sectoprat | 19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3

Resubmissions

29-04-2024 23:38

240429-3mv2qsdg77 10

29-04-2024 19:52

240429-ylvx5abe9s 10

Analysis

max time kernel
1045s
max time network
1054s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 23:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe
Size

347KB
MD5

f22010f23446baebc9bc52f97b0b2df8
SHA1

8f5ccc85fb2eea1f496402df21faf0f988a196f2
SHA256

19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3
SHA512

bb72d18151c438b67f047689e48970849b7352d990beba3eaebdecb0f62b3ced2205ae55cd76871dff925ba7b8ba25d5354340993753679932e51efcdf3c6e96
SSDEEP

6144:dD0MWKPc0wJk+uRjiu4FpXFr9TgvzI3OrfP:aMWPJKQFpXFR0vzjP

Score

10^/10

sectoprat stealc zgrat discovery rat spyware stealer trojan

Malware Config

Extracted

Family

stealc

http://185.172.128.150

Attributes

url_path
/c698e1bc8a2f5e6d.php

Signatures

Detect ZGRat V1 3 IoCs

resource	yara_rule
behavioral2/memory/448-162-0x00000214A2930000-0x00000214A6228000-memory.dmp	family_zgrat_v1
behavioral2/memory/448-163-0x00000214C0AD0000-0x00000214C0BE0000-memory.dmp	family_zgrat_v1
behavioral2/memory/448-167-0x00000214C0A10000-0x00000214C0A34000-memory.dmp	family_zgrat_v1

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/1688-195-0x0000000000700000-0x00000000007C6000-memory.dmp	family_sectoprat

Stealc
Stealc is an infostealer written in C++.
stealer stealc
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	u18g.3.exe

Executes dropped EXE 3 IoCs

pid	Process
3312	u18g.0.exe
2768	run.exe
1380	u18g.3.exe

Loads dropped DLL 3 IoCs

pid	Process
2768	run.exe
3312	u18g.0.exe
3312	u18g.0.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2768 set thread context of 4960	2768	run.exe	106
PID 4960 set thread context of 1688	4960	cmd.exe	113

Drops file in Program Files directory 41 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\MessageRpc.Net.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Newtonsoft.Json.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\ACResources.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Incinerator.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.mshtml.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.Prism.Interactivity.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\NLog.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\msalruntime.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Identity.Client.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Identity.Client.Desktop.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WSC.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.Diagnostics.DiagnosticSource.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Win32.TaskScheduler.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\SMInfrastructure.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\log4net.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.IdentityModel.Abstractions.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Identity.Client.NativeInterop.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\EndpointProtectionClient.Net.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\defrag.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.AI.ServerTelemetryChannel.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Web.WebView2.WinForms.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\SMCommon.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\EndpointProtectionInterfaces.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.Memory.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WebView2Loader.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Expression.Interactions.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.Prism.MefExtensions.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.ValueTuple.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\gpp.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Incinerator.exe	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Web.WebView2.Core.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\System.Net.Http.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\WSC.exe.config	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\DotNetZip.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\SDKModels.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.ApplicationInsights.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Identity.Client.Broker.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.EnterpriseLibrary.Common.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Web.WebView2.Wpf.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.Prism.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
File opened for modification	C:\Program Files\iolo technologies\System Mechanic\Microsoft.Practices.ServiceLocation.dll	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3160	1600	WerFault.exe	90
3040	3312	WerFault.exe	100

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u18g.3.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u18g.3.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	u18g.3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	u18g.0.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	u18g.0.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{301AFCA4-15E7-4ACF-961F-E0B962058331}	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2768	run.exe
2768	run.exe
2768	run.exe
4960	cmd.exe
4960	cmd.exe
4960	cmd.exe
4960	cmd.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
3312	u18g.0.exe
1688	MSBuild.exe
1688	MSBuild.exe
3312	u18g.0.exe
3312	u18g.0.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
1688	MSBuild.exe
1688	MSBuild.exe
1688	MSBuild.exe
1688	MSBuild.exe
1688	MSBuild.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2768	run.exe
4960	cmd.exe
4960	cmd.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
Token: SeDebugPrivilege	1688	MSBuild.exe
Token: SeDebugPrivilege	3400	taskmgr.exe
Token: SeSystemProfilePrivilege	3400	taskmgr.exe
Token: SeCreateGlobalPrivilege	3400	taskmgr.exe
Token: 33	3400	taskmgr.exe
Token: SeIncBasePriorityPrivilege	3400	taskmgr.exe
Token: SeDebugPrivilege	1448	firefox.exe
Token: SeDebugPrivilege	1448	firefox.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
1448	firefox.exe
1448	firefox.exe
1448	firefox.exe
1448	firefox.exe

