xworm | e1ea405efb08d4a7d254423fc5b700021eb653b1545d120c0f6cf4ff31c7f0ae

Resubmissions

02/05/2024, 02:59

240502-dg26eshb97 10

02/05/2024, 02:36

240502-c3k9csef7t 10

Analysis

max time kernel
300s
max time network
303s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
02/05/2024, 02:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a ton of ya/ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
Size

63KB
MD5

222c2d239f4c8a1d73c736c9cc712807
SHA1

c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c
SHA256

ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d
SHA512

1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02
SSDEEP

1536:tJc/5q1qoR5PDdAZcIED4VuCkbFybjQ9f0jQRmONww+W:7c/iqoJekbFEQ9W+mONP+W

Score

10^/10

xworm bootkit persistence rat trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:23638

209.25.140.1:5525:23638

bring-recorder.gl.at.ply.gg:23638

action-yesterday.gl.at.ply.gg:23638

147.185.221.19:23638

then-wheel.gl.at.ply.gg::23638

then-wheel.gl.at.ply.gg:23638

teen-modes.gl.at.ply.gg:23638

Attributes

Install_directory
%LocalAppData%
install_file
uwumonster.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral23/memory/2872-0-0x0000000000C70000-0x0000000000C86000-memory.dmp	family_xworm
behavioral23/files/0x000900000001ab73-9.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Control Panel\International\Geo\Nation	znooyo.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uwumonster.lnk	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

Executes dropped EXE 12 IoCs

pid	Process
3664	uwumonster.exe
744	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4952	znooyo.exe
380	znooyo.exe
1368	znooyo.exe
696	znooyo.exe
4464	uwumonster.exe
1340	uwumonster.exe
5288	uwumonster.exe
5224	uwumonster.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Windows\CurrentVersion\Run\uwumonster = "C:\\Users\\Admin\\AppData\\Local\\uwumonster.exe"	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	znooyo.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	Taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	Taskmgr.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	Taskmgr.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1232	schtasks.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "53497"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.vice.com\ = "4941"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = 01000000db8bd59033275daa35710e353c3f928a0bd1eff697270c42000048ebc4e2515e83f6ab4d388726a81b714cd9c7ade56f47670ec577438a295a1c	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vice.com\Total = "5367"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 2a8df32a3a9cda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.vice.com\ = "53032"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\youtube.com\Total = "115"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.vice.com\ = "5367"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\oembed.vice.com\ = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vice.com\Total = "4897"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\NextUpdateDate = "421431098"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\vice.com\NumberOfSubdomains = "2"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\youtube.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cb9af2f7399cda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.vice.com\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.youtube.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "25"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.vice.com\ = "4914"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ef6c62e3399cda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe

Runs regedit.exe 1 IoCs

pid	Process
5436	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3484	znooyo.exe
4784	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4952	znooyo.exe
4952	znooyo.exe
1368	znooyo.exe
1368	znooyo.exe
380	znooyo.exe
380	znooyo.exe
380	znooyo.exe
1368	znooyo.exe
380	znooyo.exe
1368	znooyo.exe
4952	znooyo.exe
4952	znooyo.exe
3484	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
4784	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
4952	znooyo.exe
4952	znooyo.exe
1368	znooyo.exe
1368	znooyo.exe
380	znooyo.exe
380	znooyo.exe
380	znooyo.exe
1368	znooyo.exe
380	znooyo.exe
1368	znooyo.exe
4952	znooyo.exe
3484	znooyo.exe
4952	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
4784	znooyo.exe
4784	znooyo.exe
3484	znooyo.exe
3484	znooyo.exe
4784	znooyo.exe
4952	znooyo.exe
1368	znooyo.exe
4952	znooyo.exe
1368	znooyo.exe
380	znooyo.exe
380	znooyo.exe
1368	znooyo.exe
380	znooyo.exe
1368	znooyo.exe
380	znooyo.exe
4952	znooyo.exe
4952	znooyo.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4040	Taskmgr.exe
5436	regedit.exe

