8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144

Analysis

max time kernel
159s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
03/01/2024, 15:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe
Size

2.5MB
MD5

1a24421bed22f901ccd66d66cba8250c
SHA1

560a9710a44769dd83ef01a43929808bae2fa6a9
SHA256

8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144
SHA512

6ca06dbdbb85dffafc56aa1883a6536d4a585c7eb62a8b7d3a3355b6e3bbaa40df01c6c444905c87558734374345acb8e1ad8f2a9e4f6716c204fda92f3cf778
SSDEEP

49152:AsBZfN9yei2T2EtHagHclR8RnS6b1c4H7k8/CWf9PmFnMFrvGf:vZ1ZixsHagHcr87+fsJ1sMFrvK

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5tJ3Xx4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5tJ3Xx4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5tJ3Xx4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5tJ3Xx4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5tJ3Xx4.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5tJ3Xx4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5tJ3Xx4.exe

Executes dropped EXE 4 IoCs

pid	Process
1044	hZ3sk24.exe
3760	aA5bh82.exe
1644	2mL9740.exe
3608	5tJ3Xx4.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5tJ3Xx4.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5tJ3Xx4.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	hZ3sk24.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	aA5bh82.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000300000001e7df-19.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 13 IoCs

pid	Process
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe
3608	5tJ3Xx4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
904	msedge.exe
904	msedge.exe
1056	msedge.exe
1056	msedge.exe
3152	msedge.exe
3152	msedge.exe
4880	identity_helper.exe
4880	identity_helper.exe
6108	powershell.exe
6108	powershell.exe
6108	powershell.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4364	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4364	AUDIODG.EXE
Token: SeDebugPrivilege	3608	5tJ3Xx4.exe
Token: SeDebugPrivilege	6108	powershell.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
1644	2mL9740.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe
3152	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3608	5tJ3Xx4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1044	1160	8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe	90
PID 1160 wrote to memory of 1044	1160	8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe	90
PID 1160 wrote to memory of 1044	1160	8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe	90
PID 1044 wrote to memory of 3760	1044	hZ3sk24.exe	91
PID 1044 wrote to memory of 3760	1044	hZ3sk24.exe	91
PID 1044 wrote to memory of 3760	1044	hZ3sk24.exe	91
PID 3760 wrote to memory of 1644	3760	aA5bh82.exe	92
PID 3760 wrote to memory of 1644	3760	aA5bh82.exe	92
PID 3760 wrote to memory of 1644	3760	aA5bh82.exe	92
PID 1644 wrote to memory of 3152	1644	2mL9740.exe	95
PID 1644 wrote to memory of 3152	1644	2mL9740.exe	95
PID 1644 wrote to memory of 1676	1644	2mL9740.exe	97
PID 1644 wrote to memory of 1676	1644	2mL9740.exe	97
PID 1644 wrote to memory of 1268	1644	2mL9740.exe	98
PID 1644 wrote to memory of 1268	1644	2mL9740.exe	98
PID 3152 wrote to memory of 3472	3152	msedge.exe	100
PID 3152 wrote to memory of 3472	3152	msedge.exe	100
PID 1268 wrote to memory of 828	1268	msedge.exe	99
PID 1268 wrote to memory of 828	1268	msedge.exe	99
PID 1676 wrote to memory of 3732	1676	msedge.exe	101
PID 1676 wrote to memory of 3732	1676	msedge.exe	101
PID 3760 wrote to memory of 3608	3760	aA5bh82.exe	103
PID 3760 wrote to memory of 3608	3760	aA5bh82.exe	103
PID 3760 wrote to memory of 3608	3760	aA5bh82.exe	103
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104
PID 1676 wrote to memory of 1456	1676	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe
"C:\Users\Admin\AppData\Local\Temp\8647351f3a2882d4d6c37d3d41e4c42b1bdc80d61f9f7572e262f7e7381b9144.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hZ3sk24.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hZ3sk24.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aA5bh82.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aA5bh82.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3760
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mL9740.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mL9740.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:3152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x104,0x170,0x7ffebcb946f8,0x7ffebcb94708,0x7ffebcb94718
        6⤵
        
        PID:3472
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
        6⤵
        
        PID:1524
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:904
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
        6⤵
        
