hxxps://www[.]teach[.]nl/

Analysis

max time kernel
86s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
30/08/2023, 13:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.teach.nl/

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
3532	teach853.exe
3596	teach853.tmp
3648	teach853.exe
1748	teach853.tmp
2356	Teach2000.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Teach2000\Smiles\Street signs\is-6VNJ8.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Translations\is-2TDDP.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\JouketjesSmileys\is-F5AVL.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Dillness\is-A1GGM.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Molecules\is-N5GNO.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Molecules\is-775HR.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Molecules\is-5L374.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Loading\is-4GH61.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\HTML Templates\is-S5GPG.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\is-TKRBR.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\TeachOriginal\is-LV59I.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\TeachOriginal\is-5SVCV.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\TeachOriginal\is-4AEOO.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\JouketjesSmileys\is-G3E1P.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\SpaceShips\is-SQU83.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Loading\is-5GCDT.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Smooth Smiles\is-Q4I8V.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Plain Numbers\is-MKQI0.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Benzibox\is-PG9AN.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Benzibox\is-FNM2H.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Street signs\is-MNJ4E.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Plain Numbers\is-V0BUD.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Loading\is-AF9CO.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Pointers\Cross\is-7HQBP.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Translations\is-2LSKP.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Trick or Treat\is-A6RFG.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Alien faces\is-VERQD.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Fyton5\is-JDE7D.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Funky Faces\is-VGH4O.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Benzibox\is-41437.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Emoticons\is-325TJ.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Emoticons\is-JVPTS.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\JouketjesSmileys\is-3IL44.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Love\is-31NP5.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Fyton5\is-9PVRT.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Fyton5\is-KBFCO.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Funky Faces\is-6QAPC.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Loading\is-DTQ2O.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Fyton5\is-4SU74.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Smooth Smiles\is-8JH1D.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Smooth Smiles\is-ES3F6.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Translations\is-CVFSE.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Alien faces\is-2VTPD.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Alien faces\is-DC42I.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Love\is-6VGPU.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Love\is-4S4FL.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Topo\is-PCNQU.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Plain Numbers\is-LL8DN.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Dillness\is-QR76S.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Emoticons\is-4GGBQ.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Street signs\is-38TBA.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Loading\is-3EM30.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Fyton5\is-JBTLB.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Fyton5\is-7GIM5.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Trick or Treat\is-UDCCP.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Benzibox\is-PMPVP.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Molecules\is-7E94R.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Street signs\is-9MJHE.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Pointers\Periscope\is-2KLE2.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\Street signs\is-MG9FV.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Translations\is-5BL9V.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Translations\is-SCSKE.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\TeachOriginal\is-M6FNU.tmp	teach853.tmp
File created	C:\Program Files (x86)\Teach2000\Smiles\JouketjesSmileys\is-6P1JD.tmp	teach853.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.t2k\ = "Teach2000.Document"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult\shell\open\command	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult\shell	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\DefaultIcon	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult\shell\open\command\ = "\"C:\\Program Files (x86)\\Teach2000\\Teach2000.exe\" \"%1\""	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult\DefaultIcon	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.t2k	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.ohw\ = "Teach2000.Document"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document\DefaultIcon	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam\ = "Teach2000 Exam"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam\DefaultIcon	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam\shell\open\command	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult\DefaultIcon\ = "C:\\Program Files (x86)\\Teach2000\\RES.DLL,2"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\shell	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document\ = "Teach2000 Document"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document\shell\open\command	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.t2kt	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam\shell\open\command\ = "\"C:\\Program Files (x86)\\Teach2000\\Teach2000.exe\" \"%1\""	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.t2ks\ = "Teach2000.ExamResult"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult\shell\open	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\ = "URL:t2kp Protocol"	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document\DefaultIcon\ = "C:\\Program Files (x86)\\Teach2000\\RES.DLL,0"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam\shell	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\URL Protocol = "http://www.teach2000.org"	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\shell\open\command\ = "\"C:\\Program Files (x86)\\Teach2000\\Teach2000.exe\" \"%1\""	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document\shell\open	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.t2ks	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.ExamResult\ = "Teach2000 Exam Result"	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\DefaultIcon\ = "C:\\Program Files (x86)\\Teach2000\\RES.DLL,0"	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.oh4\ = "Teach2000.Document"	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document\shell\open\command\ = "\"C:\\Program Files (x86)\\Teach2000\\Teach2000.exe\" \"%1\""	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam\DefaultIcon\ = "C:\\Program Files (x86)\\Teach2000\\RES.DLL,3"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\shell\open\command	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp\shell\open	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.ohw	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.oh4	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Document\shell	teach853.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.t2kt\ = "Teach2000.Exam"	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Teach2000.Exam\shell\open	teach853.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\t2kp	teach853.tmp