Suspicious behavior: MapViewOfSection 26 IoCs

pid	Process
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	2872	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
Token: SeDebugPrivilege	3664	uwumonster.exe
Token: SeDebugPrivilege	4108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4108	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4464	uwumonster.exe
Token: SeDebugPrivilege	1340	uwumonster.exe
Token: SeDebugPrivilege	4040	Taskmgr.exe
Token: SeSystemProfilePrivilege	4040	Taskmgr.exe
Token: SeCreateGlobalPrivilege	4040	Taskmgr.exe
Token: 33	5164	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5164	AUDIODG.EXE
Token: SeDebugPrivilege	5288	uwumonster.exe
Token: SeDebugPrivilege	5224	uwumonster.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe
4040	Taskmgr.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
3988	MicrosoftEdge.exe
5020	MicrosoftEdgeCP.exe
4108	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
696	znooyo.exe
696	znooyo.exe
824	mspaint.exe
824	mspaint.exe
824	mspaint.exe
824	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2872 wrote to memory of 1232	2872	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe	73
PID 2872 wrote to memory of 1232	2872	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe	73
PID 2872 wrote to memory of 744	2872	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe	78
PID 2872 wrote to memory of 744	2872	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe	78
PID 2872 wrote to memory of 744	2872	ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe	78
PID 744 wrote to memory of 4784	744	znooyo.exe	79
PID 744 wrote to memory of 4784	744	znooyo.exe	79
PID 744 wrote to memory of 4784	744	znooyo.exe	79
PID 744 wrote to memory of 3484	744	znooyo.exe	80
PID 744 wrote to memory of 3484	744	znooyo.exe	80
PID 744 wrote to memory of 3484	744	znooyo.exe	80
PID 744 wrote to memory of 4952	744	znooyo.exe	81
PID 744 wrote to memory of 4952	744	znooyo.exe	81
PID 744 wrote to memory of 4952	744	znooyo.exe	81
PID 744 wrote to memory of 1368	744	znooyo.exe	82
PID 744 wrote to memory of 1368	744	znooyo.exe	82
PID 744 wrote to memory of 1368	744	znooyo.exe	82
PID 744 wrote to memory of 380	744	znooyo.exe	83
PID 744 wrote to memory of 380	744	znooyo.exe	83
PID 744 wrote to memory of 380	744	znooyo.exe	83
PID 744 wrote to memory of 696	744	znooyo.exe	84
PID 744 wrote to memory of 696	744	znooyo.exe	84
PID 744 wrote to memory of 696	744	znooyo.exe	84
PID 696 wrote to memory of 2168	696	znooyo.exe	86
PID 696 wrote to memory of 2168	696	znooyo.exe	86
PID 696 wrote to memory of 2168	696	znooyo.exe	86
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 3324	5020	MicrosoftEdgeCP.exe	92
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 208	5020	MicrosoftEdgeCP.exe	93
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 5020 wrote to memory of 60	5020	MicrosoftEdgeCP.exe	95
PID 696 wrote to memory of 4040	696	znooyo.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\a ton of ya\ya - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy - Copy.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "uwumonster" /tr "C:\Users\Admin\AppData\Local\uwumonster.exe"
  2⤵
  - Creates scheduled task(s)
  PID:1232
- C:\Users\Admin\AppData\Local\Temp\znooyo.exe
  "C:\Users\Admin\AppData\Local\Temp\znooyo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:744
- - C:\Users\Admin\AppData\Local\Temp\znooyo.exe
    "C:\Users\Admin\AppData\Local\Temp\znooyo.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4784
- - C:\Users\Admin\AppData\Local\Temp\znooyo.exe
    "C:\Users\Admin\AppData\Local\Temp\znooyo.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3484
- - C:\Users\Admin\AppData\Local\Temp\znooyo.exe
    "C:\Users\Admin\AppData\Local\Temp\znooyo.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4952
- - C:\Users\Admin\AppData\Local\Temp\znooyo.exe
    "C:\Users\Admin\AppData\Local\Temp\znooyo.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1368
- - C:\Users\Admin\AppData\Local\Temp\znooyo.exe
    "C:\Users\Admin\AppData\Local\Temp\znooyo.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:380
- - C:\Users\Admin\AppData\Local\Temp\znooyo.exe
    "C:\Users\Admin\AppData\Local\Temp\znooyo.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:2168
  - - C:\Windows\SysWOW64\Taskmgr.exe
      "C:\Windows\System32\Taskmgr.exe"
      4⤵
      Drops file in Windows directory
      Checks SCSI registry key(s)
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4040
  - - C:\Windows\SysWOW64\regedit.exe
      "C:\Windows\System32\regedit.exe"
      4⤵
      Runs regedit.exe
      Suspicious behavior: GetForegroundWindowSpam
      PID:5436
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:824

C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3664

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3988

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1632

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4108

C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4464

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:1020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:60

