dc612

SHA512
846eb1f5f262aa8f5397be611e39e5e946fe59b9d951a14b13237ee17b8e7f5663e9de2c26105f5ccc2d25a5683fe65cdd959f9842b5aa70e5aee2096c0c3ecc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\0E5QL9UQ\modules.2c904f1732637ed19b74[1].js

Filesize
269KB

MD5
1d607445fc7960e738a24695ce76a56a

SHA1
e0f670ec3fefbf6af0cdf68d856ecbe427900211

SHA256
6c4602745f86d61c46cab5080d5b2ac240dc43de296a9e4ec0a0d8bf393428c8

SHA512
98f7ba65c6a6eaf0c4d42b16dd6bd5e88f504e5dd6fc3fdfe805149649be32ed45bcf55c99867ad3943326ca0610867776a0a0178b32f284245122e82dc0c807

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2RBLWZ4M\f[1].txt

Filesize
79KB

MD5
8257afdb8dda4686aa91df5586bda9a6

SHA1
ab4ba55c4de42ca1616d92ada9f979cb4ee1f674

SHA256
8cca176e7c6eb776494cc5dc361d8217bd4ed284a01b86bca7cc422d4d3a0e57

SHA512
d60c71ce2e9b7d2266a6d8adfd7c98bafcb2cea257e6646efc430e84e1d2e547dcfe3745e27ee75cf232df899d91770686534753baf7e5eb00376431fb9e673f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2RBLWZ4M\gtm[1].js

Filesize
404KB

MD5
dd33abb63819d57f18cfd0e2b44b919b

SHA1
14d568e39dff380241a2b6e1c8a68876ed107cec

SHA256
639549df14ea0ef6b70f8be47521bd00e9a82c85ad8a5e7f413f9a7b08f274e7

SHA512
c5b93672cd980f588f4f80a20bb6b561b2cfd259205bb315fa8bc3b091d0414283bb5e328f695d6bf30c53efe8eef38f5b1960270d775f8b19df16625de5cbff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2RBLWZ4M\obtp[1].js

Filesize
22KB

MD5
afd3aec78079479ef637fa1e1a4ddf26

SHA1
3adbeb0630dbbf873c77872c17567e46fdfe698e

SHA256
4b8f2b177e73f0072f1c899e85882e5b8b72c4bfdec8e1d9d431b163079dc8d7

SHA512
6ee191effb062178430fef7ce00eacb79579ac23cdb73ab5a31723bb9f967abfbf67128c31b57282b9a0fea7903ebe398685fa2e84b0cee82fcb983f62de8dbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2RBLWZ4M\polyfills-ctv.c3efb46c9757f2ab4cccffd99e71be73c7d11baf[1].js

Filesize
22KB

MD5
580963329f08c97e0c279521175aec78

SHA1
bebf63d246ab2761c1a20d306f7c650eabf844c0

SHA256
7d76eff4b4128a61e4cc29b282fc7246f16dcb9e2cc69d6deb5b3ae1d4d3c3c6

SHA512
56a503c9e5a673ea3e30340ba08bcdf04bd238622e2c657ac71b04018de9e165c75ef49c56f429b01d296f3bff5c049af0db0ffcc516650bb516ee8363f041dc

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2RBLWZ4M\rtg[2].gif

Filesize
43B

MD5
b4491705564909da7f9eaf749dbbfbb1

SHA1
279315d507855c6a4351e1e2c2f39dd9cd2fccd8

SHA256
4e0705327480ad2323cb03d9c450ffcae4a98bf3a5382fa0c7882145ed620e49

SHA512
b8d82d64ec656c63570b82215564929adad167e61643fd72283b94f3e448ef8ab0ad42202f3537a0da89960bbdc69498608fc6ec89502c6c338b6226c8bf5e14

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D1NDUI05\585ea-68c47[1].woff2

Filesize
16KB

MD5
68c477c4c76baab3a8d1ef6a55aa986f

SHA1
4af50379e13514558dd53d123db8ea101ec5e24c

SHA256
0364d368abf457d4e70dbc7a7a360f3486eaea2837b194915b23d4398bee91ac

SHA512
92b34fe3b7f82f10cf6de8027ac08f4a5b8764fb4e0b31c93da6e3d5bd08e0bc83b79fd70b8207a1066b689583e0b6976fa3c885b0c067ea343e6f2031d55d25

