e5de39b88a2313eb9144253ba63e2b35c7facb5763f076d82b3fa4a529cd1ebd

Analysis

max time kernel
109s
max time network
117s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
28/08/2023, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe
Size

724KB
MD5

377e3c9ebbcec50695cbba98e94aa0fc
SHA1

dbe1ce3f2cb7ccc1e2755b6f8db9b44bd86f51de
SHA256

2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a
SHA512

a71d21c83e9b4595fb0a88341c37cc68f7a4626c11cc048eaaa2d04a40d75b89262f951d17172bfd1514514d38ff4cd6b4a5a9446dfde32d09a4d64fab15f617
SSDEEP

12288:qjOtvHMm5xvOWRP8jm7SoiJY8RvWX9g+ch8GB4pQtTME:mOtT5xd1qmWzdRvejchrTB

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2120	PJpZonGeVN.exe
5076	EzCS.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\debug.log	chrome.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\2219095117.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2164	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133377076161473869"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 0e28665cbed9d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\shrinkl.com\NumberOfSubdo = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\SOFTWARE	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{15E16AEC-F2F0-4E52-B0DF-029D11E58E4B}"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\AudioInput\\TokenEnums\\MMAudioIn\\"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disqus.com\Total = "87"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disqus.com\NumberOfSubdomain = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disqus.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disqus.com\Total = "18"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\lsr1033.lxa"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = 322d9a43ff74693161317f9e26a7d6bb591a6f276432e10543a70c26e1b357a5	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disqus.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "409;9"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\disqus.com\Total = "14"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "207"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\cyberlab.fun\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "SR Engine (11.0) Text Normalization"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "English Phone Converter"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\tn1033.bin"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cyberlab.fun\Total = "348"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cyberlab.fun\NumberOfSubdoma = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\cyberlab.fun\Total = "245"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = e8b0ad72bed9d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 60d58ac1f0d9d901	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cf502f5cbed9d901	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2767205360-3565838719-3800013281-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Software\Microsoft\Speech_OneCore\Isolated\PIjyYIeAhMCaaV = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 2 0009 aa 000a ae 000b ah 000c ao 000d aw 000e ax 000f ay 0010 b 0011 ch 0012 d 0013 dh 0014 eh 0015 er 0016 ey 0017 f 0018 g 0019 h 001a ih 001b iy 001c jh 001d k 001e l 001f m 0020 n 0021 ng 0022 ow 0023 oy 0024 p 0025 r 0026 s 0027 sh 0028 t 0029 th 002a uh 002b uw 002c v 002d w 002e y 002f z 0030 zh 0031"	MicrosoftEdgeCP.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2120	PJpZonGeVN.exe
4652	chrome.exe
4652	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5076	EzCS.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2700	MicrosoftEdgeCP.exe
2700	MicrosoftEdgeCP.exe
2700	MicrosoftEdgeCP.exe
2700	MicrosoftEdgeCP.exe
2700	MicrosoftEdgeCP.exe
2700	MicrosoftEdgeCP.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2120	PJpZonGeVN.exe
Token: SeDebugPrivilege	5076	EzCS.exe
Token: SeDebugPrivilege	4572	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4572	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4572	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4572	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1596	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	1596	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2996	MicrosoftEdge.exe
Token: SeDebugPrivilege	2996	MicrosoftEdge.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe
Token: SeShutdownPrivilege	4652	chrome.exe
Token: SeCreatePagefilePrivilege	4652	chrome.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe
4652	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2996	MicrosoftEdge.exe
2700	MicrosoftEdgeCP.exe
4572	MicrosoftEdgeCP.exe
2700	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 2120	4192	2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe	68
PID 4192 wrote to memory of 2120	4192	2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe	68
PID 2120 wrote to memory of 4552	2120	PJpZonGeVN.exe	70
PID 2120 wrote to memory of 4552	2120	PJpZonGeVN.exe	70
PID 4552 wrote to memory of 2164	4552	cmd.exe	72
PID 4552 wrote to memory of 2164	4552	cmd.exe	72
PID 4192 wrote to memory of 5076	4192	2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe	74
PID 4192 wrote to memory of 5076	4192	2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe	74
PID 4192 wrote to memory of 5076	4192	2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe	74
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 1744	2700	MicrosoftEdgeCP.exe	79
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 2700 wrote to memory of 4120	2700	MicrosoftEdgeCP.exe	84
PID 4652 wrote to memory of 2028	4652	chrome.exe	87
PID 4652 wrote to memory of 2028	4652	chrome.exe	87
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93
PID 4652 wrote to memory of 4516	4652	chrome.exe	93