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 476551.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4676	msedge.exe
4676	msedge.exe
3336	msedge.exe
3336	msedge.exe
2088	chrome.exe
2088	chrome.exe
2864	identity_helper.exe
2864	identity_helper.exe
5092	msedge.exe
5092	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe
Token: SeShutdownPrivilege	2088	chrome.exe
Token: SeCreatePagefilePrivilege	2088	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
1748	teach853.tmp

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
3336	msedge.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe
2088	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 1788	3336	msedge.exe	23
PID 3336 wrote to memory of 1788	3336	msedge.exe	23
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 1596	3336	msedge.exe	85
PID 3336 wrote to memory of 4676	3336	msedge.exe	86
PID 3336 wrote to memory of 4676	3336	msedge.exe	86
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88
PID 3336 wrote to memory of 992	3336	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.teach.nl/
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb71e46f8,0x7ffdb71e4708,0x7ffdb71e4718
  2⤵
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:3792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,14342322122768716220,13095190296975534027,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3912 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Users\Admin\Downloads\teach853.exe
  "C:\Users\Admin\Downloads\teach853.exe"
  2⤵
  - Executes dropped EXE
  PID:3532
- - C:\Users\Admin\AppData\Local\Temp\is-D9DI7.tmp\teach853.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-D9DI7.tmp\teach853.tmp" /SL5="$C01CA,7911810,136192,C:\Users\Admin\Downloads\teach853.exe"
    3⤵
    - Executes dropped EXE
    PID:3596
- C:\Users\Admin\Downloads\teach853.exe
  "C:\Users\Admin\Downloads\teach853.exe"
  2⤵
  - Executes dropped EXE
  PID:3648
- - C:\Users\Admin\AppData\Local\Temp\is-RU7TU.tmp\teach853.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-RU7TU.tmp\teach853.tmp" /SL5="$A005C,7911810,136192,C:\Users\Admin\Downloads\teach853.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of FindShellTrayWindow
    PID:1748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffda6fd9758,0x7ffda6fd9768,0x7ffda6fd9778
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1972 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1908 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:8
  2⤵
  PID:1780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3096 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:1
  2⤵
  PID:556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1712 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:2
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4596 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4796 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:8
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=1968,i,13609726901928612098,1378402942289801556,131072 /prefetch:8
  2⤵
  PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2692

C:\Program Files (x86)\Teach2000\Teach2000.exe
"C:\Program Files (x86)\Teach2000\Teach2000.exe"
1⤵
- Executes dropped EXE
PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Teach2000\Teach2000.exe

Filesize
3.2MB

MD5
e25d2fe920f239bc688b3143795632ed

SHA1
8fd4a3a6247ac818f67b339374913763c7184ac6

SHA256
75e8af65e460ba21b2f04e722d772f1acdf9a640fdb332d35958d6980a5fd5ec

SHA512
4c14e9aefdf2490ccbb15103d32556025f7389665e3dfe21dda5a099394e29a92396a10751de1ea2a78750b390359a58cb290accb3a0baf5db7f450538a001eb

Download Submit
C:\Program Files (x86)\Teach2000\Teach2000.exe

Filesize
3.2MB

MD5
e25d2fe920f239bc688b3143795632ed

SHA1
8fd4a3a6247ac818f67b339374913763c7184ac6

SHA256
75e8af65e460ba21b2f04e722d772f1acdf9a640fdb332d35958d6980a5fd5ec

SHA512
4c14e9aefdf2490ccbb15103d32556025f7389665e3dfe21dda5a099394e29a92396a10751de1ea2a78750b390359a58cb290accb3a0baf5db7f450538a001eb