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D1NDUI05\5bba3-e5711[1].woff2

Filesize
12KB

MD5
e571167fbcce8d5081bce96a09930063

SHA1
e12420f5e4da3ccdc75a58ce744e7d5a0c6cf79e

SHA256
98be19bc78b5bc5d419e4fa6ea055ebd4671a963e2cc644aeed4362f15d14c31

SHA512
2a7e28d5e1cc8fcb4089f51a012ba801038c1e115102f68405c730f58b490f3c9fc352ba533e0bf062f965b5fb44239b1b8ba914863a72c68aeeb27101c31881

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D1NDUI05\hotjar-424839[1].js

Filesize
9KB

MD5
6909f0765917a6ddbc4ad45d5efbbfc0

SHA1
647e0e4e40646cbc1305a3fce1c15b4c8c7a7379

SHA256
9defcb028b3e008f59c17bd1ebd61bb112a4b2fecc5a10d3df7ef409c023256a

SHA512
8d2a4b10bcf44a51ca1816e8577d8bc5563c7f6377eac70f844d6658e2649d115c6de876d4a3194758a1cf49abaf3ccb5dc1ad05f66c0641914c1d7565a410ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\D1NDUI05\ld[1].js

Filesize
44KB

MD5
6040cbeef4d1089892946e803f0ff0c9

SHA1
14e6765e2149d88f50385b99ac10b053e422b719

SHA256
ab26e787fa89d35aced53de24ee22db847af08d248be4ae79ac5067ecb476557

SHA512
4bc782df5e1957b7b547444d6f99df73cc21d05728a6568edd3d3221ed322dbca77e7948488b7639ec32bf2d2b3567029b9d1bf9061c3e6a84a97f6f9c81508e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z3F6EH2W\23986-0eb3a[1].js

Filesize
93KB

MD5
0eb3a8982280d69dbad51a8208682fba

SHA1
74727e431f5f9169003fc31d1fd3e42f500ec047

SHA256
7f883a2ea4917ddcdcc0e5df38b8afcba36a58e517e1c8b1eefae02a862f71ac

SHA512
ed86c655a219f27415e5c2a3c7621ca4affa2648f2ca189c93535c916ec95af007de4110aae5474b981bb139eef79d462c6fe4d269292417f56c0f1eb6950206

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z3F6EH2W\72c3f-5a164[1].js

Filesize
47KB

MD5
5a1645b16ec651b5b77dd807a1e0ccdf

SHA1
bfe9359ecb35010c092823c730571f16ae7445c6

SHA256
8d6ba808bc4b65fe9778943cefef1f4df4931199a42804dcfe1289c2f3956898

SHA512
bc5c961d293876f2ded61e24a4c9af928541f6d4cbacba02dceda244a26186f6f03faf1eae1698e864678005465f0c682e1be881db66cd6b4b25b962bd5a3c2b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z3F6EH2W\73832-630c2[1].js

Filesize
166KB

MD5
630c228dc3000aabbe300f9dcab20f7c

SHA1
dc0577813ce245d0c4b98ccafa5bba3c5e179f54

SHA256
12124ad14d042cdaccd10c5b523588115ea7a32420858ca6b97f47ead499ab55

SHA512
fbccf9c9749a9cd353b32246b90fef27aa4d7013b650d9fd947aeff45353249890900922639f893c2da5f684f532836ca6efd9b89e40216f4a62de623f42f1f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z3F6EH2W\e1d66-56362[1].css

Filesize
113KB

MD5
56362b3b9d49c30afe79b8438cb0f336

SHA1
8f153728791685737ccbe9d37f08d001f041070c

SHA256
b489ef1bfd11178bad576aaa13e119105d23b1118b05eb82674527c3f19a2ceb

SHA512
3830f3979ede6ce8ae0ef80693d3acc2394df380f3d81d5d06b7117527978861d84a56926cb239fdfe6ebc6559f47efde566ec17f4364b33c5719f7267d0dca7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z3F6EH2W\sdk.c3efb46c9757f2ab4cccffd99e71be73c7d11baf[1].js