C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3512

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5164

C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5288

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:6048

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5140

C:\Users\Admin\AppData\Local\uwumonster.exe
C:\Users\Admin\AppData\Local\uwumonster.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5224

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s DeviceAssociationService
1⤵
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\uwumonster.exe.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BLQDLNEB\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\styles__ltr[1].css

Filesize
55KB

MD5
2c00b9f417b688224937053cd0c284a5

SHA1
17b4c18ebc129055dd25f214c3f11e03e9df2d82

SHA256
1e754b107428162c65a26d399b66db3daaea09616bf8620d9de4bc689ce48eed

SHA512
8dc644d4c8e6da600c751975ac4a9e620e26179167a4021ddb1da81b452ecf420e459dd1c23d1f2e177685b4e1006dbc5c8736024c447d0ff65f75838a785f57

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\anchor[1].htm

Filesize
45KB

MD5
1acdef90d263ba5c0c1c8d9e687e6f6d

SHA1
bd944490caed868b2a1da16e12976e87135711cf

SHA256
a471c01501d29c1bca256d0007bafcf99137cbbbd0cfb317ebdd6fb32db0761d

SHA512
ac9900ef17a7312a7a95c64c51c195a665671d9183fa87258c44c4a835a89f8b657e653c22657a6e26721c0ebe72e2d158b9340da9a0a14824ef461695202ce1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\bframe[1].htm

Filesize
7KB

MD5
7677e639670f9090e168f7d843f33426

SHA1
6254b0c8be9c6978afc94b125fac0de7b29a5f30

SHA256
39f7754ccdd323188dd2ab50c2b2e1c4a632cd67f5cecffb6ad24fee0282e11a

SHA512
6d6851dc3df55c63c00f13eec8d541c46e3f059ada1a4d71b9fc0cec3ea559efa066954d08f073a38f799e7baa1e9fd711b8a6c0c669b5fca8774372e94b8b34

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\js[2].js

Filesize
270KB

MD5
b9bdc535485ef8364dc07c50a943b0dc

SHA1
e165b1d757813c9f6f9ae9506f4d391c383033c4

SHA256
75f5bcf4c801c9ec6b6b5d243a58d5b1768328b41679cd03f2149506671929c3

SHA512
4d3aeccbc01840f86a6e5f7569acbe602c66ead32c9ba2a25d2da16f63df9d77aee0685250ade30b130e8c37ace7b09b134d13365b62d70f0cafce791cf42045

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\recaptcha__en[1].js

Filesize
505KB

MD5
e2e79d6b927169d9e0e57e3baecc0993

SHA1
1299473950b2999ba0b7f39bd5e4a60eafd1819d

SHA256
231336ed913a5ebd4445b85486e053caf2b81cab91318241375f3f7a245b6c6b

SHA512
d6a2ed7b19e54d1447ee9bbc684af7101b48086945a938a5f9b6ae74ace30b9a98ca83d3183814dd3cc40f251ab6433dc7f8b425f313ea9557b83e1c2e035dff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\EZFSCJJ0\www.vice[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\EZFSCJJ0\www.vice[1].xml

Filesize
7KB

MD5
7257cf6270646b31168dda5ee1b98dcd

SHA1
83dc862344c4d227a1dba0c50be475cf4a47ee22

SHA256
a9d298484b67fd1df18703e7e7d0829fbd6d7c39362d2b9269e4c76dc1ea3797

SHA512
e193afd0e01f4a68c772bd2fc848bba041483870bf68e64833f2f25f4cfc63e920a1c3113d64badd5cfa7f66543c21e8148817ba49d8e1dfdc31229d4f3688ec

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\IG8G0TZ9\www.youtube[1].xml

Filesize
228B

MD5
7b68cad745afc6c3d2250d8e9b562252

SHA1
2b071a993bacd8097e3c6c1778f798cb37d5de32

SHA256
12c74901f77488da9d2ec09d2a1ea731e39cd93898afa1727e0372e409a41243

SHA512
a2401904565c5f2de31e448063264b350c42d567f9ff25aa548a419bbbb83181c4a68c604162667e995fcc121f8d032c9d4b29e1e9a72739c91f04acf1db5f4f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\IG8G0TZ9\www.youtube[1].xml