Suspicious use of SendNotifyMessage 45 IoCs

pid	Process
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
1380	u18g.3.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
3400	taskmgr.exe
1448	firefox.exe
1448	firefox.exe
1448	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2768	run.exe
2768	run.exe
1688	MSBuild.exe
1448	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 3312	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	100
PID 1600 wrote to memory of 3312	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	100
PID 1600 wrote to memory of 3312	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	100
PID 1600 wrote to memory of 2768	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	102
PID 1600 wrote to memory of 2768	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	102
PID 1600 wrote to memory of 2768	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	102
PID 1600 wrote to memory of 1380	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	103
PID 1600 wrote to memory of 1380	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	103
PID 1600 wrote to memory of 1380	1600	19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe	103
PID 2768 wrote to memory of 4960	2768	run.exe	106
PID 2768 wrote to memory of 4960	2768	run.exe	106
PID 2768 wrote to memory of 4960	2768	run.exe	106
PID 2768 wrote to memory of 4960	2768	run.exe	106
PID 1380 wrote to memory of 448	1380	u18g.3.exe	112
PID 1380 wrote to memory of 448	1380	u18g.3.exe	112
PID 4960 wrote to memory of 1688	4960	cmd.exe	113
PID 4960 wrote to memory of 1688	4960	cmd.exe	113
PID 4960 wrote to memory of 1688	4960	cmd.exe	113
PID 4960 wrote to memory of 1688	4960	cmd.exe	113
PID 4960 wrote to memory of 1688	4960	cmd.exe	113
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 4876 wrote to memory of 1448	4876	firefox.exe	122
PID 1448 wrote to memory of 2532	1448	firefox.exe	123
PID 1448 wrote to memory of 2532	1448	firefox.exe	123
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124
PID 1448 wrote to memory of 3112	1448	firefox.exe	124

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe
"C:\Users\Admin\AppData\Local\Temp\19f69ab66f36fec6887b22cd80df485311a63cf71eeb3e76e5824822c64b22f3.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1600
- C:\Users\Admin\AppData\Local\Temp\u18g.0.exe
  "C:\Users\Admin\AppData\Local\Temp\u18g.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:3312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 2364
    3⤵
    - Program crash
    PID:3040
- C:\Users\Admin\AppData\Local\Temp\u18g.2\run.exe
  "C:\Users\Admin\AppData\Local\Temp\u18g.2\run.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1688
- C:\Users\Admin\AppData\Local\Temp\u18g.3.exe
  "C:\Users\Admin\AppData\Local\Temp\u18g.3.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe
    "C:\Users\Admin\AppData\Local\Temp\iolo\dm\SystemMechanic_5488CB36-BE62-4606-B07B-2EE938868BD1.exe" /eieci=11A12794-499E-4FA0-A281-A9A9AA8B2685 /eipi=5488CB36-BE62-4606-B07B-2EE938868BD1
    3⤵
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:448
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1532
  2⤵
  - Program crash
  PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1600 -ip 1600
1⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4060 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3208 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:3
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3312 -ip 3312
1⤵
PID:3996

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3400

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.0.116479672\365816665" -parentBuildID 20221007134813 -prefsHandle 1880 -prefMapHandle 1872 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f814ae10-f9f4-4808-ba63-ad9cb3dad4c5} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 1960 1c3ba4f5558 gpu
    3⤵
    PID:2532
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.1.78054152\1383331210" -parentBuildID 20221007134813 -prefsHandle 2340 -prefMapHandle 2336 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9faa06d6-d3d0-4b70-a87f-f32d52dd9810} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 2360 1c3ada72b58 socket
    3⤵
    - Checks processor information in registry
    PID:3112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.2.825232672\690877959" -childID 1 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c4e37113-7725-46ca-b429-6498510266f2} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3136 1c3be3b8e58 tab
    3⤵
    PID:1844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.3.519169887\221205713" -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 3600 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f8edb0e4-aff6-4b19-a344-b3fe664231d3} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 3612 1c3bcab7f58 tab
    3⤵
    PID:1380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.4.156136780\967548529" -childID 3 -isForBrowser -prefsHandle 3992 -prefMapHandle 3988 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b51edd4-6410-4dee-8603-c8b8fbbeb863} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 4000 1c3bcab5b58 tab
    3⤵
    PID:3904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.5.1197417397\1694866407" -childID 4 -isForBrowser -prefsHandle 5124 -prefMapHandle 5000 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4b4ea254-e644-432a-9c5c-b9618e6f96ba} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 5132 1c3ada65058 tab
    3⤵
    PID:2188
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.6.925261213\301035715" -childID 5 -isForBrowser -prefsHandle 5280 -prefMapHandle 5284 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {11c93a53-d998-4252-9d01-84b6b3b6117b} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 5272 1c3c0c46c58 tab
    3⤵
    PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.7.855927744\119835662" -childID 6 -isForBrowser -prefsHandle 5544 -prefMapHandle 5540 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f2f343d-50dd-407a-b7f3-4eaf70dbbc82} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 5460 1c3c0c71558 tab
    3⤵
    PID:2856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1448.8.286414249\1435368410" -childID 7 -isForBrowser -prefsHandle 5916 -prefMapHandle 4904 -prefsLen 26285 -prefMapSize 233444 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b96b529-71c0-4729-88c0-24d6d487af62} 1448 "\\.\pipe\gecko-crash-server-pipe.1448" 5928 1c3bcab5858 tab
    3⤵
    PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=1036 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:5772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=3828 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4728 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:8
1⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5772 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:6004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5616 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5576 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:6088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=5688 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --mojo-platform-channel-handle=5800 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:1
1⤵
PID:3164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2a0,0x7ff980c42e98,0x7ff980c42ea4,0x7ff980c42eb0
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2212 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:2
  2⤵
  PID:184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2360 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:3
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3368 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4356 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4356 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3956 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4612 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=4412 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3948 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2216,i,11028465655555796927,13741561460198957515,262144 --variations-seed-version /prefetch:8
  2⤵
  PID:3372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\iolo technologies\logs\bootstrap.log