Filesize
451KB

MD5
51feae0a40292b56add780fd45b3f8e3

SHA1
b974db10aabc4e2a167271a5e6aa0e20bc8d91b2

SHA256
023a072504fc398174db5d2232fb6f08c82ba63dbf28834df89e26ffebfa5e07

SHA512
91700d2c3e119bdd10b43b38feae459ad14804dc84ea72e956fcf8dd1c13b9ddff102d24805473b487e4a073eb0349953ec18f947501aed27fe4f91a7d349bb1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\59YO15X3\gta-v.en.softonic[1].xml

Filesize
411B

MD5
f1b8ad99e0a443495956fcc37408c7e4

SHA1
c9a2f3692e813519e2de3665fd008750599ed818

SHA256
c2b660e8c8e1355cbcbb60e9f25e83d912846f05139586dc794da12fae4bc353

SHA512
6549662f9eae54ed5a9a20278a94fb11b6384c36ecc0cca47a4a48d76fe768d5a60856e6a48e952649b866a5e6803e57bde9dfdd83ebcfcfc6a1f65bd44917ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\BH3D8DO3\en.softonic[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ANEQGYU2\c6a73-91dde[1].png

Filesize
1KB

MD5
91dde5a34a64a36d8de82112d86249b7

SHA1
a62281335242dee49863f3d2ab7bdce82453dd32

SHA256
673b00e2d93145a1a38ba186d0d5035f3539c0a91b83518624501acb5d41d229

SHA512
3efd740b9c2d05c3ebbd51c000c3271a2f634d39e1bca60871fc31fd49b702e57395d8dd32792786813c9c254152524c692a026d5dc82c8a17a896aa69f12751

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BSWZY72K\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\T9H5HK9U\gta-v-download-grand-theft-auto-v[1].jpg

Filesize
1KB

MD5
feadf6e89b5b38bc8077de0842cbc5db

SHA1
c9b857c78e0b74fec72d5bf3b1215d39b7a89997

SHA256
0a41498dbcce0068a470e6aa6b83f4c7d2af3236a153932d946f08b8d934ec07

SHA512
a3102bad7ed2ac9937276545c865c822ca1a05b3a864db5cc69310f2ee3057a6562871b4c0c405217b1d07d6b7ad127cb671f2eb88c416ab5dc3765871214dce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
6e7fd801790bc6ea210584eae422b3b9

SHA1
30a972c249b8c309438cd623a0aa54cc962a8339

SHA256
f0301832be0daa92e75114859d6a1477773d29561672426ec504e73a10763121

SHA512
eb853236ffe3fe72abd6a02d0e50a90dc682744f77cb7fbf33c4d172a812dc7c76d742146b05f4f3f04765743928c00cf83e18eeb41b7f104ae3f27bf617a91d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\v87rjhc\imagestore.dat

Filesize
14KB

MD5
ddfcc11f504441a0f45b16e31b31f550

SHA1
99a9d94eaab74f0db739dcbe67d2775601134a4c

SHA256
f085ea816c6baed12cfe74b153f956e42d26b95bf65cf32103268c85c581ad9d

SHA512
134f72e311f3921d18158c22a38a06c7908fa0b3f35a760f4bc79e8f8f3c9c85d381891e071981118bbd3731e53ac80ab87bcf46733798c7c4c9bee0d007f188

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF1650BF5824D68A1C.TMP

Filesize
16KB

MD5
2113be2d96e9337ffb3fd028b2c247c3

SHA1
8f2ff5521d9dc437e66a3d1fd1b37faf432ee1af

SHA256
0f512da472678e9065854c6b7f14b6ce86ee81e1e7f93f7d78d918df6fdddc19

SHA512
9c1f52ee397d602aa97d466ecee7d6d622966cfd14aedc99ed4790ff779a4981fb4435557baea2ae755ad371cff6295ff4d9e13228f3d3e0766278510b9db3ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
f38fdf88264cf901385b2975c33cb8e9