Download Submit
C:\Program Files (x86)\Teach2000\Teach2000.exe

Filesize
3.2MB

MD5
e25d2fe920f239bc688b3143795632ed

SHA1
8fd4a3a6247ac818f67b339374913763c7184ac6

SHA256
75e8af65e460ba21b2f04e722d772f1acdf9a640fdb332d35958d6980a5fd5ec

SHA512
4c14e9aefdf2490ccbb15103d32556025f7389665e3dfe21dda5a099394e29a92396a10751de1ea2a78750b390359a58cb290accb3a0baf5db7f450538a001eb

Download Submit
C:\Program Files (x86)\Teach2000\Uninstall\is-UQNE6.tmp

Filesize
771KB

MD5
50a8f69da1beaf6a1e0b2357c526d22e

SHA1
da2bac50ad89d7f5921a419511871309312834f8

SHA256
c0c8fcf30aff119e494db187a7f7001bc3b6c370d351f9da5b12f29be4331741

SHA512
8aabadaf05319702bf17bce644bd9119a30fd58877b2693377b59a8b2e3d6d06e179fbd6da7a8f344be0cd2aea1bb37e51388299e1076f0b8c33acfabe1e7d03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
6c5d509e37bc7658a5104ca10661c9fb

SHA1
39a7f4b334b2385222f4eb4654da3d7dd003084d

SHA256
fff9e323bfc50a0853e31411caf00325335daf2c274b2a9742aab40d0f1dd10c

SHA512
066049677c4fcc8c2b7223b6fa5cb766fa6689418ab6654cc5bb2e6bce19825b7c901f2c2efa3a2cc129637253a100277a0330d4be99a92b77c023456b038a14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
ecf0d7903c80cd8181013792b918452d

SHA1
6169e4ceb22a56637642a2bfa7d121cdeb53b38e

SHA256
b8b0f00697d24f74c3ccfdb9ddec8a03be48155bc406d1acc8026bcf4be9cbe6

SHA512
dcce463faeee61741e6adb8611f7ac24c1f3075536a2789ffa4810155295ecb0c5897c02efb8c8bc0daf09118720de3bfce7373da47b549139295c227dd58a0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
355bd4ae3e0577835912af7b9136d8f0

SHA1
91f607880e350e37bab9b9199a79f5189e1e238d

SHA256
38aa7c3a9f9c3a9c48cb67b6234df13462532ea057abbe0d42d928b6ab4c4883

SHA512
df24345387487a23d40967d37b0a68fc399f76f888700b6aa05c75536267f08bcc3e11aeee7964b0f0b050a3d0a45fd7a91033e9bc5c9a1309bd49f85a4c546a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
178KB

MD5
61e16f957dc22236f5049cb7c5589e36

SHA1
e20087ffc1276713ef9cc5997002233dba8f3fa5

SHA256
f527718160cab3db4cd06600d3c01322228ec7983169e1c3bace0b6c33a3f86b

SHA512
88e88fbebf784ed1b29d3121ca68422597a6c64fd1845fb7501de1eae3908a666488b8e78bd91fa1f45df22b38f3221735fc2db26b6f0718621a260557058763

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3423d7e71b832850019e032730997f69

SHA1
bbc91ba3960fb8f7f2d5a190e6585010675d9061

SHA256
53770e40359b9738d8898520d7e4a57c28498edddbadf76ec4a599837aa0c649

SHA512
03d5fee4152300d6c5e9f72c059955c944c7e6d207e433e9fdd693639e63ea699a01696d7bbf56d2033fd52ad260c9ae36a2c5c888112d81bf7e04a3f273e65d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
f5369fdee37abb3f624562384ac857d8

SHA1
f2b790ad696ab664467a747cb873cbd23b5f4991

SHA256
d1da26687c51a77bf6af400032bb4e099e883297170e253a2b3187e037fe7ade

SHA512
1fb3a673d8b5e341147ff0e1d6ff332b5fec9a3ecea10997531acc97fb7009f08ad9e3b89601b8ff2edf3815dca12c37ef32722d475587651fb8448aad398a78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4b8d6807ea8ad3c0fd4b4effdfbe3f93

SHA1
04b15a0b7d6a6abc3beff87eb5c25627048f0a7c

SHA256
593b3b54542ebc5e88debe3bac65cde3714fa929e8b4227766842efd1db6d6eb

SHA512
6035f56effcb0a3c4574eb96566222b275382c05f470e9a422dcbb9ad1470f5d1b29d94b3d6ebc5ef39faed52b352e8cf3c71ac9dd2061ec6319422cf41d4639