Filesize
4KB

MD5
e61ac364f47e22e07350b40ac9100436

SHA1
3e8c1210c6740afa8c38efab526d6f16f0cfd7c4

SHA256
822480fd8068c477f94decee1997f8b80f88dbd3473239cd2741e68e5175f716

SHA512
01bc90b0955bffe8d107b55eaaa1a5d74007fc92463d9e95abe2020a5b9ab384d04cd08bd879251135eb8869b8d8f5814031eca2df34db0d23161633421daaa9

Download Submit
C:\ProgramData\mozglue.dll

Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\nss3.dll

Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
086d7b1acf9ac891e4a1da272815d4dc

SHA1
1376ed9c5b967853f3204c004c7f71ba4f11f38e

SHA256
49c205e00b8212881bb9e8cfc209fb0d38d8dcd2057e3e1619a869b4a512f862

SHA512
8c3311e9b3c138323b4b7ab217edec0511e74267b4ae2369e223720a7387c6299ff083d6728fe78b86b5194d964be52682d3d7267910bf7b373653bf18eef978

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
6887d23fd3b65d80e716c3b867af3e44

SHA1
51ac1c465051e416847460f4f2ab9e284c60b5c0

SHA256
4081a02624edcfab307ba78537562c79510a87161486fcb9c8ec1154b300f52d

SHA512
9d78f6fd288451aaec178f55f2d9a42191f603fab37c6647c71a921f7fcb29f51c598ddf7b6a9a619f573d72bedccf7a8162dd925555e64291804543a83361ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
264KB

MD5
453d4b6320dcfaa87aef51c45aa9df69

SHA1
7d0f9059e3dfcc9cc010f2ffb9ec75a2549b1485

SHA256
fc7a886d9fde0f8673115ef2af636724206fcb11a692cfb8c266fb1c59c95bf5

SHA512
c9b3321bc5caa1ff84c4a9349d9193f2a19267471b36fed137488327497729079274930763a680d797e4982d6f3ee169985852013090d50acdf88a9c81aa8ac3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
fb65fbbcfdbca7342377cae37e007618

SHA1
336eb500c173917444f373e3b6b55c540dc882da

SHA256
325c6fc036607372b1693fc6ffbb2687b2145f8cc5efca62d1b18913e88c9817

SHA512
fa978c1fed9f6c7d5fc2393d695b9380d1937863cc7b33a04f22e87d4a4f17334ae3c5c45cc4f5ae291d2c0a5f8c7e18207de1a3acbfba38350fac355abb5414

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

Filesize
4.0MB

MD5
4bf48bb8e6653b27a8a25e3a54daf594

SHA1
34c650601846b4d12517e2f6b3fa5060ed7e239d

SHA256
f1f9e4b61904d36d8e6eee3179d8289d8d85ded3c9ffa7928ab19e88e6d656ee

SHA512
22e9183bd95ce91178914ffe4beffe4576950835f626a24e73789feb953c0a38e09591c3a64f4d0195c645d5364d1f22e205b42188d66c18cc9db1245be16615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000001

Filesize
49KB

MD5
1b47c227582d2f07f152cb8f223ab9f9

SHA1
3323ec93302bf2cdf1de265ee376ab60c901a81c

SHA256
4f662151beec1a3515ca2aec59ade23f54c50fdaad0c078cc84aa14f82545dbb

SHA512
6a8ab48f308ab74d6f504231da1d80e28901affb6bcccfa4743d3c15294c1074e591b9dfe03429e03a67e423351881e7e3b3a4e7e7eb71624ab47808e9a1b97d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000002

Filesize
119KB

MD5
7c3ffa2a7ba245d83ce9c06a27b9c6a3

SHA1
948de6476cee4c421969af7100a4b0079b89f705

SHA256
7713cfa2b65066b862fe4b3d9467d1d3e9dae29e6ac19723ba19c363856b986b

SHA512
77f0c025baf6730f2d09e92b2cc7305b2298fdc8386dd34596451c869779a74a192727ed9dddb023be11b54f54d122289e857001bd90a79ced7199b8b304d64c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000003

Filesize
21KB

MD5
5abe097d454a6144319c1e37c896e912

SHA1
7df44715f401dcccaf4f9b8c72eac3bc286d2483

SHA256
b44dedb31962c3040ccea097836cddfe4330a909368c7d6a6b3797eac645c4fd

SHA512
bf830ad0059143c222c83daae09b95f81cdfce269e4b2464d06af8d9e18af30aac8a50a59cec0d43654caa9dff44d06b6b6804e599976cf3eb5f4023b9b24a6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000004

Filesize
26KB

MD5
0c6f3c11f96d5d9826d3caa18767bc18

SHA1
454e8573efd5b56d2d8ff11a698fbe6833cbee0b

SHA256
89fed7e275f2991f2a8f8176e09ecdbf865d8d9373f6d8a988d570274e5d8d56

SHA512
d4da000cb558461360f7534a06c595c5ab942b7c8443e8ea237856331c17bb39824a074dbff083aa2fd4cc964ce74b415e020345d1177c9d5e46f825b32cae7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000005

Filesize
469KB

MD5
872b4b6417af52709cf7b340e3ee17ad

SHA1
022ff7be1c6584400d6d520d9eff870d2816322b

SHA256
19a81a72aba844ab4e8f4ef924b4df40ee47fafd8ffebd97afa348a0c81ae740

SHA512
9bc95cb129895d64efa1415c48e16339d6747e3f84ee34019f2a22811864756e8882da291c68d7f4243fca5ea65b8a09854353be2f82bbf3340825bfb857fca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000006

