hxxps://u[.]to/1J1rIA

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-03-2024 20:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://u.to/1J1rIA

Score

8^/10

persistence

Malware Config

Signatures

Modifies Installed Components in the registry 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

unregmp2.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Version = "12,0,19041,1266"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\IsInstalled = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\Stubpath = "%SystemRoot%\\system32\\unregmp2.exe /ShowWMP"	unregmp2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}\DontAsk = "2"	unregmp2.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

unregmp2.exe

description ioc process

File opened for modification C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini unregmp2.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

unregmp2.exewmplayer.exe

description	ioc	process
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe

Drops file in Program Files directory 1 IoCs

Processes:

unregmp2.exe

description ioc process

File opened for modification C:\Program Files\Windows Media Player\wmplayer.exe unregmp2.exe

description	ioc	process
File opened for modification	C:\Program Files\Windows Media Player\wmplayer.exe	unregmp2.exe

Drops file in Windows directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

unregmp2.exemspaint.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Video\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}\ = "Toggle DMR Authorization Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000_Classes\Local Settings	mspaint.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}\ = "Open Media Sharing Handler"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command\DelegateExecute = "{45597c98-80f6-4549-84ff-752cf55e2d29}"	unregmp2.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemspaint.exe

pid	process
1036	msedge.exe
1036	msedge.exe
3316	msedge.exe
3316	msedge.exe
4468	identity_helper.exe
4468	identity_helper.exe
2192	msedge.exe
2192	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
720	mspaint.exe
720	mspaint.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

Processes:

msedge.exe

pid	process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

unregmp2.exewmplayer.exe

description	pid	process
Token: SeShutdownPrivilege	3844	unregmp2.exe
Token: SeCreatePagefilePrivilege	3844	unregmp2.exe
Token: SeShutdownPrivilege	2444	wmplayer.exe
Token: SeCreatePagefilePrivilege	2444	wmplayer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exewmplayer.exe

pid	process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
2444	wmplayer.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe
3316	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mspaint.exeOpenWith.exe

pid process

720 mspaint.exe
4260 OpenWith.exe

pid	process
720	mspaint.exe
4260	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3316 wrote to memory of 4208	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 4208	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 3260	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1036	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 1036	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe
PID 3316 wrote to memory of 640	3316	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://u.to/1J1rIA
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2a3446f8,0x7ffb2a344708,0x7ffb2a344718
2⤵
PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
2⤵
PID:3260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
2⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:2720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
PID:2608

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3468 /prefetch:8
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
2⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3828 /prefetch:8
2⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
2⤵
PID:1252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
2⤵
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
2⤵
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
2⤵
PID:3464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5576 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,3335530791070669893,3149013642734800858,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
PID:3416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1908

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\ConvertToPop.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:720

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4260

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
PID:2236

C:\Program Files (x86)\Windows Media Player\setup_wm.exe
"C:\Program Files (x86)\Windows Media Player\setup_wm.exe" /RunOnce:"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
2⤵
PID:2620

C:\Windows\SysWOW64\unregmp2.exe
C:\Windows\system32\unregmp2.exe /ShowWMP /SetShowState /CreateMediaLibrary
3⤵
PID:3588

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /ShowWMP /SetShowState /CreateMediaLibrary /REENTRANT
4⤵
- Modifies Installed Components in the registry
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Modifies registry class
PID:4904

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Relaunch /Play C:\Users\Admin\Desktop\CloseRegister.wm
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2444

C:\Windows\SysWOW64\unregmp2.exe
"C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
2⤵
PID:1192

C:\Windows\system32\unregmp2.exe
"C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:3844

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:4944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cbec32729772aa6c576e97df4fef48f5

SHA1
6ec173d5313f27ba1e46ad66c7bbe7c0a9767dba

SHA256
d34331aa91a21e127bbe68f55c4c1898c429d9d43545c3253d317ffb105aa24e

SHA512
425b3638fed70da3bc16bba8b9878de528aca98669203f39473b931f487a614d3f66073b8c3d9bc2211e152b4bbdeceb2777001467954eec491f862912f3c7a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
279e783b0129b64a8529800a88fbf1ee