C:\Users\Admin\AppData\Local\Temp\2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe
"C:\Users\Admin\AppData\Local\Temp\2500ebe33e767137feb39a533114e47a1dbe94bf4b5f94640348da7cdfac445a.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\PJpZonGeVN.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\PJpZonGeVN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineUpdate /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn GoogleUpdateTaskMachineUpdate /tr '"C:\Users\Admin\AppData\Roaming\Update.exe"'
      4⤵
      Creates scheduled task(s)
      PID:2164
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\EzCS.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\EzCS.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  PID:5076

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4672

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4572

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1744

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4120

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-web-security --load-extension="C:\Users\Admin\AppData\Roaming\Google Translate"
1⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffcb7dc9758,0x7ffcb7dc9768,0x7ffcb7dc9778
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2120 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2980 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:4612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1604 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:2
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3756 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4676 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4684 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4972 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:3128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4980 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5372 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3948 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5356 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3108 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4012 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5372 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:1356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3096 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=5956 --field-trial-handle=1824,i,8883521304178943176,694858036382384736,131072 /prefetch:1
  2⤵
  PID:3268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\1e93190a-caf7-485f-9a9e-47321b590f21.tmp

Filesize
6KB

MD5
c3fcf70a057f28b44c53c38ca708e806

SHA1
58c98095a4cd64d802afb14917e4c59ccb5cab60

SHA256
7b9ae95076c81f1eb9d2b92beae575221b81c66d4f39ba7accc8fb587105490e

SHA512
4a61e1c5ca52d2a0cc50cd21953a9cfdf91d5db828875dd00ee035252ab76299cb19fc9049f8601a8a9d0ec7155c4b7d0a4d0260344a351c3cc3c187460b5f53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
718f6596f2436e80e5b67cde5d5d57a9

SHA1
f74ae6c3c5eb99a03d6967574b7fcb93cb8d0c20

SHA256
0c824c43da7fc89367d870aeec81420a527be09346f88f22e5ace1964180c751

SHA512
ff6743d05bf00e04f76db5f1388f11512aa7002e86fff54b30f5ca9b50eae4603fdfaf1fa1fea6e4e4e38ad4d3430b2c69cfb651bc87886eb9998ddb9b30b0ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
864B

MD5
908aa39e4b4570312ee3e5a01df07d98

SHA1
6637e8a2e00cdbbd1c2dea64925b60e35304ab59

SHA256
80d15a8153a0e69f32740dd6bb95c46809aaca5f0e660c40e17057d78edd0af6

SHA512
730c6486a0528c1f6dcfbc14ba5504b1e7eb61552658d67b0f3238ee43c28d5b1f677c69887d0f587c0040e5ea70af0998e5a26a30b801d2628a4d74d3ab8734

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
00d9e7d0fc05791fb5aea4993531e801

SHA1
6dc5c8881586ebf028ac3ad3877f2f3fa12204bc

SHA256
5424972f6f5fd3b550d7fc4e4373a7410982caf7843e8f4916d23fec4decd995

SHA512
c4b4b76c465e634309ba0b457a89947411bdbfd6ee0f2ab4952775f97008cd8a8dc38506ba2736acc2803ab2f12bbc0bc400c03d8bfe55baad331330b9fbc30d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
60119595503a1a84f65043198d28cdf9