Filesize
526KB

MD5
4b70d1b6eb1b106021e197a81a7e6352

SHA1
e1792c9ca8f7143d01bbc353ae57680c41846fe9

SHA256
e1966aa3ba4ccea31a9e19a82521ee689de361ea10a63e89e628bae663a607b8

SHA512
741419607de2c9a5a1f6be4c72e9892012c6140b157af3ddf3e23d21db133448760e64befc943efbe47a4fcb80e981fd0f6e3921b0b9079cdaf013691c1c6927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000007

Filesize
31KB

MD5
b9f443ceb800767b570f983490e3c75c

SHA1
69e7842589333eb242afcefbf84d9c22119d5a32

SHA256
57c510418859797e20ea2d068dadcb60208fbdbcad6040d6de5fe6c42402ef2d

SHA512
89bbaeb0e448213be6ea46be01286222f9adb6bce75be26f4a923a9a2c5ba8c1b9c0a6e0c63ca34574f841ef19d59d7a06359bd5c7991d4d1e9853341f87ce2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000008

Filesize
70KB

MD5
d010c44248f14f599e8312d6dd7b28a6

SHA1
17d3652c229d05e7d2c4778b57e413fc132ebdfe

SHA256
2c5b75483b9b2ae97dc421791520e7f8c14439a637f8b68ee745912381692348

SHA512
efd2b25ea587c5e050faff7187499c06b029699f2aa6911aaa0a1a33ca4dd63f082fd801952f60effc2b8dd56d2669d302beb0fd08a60742e3ef6847e792b95a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000009

Filesize
145KB

MD5
f61161c353c894ff0ace2d3b297cd5da

SHA1
ef360b6f9d983f1155f2d06d2212c0e8db5f21e6

SHA256
7a5109402a79972b27e09867e13a5cab0c98163fbfc85c6452303f46596d8f40

SHA512
e4b51e24d1e2e5dd136dc9b9274693a4ca3343247c27d25a760f1655f971ec724ef96f357861a38010edb5591a44732223219bc8e8beb523eae8b199b604a2a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00000a

Filesize
79KB

MD5
e51f388b62281af5b4a9193cce419941

SHA1
364f3d737462b7fd063107fe2c580fdb9781a45a

SHA256
348404a68791474349e35bd7d1980abcbf06db85132286e45ad4f204d10b5f2c

SHA512
1755816c26d013d7b610bab515200b0f1f2bd2be0c4a8a099c3f8aff2d898882fd3bcf1163d0378916f4c5c24222df5dd7b18df0c8e5bf2a0ebef891215f148e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00000b

Filesize
118KB

MD5
5c8aa5a64fed9dfbbc13261567c5d890

SHA1
0c89ea5a55eb53d37a0a196f02af34bd2f140376

SHA256
98cbef7ed37298ede5c635e8b58b4f8d89b6c2211a4d10b6723118f0812b87e2

SHA512
46468f5f245a48c4d2bdea87015b1caeb56c86bf33bb3e0c94f4672b93d7dd46e618493e589d3bc231527b92b3909552e976f38fe6d159483cace94b88bb344f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
126KB

MD5
b7bb1417196cf03f6f5e8f2fccef24a3

SHA1
6a7cb728021229535c8de84a312925c12af086fd

SHA256
1e49f746a9f53d701a1599f1b69c5c799c26ea21d51952908c6527c020da77da

SHA512
d816253da865ef911ea305f7b7dc49f0698ba6317ba1420c761eac655983a4f3cbe87db479440f267894d7b3137eef9fab24dbc205a5a6a6b49a0cc12293113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00000d

Filesize
1.6MB

MD5
67f96b962f176794c69f26049315a961

SHA1
33d455420e9a9c23775f4351913048ed8744c50e

SHA256
5a7a4b926da6994ac75f46b8305e0bbdbc6fe858ef7c41bd56d6865f302a0628

SHA512
4cda6ae8292da285c26c263e62fcc9667ce45528fa0299c830372f9a9479ba1013f189d30a6ca4887e5b92f69c0cde835fe165ce221a55177efd6f08899fc5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00000e

Filesize
1.1MB

MD5
6363dd6febe465b92b02176fde4c6907

SHA1
a35c94ccbade02c7c2490272529f63042a931731

SHA256
cf3405ce812ef6ef3f5e805048b6bf27008f045d16b8ea208fcd70ae22af9c90

SHA512
9d87af75f4fb7550deebebe7b2896977d2f43553a1014fa0b17da3030aeab0239d2813f76b2d6e128607189455a73afd09b0e1c835791db7190d2c11a62abfe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
65716482c80c08e1efbe9b10dcdbd00b

SHA1
1780bddef9db81736092d41429bb7571a0d6a128

SHA256
bc461f202c8f623ab1a4319c6af71bc509002a12167591ad55ac1d638322f92f

SHA512
238ba69db701f26327732abea64bc5f6bcf0d55b4324ffe99618b81447b8c861e4df88931e6bd83702d9d1ec489494155db84e5fcb1f276ee3a0e84394d5dd38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
479c8c808d295dfe4e47def49a94d539