Filesize
17KB

MD5
8b4cc226f9c77bc5256312d7dbd34d3f

SHA1
6b376a28004c5fc349f25dcae011304841b33a9a

SHA256
163ce68665b36f64bc86d45faf80e02794cf99f1e1ce6c19c6c5096006b94e70

SHA512
a7322d4f46209f5dae79d84f8e7e3f782c1ef8cd4e6d09dd97d212a1e487558148caaff6230081fc86b9b7c3d0635206f7b1b25ae20684c09a8a8eb5b6fbe1d4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\IG8G0TZ9\www.youtube[1].xml

Filesize
985B

MD5
e393bbfcbdc138769810cf7e347b24c4

SHA1
aed436817fa1cd705a884841384a3482cc079161

SHA256
9458adf7931b9ff7a4f15b11d1b650da58780f5342f05875f56501692c567b92

SHA512
f48bc91500f8744c8408aa83e05a4edd8c02430e1543bd1339fe49a9df2d997294a4c8f9070059b4c2736bfcc043776c2740e16c23f9da751d4521b6e5e27339

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\IG8G0TZ9\www.youtube[1].xml

Filesize
985B

MD5
d0d501ae35ee90089aa31b926fb182f8

SHA1
62c418364b9f6763aef18ac86cbe750f2f5521ea

SHA256
330a9fcdd044974103134d2b33877948ab369a078287345ff899056a36bd6648

SHA512
eaddf8196c81cef992f8e96880244cdba6e091bd42981c214757e38ad3cc4cebbd96e5d0d0933f8fa511deb85f08a9ef902644465d57a843942a1afebd7af79d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\IG8G0TZ9\www.youtube[1].xml

Filesize
985B

MD5
fe39638fb9d74837ca950a83cc443beb

SHA1
55c03a054b8bfb8bf1a3d9bb88d0cfae28ac46e2

SHA256
16e432ef3575d6715fa66e660bbe33e1be4e902494d1c3410be3a98ceaec66c9

SHA512
b2451a1590ccc97ef23654a37abecb89ae8207d2df657c8a022305bf12e6e1e86f75cec94729679404efb2f3637aacbcbab982c45fa271545b13fea9794aa2ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\1RW1HGLX\PCOP[1].ico

Filesize
6KB

MD5
6303f12d8874cff180eecf8f113f75e9

SHA1
f68c3b96b039a05a77657a76f4330482877dc047

SHA256
cd2756b9a2e47b55a7e8e6b6ab2ca63392ed8b6ff400b8d2c99d061b9a4a615e

SHA512
6c0c234b9249ed2d755faf2d568c88e6f3db3665df59f4817684b78aaa03edaf1adc72a589d7168e0d706ddf4db2d6e69c6b25a317648bdedf5b1b4ab2ab92c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\1RW1HGLX\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YP6L2E6G\coast-228x228[1].png

Filesize
5KB

MD5
b17926bfca4f7d534be63b7b48aa8d44

SHA1
baa8dbac0587dccdd18516fa7ed789f886c42114

SHA256
885cf4c748081f6e569c4c5432249084eded544d55f7c85cf47ec1aebe6bdcd6

SHA512
a99269cc3c0af6a291e5373c4e488eaa3900e66bc3342933da3a18caff5401a4408aa1cb4463fac649c3cc5d88773f789fb120e292ed956188f1f5eda8ca7633

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\YP6L2E6G\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K3QN37R0\KFOlCnqEu92Fr1MmEU9fBBc4[1].woff2

Filesize
15KB

MD5
285467176f7fe6bb6a9c6873b3dad2cc

SHA1
ea04e4ff5142ddd69307c183def721a160e0a64e

SHA256
5a8c1e7681318caa29e9f44e8a6e271f6a4067a2703e9916dfd4fe9099241db7

SHA512
5f9bb763406ea8ce978ec675bd51a0263e9547021ea71188dbd62f0212eb00c1421b750d3b94550b50425bebff5f881c41299f6a33bbfa12fb1ff18c12bc7ff1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K3QN37R0\KFOlCnqEu92Fr1MmYUtfABc4EsA[1].woff2

Filesize
9KB

MD5
797d1a46df56bba1126441693c5c948a

SHA1
01f372fe98b4c2b241080a279d418a3a6364416d

SHA256
c451e5cf6b04913a0bc169e20eace7dec760ba1db38cdcc343d8673bb221dd00

SHA512
99827a3fab634b2598736e338213e1041ef26108a1607be294325d90a6ba251a947fd06d8cb0a2104b26d7fe9455feb9088a79fe515be1896c994c5850705edc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K3QN37R0\KFOmCnqEu92Fr1Mu4WxKOzY[1].woff2