SHA1
6f9ff0320c0d82d46efdd567290d4df97e692cb6

SHA256
b751833f59eb7053ad884c5c4a7dcaf8a86b28651b76173b4d6c8e3746295289

SHA512
4a4c399f19b2299ab176447060f1020b5a2790e8aa98230f968c597755b7daf10fccc5180b82c54fa20ab407cefd672406104de1c7904301b5cd1dfdacc3ad27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
bea7f63c323628e1d677a20c5021b40c

SHA1
b71c88fa87b7ceaf0e2ccca9790d6d84e43bcb83

SHA256
d784abc91a0bdb6c9f47a6772c10b7b071f0c9dc88674e7ca10e31b49ce6f2f1

SHA512
6f1c69ea214833975d58072b491488945b9a37c008fd9350f6e63361e60a5421d07384d4787e6af1fc76ca1d81af79a831aaf760f91b900e1f0b7c243e8deca6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
707B

MD5
b1152ff84bfe1a37aff21d0dc72beaf8

SHA1
9fc6cc7ed1327f9fb3ab55b0a615114b60f5340a

SHA256
b18e445443d46e0780bd0321c5515fdcbfae4c112fa7520c17eeedf6d3f3732e

SHA512
1877350919d2e886adb1444243ca7e94d754f62f3cb9dad04afd37d291bd1195f5e7bceac68e4da099be08fa292fcb86ffab4c1c213b6936ca036b3c779f9e3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b6643551595c1393161700973c1ab560

SHA1
25cda11fcad022d108d34a4376cb0ec2e2d90c1d

SHA256
5a7d3262298fede46242b30374d10905cf112fc9fb1d272615fd6fbe41597857

SHA512
5a40f1b70d05de58a1702d786ad46ff6ba0ab2507ae39a12b01b6d24f7b19b3cd2b784584235862243757bf91d1ff6d32296a777eebf85ca409a33816dd56bbc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
87864ced52541281a94d21aba947a938

SHA1
f5e1629537f19c2fd3252017e62f2806785498d7

SHA256
d9e8dd8c36dbce5ea7fcfd2e0317280c3cbf1c72881124a859e66e8e8a3205dd

SHA512
cecd76340f2cdab649b984cdebb922d31ed870701ba9703be2966fb2d7afeacc7ab5882061b4c4b29dd70d3d434d94e9c5abf4d734bc4e193e441d2efe21c072

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
11KB

MD5
ab6d1face94514e5991449e5fdf6799a

SHA1
983b10571a71314cd8206543085528ac77dc5ad6

SHA256
5a100e1300b0a5925480fe46c363b295c4f490f4f36a76158359c32f72635ebf

SHA512
7aeaa497059a7f47c2969ca8c36f85dad40d3d08d7ac58d20f8d1676456c6d80a3397c26909cb03ade0800ef783524077f7d2240d7eeb4246e5819ed4465554b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
e0ff415c5f398632f85a4919abf33448

SHA1
f3f5bcb84eb5236113edc68a789812656c6690ac

SHA256
ba61bdc169794511fe62920695191cc3b817b5ccd9a7d3fe75f00b37165277af

SHA512
f6ad7977a89cee24fdafabfa49fec6ccbd82c11ca92875f7c6efc3a6a7ab3f4bff15249daaf5a547102505e40fa42dee25499c693d56ac1d6cc9305dd9c8cf05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
177KB

MD5
12a7b90f945d4a6ef1fa5cc27e6519e6

SHA1
fd8ff939d4715200fc3ddb880dd3772908c7b2c6

SHA256
7e235fd5504567d8cc6588dcc4d7e5f15a34338557247252515a168e556398d6

SHA512
7efff554d0fc2865a0077579e47dc83770c3125948390836f2518068be7841de6ae01a7c95cb23f1a62cc027e675ded54e6558a25a6f9c53d85caabcc20a8d75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\WK479IGQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7KE05WY6\ads[2].htm