SHA1
1d28a6a03c62ea550cd90b1814dbb50f2439b8b3

SHA256
ef8f3fa367cd8cbfa4fd91aa2cf4bbd557249fb63ac757938ef2baaf64828165

SHA512
a200030fd99ca95f8fac87a393da00d8270b0ed3e4b3f0e14ed3cf136acb80948e3698878a1d4a2b36b0688c60ed8e2458ab31171f3bf594e500b3b49d15dd36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b2b8d6a7eaa9d6beed337eb93c731550

SHA1
96804750a3a451f96b885856fa8ff1615aa238dd

SHA256
dca654128ceda65ddd054198c4e2aa8fcf463146347f2c3e73d9e431f545cf42

SHA512
ce49558dffb418992380f7e31186e0b252ccd7ce825317b3fcae48b9883c1b233040bfd18ae32691139bbb12e06b7fcc575d55de6d13798300434a317f4b5324

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL

Filesize
36KB

MD5
cb90b820de0a92dad3fe2cc083672eda

SHA1
8e7e1278ccfe41f8ad1a2506d4c3bd18b8279e65

SHA256
cdadeeb1b3047f149ab92ff76c93220643e57b84727ae6707ec1685f9506b1e8

SHA512
7389252345b05d5223f3266d804972fef86feec17c83d6fda69c3cecf74cf680df236a4cae098fee2af741ce5b8a9cefa3dfcd57f703a8b2a5773f25efc69480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
805ebd346de7966d17f2988e0e18d292

SHA1
597ea365e50732a5791f7e61775e9b352167a49f

SHA256
12271d4f8b04e8aace22966beac38f11b1ff2f793fd181c37a929565fc92d13b

SHA512
e0a20752695f7bd500d9a3a8b4fca39fc3faad8af43845e8b03dea8c8ff560b29e9d859bedd5cacd653bab4fc56df94a3840541b77ed13b8306ab46f0cc0b848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
54e193f063ca7cc6e50e2949037f143c

SHA1
673fa2dd144edf4255491cfaaef2e8c41c464678

SHA256
6ac4493fb68410c13e091c0bb7e0ba10d35fa0929c93e268336cc3c80e72d6b7

SHA512
f4ce9c5bd77691575d0fad3137085a88253257a91788c7b7f7900fc0bb87e9cf4013bf694e3e0a1bf3fa7176a4e9af2fa3309ee335e8107fc065c2a61aa6f05b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
dcfab338bd0664e962004e7d96e8026b

SHA1
258392680b44604a4993b3f9d27094c266005619

SHA256
78b5ae9b22afb5060fed05e500944c7c6086be4e847e9e6a8ce19411b2463ab6

SHA512
e4244d245b84939ab08f6114ebe4d279993fcdbdc02053b3543a5f072e598355c0537be2871d9d4ea752d5358cf966a839882e62498536febecd609d3ced606a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
30KB

MD5
9db0819ddc0dc9b6435e6427915792bb

SHA1
c37872d0d18c77e16679fad48179960aa62d5499

SHA256
44ef35ce8ab45dead89314ff4493d04e52a232277c37608a3ea42ee2351bb51a

SHA512
45adc6614f30b6a01731481d293a5e5dbf67e169dd7c58390fdf5467293077babe93796aa6c506df14a872c3102aa78936781a4c323a6974f1318d941fcd2b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
69KB

MD5
b6fce65787e4f0cbb9254bf81c1a03b7

SHA1
f9b9b9d805403367046585498499b11258c1c0b2

SHA256
7a221ea075ad0b1c746bf5bbd8225a964e45050600f537a3fc9f6dd757a6a3bc

SHA512
9f4d8634b266a1511526e53ba9083f28571f4d2ecd655abdc4d4a7804574fcf29c090c5489bfa18b75e308a62ef637fd83dd8e2d45d578a652042f49a5fb4b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
69KB

MD5
ea13cbb4053c26e1eb4a6d488b4d596d

SHA1
ae1f7a144ea5934ae921beb5f4ca99d1c5d6288c

SHA256
9f9e4b75a2c776c1df24d6fb5c7768f3607a096a5238cc87e1a0634e975be9d0

SHA512
f97ab27ba2767eb458f07bd77ce8fe8927d20c5756cc82f53db065e2372d19efc05561fd4ed53ef9e0dcd4c7f629b0e34eb557e683181505afc4b02f0dc717a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
eef5374bfca9d198ad6bc995140aaec5

SHA1
a286a154a3cb1677a2300534ceb7e49e2ca981e8

SHA256
c388dea6c5544f2ea7b51361938521aba7e78b41a748a533870a6fb442b5fbfa

SHA512
19bce65cb4caad66eea066f9e4974a6642e6f8b734f52dc2fe1fdf7712ec7442ae80095beb9869531398a66a1eeb5c21f36913df7eda82db2ee3cba9bc5bd766

Download Submit
C:\Users\Admin\AppData\Local\Temp\46f95580

Filesize
1.4MB

MD5
af7032698e8bee15a0983a6c97a9573e

SHA1
8fe95b8dae584efd59626c40aa05cf1d511478ca

SHA256
b3a5f43a84b9e3ccaca662d911f5929a6b996e530e845328726968f3d798fcc9

SHA512
8e91a415a5d1dbd4dc40ea868e2f060188a995e711e490e5803f37d16b940ec3764791bba02d22b619ac308aace45ab20547c73453f60a8db67601ded0cc2f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iolo\dm\ioloDMLog.txt