SHA1
204c62ec8cef8467e5729cad52adae293178744f

SHA256
3619c3b82a8cbdce37bfd88b66d4fdfcd728a1112b05eb26998bea527d187932

SHA512
32730d9124dd28c196bd4abcfd6a283a04553f3f6b050c057264bc883783d30d6602781137762e66e1f90847724d0e994bddf6e729de11a809f263f139023d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
480B

MD5
b01415f91bce5233ad2ded1a2a36aaea

SHA1
7f41d067a037b37b752297bc5e172eee7566560d

SHA256
886aaaa94133a06c0ae17c3a5f48600ad73d1d454714d39bcacf62b9e6bc6870

SHA512
23a009a345be97c90e90122a8123dd252b2e59a6ae71ebe8a319e6dea645249f8b1c51775f2439cc342b11ee2fa2ace17228aed9dbaf16300dbaba47fbf962c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
456B

MD5
7f2cb8ff0698180171ca35fbef9128ce

SHA1
64ceb87eb6589829f78b38dfe36c9c1dee276af9

SHA256
9fe5d690bf040955f88ea7e6542a7a3ccc6221bfdec481d0aa089d54bc2848d7

SHA512
9035fcb5fbb890d644a1960a81aed2e62412e02c2317bb55d12359d6ddab64d9b84bcbfa1db29a755f327dcb8d0592f499794aa17b6fe75c3afcf759372cae36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
c320d63d65178305c9e6c230166db68b

SHA1
dad87814670f1001c4fbc882f0e1356f10425273

SHA256
9cf44c7dd53641c94a665dd925c4ac74747bcec1a95f7cf3144c07ac8eb2a700

SHA512
c2b5f28bd35ceadbff095263b9cff1f49d89cfaefb71cf83aafcb507aa9455bd307ba2e491582de468ed02b261d0033196b97e312e06f0a891002a230ef5f831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
ffd34bc20da6e4ae7b5118651bd37e67

SHA1
edf0aeb38a4059fdf4234ffac2bccfe851251bb4

SHA256
2ce5e1b6802c0bde174745a847bdee44246f3d0b32d32cbdee4980c73d29786f

SHA512
8b1dc59c41d35b8c588923ca28ee179b7569b9f26ff6cb1692bb1ed8fd05e635431da0b9a00fb4053189c983fc1e45c83414ccf3ffe5c06b194e2062931a6052

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9a8674a352d44931b66d0d0fde27f984

SHA1
d067f9ef111bf3d4234b3584e8c00ff51072d881

SHA256
ec97c5b1b96c0bde43463aa2581b7cc30a3af269f241005a8e63cbab2df8bf2a

SHA512
fe80058d41d4380ec9ae3f92fb8aaf341e534ff473055aa58e0354b8779d628ffbe3203678f52e815af21b0961922d159635b794a9f7b03fa8c63d6562c23483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d9ba94acf82be8c2ccc6a4807e8b8801

SHA1
b967faf9d17902d0dfc88b11665c2da4f24ee4d3

SHA256
e74640dfaad02786130fd13a4b710c880e36861abe8121c4be1222bb959fb1d3

SHA512
5743015d122923a6d5d5ef20697fe7fbe1ad774e670de0620b0698cf5d2c676eb0b7f94c3c43f4382cbb4d2faa331df3375bf27c99c016b547ef30a965724cc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f0d89e29a7a6cbad07d11f8bc572cdb5

SHA1
73f3b4d90589c395802ed4ae5d787d0e2c2fe27f

SHA256
6015c5da1d3c8dad6a63972150b75d6c32faa17eef1c39d490a740b68cca0b83

SHA512
f0c7e37fdbd5522be0b484547f0ef05f53b620bd083cc4c1635a931587631e4534b8babaa98578e734a404d3461b5d1d768533449607468c78d9eb418166db9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
934f5f42eb09436a8545dd42c90e8036

SHA1
73854c5fd3260782746f11b29d59e6870930bfb5

SHA256
4db667b7db671a4a8699eeea288599c749ff9fb265538759ac047556bfce4f68

SHA512
a768153514efdee31f9cf0cd1d058297d778cb5d18dcbfd8f4dd3c54ff521802a8c18f8c664f19cd0725f84a91da969c7f7e5054b778647bd1801851cc5fd52a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
b866430dd4e4615316ee55d532b8e32e