Filesize
603B

MD5
2c739853e3edfa26869416e3d4e5d369

SHA1
c263dc1c36c954b252bc7e775e6e82865d9b29b8

SHA256
00daef3b4a945d15f73efa05e0ce2ca51f2f8252e1da8fae5c2efb0f6dddacce

SHA512
eae3df357290171698ed241a53688a1907712a53d5ac7b8ca06c618335fe45fc556c9903dcc09283a4dabb6ac896ca67af1aeafa528593db532f2e8586540a86

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\54VO188Q\www.google[1].xml

Filesize
92B

MD5
c6e478540c89047fd04a2a538b2771e2

SHA1
80fa7b87e8b8a538d8dbc84e0d3628523feea445

SHA256
55692b39530d87e5844ff127b28643d125285499f5fc34523c4477e32a081968

SHA512
e4233184a48e24779c7e2fe4485ca409998fa543cfebcbd1d07d394e3506d1f787a71a927257efc25e14959661c80339a60fe71a2581b6fd8369035571ff8e18

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\6ZA8ZACA\cyberlab[1].xml

Filesize
683B

MD5
1833b1ef8afb102722d83f777bc0c4d7

SHA1
6d9875558c6a2692e1a3b607d2a6e5f35f31a54c

SHA256
c4a54ca3ff5a96bdcea485a00f89590a816cdf7d87152462fb5b32a54a0c5aee

SHA512
047a12a14647bc40c85c01b28eaeb33d7b45a48c81b9fd7ba5abacb81e666c1da67342d674eecbb1e8904f579305a6af72774104997013a4b427317320291169

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\6ZA8ZACA\shrinkl[1].xml

Filesize
301B

MD5
b2f3856a1c7fba19f012dec558d13a64

SHA1
59119876af2c8f893688ab2bddb612d6340ede9d

SHA256
3c7778007421dc64ef8f8ab85337f1396fbcfb59512aec4db3ae2b9cbc6137ce

SHA512
f584cce07dcff9bbf984e4b8610639718c0c2a3505bd6040d9774bdd71d6a76ed577f8542b171c5d4de7d8b933f0433898fe43033023d96c4e95b1e5e57c8067

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\6ZA8ZACA\shrinkl[1].xml

Filesize
435B

MD5
fdb7a660e3b0df7dc1678836e71bb39c

SHA1
4468ee1ab78b9f6b634861f7bbb308c4f0b54e0b

SHA256
6ba742468eac8cad64a2d98d04a34b40e0531cc831061bff16bc2808ddd79e7d

SHA512
7b9da52cfd6dbb0855176750e64662a57e66be802334f4c27b9c6b7c321451da931862d1bc4a30b4272a77112179198b3488766672b23782d0458b295d41bfd7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\H546DZKM\disqus[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\H546DZKM\disqus[1].xml

Filesize
239B

MD5
c76ffe7787931ad03baaf6aed101501e

SHA1
c85e5785f4029ce4ab3138114473688dc6b1c39d

SHA256
a165525e851eabb35b44563893c7a17bd93a5e8a773699f5a254a7202fbf18fd

SHA512
cc95c51d433ba0a1d8b0dff286ffe28d31ca04c493473550a968a173ab17b87151e2452688b1791ba65f93fe7d4f22aba68aa7cdc35a67ce8f8c151be6e8bdee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\H546DZKM\disqus[1].xml

Filesize
323B

MD5
707d7c4ad5dbb512ce9c13a1cde5cd95

SHA1
585288bebe65a0bd99417dddada86756fa2f361d

SHA256
a465105fdccc91941bdda112c1eafa8ca897009cdbd02dcc5431b0880ae744ae

SHA512
14b16931a563e2cf8e2030d51085eef089e0def662d000ee727f02a99c8a7b806dac2ca9665be8ad7d103e3ab2b4a6f80c673e7aa4decfbd91b8ba5b05907231

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\SKZQQL5W\CyberUI_Icon[1].png