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac52f63d8387d12b90d49f61b8cbc1d3

SHA1
4b2ecbc010cc17484603004cd9d4f2ca3783c4e6

SHA256
06f9f896d4ce4278e72ac8e7b862d8d37cbcce1caa1e9adecaf8bfca6273636e

SHA512
c8609bd519d1e60bb6325d965fe471aafa848ecdcc4807285be48acd93cc0a14b65a54818ad7caf5b564bfc305f89f51c3fa24c26f1a44520fcfb175bfa86ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5139833df3555b902da9338770bbab60

SHA1
7666c02c1100a7972a22f9e27d777f833f4f0d16

SHA256
f5522c05a73341cf0fc916863939b5128ae0fbfcb64ae27988a196bc25c4d261

SHA512
978e393f6a524f26ed58759308283cd5969063b54f8abbc6155ee5aa703fbd5b17c6d4a97c9fb4cba4bf94328ffba024abc8bbd09cd12f18623ef78debc32c02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bb55f901b69f06d655c9cc466c6f85a3

SHA1
5c463c9a138675844cb7a061da1527a6deca8147

SHA256
109920666adce9533facaccb9a9c494eed118c95a842fbae3fcfaf755f9aab1d

SHA512
10a5edb1bac6639934fd1cff9377d27dd44927b768949a43846f44ea9f425b6967e8034a5bd484bfe6eae6c44224a8a8d43ed229486abf160814e8417fcd48ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7a55d31c60f53e4d5b849565b892f073

SHA1
c9a274318ec56c11e0e3e634242ff562ccdadd45

SHA256
a010c92533af41e85bfdb8c7f88320d2926094b989909e1195b0e77ef72cd236

SHA512
8b957334a0c4f36d257aba8dc3065c1760b442459e0616fc3e49afd961a167af4c1d4b64e80bf8253a841131da5c8891662f6232a945b52fe2eeaf0813ad7e63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e78f9a3ece93ae9434c64ea2bff51dc

SHA1
a0e4c75fe32417fe2df705987df5817326e1b3b9

SHA256
5c8ce4455f2a3e5f36f30e7100f85bdd5e44336a8312278769f89f68b8d60e68

SHA512
9d1686f0b38e3326ad036c8b218b61428204910f586dccf8b62ecbed09190f7664a719a89a6fbc0ecb429aecf5dd0ec06de44be3a1510369e427bde0626fd51d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1f8a21e91921367589943a5d33714e23

SHA1
4d30368c0fcbf3c369c4b42d4ade46ff542f30a2

SHA256
698e8b75b2e61cacc67a4d00596fb1f5ad9963bb0dfca5f0c6311b5c05842cd2

SHA512
b32ed8a4ac42e7945e1cb03f43a8ad7e17a517cf7b5aba8a98b07d7e15a5122ab056a4dd3210de718741cef5aca96430954c3eead881001085e73486821c406b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d8706649b6656178c138ab4de6b08e5d

SHA1
c0c2b02668100a7e6654b2bbcf1c6b0b5e3799ad

SHA256
da3f5c04047b9b327ac6789dfc7523f5843782096533d3e633769e3fc35083f8

SHA512
8b514db81def574632e7415b34c36f59335f62d3d8507f836a7ee9ef276c7eeeeedbde4cdf6898d002ce5ba7c6a477afddb498600c8f3c6016a6397212a0db9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D9DI7.tmp\teach853.tmp

Filesize
771KB

MD5
50a8f69da1beaf6a1e0b2357c526d22e

SHA1
da2bac50ad89d7f5921a419511871309312834f8

SHA256
c0c8fcf30aff119e494db187a7f7001bc3b6c370d351f9da5b12f29be4331741

SHA512
8aabadaf05319702bf17bce644bd9119a30fd58877b2693377b59a8b2e3d6d06e179fbd6da7a8f344be0cd2aea1bb37e51388299e1076f0b8c33acfabe1e7d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-D9DI7.tmp\teach853.tmp