SHA1
748e6703d792accf3bf4df93b8b4273e0331fa31

SHA256
6308aa71fed5fb1d744e33faf3d6007d81f1ddc103fae28bab5836a135bfcf69

SHA512
448b21882359a276b3a7d5f2f4585682964087e6fae5358ffc6d2e66333c60510e0dec3b213ff631fc04b8f7baef9e94a121a56beafdcb8501a8e9557e8c3067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
73346e23ff5017c75130a0f6509f9511

SHA1
31b621304e4566961cc935bc13f7743fdf394ac6

SHA256
868b2604849eecd622acf33bd58013947eba657480ed668804a33a1e16e9816f

SHA512
4ef516271f792878962985fe0fd5e47fdf31575a4b79de9c9d5084bc5d7ffb96bb61f89ddff6b0a099b6565e3a3567d34897eff778c0e396175ed0548e256d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
64KB

MD5
987a07b978cfe12e4ce45e513ef86619

SHA1
22eec9a9b2e83ad33bedc59e3205f86590b7d40c

SHA256
f1a4a978ce1c4731df1594043135cf58d084fdf129dd1c8e4507c9e06eac5ea8

SHA512
39b86540e4d35c84609ef66537b5aa02058e3d4293f902127c7d4eac8ffc65920cb5c69a77552fc085687eed66e38367f83c177046d0ecb8e6d135463cc142aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
Filesize
1024KB

MD5
162e209fa92c54ab7e4f36f4a8761d6e

SHA1
2b05f9b112b51d26037ce08631e38607d24f86f2

SHA256
d8dccd6871c672ee7b93df2aea21e153ec146d36547f18a36a0d9ac5f988cc8f

SHA512
542d27a0807c479666bf2bca9ef60b731b627339ce93a674c9781c783fba6683732238b9ceac0fe91b40283b43bb0c2302766b53ad5f20763df6f1b659a0bb6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log
Filesize
1KB

MD5
2432c2cfe835103e8281863f89ee060f

SHA1
ac32e96a206a925f3cad64d451e601b6425db4bb

SHA256
691b86b20303aba5eb9f81208cbf86b0681e64122de0f47b83712a4f74360bca

SHA512
38710dfc302221ca552e25a53347f53789a61ed2c98c4d9c9871998a0e5961074283df334dd8997846da27e9108046c1e3f8ac0439a6c01089e299a958f3b0e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
\??\pipe\LOCAL\crashpad_3316_FVVMVHUKTTICXIUP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1092-425-0x00000263F52F0000-0x00000263F52F1000-memory.dmp

Filesize
4KB

Download
memory/1092-424-0x00000263F52F0000-0x00000263F52F1000-memory.dmp

Filesize
4KB

Download
memory/1092-423-0x00000263F5260000-0x00000263F5261000-memory.dmp

Filesize
4KB

Download
memory/1092-426-0x00000263F5300000-0x00000263F5301000-memory.dmp

Filesize
4KB

Download
memory/1092-427-0x00000263F5300000-0x00000263F5301000-memory.dmp

Filesize
4KB

Download
memory/1092-421-0x00000263F5260000-0x00000263F5261000-memory.dmp

Filesize
4KB

Download
memory/1092-419-0x00000263F51E0000-0x00000263F51E1000-memory.dmp

Filesize
4KB

Download
memory/1092-412-0x00000263EC590000-0x00000263EC5A0000-memory.dmp

Filesize
64KB

Download
memory/1092-408-0x00000263EC550000-0x00000263EC560000-memory.dmp

Filesize
64KB

Download
memory/2444-475-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-484-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-473-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download
memory/2444-479-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-481-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-480-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-483-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-476-0x0000000008FE0000-0x0000000008FF0000-memory.dmp

Filesize
64KB

Download
memory/2444-478-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-477-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-474-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-487-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-486-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-485-0x0000000008FD0000-0x0000000008FE0000-memory.dmp

Filesize
64KB

Download
memory/2444-472-0x0000000004730000-0x0000000004740000-memory.dmp

Filesize
64KB

Download