Filesize
83KB

MD5
ff2d97623869d6e46fb13c7406fd0fa2

SHA1
7d8e7ea2b5e53f112b3d6a47f7559cb3ee762ce3

SHA256
ae66f339856c89acbf7e27149dcdc45da7b1646d6ddf1cb83a4b9b5ffa8e5109

SHA512
2d87ea5f37d5183fa1965b1733e6eff417347f867bb398628a056ed42ef60cc04b5df104d753db624ebeae0bfe017f9bffb4a721592514cff18e4678ef49260f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DFF3F673A2A14BF759.TMP

Filesize
24KB

MD5
d3cdb7663712ddb6ef5056c72fe69e86

SHA1
f08bf69934fb2b9ca0aba287c96abe145a69366c

SHA256
3e8c2095986b262ac8fccfabda2d021fc0d3504275e83cffe1f0a333f9efbe15

SHA512
c0acd65db7098a55dae0730eb1dcd8aa94e95a71f39dd40b087be0b06afc5d1bb310f555781853b5a78a8803dba0fb44df44bd2bb14baeca29c7c7410dffc812

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
be6f288703e9324b6b4fc6cbf9d42bcb

SHA1
f99f0ee134df6ff832a934e42849236c8da69a2a

SHA256
89c85d23e0902a524c0ef025e850c8bb7554b7f54b771c4260fe299e0129d395

SHA512
4cd3585f7f7c3e2a125c4d5c7be9e7d9efe93b0529a14ee7834ad85806a4de7bb9835f715e06ca35ad8354beabc1abcd687e9efbe630b25c06565e2787c3f2fa

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_649E475F2AC1F765D655CB8DFE21A0D4

Filesize
471B

MD5
7d86a3dce6d27e0a976ced013a552c63

SHA1
ba7bb8b3b3ef53390afc5c48387be80fad4471d8

SHA256
366822f1c01f284a91051f7e1753d6a5526f32be04336dc424de852d1ee22eac

SHA512
2f1cf3c8b3dffb87deba2d4730c023a16a79feceb2118372693e2dfdf73317baf6e998683c16c6da9f2aa096347470acfc73e4f75595947439c30a996b9e4933

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
aa62f8ce77e072c8160c71b5df3099b0

SHA1
06b8c07db93694a3fe73a4276283fabb0e20ac38

SHA256
3eb4927c4d9097dc924fcde21b56d01d5d1ef61b7d22bfb6786e3b546b33e176

SHA512
71724e837286c5f0eb2ee4ad01ac0304d4c7597bb2d46169c342821b0da04d8597491bd27ef80e817bc77031cd29d2182ccc82ef8ea3860696875f89427c8e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_6FD5A434BAAF16FF393815C37124476F

Filesize
472B

MD5
8c141c9e4ae293080c66a7390c51860a

SHA1
88fcdb4721be225cbe3a96b3900ab9f3d062c132

SHA256
20dfefd2835c3db0ddaea174a330d72d6a5c932a0e24947be8cb8e913d1930bc

SHA512
b1a2f5b366b63ef75b01fbd8906881dac63ce716995474ccd7f511e3567d1d71f0b7ec92b594d23ad84b5c16264fd8066f7665b6467962046fccaba18a7fc18d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
5e5ceec2302583e26b2651c13baa5365

SHA1
47d1c5c11470484479d8a16fe192aac891890100

SHA256
f98c1b5f960da358bbad17e991d24564bb837af24a23cfb1f596fd9d0e9a4fce

SHA512
f37ecc00c2d370bc1f6bf54d7cd4ae0b37f70f396388b513686a132501a5bc454697678d49b49f8708a6659dc2f40a191b14c4d81b67f05f236cc744a42b3c36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
10ac5cabe4456c5d9308f5abcf12ad02