Filesize
771KB

MD5
50a8f69da1beaf6a1e0b2357c526d22e

SHA1
da2bac50ad89d7f5921a419511871309312834f8

SHA256
c0c8fcf30aff119e494db187a7f7001bc3b6c370d351f9da5b12f29be4331741

SHA512
8aabadaf05319702bf17bce644bd9119a30fd58877b2693377b59a8b2e3d6d06e179fbd6da7a8f344be0cd2aea1bb37e51388299e1076f0b8c33acfabe1e7d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RU7TU.tmp\teach853.tmp

Filesize
771KB

MD5
50a8f69da1beaf6a1e0b2357c526d22e

SHA1
da2bac50ad89d7f5921a419511871309312834f8

SHA256
c0c8fcf30aff119e494db187a7f7001bc3b6c370d351f9da5b12f29be4331741

SHA512
8aabadaf05319702bf17bce644bd9119a30fd58877b2693377b59a8b2e3d6d06e179fbd6da7a8f344be0cd2aea1bb37e51388299e1076f0b8c33acfabe1e7d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-RU7TU.tmp\teach853.tmp

Filesize
771KB

MD5
50a8f69da1beaf6a1e0b2357c526d22e

SHA1
da2bac50ad89d7f5921a419511871309312834f8

SHA256
c0c8fcf30aff119e494db187a7f7001bc3b6c370d351f9da5b12f29be4331741

SHA512
8aabadaf05319702bf17bce644bd9119a30fd58877b2693377b59a8b2e3d6d06e179fbd6da7a8f344be0cd2aea1bb37e51388299e1076f0b8c33acfabe1e7d03

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 476551.crdownload

Filesize
7.9MB

MD5
140b475bcdd3e69d975080eddc41be9c

SHA1
c50edfa4d3c8f964035c8774eaa9f9696182eb2e

SHA256
e2451d0d0aa172afa7035fda1073e38b22c4faf601b1870b4ccdacfa393d650f

SHA512
2e9df3fd0c6a6b589b980ce4005f21eb8b90e4ad38284be9c03eca7abc3436e4d36f151ea630a5b2efa8c9bdcfac93d754065c1f600eae1c274cc1424509a22b

Download Submit
C:\Users\Admin\Downloads\teach853.exe

Filesize
7.9MB

MD5
140b475bcdd3e69d975080eddc41be9c

SHA1
c50edfa4d3c8f964035c8774eaa9f9696182eb2e

SHA256
e2451d0d0aa172afa7035fda1073e38b22c4faf601b1870b4ccdacfa393d650f

SHA512
2e9df3fd0c6a6b589b980ce4005f21eb8b90e4ad38284be9c03eca7abc3436e4d36f151ea630a5b2efa8c9bdcfac93d754065c1f600eae1c274cc1424509a22b

Download Submit
C:\Users\Admin\Downloads\teach853.exe

Filesize
7.9MB

MD5
140b475bcdd3e69d975080eddc41be9c

SHA1
c50edfa4d3c8f964035c8774eaa9f9696182eb2e

SHA256
e2451d0d0aa172afa7035fda1073e38b22c4faf601b1870b4ccdacfa393d650f

SHA512
2e9df3fd0c6a6b589b980ce4005f21eb8b90e4ad38284be9c03eca7abc3436e4d36f151ea630a5b2efa8c9bdcfac93d754065c1f600eae1c274cc1424509a22b

Download Submit
C:\Users\Admin\Downloads\teach853.exe

Filesize
7.9MB

MD5
140b475bcdd3e69d975080eddc41be9c

SHA1
c50edfa4d3c8f964035c8774eaa9f9696182eb2e

SHA256
e2451d0d0aa172afa7035fda1073e38b22c4faf601b1870b4ccdacfa393d650f

SHA512
2e9df3fd0c6a6b589b980ce4005f21eb8b90e4ad38284be9c03eca7abc3436e4d36f151ea630a5b2efa8c9bdcfac93d754065c1f600eae1c274cc1424509a22b

Download Submit
memory/1748-1194-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1748-287-0x0000000002350000-0x0000000002351000-memory.dmp

Filesize
4KB

Download
memory/1748-1198-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/1748-1192-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3532-1203-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3532-564-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3532-272-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3596-1085-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3596-1069-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3596-1202-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/3596-284-0x0000000000670000-0x0000000000671000-memory.dmp

Filesize
4KB

Download
memory/3648-1199-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3648-824-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/3648-280-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download