        PID:2444
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
        6⤵
        
        PID:3288
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        6⤵
        
        PID:3748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3888 /prefetch:1
        6⤵
        
        PID:5088
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
        6⤵
        
        PID:1380
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
        6⤵
        
        PID:5544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6076 /prefetch:8
        6⤵
        
        PID:4484
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6208 /prefetch:8
        6⤵
        
        PID:5496
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
        6⤵
        
        PID:5460
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
        6⤵
        
        PID:5748
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
        6⤵
        
        PID:2608
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
        6⤵
        
        PID:4560
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7240 /prefetch:8
        6⤵
        
        PID:4688
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7240 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4880
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2232,7264704599751091326,8277650228053912969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5348 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffebcb946f8,0x7ffebcb94708,0x7ffebcb94718
        6⤵
        
        PID:3732
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,2864224000523696155,13267127014537762412,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
        6⤵
        
        PID:1456
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,2864224000523696155,13267127014537762412,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffebcb946f8,0x7ffebcb94708,0x7ffebcb94718
        6⤵
        
        PID:828
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,8841196322009160925,2907787818861546712,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1056
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8841196322009160925,2907787818861546712,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        6⤵
        
        PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5tJ3Xx4.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5tJ3Xx4.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Executes dropped EXE
      Windows security modification
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3608
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:6108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5972

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x150 0x2d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b810b01c5f47e2b44bbdd46d6b9571de

SHA1
8e3d866cf56193ca92a9b74d1c0e4520b5a74fdc

SHA256
d1100cf9e4db12cc60cce6e0e2e3d9697e762c219f6068eb55a1390777bf4b45

SHA512
6bbf900b2f7614dd17aa6d5febe3ad1100851e2309ba2cd5219c5aa5af7bf830eec2cc88071d37987aa7e3f527b8df5b2d85e8b21b18fcb071baaab1a2eadae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
242c4fe16faf4d947bab259c43bc2020

SHA1
a1a27f4c358d60a14945bac478d1b28d35a02152

SHA256
26bd833ca52a0d62d85c4f191d68bc3a1d449ac2ae9e2108d92ac5b00821d24a

SHA512
3e24157184d6b1eb7195d0dd1ed5a3d0311a521249f4a41ae87f4830768b8c736a298452c1ec502eef74f44718fcdc56e0f1542aba049117df139e00bb45bbf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4c5983782375fe1d79b3f95af26c4012

SHA1
a8726c687172c02382a6a2e3cb6f4368a51fbaed

SHA256
6127df02f52c1deb82fa0e544ab91e878d1f9a5296c1e8896fd16721d44abcb1

SHA512
da2a08877220d396a7b79fc52d779a5d53bdaa8a8b504092af7c5a8abe8ceecfddfd2d15276fbc2e0902c8a26ed9bec03e802f761e484957debbca6c1e6c8f82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1589225c8defc5b47e930c0fffb4962f

SHA1
be618a53ac5d0bc4e6f17917f527f17cbceea218

SHA256
33c36e21d3f95d5aa5d57325e0273b9ba3816429c9800153682807c0a678d85d

SHA512
a617adb72c72ac5af7a6e134e49b4686cd6e2bfa035f2a20c0b0281f6af0b8c28a81d56ef454714e6b6e81e12e077e570d42886a6ae78e92cd7f1506b100f8e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
248df8fc81995f40d2ba092b522154e6

SHA1
507e0f2c7aa001df86c7cd8fb4415e3837955b8f

SHA256
2e1e96b87fd9cbac2341bc56a4edbd345dcb607ef1112a4bc2ec865c1ad0b045

SHA512
f87f394fb3a24e55a88dd1a9f47aa6b2def448c41b656976154ea7174b1403d9c818d12486dc0a8e65e96e46794ca4b564ac6be95afd9f9a3515c437c3d0fca3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52a8f683da7c74f51d4b3c2bcc6f4d4c

SHA1
1c5c05a8785c44c937b4394dc288e5251a385317

SHA256
8485e68d1f4c4d70b7800d1894f8bd307e0574864289f4489b3be1c7c3a8eda2

SHA512
46e5725a67e16fe15d1cb4c8d8d0203d8ecba0ec011763e051de7dc5d26fad535b5c353af4b9f09c687e4fc49e061dee9b23d112d9b9e9e84c76fb7a4f905911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef9629187722c470b3111c45713dfc3b