Filesize
2KB

MD5
9c1aaff9ea0820394d08eb649ba71fce

SHA1
a6d916d8086bb74f490d26449b81f830f06d6a6f

SHA256
868b7960d6e4755cece1f95df465a5d23b8c96954ff535b778cd722215d9bcdd

SHA512
a3ac4bbbcf55f32b24768939c37199a2c609a156344b0851aff4b2e7885069af400f9f9b45e6db0f818ac197c5f43bbadd91de33837adc2b33e630aea9030a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F3C.tmp

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6F8D.tmp

Filesize
20KB

MD5
91dbaf73c1a8c55254d90272f998e412

SHA1
2b86b31c8c00c937291e5ac3b1d134a5df959acf

SHA256
0628922305d2478ba75a48efadf932d439616eaf1ff908be334793f7bde28107

SHA512
109f4f59616cc1d1682b4d9468804f7668c77ce1878afec06a57037193f31a9c1c39f5d269277462936373b129d26488cddcc34d455c27185534e7754baaa988

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.0.exe

Filesize
203KB

MD5
2f86937ad3cdaff7287236a1e404886b

SHA1
3dd0b323a149babe4d4ee76f2a10171ceb28cc04

SHA256
0d5efca4bc1e92e344799c3f52157792e51ed052637c4ea483d007655fad657e

SHA512
e151213d5c7ed02e3e6d997d1bf5278b947bacecad29d0886d5d79aa0aaf4a9dc2b5fb1c2a7c127c6e9a8d105eb29a872a5093152503c8636060d479890d4b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.1.zip

Filesize
3.7MB

MD5
78d3ca6355c93c72b494bb6a498bf639

SHA1
2fa4e5df74bfe75c207c881a1b0d3bc1c62c8b0e

SHA256
a1dd547a63b256aa6a16871ed03f8b025226f7617e67b8817a08444df077b001

SHA512
1b2df7bee2514aee7efd3579f5dd33c76b40606d07dba69a34c45747662fad61174db4931bca02b058830107959205e889fee74f8ccc9f6e03f9fd111761f4ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.2\UIxMarketPlugin.dll

Filesize
1.6MB

MD5
d1ba9412e78bfc98074c5d724a1a87d6

SHA1
0572f98d78fb0b366b5a086c2a74cc68b771d368

SHA256
cbcea8f28d8916219d1e8b0a8ca2db17e338eb812431bc4ad0cb36c06fd67f15

SHA512
8765de36d3824b12c0a4478c31b985878d4811bd0e5b6fba4ea07f8c76340bd66a2da3490d4871b95d9a12f96efc25507dfd87f431de211664dbe9a9c914af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.2\bunch.dat

Filesize
1.3MB

MD5
1e8237d3028ab52821d69099e0954f97

SHA1
30a6ae353adda0c471c6ed5b7a2458b07185abf2

SHA256
9387488f9d338e211be2cb45109bf590a5070180bc0d4a703f70d3cb3c4e1742

SHA512
a6406d7c18694ee014d59df581f1f76e980b68e3361ae680dc979606a423eba48d35e37f143154dd97fe5f066baf0ea51a2e9f8bc822d593e1cba70ead6559f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.2\relay.dll

Filesize
1.5MB

MD5
10d51becd0bbce0fab147ff9658c565e

SHA1
4689a18112ff876d3c066bc8c14a08fd6b7b7a4a

SHA256
7b2db9c88f60ed6dd24b1dec321a304564780fdb191a96ec35c051856128f1ed

SHA512
29faf493bb28f7842c905adc5312f31741effb09f841059b53d73b22aea2c4d41d73db10bbf37703d6aeb936ffacbc756a3cc85ba3c0b6a6863ef4d27fefcd29

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.2\run.exe

Filesize
2.4MB

MD5
9fb4770ced09aae3b437c1c6eb6d7334

SHA1
fe54b31b0db8665aa5b22bed147e8295afc88a03

SHA256
a05b592a971fe5011554013bcfe9a4aaf9cfc633bdd1fe3a8197f213d557b8d3

SHA512
140fee6daf23fe8b7e441b3b4de83554af804f00ecedc421907a385ac79a63164bd9f28b4be061c2ea2262755d85e14d3a8e7dc910547837b664d78d93667256

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.2\whale.dbf

Filesize
85KB

MD5
a723bf46048e0bfb15b8d77d7a648c3e

SHA1
8952d3c34e9341e4425571e10f22b782695bb915

SHA256
b440170853bdb43b66497f701aee2901080326975140b095a1669cb9dee13422

SHA512
ca8ea2f7f3c7af21b5673a0a3f2611b6580a7ed02efa2cfd8b343eb644ff09682bde43b25ef7aab68530d5ce31dcbd252c382dd336ecb610d4c4ebde78347273

Download Submit
C:\Users\Admin\AppData\Local\Temp\u18g.3.exe

Filesize
4.6MB

MD5
397926927bca55be4a77839b1c44de6e

SHA1
e10f3434ef3021c399dbba047832f02b3c898dbd

SHA256
4f07e1095cc915b2d46eb149d1c3be14f3f4b4bd2742517265947fd23bdca5a7

SHA512
cf54136b977fc8af7e8746d78676d0d464362a8cfa2213e392487003b5034562ee802e6911760b98a847bddd36ad664f32d849af84d7e208d4648bd97a2fa954

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
e7fda902d05fa1bc275ccb859373f2ce