SHA1
12a4cee498ca35a58a9835b9de4b9b2e59fef9d8

SHA256
599ddcd27ff5c64f11b7792df5849c69790759e6b40233d37cca1f7f581547a5

SHA512
11365d5acd59fc211431fae7760a200bd526a0983b945f0f04dc23c86ef9789bc415d5948b1c1d28aa22b35621bf9a0b4244a5a5bdfa9f6c1f441e4b0f81beca

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_649E475F2AC1F765D655CB8DFE21A0D4

Filesize
406B

MD5
06f4d40c349ce52b33db6986079b754a

SHA1
be3b66240f5788bd8815ece4ac2572dce6e43be5

SHA256
9b0f372084e6479ff699180c403ac8f671dc64e290b3e7c5cc3aab1db15c3ae8

SHA512
aac6cf3251355e73ba0090174df23d21ce6b0832d4a8be0fae036c718db51c1c7f0e5246c1c3c87bb2b19588440872fa536d8ca4b9dd95171222f49e682b90d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
e0140090c43f3c2c8fbd09664a558472

SHA1
57702f9765023a5c27ee8071291056839082f965

SHA256
385e2da4afe321ce889e854c6f53e95fd837391b871b604651acb363d6b1a999

SHA512
3f4e7cc13ec921a030d85ecd2f028538430eef6484ec3e638c20937afb26270b379e43f15536d8bf8659baf9acfdc50d404d10efbc928cb56ef9dc27e78b3e0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_6FD5A434BAAF16FF393815C37124476F

Filesize
402B

MD5
67f101cd794846c1b43eedfe220b63ca

SHA1
0a40c79d4186687eb5f9fb788886981ba786f859

SHA256
7e26a4c9260d103419bf5d4b9dc2d1145cc6b17c78637bda0b59645ab6f34333

SHA512
737357435a00119f868f1d0b0febe765586ca99476e9d30c1ddf1de188baa4ec6e5f41f0af632710df8c4513ccebc72481c297c5f9eb630b51577046b5b26836

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\EzCS.exe

Filesize
460KB

MD5
f44c3c0ae12c79ecbcb713e35817585e

SHA1
3dfb2c2dd91a077ac78ce8edc3f566000bc753b1

SHA256
c947d4fb8f0a300725156553f9dbac7ce36ed266c90c0241c53b7923ed3bce5c

SHA512
dfbb5a65a820c28594218ed8371636a06b41119a3ee86a5d1bd7188a0445b9fd8f93a81daf5f4bd2ce63f48edf12622a7c44318210934725d7c608578a861dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\EzCS.exe

Filesize
460KB

MD5
f44c3c0ae12c79ecbcb713e35817585e

SHA1
3dfb2c2dd91a077ac78ce8edc3f566000bc753b1

SHA256
c947d4fb8f0a300725156553f9dbac7ce36ed266c90c0241c53b7923ed3bce5c

SHA512
dfbb5a65a820c28594218ed8371636a06b41119a3ee86a5d1bd7188a0445b9fd8f93a81daf5f4bd2ce63f48edf12622a7c44318210934725d7c608578a861dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PJpZonGeVN.exe

Filesize
35KB

MD5
61392ee50347f9cdc005babcceb9cb58

SHA1
32459d99861cf301b3ec76211004689e586b0ba5

SHA256
bb959404403f3d574038092cc6669e43db517c24c3a2b1ed16c2cd020ca5323f

SHA512
be211ded9b21133ab6d7c34823464e7eadba8aa9305ca5a233675d6f795e726e16d8a22a6601de1087c4ebc4526601cc1d3b51f6dc181a269e7b28c323f2cd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\PJpZonGeVN.exe

Filesize
35KB

MD5
61392ee50347f9cdc005babcceb9cb58

SHA1
32459d99861cf301b3ec76211004689e586b0ba5

SHA256
bb959404403f3d574038092cc6669e43db517c24c3a2b1ed16c2cd020ca5323f

SHA512
be211ded9b21133ab6d7c34823464e7eadba8aa9305ca5a233675d6f795e726e16d8a22a6601de1087c4ebc4526601cc1d3b51f6dc181a269e7b28c323f2cd4f