SHA1
4b9b603155d61303131cb0569723c55cc5ab172b

SHA256
564f194c0b7171476082b21cc1e372420e1424215cf8249db053be5fb9481213

SHA512
da08bc964ae79cd6c15205d0c6900522d96ff6b6218c14deb2b5371b1c87c6f6883900b0c5fabefb474f4c994e1d5771dc495f8ccc3c00597b2b9cc8a2f57712

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_56D3ED1FAA849CF9BE5986D2E9A8BFFF

Filesize
472B

MD5
df26aa95a0c60191d4d628e34d5e83e6

SHA1
e3b6aadd954461f50c4ac64c652a51cd743bd2d7

SHA256
d773280ea82a46169013c420d5d41091f155d9cc2c63fb900506a1502d5272f6

SHA512
39eb07b7256d20243fb88cffa828bed6b635c00d5626dcb2e91816ed6b7e342225e00fca60116df7f2a090b86cf989c1edd8fe5b9b7e389983ab269f4b9b1748

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
aa62f8ce77e072c8160c71b5df3099b0

SHA1
06b8c07db93694a3fe73a4276283fabb0e20ac38

SHA256
3eb4927c4d9097dc924fcde21b56d01d5d1ef61b7d22bfb6786e3b546b33e176

SHA512
71724e837286c5f0eb2ee4ad01ac0304d4c7597bb2d46169c342821b0da04d8597491bd27ef80e817bc77031cd29d2182ccc82ef8ea3860696875f89427c8e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
a0b5afc4b8e7949370da7d9a76cd3c75

SHA1
869c3df0535987bbf4cce7746f0e42b790f9628e

SHA256
a6ce58162bfe642e79b2801be4669fb44e76ff2a8ad553e22907d35f2662b72d

SHA512
560bf7f5d613cdbe6d026f1143351be11256fc51689f9f099468893659e0628502daa95f0c4d6173d8a296fb76ddc8a750b41530146699331380a9d358aff871

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_56D3ED1FAA849CF9BE5986D2E9A8BFFF

Filesize
402B

MD5
4cd4111475104b9e402febc5004196cd

SHA1
24c2bcb174485787585e607b9d4ee9f798214315

SHA256
d5282a710a320d4106a5d3f003e5224220af67e3302422fe21ef58624b35ebd3

SHA512
8860877136ffd0d563645ea373ef025d92a06a0ac69d52e5e470190a4fd4a7381a2d007c85ea82c7e51cfd71acf3ed3aab562ca6b7be90b3772efdc3e7dc4ffc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
e9adf8cf15b5f40955c48921be17d176

SHA1
d71d82eaedd54a8b08583020d333f9383c59ee62

SHA256
bcd3cd88591d91b5d899af13ccf64af20c0b9c8e27df0471d5c29ef2be80e8a7

SHA512
aa14ee3d3d82e383cc4fce89cf365eb160932fe9c6f18fbf234f152734c499af4878b69aec0bc9c12b9296c2154d8fd627bde934d8382a19f554d148968e664f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BSWZY72K\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
5564dc52c9344ce8a3e35cf5db3cc9b2

SHA1
d8fd4c1bab6a631642dceee22db10c2b81a5f543

SHA256
1b43efe711e558d484e22cce0474326504129d346e9f08b3ba695a99a24e8a46

SHA512
bf483bf2dc9e4c0369f32896e2f9049f927399f4f750fdf65def5336787ea721aac13d288d26d7e545b5a12981ab154fb13d8a2d982c5c092bda0d68ac3b012c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.log

Filesize
512KB

MD5
dbee3ffcf3a1b5ebccccc7312c727cc0

SHA1
5cfe17c81487c056887edec11d237fdc2213bce5

SHA256
860b12f41a319dfda26cc8559c7592f7e8e6935f47aaf7fb0ce87fbee2a4e19e

SHA512
d2f13173a6c9727df335e83d8d457d7562c8d26a2e75ea84d8cf97ca2ac179cc8c239bfac0313add95dfd9704083bc0cde2acf948cae4c74b3d3ea6b605d556f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
37d6cbd3b2d9e3d798f964927768c212