SHA1
e727824bc2593e190c8ea09bca6bef9ce8130e7f

SHA256
0b7a1d82f4b5ef87bcb00c61c33d34a09d7e4b48f3c04b491f60836b9430c19b

SHA512
c74a57e92fc26b29720a06d94d93322fca3fc6d0b90ada5db502443c283f2fbd3751ab3aa5dcdd0aaa2099c86b0277c0eb5e3e04a7ef315c30d5c6d3de5961f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\3d8b27c5-e1ca-41b9-a8da-5e8edd5a6ac8

Filesize
11KB

MD5
dc7240f79c4c0e38eceff9686e975a2f

SHA1
ea12abdfa6ecadd29908298c0caaf1de9238c640

SHA256
2131b240515f8b2ead5f218cbc47d05478ad16187189955f5157b8ba694ff0b9

SHA512
c35a93c4b0624ad336df6739a78d071f9bb76fc204d11e1a958e8ce8717add721bdc575d052431dbe5f7a8640a3fb0b840ee09ce902881eb7a72fe8429884f7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\datareporting\glean\pending_pings\adcab79a-ea8b-49bb-9854-dd2636120da9

Filesize
746B

MD5
e60b67e3f72539c4f4452272a91049c2

SHA1
6d875b276604024096911500b1612f6b49b62c20

SHA256
e3dd95e243258e223134a7c158a1b4f75b3d579dd1bd1b41520db28dc032cbc7

SHA512
93595f55da27480408add5b369a19bc229675fdc51971ddcb44d65663537080ee27b59a5432fcae8a1e47f29cb92d7a15285222d15b49ef557c3aefc87f7c5bb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
a2b373c0d43eeddc6d123dc6c3229ed7

SHA1
71e7998a02d8cbe3e0050f28bc944dfd482eb2ac

SHA256
e2cbf253b3e40a8257c867573fe7ce082ade14e3590baeadf55ae3bcc95cfa66

SHA512
bb36c760ee03c206eea4bbb804171c1d7595add0fe60371f02f5f4146e17f13b2334f974f1766c0849d34283a53c5cf699dba6fbd497de445e4343f5e2f6c19c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs-1.js

Filesize
6KB

MD5
3361d63264a3aec99b9b90efe9665f1c

SHA1
9c48407920da53441f2bd94aaf09907afa080296

SHA256
d87756a317dbe2ac527ae1b7aa8ae9c30c584b39b410f1472aebc46de91cef49

SHA512
685bd375aa07a60bac7d48b7279055aa1d958c78dd7654d3c5aa65ef9ecf82cbdab4a225ce2d46a9102a1d84b9ee47c67077fe620962c53875a5070a79c91fba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\prefs.js

Filesize
6KB

MD5
aeda38a9d6bc30a5f54b384f20a1b4b8

SHA1
0dcc2f57c2c387ffd3facb09dd19907011fc2ecc

SHA256
b3f66a3cf61cafe8024e5db7275dac2edb33366fb51162e758a0cb1e3216b0de

SHA512
3e311e5d079f2fea14fa828a6deea443888cd96395b24b22983ece06d8959b54f4929753ab6f31d5dbe257116179857535ae657f188e305e32e117b39bb29ede

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
0af273a84d75d8edb88a09cdefa226e1

SHA1
704eb0656a73f755a44c6526f56c02014de960de

SHA256
1c2d9714790287477704dee4bbbe75719c23e5444a2157b34dc81fc9f7fc2989

SHA512
eddf7fe4acfac4d9f2b30152e75f02e38026693d8d621654febf1d63bae5706e45fafb7e01ed362504c6f5afc916583d4b65e786928c3787bda0e121ff601350

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\sessionstore.jsonlz4

Filesize
4KB

MD5
7b50145ab2aecdff99f0d5586d8b5367

SHA1
a6d4c1119d040759c22cae92c03d04193743acd6

SHA256
7cfbd17fc4ef18d565df45289ef2d554c94c356d44a3bc01d400e5b42b0bf9ab

SHA512
6d4eb9f01f0dcf36973c46600c63e028ff1ee8d64e34d1c29aeb439da53034095944cb0a7472f86aa3ed65bbf3f9b05686669930bbebf6018768aa00d41f233b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\4s2odj76.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b01efd0877d8bb4a5d754d6d5a5922cf

SHA1
6dfaecd4219afbb206185171c64c777e9c73ae21

SHA256
ef1ebedd446ce18b79317f09953ff8a6069f92749188b45945567c315388aa90

SHA512
6f5fce89b6dc7e6979fdb01493c0811bcd55cb945d7665cd9a23e93419a5aa28207b3f614461103f04b0406741e8020c35252fda5529e41e3e918e42fd89c086