Download Submit
C:\Users\Admin\AppData\Roaming\Google Translate\Extension.zip

Filesize
17KB

MD5
4aefd2ee366496bf69fe8f211bf3df8b

SHA1
2fe8a09171c81be26b52f280410c265e5e26777b

SHA256
3c8941b41de24fd449bf9dff6216233b6305fc247b3725cb250eca645755396f

SHA512
6b457963d38b182a359a3dd996f23f196433dd8ad1d62ac17f5bd8429e82eaf2d60cf175a571669151086e0e2068890cc4494a338baccef1852d3765d9b5cb92

Download Submit
C:\Users\Admin\AppData\Roaming\Google Translate\background.js

Filesize
3KB

MD5
1e4c32f31419a27fa9b23f8fc47a108f

SHA1
709aa1075c55d5d0ea481938174911f1ed40573d

SHA256
5100a2719efb714272fad942be9a3e3f1458aaa9736a2328ab0fa6ae6a9e1cca

SHA512
c31cc0e18212988a7fc18addfc9307784a83b845992d7c42aadb9980d699a3e1dc6ce820f98941b63cd8d60bd288e4a82378ea92878dfe35c388c0a2baf4803a

Download Submit
C:\Users\Admin\AppData\Roaming\Google Translate\icons\16.png

Filesize
629B

MD5
73f19bf4bae975f11356893c71aeb09e

SHA1
2a7563c7dac60424ec5d2f77643422c0f584a305

SHA256
057ed8b342a85ed3972d8d0c72a4fe282abbcce0b8623333a3bcd906f2b09ce9

SHA512
a1e550c38bc6216e8a4c46929e59d92f958c090d9c1de071b349ad2b1faa54389c888fa112ad3b6d2daf3ebeadba28e0b739cfdab83c9029d767c35f44ed4b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Google Translate\icons\48.png

Filesize
2KB

MD5
8be1facb79791a064862a61399b6dfea

SHA1
93bc1b7172e9a3aa7c7d7b24b7be53c992e4566f

SHA256
89ff11a2237f9ec798ed4493738b14be76f11f282c5ab755847779fe241ef857

SHA512
6bdbb91648377ff2af465973c85021085ff413ab0b8da3c59127f46e5b58e9116c5227ed4c8e923d98185f8a85471e84007c927b58a21a06f081e702d0e731ab

Download Submit
C:\Users\Admin\AppData\Roaming\Google Translate\manifest.json

Filesize
1KB

MD5
d4bd279d2a5d553ee945aa172b6de939

SHA1
42a45b164438bf19e09f03eb1f6d011e77af2727

SHA256
8f8f3fb7402f416e1df81a9a041b9315b7a05afddb71b6a44267d78a2dbf8284

SHA512
071b8bd85023f6e0aacf84819e24403d0138617c0425a7b72bf5ce9a587151efc8e7f474f879d1f0c9f88cef7fff96409b207a116b7913bf22ca0fcd5d558574

Download Submit
C:\Users\Admin\AppData\Roaming\Update.exe

Filesize
35KB

MD5
61392ee50347f9cdc005babcceb9cb58

SHA1
32459d99861cf301b3ec76211004689e586b0ba5

SHA256
bb959404403f3d574038092cc6669e43db517c24c3a2b1ed16c2cd020ca5323f

SHA512
be211ded9b21133ab6d7c34823464e7eadba8aa9305ca5a233675d6f795e726e16d8a22a6601de1087c4ebc4526601cc1d3b51f6dc181a269e7b28c323f2cd4f

Download Submit
memory/1744-651-0x0000017D531F0000-0x0000017D531F2000-memory.dmp

Filesize
8KB

Download
memory/1744-407-0x0000017D50DD0000-0x0000017D50DD2000-memory.dmp

Filesize
8KB

Download
memory/1744-659-0x0000017D53250000-0x0000017D53252000-memory.dmp

Filesize
8KB

Download
memory/1744-662-0x0000017D534A0000-0x0000017D534A2000-memory.dmp

Filesize
8KB

Download
memory/1744-686-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-687-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-688-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-689-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-690-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-693-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-692-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-691-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-694-0x0000017D4FBF0000-0x0000017D4FC00000-memory.dmp