Filesize
7KB

MD5
7aa7eb76a9f66f0223c8197752bb6bc5

SHA1
ac56d5def920433c7850ddbbdd99d218d25afd2b

SHA256
9ca415df2c57b1f26947351c66ccfaf99d2f8f01b4b8de019a3ae6f3a9c780c7

SHA512
e9a513741cb90305fbe08cfd9f7416f192291c261a7843876293e04a874ab9b914c3a4d2ed771a9d6484df1c365308c9e4c35cd978b183acf5de6b96ac14480d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K3QN37R0\KFOmCnqEu92Fr1Mu72xKOzY[1].woff2

Filesize
15KB

MD5
e3836d1191745d29137bfe16e4e4a2c2

SHA1
4dc8845d97df9cb627d9e6fdd49be1ef9eb9a69c

SHA256
98eec6c6fa4dcd4825e48eff334451979afc23cd085aea2d45b04dc1259079dd

SHA512
9e9ec420cf75bf47a21e59a822e01dc89dcf97eec3cc117c54ce51923c9a6f2c462355db1bc20cdf665ef4a5b40ffcfa9c8cee05bb5e112c380038bfef29c397

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K3QN37R0\KFOmCnqEu92Fr1Mu7WxKOzY[1].woff2

Filesize
5KB

MD5
a835084624425dacc5e188c6973c1594

SHA1
1bef196929bffcabdc834c0deefda104eb7a3318

SHA256
0dfa6a82824cf2be6bb8543de6ef56b87daae5dd63f9e68c88f02697f94af740

SHA512
38f2764c76a545349e8096d4608000d9412c87cc0cb659cf0cf7d15a82333dd339025a4353b9bd8590014502abceb32ca712108a522ca60cbf1940d4e4f6b98a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K3QN37R0\KFOmCnqEu92Fr1Mu7mxKOzY[1].woff2

Filesize
1KB

MD5
57993e705ff6f15e722f5f90de8836f8

SHA1
3fecc33bac640b63272c9a8dffd3df12f996730b

SHA256
836f58544471e0fb0699cb9ddd0fd0138877733a98b4e029fca1c996d4fb038d

SHA512
31f92fb495a1a20ab5131493ab8a74449aabf5221e2901915f2cc917a0878bb5a3cbc29ab12324ffe2f0bc7562a142158268c3f07c7dca3e02a22a9ade41721e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\KFOlCnqEu92Fr1MmEU9fABc4EsA[1].woff2

Filesize
9KB

MD5
df648143c248d3fe9ef881866e5dea56

SHA1
770cae7a298ecfe5cf5db8fe68205cdf9d535a47

SHA256
6a3f2c2a5db6e4710e44df0db3caec5eb817e53989374e9eac68057d64b7f6d2

SHA512
6ff33a884f4233e092ee11e2ad7ef34d36fb2b61418b18214c28aa8b9bf5b13ceccfa531e7039b4b7585d143ee2460563e3052364a7dc8d70b07b72ec37b0b66

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\KFOlCnqEu92Fr1MmEU9fCRc4EsA[1].woff2

Filesize
14KB

MD5
79c7e3f902d990d3b5e74e43feb5f623

SHA1
44aae0f53f6fc0f1730acbfdf4159684911b8626

SHA256
2236e56f735d25696957657f099459d73303b9501cc39bbd059c20849c5bedff

SHA512
3a25882c7f3f90a7aa89ecab74a4be2fddfb304f65627b590340be44807c5c5e3826df63808c7cd06daa3420a94090249321a1e035b1cd223a15010c510518df

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\KFOlCnqEu92Fr1MmEU9fCxc4EsA[1].woff2

Filesize
5KB

MD5
6bef514048228359f2f8f5e0235f8599

SHA1
318cb182661d72332dc8a8316d2e6df0332756c4

SHA256
135d563a494b1f8e6196278b7f597258a563f1438f5953c6fbef106070f66ec8

SHA512
23fb4605a90c7616117fab85fcd88c23b35d22177d441d01ce6270a9e95061121e0f7783db275ad7b020feaba02bbbc0f77803ca9fb843df6f1b2b7377288773

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\KFOlCnqEu92Fr1MmYUtfCxc4EsA[1].woff2

