Analysis
-
max time kernel
300s -
max time network
301s -
platform
windows10-1703_x64 -
resource
win10-20230831-en -
resource tags
arch:x64arch:x86image:win10-20230831-enlocale:en-usos:windows10-1703-x64system -
submitted
25/09/2023, 01:41
Static task
static1
Behavioral task
behavioral1
Sample
b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe
Resource
win7-20230831-en
Behavioral task
behavioral2
Sample
b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe
Resource
win10-20230831-en
General
-
Target
b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe
-
Size
239KB
-
MD5
751a173de4c3d8ad83c925d5edcd7505
-
SHA1
9b081b970832e64fa8a2ee82a54d824346cb9272
-
SHA256
b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9
-
SHA512
068305877ffb53f619c0132bb28362cc058fd8024f970435c43ef93d59604011ae4d7a7f38276eb724bcbde872c9869c1a56f5afaa3a8820889879a8d73e12ef
-
SSDEEP
6144:kM46fuYXChoQTjlFgLuCY1dRuAOi0y1R7w8y0:kVYzXChdTbv1buI1R7w8y
Malware Config
Extracted
smokeloader
2022
http://77.91.68.29/fks/
Signatures
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Control Panel\International\Geo\Nation cmd.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2716 set thread context of 4176 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 72 -
Drops file in Windows directory 7 IoCs
description ioc Process File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdge.exe File opened for modification C:\Windows\Debug\ESE.TXT MicrosoftEdge.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe File created C:\Windows\rescache\_merged\3720402701\2219095117.pri MicrosoftEdgeCP.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 2492 2716 WerFault.exe 69 -
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI AppLaunch.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Internet Explorer\Main browser_broker.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000\Software\Microsoft\Internet Explorer\Main MicrosoftEdgeCP.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ee85eede51efd901 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\MrtCache MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 6039d4de51efd901 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache MicrosoftEdgeCP.exe Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000 MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000 MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0" MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 304399d051efd901 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{7F371322-C6EF-4A5A-97CE-4BED5FD3DF44} = "0" MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History MicrosoftEdgeCP.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = e091ff2f84efd901 MicrosoftEdge.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0" MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings MicrosoftEdgeCP.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif MicrosoftEdge.exe Set value (str) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:" MicrosoftEdgeCP.exe Set value (int) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063" MicrosoftEdge.exe Set value (data) \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000 MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople MicrosoftEdge.exe Key created \REGISTRY\USER\S-1-5-21-3540700546-2554825161-2349363825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU MicrosoftEdgeCP.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4176 AppLaunch.exe 4176 AppLaunch.exe 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found 3184 Process not Found -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3184 Process not Found -
Suspicious behavior: MapViewOfSection 11 IoCs
pid Process 4176 AppLaunch.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeDebugPrivilege 4836 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4836 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4836 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4836 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeDebugPrivilege 4416 MicrosoftEdgeCP.exe Token: SeDebugPrivilege 4416 MicrosoftEdgeCP.exe Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found Token: SeShutdownPrivilege 3184 Process not Found Token: SeCreatePagefilePrivilege 3184 Process not Found -
Suspicious use of SetWindowsHookEx 4 IoCs
pid Process 5004 MicrosoftEdge.exe 4516 MicrosoftEdgeCP.exe 4836 MicrosoftEdgeCP.exe 4516 MicrosoftEdgeCP.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 2716 wrote to memory of 2500 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 70 PID 2716 wrote to memory of 2500 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 70 PID 2716 wrote to memory of 2500 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 70 PID 2716 wrote to memory of 2836 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 71 PID 2716 wrote to memory of 2836 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 71 PID 2716 wrote to memory of 2836 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 71 PID 2716 wrote to memory of 4176 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 72 PID 2716 wrote to memory of 4176 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 72 PID 2716 wrote to memory of 4176 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 72 PID 2716 wrote to memory of 4176 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 72 PID 2716 wrote to memory of 4176 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 72 PID 2716 wrote to memory of 4176 2716 b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe 72 PID 3184 wrote to memory of 4804 3184 Process not Found 75 PID 3184 wrote to memory of 4804 3184 Process not Found 75 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 4884 4516 MicrosoftEdgeCP.exe 81 PID 4516 wrote to memory of 364 4516 MicrosoftEdgeCP.exe 86 PID 4516 wrote to memory of 364 4516 MicrosoftEdgeCP.exe 86 PID 4516 wrote to memory of 364 4516 MicrosoftEdgeCP.exe 86 PID 4516 wrote to memory of 364 4516 MicrosoftEdgeCP.exe 86 PID 4516 wrote to memory of 364 4516 MicrosoftEdgeCP.exe 86 PID 4516 wrote to memory of 364 4516 MicrosoftEdgeCP.exe 86 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe"C:\Users\Admin\AppData\Local\Temp\b050634379fc9cac5dbfdfc606040c7bc366c511c12044aa649f508816ce45b9.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2500