Filesize
64KB

Download
memory/1744-630-0x0000017D54B00000-0x0000017D54C00000-memory.dmp

Filesize
1024KB

Download
memory/1744-532-0x0000017D4F920000-0x0000017D4FA20000-memory.dmp

Filesize
1024KB

Download
memory/1744-499-0x0000017D54080000-0x0000017D540A0000-memory.dmp

Filesize
128KB

Download
memory/1744-493-0x0000017D535C0000-0x0000017D536C0000-memory.dmp

Filesize
1024KB

Download
memory/1744-457-0x0000017D52B30000-0x0000017D52B32000-memory.dmp

Filesize
8KB

Download
memory/1744-452-0x0000017D52C60000-0x0000017D52C62000-memory.dmp

Filesize
8KB

Download
memory/1744-447-0x0000017D52C40000-0x0000017D52C42000-memory.dmp

Filesize
8KB

Download
memory/1744-443-0x0000017D52C10000-0x0000017D52C12000-memory.dmp

Filesize
8KB

Download
memory/1744-420-0x0000017D528D0000-0x0000017D528D2000-memory.dmp

Filesize
8KB

Download
memory/1744-415-0x0000017D50500000-0x0000017D50600000-memory.dmp

Filesize
1024KB

Download
memory/1744-647-0x0000017D52EA0000-0x0000017D52EA2000-memory.dmp

Filesize
8KB

Download
memory/1744-336-0x0000017D4FCA0000-0x0000017D4FCA2000-memory.dmp

Filesize
8KB

Download
memory/1744-334-0x0000017D4FC60000-0x0000017D4FC62000-memory.dmp

Filesize
8KB

Download
memory/1744-330-0x0000017D4FB80000-0x0000017D4FB82000-memory.dmp

Filesize
8KB

Download
memory/2120-179-0x00007FFCB7400000-0x00007FFCB7DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2120-16-0x0000000000360000-0x000000000036E000-memory.dmp

Filesize
56KB

Download
memory/2120-17-0x00007FFCB7400000-0x00007FFCB7DEC000-memory.dmp

Filesize
9.9MB

Download
memory/2120-18-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/2120-19-0x000000001CF60000-0x000000001CFD6000-memory.dmp

Filesize
472KB

Download
memory/2120-20-0x000000001D7F0000-0x000000001D80E000-memory.dmp

Filesize
120KB

Download
memory/2120-177-0x0000000002550000-0x0000000002560000-memory.dmp

Filesize
64KB

Download
memory/2996-228-0x00000221FEB50000-0x00000221FEB52000-memory.dmp

Filesize
8KB

Download
memory/2996-209-0x00000221FE900000-0x00000221FE910000-memory.dmp

Filesize
64KB

Download
memory/2996-193-0x00000221FE320000-0x00000221FE330000-memory.dmp

Filesize
64KB

Download
memory/5076-192-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/5076-186-0x0000000005660000-0x0000000005B5E000-memory.dmp

Filesize
5.0MB

Download
memory/5076-185-0x0000000072380000-0x0000000072A6E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-184-0x0000000000790000-0x0000000000808000-memory.dmp

Filesize
480KB

Download
memory/5076-187-0x0000000005080000-0x0000000005112000-memory.dmp

Filesize
584KB

Download
memory/5076-188-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/5076-189-0x0000000005070000-0x000000000507A000-memory.dmp

Filesize
40KB

Download
memory/5076-190-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/5076-191-0x0000000072380000-0x0000000072A6E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-231-0x0000000072380000-0x0000000072A6E000-memory.dmp

Filesize
6.9MB

Download
memory/5076-229-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download