Filesize
4KB

MD5
133b0f334c0eb9dbf32c90e098fab6bd

SHA1
398f8fd3a668ef0b16435b01ad0c6122e3784968

SHA256
6581d0d008bc695e0f6beffbd7d51abb4d063ef5dedc16feb09aa92ea20c5c00

SHA512
2a5a0956ecc8680e4e9ef73ec05bc376a1cc49ddb12ee76316378fe9626dccedb21530e3e031b2dae2830874cc1b6bfd6cce2d6d0dce54587ff0fc3780041ace

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\KFOmCnqEu92Fr1Mu4mxK[1].woff2

Filesize
14KB

MD5
5d4aeb4e5f5ef754e307d7ffaef688bd

SHA1
06db651cdf354c64a7383ea9c77024ef4fb4cef8

SHA256
3e253b66056519aa065b00a453bac37ac5ed8f3e6fe7b542e93a9dcdcc11d0bc

SHA512
7eb7c301df79d35a6a521fae9d3dccc0a695d3480b4d34c7d262dd0c67abec8437ed40e2920625e98aaeafba1d908dec69c3b07494ec7c29307de49e91c2ef48

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\KFOmCnqEu92Fr1Mu5mxKOzY[1].woff2

Filesize
9KB

MD5
efe937997e08e15b056a3643e2734636

SHA1
d02decbf472a0928b054cc8e4b13684539a913db

SHA256
53f2931d978bf9b24d43b5d556ecf315a6b3f089699c5ba3a954c4dde8663361

SHA512
721c903e06f00840140ed5eec06329221a2731efc483e025043675b1f070b03a544f8eb153b63cd981494379a9e975f014b57c286596b6f988cee1aaf04a8c65

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\api[1].js

Filesize
850B

MD5
ee87fd4035a91d937ff13613982b4170

SHA1
e897502e3a58c6be2b64da98474f0d405787f5f7

SHA256
7649b605b4f35666df5cbcbb03597306d9215f53f61c2a097f085fa39af9859f

SHA512
9e27179bdedb6fe008ab8dc0827d479c674e7e21ad44081c78782f29dd5b91ad2d5bf4f6912d6d1ad3275eedce659e26ace02f769c6b7f4b1f660a3c628feab3

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\K45PWI2A\webworker[1].js

Filesize
102B

MD5
284b36421a1cf446f32cb8f7987b1091

SHA1
eb14d6298c9da3fb26d75b54c087ea2df9f3f05f

SHA256
94ab2be973685680d0be9c08d4e1a7465f3c09053cf631126bd33f49cc2f939b

SHA512
093f3f5624de2e43e43eb06036107ff3260237f9e47e1f86fdfba7c7036522187a9b47b291f5443c566658a8ef555e5033c7f2ac0c9f4fa8eb69eb8e2540b372

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\Dahk90Fxhr1MEtfyZ-6_j6N-qVuiwfy-NjSFsUln5nQ[1].js

Filesize
17KB

MD5
5bc0a82a24abe097e6f6c1098bef9591

SHA1
2da9f4ad273be56e0bfbefc24209cdeba5f9f270

SHA256
0da864f7417186bd4c12d7f267eebf8fa37ea95ba2c1fcbe363485b14967e674

SHA512
14351ce0be86a502718daa7a695ea4404d215af58acac418a0e7963219300f749b1feb9d7cbf3cfa088811fb5daf6948379f4421cf67b41974eab5db55924d8b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOlCnqEu92Fr1MmEU9fBxc4EsA[1].woff2

Filesize
7KB

MD5
207d2af0a0d9716e1f61cadf347accc5

SHA1
0f64b5a6cc91c575cb77289e6386d8f872a594ca

SHA256
416d72c8cee51c1d6c6a1cab525b2e3b4144f2f457026669ddad34b70dabd485

SHA512
da8b03ee3029126b0c7c001d7ef2a7ff8e6078b2df2ec38973864a9c0fd8deb5ecef021c12a56a24a3fd84f38f4d14ea995df127dc34f0b7eec8e6e3fc8d1bbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOlCnqEu92Fr1MmEU9fCBc4EsA[1].woff2

Filesize
1KB

MD5
52e881a8e8286f6b6a0f98d5f675bb93

SHA1
9c9c4bc1444500b298dfea00d7d2de9ab459a1ad

SHA256
5e5321bb08de884e4ad6585b8233a7477fa590c012e303ea6f0af616a6e93ffb

SHA512
45c07a5e511948c328f327e2ef4c3787ac0173c72c51a7e43e3efd3e47dd332539af15f3972ef1cc023972940f839fffe151aefaa04f499ae1faceaab6f1014f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOlCnqEu92Fr1MmYUtfBBc4[1].woff2