SHA1
9db78aa43596713dbcd62a800f963bc292f4322a

SHA256
b7dd95036955254f55493c5901e3acb2f0f84f3006b21b2ceee0b38d87b97322

SHA512
90c144010b7a2c0f56462ae7ee2ab2434992b11521d8b60ae8cd37a82bbcb19a125d68e89ef923ceff91c21f450547f8c12ada19e0aaba06b13aa5a0f3130a6d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chk

Filesize
8KB

MD5
eaa89669a43adedbc280031d98bffb0d

SHA1
bc762ca2a2da1c715cb8a382f396ce776ecc9966

SHA256
cc32d7aa2d65407a0032191c9622f100fdff8c9f75cf89f339611c53ec8a2542

SHA512
9147db27c117cb23e395d8cabbe4d26ba3a37632d78c319e1297a78f60512e54be2d1a33646cc225836b6b129d61e473faa573d02b74f07a056148c579847f95

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
bfceb3d5f8244c06e7ea4db54585c53f

SHA1
80e27c6625a5a005028b1529690efdcdb9776927

SHA256
446fac8f17ed47dca65b037ad2e815642aa460dff0c3403fdcf45a6e991d22a0

SHA512
a9d4a5a3b7ccb1d89f2888ca5bb283e6d74c775f715ca6a6326ad191f036ce2e5b488141ed66a48efef153d370d52e0c989252863fd18bfa4de16fd821b6b320

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edb

Filesize
2.0MB

MD5
44c20d5c18fa89443373f77e2d108e46

SHA1
9db31a17a35f31ca38e6dc4bf15df0a4b45d4a78

SHA256
edb4676a7bfd2c58713e889d4e967251a7906b94350a3261fd88972d851b1dfe

SHA512
91cc5f7c09cfa67fe8ec81ea75a719328a2f4bf384761f3ab5665da02090dc5cf89ed42d83e1e51c43f05918e2faa6a7b427e47a62298352e99e6a9f49fb854c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
a23d9bdf98fe73d8a91ff367a97ef4de

SHA1
a1ea361439cc650180c82f564b0a765cc46870f2

SHA256
0afc34049dce02fbce327636f68d8c91694cf0efe2b438610a1952f544dd6522

SHA512
14b3707700ef3dcfa192e490f9ac3b1de9ba38b0dd8340566f79f899ce689d15046406f738e5ce8a9e4184053ab009b0ffb31fc932c1044e2732d7f90092c37b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfm

Filesize
16KB

MD5
e911a497759ff73361f0faf0653eef0c

SHA1
a344e4b79d895d2664602ad476cb09cb55a526cf

SHA256
e1f0f2b6bd59a645cb5f5f277563939eed9e18e6118746ad89f43244fb6049d3

SHA512
34b2fbe36eef7df7bac38788084c8571e4c94bcb225e2d5ad7ba8d65fc76d83ab2a80e0c061fb7244cd407f4b2eefaac83d9ca9a7d3f64b098cc2a4c9da7e395

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\v87rjhc\imagestore.dat

Filesize
13KB

MD5
0b4a2e17bb98ddb4a5a6d2eb4a1b206e

SHA1
adb6e387581bc3ed6420fe8593569cda296b3679

SHA256
41eba8e70ef32dc2442ce13ac5e359a09ecf6910f2d7fa49498cf4b206752962

SHA512
9cf8c8e92b31a2129d72c66e5c2643974245296f9d99e5c307fc538a0edc64d9247f05215682dbe40df70d47f1972070901b2dc173aefc418e9b29fcac648893

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\v87rjhc\imagestore.dat

Filesize
13KB

MD5
196a871916ee19c069990504da1b618d

SHA1
acabb85dd0f4099ce63dd4769d01e7dd4533582a

SHA256
4ed65e1421e2bdaf79e9d1a95db71411e0a84ef50a58f55cdbcca50a980b1296

SHA512
fcb5d7facfb3939cf259e67f19fdc3205149b49d5aa8ee2c8d043c07bccd32cedb75401475cc313f6470eec5bcdac83da826a5f7e17533ecabf3068c728da7bd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{0F48FD09-F724-448C-AA59-D83BF290C54C}.dat