SHA1
26e3e55f34b39702292cd6aa0d30631fbf3a68a4

SHA256
5bbf9a07c12bfff9642f70bd8fac21a0b9893d3de67e33613d2fa481e4cbfdaf

SHA512
97ad5be8cd05b809bd83383c2352bac81e86c253022069a7a52062f1b0fdd3ae40f0b35335475cec8644f18e462d24a733eb7a5c6c87d670863b9c5f6236dfeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5547c78192a4395c43db6ef0ef3f0b27

SHA1
36b4ac483a792870b6a869e21b146597b091572a

SHA256
f1e457e66f02e4747f1bae2789d95674b20fe56602a80c959615eb613a11699a

SHA512
81ab88814a21ba64aec024e82166a160df148de73c1aba96c90451bb4482e14e5b695e3af47d3df54f6546cdf4c952d04eb7beb08643c2fd17b908a482e0699c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\aa503db7-9097-498d-b5fb-d92f98b17a74\index-dir\the-real-index

Filesize
2KB

MD5
cb854805a4eb746fd590b4fbe6e2a1f6

SHA1
afd4a3219252d588746abec4a9e0c10174a13e41

SHA256
1183c8df8aca4215874f517ff9da331904df2c86a0cf4e5d974f5234cf31be49

SHA512
11d5b3df9826350b5e0500b1c862b0c6a56fa294c5721e67898dedfed5aeeecd3aaaa3573dbf19f1beeda193cde860fa159172fd49e91b8a7552048a94cc788f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\aa503db7-9097-498d-b5fb-d92f98b17a74\index-dir\the-real-index~RFe594915.TMP

Filesize
48B

MD5
b7ed5786c8ccdb21a26b2a0fd7337212

SHA1
91ce97c1193d061e9b1bab57d8f370cc85213e8a

SHA256
ee13e7f5a95d26646d3a60ed38ca6908626b7f2f96da13406e3d917a1bbacbb5

SHA512
3cf97d6a324099e72155dd4db77483ee7ed96908dccb787367e820d3d2c20ca882c065889eb5ae6c377fb6938333b934e91768d35d13c6fe233285f9e4fd45e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
b51cd420aeaab030ace364e3da4426e5

SHA1
c7975d2b66cd606f3efbd2c1ac8d8351b5ee731d

SHA256
165615e9b43b851ad2a563f4d4719ec4926b75506c5f9dde8aef8e8ce0a30a35

SHA512
0dd88b388ac02980967a9456ae303a3dff612894063051a08b2e60fc5009314c4170c5a08f0ff8def2674a64c5bddbfe9bfeaa1c919f2ddab7b6d4bbb92096f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
ce7d2b38610d1aea0f4bb67d16c7a564

SHA1
bda3e4b0492266e8ec0d7cc8ec5d98e2d7876723

SHA256
cc2a33e87d48ce1bbcfef7b5f899419c647de7a9cf230117a1f6fd858405b3aa

SHA512
15163b11d0da126090d4f7b2f0e71943e128e8d82b307625a3085cd2e01102905f89d865ca81d933a740ce6aea21f053f9c59d8a21408c9588209e3df3c1a825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
e471904716c352b6bb0dc20d4fdd8032

SHA1
18728fa008f316ad98a2e6732ebc3b0e419450e4

SHA256
c4ec17775fbf1078f9f7af326c9a0aec919537bac37ec91d337bdfc4ced757bb

SHA512
e3a51a0d1cf33b682683bdce570bbade0368b9314577e1e7138523113e54cd26e07de4490f97301d25ba5d5b7621da123c55b005b8253e6f437e1bc310476c73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
8181baa86f1c0ae2366dbe0ec2f1de05

SHA1
154059a60bfeb0ffb1d407965f0f75da0c57b873

SHA256
f2f095203a53c5eb1b3745f2c3bcb35b6f6a9760c227a2c1f1b9973d26ebcaca

SHA512
ecd6b616d6af9d4cea88eee4dfd1a971602e3e6f6b2fd32764b99938934fd285eafc567638604c2ba7c99b47b760d72344ee48a425c356027664cd30ff3ec489

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
414ba495d44cd3e882761940fc668abf