Filesize
14KB

MD5
19b7a0adfdd4f808b53af7e2ce2ad4e5

SHA1
81d5d4c7b5035ad10cce63cf7100295e0c51fdda

SHA256
c912a9ce0c3122d4b2b29ad26bfe06b0390d1a5bdaa5d6128692c0befd1dfbbd

SHA512
49da16000687ac81fc4ca9e9112bdca850bb9f32e0af2fe751abc57a8e9c3382451b50998ceb9de56fc4196f1dc7ef46bba47933fc47eb4538124870b7630036

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOlCnqEu92Fr1MmYUtfBxc4EsA[1].woff2

Filesize
7KB

MD5
585f849571ef8c8f1b9f1630d529b54d

SHA1
162c5b7190f234d5f841e7e578b68779e2bf48c2

SHA256
c6dcdefaa63792f3c29abc520c8a2c0bc6e08686ea0187c9baac3d5d329f7002

SHA512
1140c4b04c70a84f1070c27e8e4a91d02fda4fc890877900c53cfd3a1d8908b677a412757061de43bc71022dfdd14288f9db0852ef6bf4d2c1615cb45628bebc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOlCnqEu92Fr1MmYUtfCBc4EsA[1].woff2

Filesize
1KB

MD5
7cbd23921efe855138ad68835f4c5921

SHA1
78a3ae9ec08f2cf8ebb791a2331b33a03ab8cc76

SHA256
8eaae4c8680e993b273145315c76a9a278f696467c426637d4beab8cb3dc4a3d

SHA512
d8a4db91d2063273d31f77728b44557612b85f51143973caa3cfd60ab18f8c3e4b8cdaab43af843fe29441cd1d8299bf2f139a78e47bf740277b33a377377177

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOlCnqEu92Fr1MmYUtfCRc4EsA[1].woff2

Filesize
14KB

MD5
e904f1745726f4175e96c936525662a7

SHA1
af4e9ee282fea95be6261fc35b2accaed24f6058

SHA256
65c7b85c92158adb2d71bebe0d6dfb31ab34de5e7d82134fe1aa4eba589fc296

SHA512
7a279d41c8f60806c2253cba5b399be7add861bd15bf0ac4fa7c96fa1eee6557bf1ebd684e909086d9292739f27fa18947af5c98f4920fe00da3acf209c6260a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOlCnqEu92Fr1MmYUtfChc4EsA[1].woff2

Filesize
11KB

MD5
29542ac824c94a70cb8abdeef41cd871

SHA1
df5010dad18d6c8c0ad66f6ff317729d2c0090ba

SHA256
63ef838f895e018722b60f6e7e1d196ff3d90014c70465703fc58e708e83af64

SHA512
52f91e02b82f9f27d334704b62a78e746c80023ee8882b96cb24cb4043f9a256f395d24830b1f4513bd7597f8c564af20db9c715ab014eb2ab752fd697156591

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\UHU0AQ88\KFOmCnqEu92Fr1Mu7GxKOzY[1].woff2

Filesize
11KB

MD5
15d8ede0a816bc7a9838207747c6620c

SHA1
f6e2e75f1277c66e282553ae6a22661e51f472b8

SHA256
dbb8f45730d91bffff8307cfdf7c82e67745d84cb6063a1f3880fadfad59c57d

SHA512
39c75f8e0939275a69f8d30e7f91d7ca06af19240567fb50e441a0d2594b73b6a390d11033afb63d68c86c89f4e4bf39b3aca131b30f640d21101dc414e42c97

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\Z1ILFSW5\KFOlCnqEu92Fr1MmEU9fChc4EsA[1].woff2

Filesize
11KB

MD5
16aedbf057fbb3da342211de2d071f11

SHA1
fdee07631b40b264208caa8714faaa5b991d987b

SHA256
7566a2f09ff8534334b7a44f72a1afaba6bdbb782209be8804636ee8b963c75f

SHA512
5cd45dfb0d0ee44afd9b3ffd93c2942c2f04e359d067d4631edd67a2ee09149766294b29c75aaab7436dacc775a8ca02392c5e4cfb8d7fede19c028448507e0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\CA2XWF71\www.google[1].xml