Download Submit
memory/448-170-0x00000214C0A60000-0x00000214C0A8A000-memory.dmp

Filesize
168KB

Download
memory/448-185-0x00000214C6190000-0x00000214C61B2000-memory.dmp

Filesize
136KB

Download
memory/448-165-0x00000214C06A0000-0x00000214C06AC000-memory.dmp

Filesize
48KB

Download
memory/448-169-0x00000214C0D20000-0x00000214C0DD2000-memory.dmp

Filesize
712KB

Download
memory/448-240-0x00000214C6500000-0x00000214C651E000-memory.dmp

Filesize
120KB

Download
memory/448-172-0x00000214C0E50000-0x00000214C0EB2000-memory.dmp

Filesize
392KB

Download
memory/448-173-0x00000214C0F30000-0x00000214C0FA6000-memory.dmp

Filesize
472KB

Download
memory/448-196-0x00000214C64D0000-0x00000214C64F2000-memory.dmp

Filesize
136KB

Download
memory/448-168-0x00000214C0A40000-0x00000214C0A4A000-memory.dmp

Filesize
40KB

Download
memory/448-167-0x00000214C0A10000-0x00000214C0A34000-memory.dmp

Filesize
144KB

Download
memory/448-174-0x00000214A7F20000-0x00000214A7F2A000-memory.dmp

Filesize
40KB

Download
memory/448-319-0x00000214C1310000-0x00000214C1318000-memory.dmp

Filesize
32KB

Download
memory/448-320-0x00000214C6C20000-0x00000214C9A0E000-memory.dmp

Filesize
45.9MB

Download
memory/448-321-0x00000214C12E0000-0x00000214C12F2000-memory.dmp

Filesize
72KB

Download
memory/448-166-0x00000214C0690000-0x00000214C06A4000-memory.dmp

Filesize
80KB

Download
memory/448-178-0x00000214C0FB0000-0x00000214C12B0000-memory.dmp

Filesize
3.0MB

Download
memory/448-194-0x00000214C61B0000-0x00000214C61BC000-memory.dmp

Filesize
48KB

Download
memory/448-181-0x00000214C4BF0000-0x00000214C4BF8000-memory.dmp

Filesize
32KB

Download
memory/448-193-0x00000214C6200000-0x00000214C6250000-memory.dmp

Filesize
320KB

Download
memory/448-182-0x00000214C5300000-0x00000214C5338000-memory.dmp

Filesize
224KB

Download
memory/448-190-0x00000214C66F0000-0x00000214C6C18000-memory.dmp

Filesize
5.2MB

Download
memory/448-183-0x00000214C52C0000-0x00000214C52CE000-memory.dmp

Filesize
56KB

Download
memory/448-162-0x00000214A2930000-0x00000214A6228000-memory.dmp

Filesize
57.0MB

Download
memory/448-163-0x00000214C0AD0000-0x00000214C0BE0000-memory.dmp

Filesize
1.1MB

Download
memory/448-164-0x00000214A7F40000-0x00000214A7F50000-memory.dmp

Filesize
64KB

Download
memory/448-171-0x00000214C0DD0000-0x00000214C0E4A000-memory.dmp

Filesize
488KB

Download
memory/448-184-0x00000214C5380000-0x00000214C538A000-memory.dmp

Filesize
40KB

Download
memory/1380-161-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1380-139-0x0000000000400000-0x00000000008AD000-memory.dmp

Filesize
4.7MB

Download
memory/1600-127-0x0000000004770000-0x00000000047DD000-memory.dmp

Filesize
436KB

Download
memory/1600-2-0x0000000004770000-0x00000000047DD000-memory.dmp

Filesize
436KB

Download
memory/1600-111-0x0000000000400000-0x0000000002B15000-memory.dmp

Filesize
39.1MB

Download
memory/1600-3-0x0000000000400000-0x0000000002B15000-memory.dmp

Filesize
39.1MB

Download
memory/1600-10-0x0000000000400000-0x0000000002B15000-memory.dmp

Filesize
39.1MB

Download
memory/1600-1-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/1688-204-0x0000000005FC0000-0x00000000064EC000-memory.dmp

Filesize
5.2MB

Download
memory/1688-200-0x0000000004F20000-0x0000000004F96000-memory.dmp

Filesize
472KB

Download
memory/1688-187-0x0000000073380000-0x00000000745D4000-memory.dmp

Filesize
18.3MB

Download
memory/1688-195-0x0000000000700000-0x00000000007C6000-memory.dmp

Filesize
792KB

Download
memory/1688-197-0x0000000004D90000-0x0000000004E22000-memory.dmp

Filesize
584KB

Download
memory/1688-198-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/1688-199-0x0000000005070000-0x0000000005232000-memory.dmp

Filesize
1.8MB

Download
memory/1688-298-0x0000000007350000-0x000000000735A000-memory.dmp

Filesize
40KB

Download
memory/1688-201-0x0000000004EB0000-0x0000000004F00000-memory.dmp

Filesize
320KB

Download
memory/1688-239-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/1688-203-0x0000000004E40000-0x0000000004E4A000-memory.dmp

Filesize
40KB

Download
memory/1688-205-0x0000000005B30000-0x0000000005B4E000-memory.dmp

Filesize
120KB

Download
memory/2768-128-0x00000000731D0000-0x000000007334B000-memory.dmp

Filesize
1.5MB

Download
memory/2768-112-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/2768-110-0x00000000731D0000-0x000000007334B000-memory.dmp

Filesize
1.5MB

Download
memory/3312-202-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/3312-206-0x0000000061E00000-0x0000000061EF3000-memory.dmp

Filesize
972KB

Download
memory/3312-318-0x0000000000400000-0x0000000002AF0000-memory.dmp

Filesize
38.9MB

Download
memory/3312-299-0x0000000000400000-0x0000000002AF0000-memory.dmp

Filesize
38.9MB

Download
memory/3400-510-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-501-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-499-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-500-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-511-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-516-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-515-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-514-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-513-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/3400-512-0x000002D74A330000-0x000002D74A331000-memory.dmp

Filesize
4KB

Download
memory/4960-147-0x00007FF9A6730000-0x00007FF9A6925000-memory.dmp

Filesize
2.0MB

Download
memory/4960-180-0x00000000731D0000-0x000000007334B000-memory.dmp

Filesize
1.5MB

Download