SHA1
a3ed860d7b09544549b5ad21aabc60cc857b98f8

SHA256
dc7cabca44bc37e0c119a2e5d430ac2422dc0c15ac21918f74e564cc619c1acb

SHA512
ded7754f4516f94ca5fdc6bbce3ee1473d572e740436b100a63ab0d026204fa929da3b0efc9db7d868509e82740c6d8384d0854568d14557ea2a0e0bd40c4486

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58cdab.TMP

Filesize
48B

MD5
c94d2ab917c3124a86c90d44ea3657db

SHA1
dc19974a0efe1a094b242394b13ab81100591ded

SHA256
4fa5e127564cc9245b9ff989b5806f0130c2d5e62070ec3667bcdd68bf72e3ed

SHA512
18663c372134d7fb5f4e188e19c3c26a25b9e72c5d37670cb382b2032d84a17273dec983a81c1864160c6544cf21dafeeccbcf38912bf87563af721a9951d54d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eba2b04926f2f128c29eb44933746289

SHA1
a662cb16846b68b448297ab68959909a86c7b047

SHA256
aa0ca7e246e34449442415e382474603df1fa3d7dcf1d8722b331dbbc1f5b742

SHA512
f306ba1e7844adb8ade78c7ecdbbe3d3bb439de7b1dbbcbcc7115f159f73faba96c24be585f0f2f72e03894a36b09b3d4bb940c6e4c360290508fc51d2a72778

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15630e3624491a11af0bb74f78caf6c0

SHA1
84e72cdf425ba026adac5f2fb440430ca3c652de

SHA256
33685b9a6f0cb24bf5df8b8290eff13c284ca8556b8f3bb31b237d5b21f3238c

SHA512
a5d7d14d906bc05fe59391b740dc6ca55b9786361f1ec591fe42845efda4ca84531be469a12894b1c3c1ef7dbd9b352a88bc5d1e31d5a06db3bd6c2694167b0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c3e5b0879cdcff3dbbc3045bbe796b51

SHA1
1ce76df2f0ecd9cb2bd984f8e247b33c794b74d3

SHA256
b092f069e71098a1e90f965fe1d895ac4af4e64e5df0303e00621275fc763cc4

SHA512
f973699daa3c6d7e74d9934a7e81cf2a305aeafce85db116b5485becc244e48a3e037e0f644661bb0bcb97df33d43acd66da4827a920df387c5965b1090f7850

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58a256.TMP

Filesize
874B

MD5
6fe12fc5ddc00bf7d7807411a0ebc29f

SHA1
a99c817228922d777f8a006ad4337c393bc0eace

SHA256
b86816f898d0764f4c72de3bb0f01cf79c3e1818144d2fa4d3ea83663d7a0b91

SHA512
ef5a5955b6e87cf8c8497b306d663fe1c6146b6d6722e5209cc1baa745ce4fbc194811bdf221e1c13c2774d05267bc5d0d52afb90f79951596c181f2ae3ace99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
6f884ebcec241a3d8fd66d311d691eaa

SHA1
0588979499ea8300ba4b62f4c056d0e26f659f9f

SHA256
96f13bfc3213eee8bc52cc382bbea7439c7a9a91f1a6e99e15b36a5937accc4e

SHA512
16cee6120064d6f13013528c32df4c8debdccd5cd5f85eedf4ed7d098b492140cd1389bc5d24b52754afad4311d8f6b5cdf8127bf91ffffca7400be45a303c4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
8661ed8ab0ee7ab5fff696bf069e5fa3

SHA1
ce17b3fd41112e05cd7fd57520253fe9872848a1

SHA256
1265455cc76aca5c96d1d7ad31ac9fbb00e8a4cbd80c433eac810594164664a8

SHA512
79ebd091422b72cd94489a46895b83e079ffcab0bd0c57d4a43087f766ce23b59c0a0bcf7568d4190c4686b1b850bb79ee4309132cf118ab31bbb0d0147a1523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e5887ee0aaf48ae02c24f4eb65d554fd

SHA1
20f0e83e2659d34a1d0f3879d09eb09c5e2b2cbc

SHA256
798e4a03f68f25053f142c880872a3cfd12869330436a0b64a2ef84eac4e8281

SHA512
8b0b18d917631e7164902ae105ea0db4b26d36f7283a29c48fe3d7e704a076318978a0fe278f53ede60ee7d0033b64328eea6ad14d28e6563c0c6f96305479c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e58f1bce5dd98958ec60babaa73481d