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵PID:2836
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"2⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4176
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2716 -s 2562⤵
- Program crash
PID:2492
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9A28.bat" "1⤵
- Checks computer location settings
PID:4804
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5004
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
PID:4060
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4516
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4836
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4884
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1508
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1220
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
PID:364
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:3424
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
PID:4696
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
74KB
MD5d4fc49dc14f63895d997fa4940f24378
SHA13efb1437a7c5e46034147cbbc8db017c69d02c31
SHA256853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1
SHA512cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\BNCSRQ9I\B8BxsscfVBr[1].ico
Filesize1KB
MD5e508eca3eafcc1fc2d7f19bafb29e06b
SHA1a62fc3c2a027870d99aedc241e7d5babba9a891f
SHA256e6d1d77403cd9f14fd2377d07e84350cfe768e3353e402bf42ebdc8593a58c9a
SHA51249e3f31fd73e52ba274db9c7d306cc188e09c3ae683827f420fbb17534d197a503460e7ec2f1af46065f8d0b33f37400659bfa2ae165e502f97a8150e184a38c
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\LYC5UOO2\suggestions[1].en-US
Filesize17KB
MD55a34cb996293fde2cb7a4ac89587393a
SHA13c96c993500690d1a77873cd62bc639b3a10653f
SHA256c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize4KB
MD524be8a92460b5b7a555b1da559296958
SHA194147054e8a04e82fea1c185af30c7c90b194064
SHA25677a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3
SHA512ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\6Y0OOEPS.cookie
Filesize132B
MD5b0fbae34cf9f61b9de2260be8d52edee
SHA17c9909b0cf9dc84f683db23ee28c8f2344832ccc
SHA25609ab59135d76d8f47db10843061e009127ce0ef595f04cb967e0c4a140a4e8ae
SHA51257ea6cf17b2693249830b793cc3c744a4b5eb47d0daa9c169bcea6def8506281e5191cf77b6b17c7e7731cddc761344a11f4b757cee89fa86ba2a23856e0f8c8
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cookies\BHWI2R9H.cookie
Filesize132B
MD5a179459caa9efb1ac0d83c6c7926ae87
SHA1a62d7fb83b9ac9b70b620d48c54824b6de693167
SHA256b38e866251c2aa5e169758e2884920763cc5b413700297da17afdf01177952cb
SHA512baf0f3821cb7286767d5a4f76cf222f929736c7c30a7799e85c37d433b8d65203e0ab469267803a84a112b1041ed1d3c56701180ce5151c6b420b1b250fed8b4
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize1KB
MD5b5eda74305a01c41450e0d12777199e1
SHA136162e9e8c3a69b237d317f7c300f11927a37c12
SHA2566e5c17b2b4e22fa800baa0eaf0b76ce73005e463b915503e8bca92223b9cf594
SHA512f96b2ea451f4ceef082e1289a7f1e160580f5a8d515eaf2b4df0d8d818c34355c17538806f873fba07118b5c937d8c3172721ee03e3d16126e07c0db5faf16f3
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize4KB
MD524be8a92460b5b7a555b1da559296958
SHA194147054e8a04e82fea1c185af30c7c90b194064
SHA25677a3cfe6b7eb676af438d5de88c7efcb6abcc494e0b65da90201969e6d79b2a3
SHA512ed8ef0453e050392c430fdcf556249f679570c130decd18057e077471a45ab0bc0fba513cb2d4d1c61f3d1935318113b3733dec2bc7828a169b18a1081e609a0
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize724B
MD5ac89a852c2aaa3d389b2d2dd312ad367
SHA18f421dd6493c61dbda6b839e2debb7b50a20c930
SHA2560b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190
Filesize471B
MD53b7403306365b481a905b872a4a8fe8d
SHA1848d8b54a1b0fa0f473fe13bbabcb7872c0a6067
SHA256f7ffcd2b2deb0aafb5ab3eca136e1bfa6560686bf31f6982afeb0535dfd70bd7
SHA512bb40f31f256d4635c9ef00ef2eb7f6d959a262e55e8028d2d009073b74979900672073db15b2e3130b551dfe3b770863251940fa13c49375b8e18c5be24fb2a9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Filesize410B
MD561a1f31971fb56d191978a77738ed480
SHA193438ae3268e6510cc2a44d03ca1da137d3c76ad
SHA2565145aec049b4f358127d1d286d6c06d7c783f3428a0a02e33d74c08837513d7a
SHA5128da13430cfead3dee2066eadf1dd692cff8daa4fc45fc661ce11be61be4031d617e52cca61d9e0d37f9eead0db1c64d928f0ec45e27882fc112536493e80308e
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
Filesize342B
MD59188007e12da8a594e773e559122d48e
SHA16e5db2c8b779a4e5932bcd8b481559c3f10b2477
SHA2569ffbc7ad093129386a40861cd3986a3924780f29266b246a37c860832db2366b
SHA512f3d7d74b31ed68ded0da9974df015deb8f683ab8ebb24e883b1cbaa0187f82196436519d28dc902540a6259847ab779e01f8129de89a58bc9950a51e81935a20
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
Filesize392B
MD53ba25096350480b0d154c6bdfe626e56
SHA1e2ed8ae95a615878c9147424dc8328f4958d42cf
SHA256291023a08f1a184ceddaea158771fe40c2c21fb6582984659bd6b376c0f1cb44
SHA512b944b34c02b26d0e1822695a7c4b177ae6e4808824335da525635625ca14d9b3d5e0c658e2d35fdc1e88f7043531e227a370f5f57ec2c4a9f534f59f57465969
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_87DCDABBB68171FA19C9A78DBA85E190
Filesize406B
MD588b95f507ba8cc65b332a6679738ba27
SHA1355614971bd62bcb8d57b0609c6e5e204fa26d7e
SHA256b9ad6f24485fa02b2ce78f88fc8ac329112e311ee5253797fb679e453cf479f0
SHA51253a7d09b4d0bd16ba2b9259b8edad88312451999d2ad17fa1b08dbdc01efd736c1745cdce801552cffcdb19be90ca10e6d414e36cb2b64c111921d9c94273d9a
-
Filesize
79B
MD5403991c4d18ac84521ba17f264fa79f2
SHA1850cc068de0963854b0fe8f485d951072474fd45
SHA256ef6e942aefe925fefac19fa816986ea25de6935c4f377c717e29b94e65f9019f
SHA512a20aaa77065d30195e5893f2ff989979383c8d7f82d9e528d4833b1c1236aef4f85284f5250d0f190a174790b650280ffe1fbff7e00c98024ccf5ca746e5b576