Filesize
4KB

MD5
7d42f5561ccb3f301dda11b1d509709e

SHA1
e63c416072f44380a4d4ae2b8cc2695f9dd25475

SHA256
3f160685193cb65d4e7e943c1d410249fe98385a32fd969fe71cefdd06a7d41b

SHA512
b3425a840804bb185502056f3651a131afbedf8d445c9f211895ed8a107ddb491578f01f7a66538a25a200e2cb4d8d7a36b18d99416ef593866bbca4de3feef9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{97D43A2E-F70B-42AA-9CB8-58DC1A4F8FB6}.dat

Filesize
5KB

MD5
2b2b34a3fc57545a3427bca2ef83ac1d

SHA1
c7e0a0a2c437cd661400bfec69c0b0f9e0c81c70

SHA256
0abfa28e9ce00ef595959dcf0d8d5560bfc1e65090559452eee045bed2be5c1e

SHA512
486dbe7f362b0a36b97671e483be3c966fd5fbc70f4bb943e7764d5c56f54f612247ead1f97f73f60a1e922137b01e2fc61e837f10a48248610a2162f9d86afd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{026201D7-466F-4665-B3AA-7EEDECD4ECA5}.dat

Filesize
6KB

MD5
96539a4a05e668c05c82a8cc01e019a8

SHA1
4dee444900e895b13272493521049786b07fa14c

SHA256
74bf7ac38178d3c4520fdd396550414a51da1f836d04c819686609d1d09d40b2

SHA512
f1726eecd311029c18d1f700f1dbf5f3de07353e0135b5bc9d922c9ec6eddec7ff1c3c54e44f31d72e28ea6bc405e3cc17e8621daf04887433343e9fdda46e50

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{B7D86BF5-8DC7-42A1-BE93-12BFC845814C}.dat

Filesize
7KB

MD5
52827fb449648f2a2cb7a4f38a7dc192

SHA1
79fbbba3112df1ba4862a0e57d4e33eae7623625

SHA256
432774208ebf0c8aea437647102147f0ec6f78c41943ab2d44950d6b5706f8ac

SHA512
20effd3e46bc49c0ad6b2d2a50a5b6d51cbff3e9bb31d2ef0dc82c4a26b1b16936fa034747bc40079a371c7bf8942a1311467190914047d356f4089636669fc6

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/800-223-0x000002C913310000-0x000002C913312000-memory.dmp

Filesize
8KB

Download
memory/800-226-0x000002C913340000-0x000002C913342000-memory.dmp

Filesize
8KB

Download
memory/800-248-0x000002C924F30000-0x000002C924F32000-memory.dmp

Filesize
8KB

Download
memory/800-228-0x000002C913710000-0x000002C913712000-memory.dmp

Filesize
8KB

Download
memory/800-246-0x000002C924E70000-0x000002C924E72000-memory.dmp

Filesize
8KB

Download
memory/800-238-0x000002C9244D0000-0x000002C9244D2000-memory.dmp

Filesize
8KB

Download
memory/800-243-0x000002C924E50000-0x000002C924E52000-memory.dmp

Filesize
8KB

Download
memory/1908-196-0x000002B973060000-0x000002B973062000-memory.dmp

Filesize
8KB

Download
memory/1908-200-0x000002B973080000-0x000002B973082000-memory.dmp

Filesize
8KB

Download
memory/1908-202-0x000002B973090000-0x000002B973092000-memory.dmp

Filesize
8KB

Download
memory/2972-159-0x000002507D900000-0x000002507D910000-memory.dmp

Filesize
64KB

Download
memory/2972-143-0x000002507D420000-0x000002507D430000-memory.dmp

Filesize
64KB

Download
memory/2972-178-0x000002507D750000-0x000002507D752000-memory.dmp

Filesize
8KB

Download
memory/2972-266-0x0000025005680000-0x0000025005681000-memory.dmp

Filesize
4KB

Download
memory/2972-265-0x0000025005670000-0x0000025005671000-memory.dmp

Filesize
4KB

Download
memory/2972-330-0x000002507C6F0000-0x000002507C6F1000-memory.dmp

Filesize
4KB

Download
memory/2972-326-0x00000250059D0000-0x00000250059D1000-memory.dmp

Filesize
4KB

Download
memory/2972-323-0x00000250059D0000-0x00000250059D2000-memory.dmp

Filesize
8KB

Download