SHA1
6307ddc190d649fb819bb5338fd795f5c3f9f091

SHA256
edda2638f0a9dc4783ca41672d66e71de0681784c3003e888417fe502442b083

SHA512
23ff5a36407dbd3da606a094c716d3114338d8b02d1f9ea6bb402a783cc8f2a59cb0d169b420fd1267611d9babdca6f521d921b7d7e267ffa2c4791c29e1d202

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\hZ3sk24.exe

Filesize
2.4MB

MD5
331286ccfef0f9d93edce15d5ab89f23

SHA1
f569d725f16d033dbd6479cbde513ee4003492c0

SHA256
8640e6333193359bb71c47135ffdd3011eaf882c3987a7c6d54490d15b537486

SHA512
e9b476430ee65b61df079096d8f94097522aacffc96a8faee6e8ed809790012dac0cb67be5739d7b1c51b403b63f1abc5a015200702affd688ca710786c3e49c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\aA5bh82.exe

Filesize
1.9MB

MD5
208367a5ec0e35825acaa8d1bcae6a44

SHA1
4e6c5175652bfe18adfb256bc43e7a9fc13d9400

SHA256
0b50e4d10b9a1916cf99dd7fc11b2626587913c14755908f644542e24d82c0f8

SHA512
defc302f8f1e5b8bd27166bc8cfa356e59cc13a24b729aed829568cf759125442cb27f7ee16900982342039b53427e1e89ca0169c2f770b4c73bb60a62c4045e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2mL9740.exe

Filesize
894KB

MD5
779db1fcaa2b01c67fa62fdcf541137c

SHA1
85aa8928790bc40c8dcfac0585e87526d285905b

SHA256
0b343aceb8665dabb2f978310bc369bcac837bc19c7422d059fd485d50bb2c42

SHA512
b657c28f2159a283214b8ad103492f467e79bbd6465385bde9f15e5c3712433e7d77bf08b5637c2d4dcd7c2fa85fe4704ce0cf4096af4097861762fe10f5a00f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5tJ3Xx4.exe

Filesize
1.5MB

MD5
5029a0767b3bb36cd7105e83778330ea

SHA1
83d56d1f28cf29b87e26917bf17b70edeef7724a

SHA256
d7dd9ecebcbb7f231089d5f387682120d46a895b652f5a9c6ee663b1922fa8b4

SHA512
c2872608b20a7b53414573c30317f1c0bca3ab4e69dd47b21900b63e7b2691c65278d03504314ff4043a33eed5bfe36cff8be13b771a5115bb6aac1691e837ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xogoqezd.lmo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3608-202-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-285-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-525-0x0000000008C10000-0x0000000008C86000-memory.dmp

Filesize
472KB

Download
memory/3608-526-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-619-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-538-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-205-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-34-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-328-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-593-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-165-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-584-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-429-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-586-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-331-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-603-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/3608-500-0x0000000000F00000-0x000000000135E000-memory.dmp

Filesize
4.4MB

Download
memory/6108-616-0x0000000006020000-0x0000000006374000-memory.dmp

Filesize
3.3MB

Download
memory/6108-594-0x0000000005590000-0x00000000055B2000-memory.dmp

Filesize
136KB

Download
memory/6108-595-0x0000000005D80000-0x0000000005DE6000-memory.dmp

Filesize
408KB

Download
memory/6108-596-0x0000000005DF0000-0x0000000005E56000-memory.dmp

Filesize
408KB

Download
memory/6108-590-0x0000000005650000-0x0000000005C78000-memory.dmp

Filesize
6.2MB

Download
memory/6108-589-0x0000000004FE0000-0x0000000005016000-memory.dmp

Filesize
216KB

Download
memory/6108-585-0x00000000735C0000-0x0000000073D70000-memory.dmp

Filesize
7.7MB

Download
memory/6108-617-0x00000000735C0000-0x0000000073D70000-memory.dmp

Filesize
7.7MB

Download
memory/6108-618-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/6108-588-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download
memory/6108-620-0x0000000004FD0000-0x0000000004FE0000-memory.dmp

Filesize
64KB

Download