Filesize
99B

MD5
be3b66e854040d03198bb37b4a97c56d

SHA1
f2f1417ee57c0d5892af3de20945f1112a71bac9

SHA256
439dac4b4d89c392cbc8580c129a3f3a548fe48547c1cf72336177985bce64cd

SHA512
8bc70ff3468cac52958f2d3458d9bd7fd5fc1e522e8d6229b3f908b8243e478cda688a46630bf750e9ddbd9e687d59d8a45104590290e7b693cb99a1e8a434f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
a240d3899f5c942fa4d758eaa3f6cffd

SHA1
ab28b7e179d0b320b32b40f9302c6692bab2f06e

SHA256
fd668a44e7e00cb370d96f1ed1de4a6853f0fe2679fbb5e9cc211450d7cd6111

SHA512
8d774eda4fba5de333e50be8503c902c5f8aa6bc4516a0cad95f8cb8d697924fb88696b22cc712c6468ee9e8866a29c71d24f16d4e19dd0ded38069602babeee

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27

Filesize
472B

MD5
2a97e2522a4e314a0e962e15b2a4866d

SHA1
ab0e36e8e0d18ee589eac7343f18318a5b58ee6e

SHA256
ffa1914ca686ea0fc947aa5d9bbf8fb5503a0052aa0497443a2c478ae35d5cfd

SHA512
97ec03866c137e997d0f7f80b92afa72896a952c902f083de03a95421cc76deb6c5054c2f8b15ce0b95f42f55b897cead4cb30139d96fc7beb8270eb7b09ca61

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_8BB34D7AC6ADCC019FE5325FE9DECAE8

Filesize
471B

MD5
143f3a15fd530c5f20644efcd42a0efe

SHA1
37c9b069ae3fe18c294855473cfc2bfa779841ba

SHA256
c8dc8d331c1d13ef74c33bf414d89f7a5631df905f9aa25469d9a2ceb9a1ceba

SHA512
bfd0dae8de497f10b477337236b668667ce7f15b970ea7ad5485b803cb927729aeaf0a265dd86e4cdd625f468305318b31ed6fda5beb7a6a913282f30e856aec

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_9E57962407F9525599575A43BE833E07

Filesize
472B

MD5
e34cc881cb8ab8263f111f1db8ce3c69

SHA1
05b49cdbd6ccc225ee0def23495e33df404cf84c

SHA256
f73abac44455c6d9169902e1edb1e6f16b4fade4c2d466cdaea1ecbe803ae1c7

SHA512
dae6a4ff3f40e4ef03a79fced500894d5fe86f4dfdc8a0c68c3e414a06c5e3f82410be5656f8d8a916fe3be5db3abc24f2044419623b6675b8ff53813e6ccf8a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
02605fb340d201bd9b5061d5a6850592

SHA1
58ece90fee0552ab6e0370312ee944bc8feede54

SHA256
6b69ddcfca02e2230ed336d2db4c1eeb618f34e96fc5a101e51bfb0781431c90

SHA512
7551bcfd397cdb3bcd853e9cd5cf6e833ed060ed4cd46e13e4a8fe2bf8b6ca84c2cc7b8ca999ea51ca779bbbe22ec02a9af1e9fb02ee3baec92e50d3cf1af4da

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
724B

MD5
ac89a852c2aaa3d389b2d2dd312ad367

SHA1
8f421dd6493c61dbda6b839e2debb7b50a20c930

SHA256
0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45

SHA512
c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
724B

MD5
8202a1cd02e7d69597995cabbe881a12

SHA1
8858d9d934b7aa9330ee73de6c476acf19929ff6

SHA256
58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5

SHA512
97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_EE9EE35EB9C45E1DB74EFFC22CDC9768

Filesize
471B

MD5
9af09e51d47686470ef5bbcc9e6ad53f

SHA1
9ece83cf50c84f17316d07b07f5b48fe68c5485b

SHA256
9b8fe8c5a7b24027063843d6fe7d156fa5f06c465f98c2c96276b1f4f5786d25

SHA512
67d995907e399591a4f48b9354542d0f8532628e589bf84c35e1fda5aacbd8b0aec7679c62042f65b023bc681bea0829927d83f4fbf3105ebe3fa0b40b8e58d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F2DDCD2B5F37625B82E81F4976CEE400_D7C1EE155B4C5E8C9EE3042DF21F688A

Filesize
472B

MD5
d82886e4da51cd825189e243de66e640

SHA1
edc8290b23161653889b252b37f19ec019720941

SHA256
3d47798cbe8f8488ea79b1ef3fa8e9c89a17ccea4f2305be794601878e3cde73

SHA512
ba84e29c4e2a374bb2b836e4dc40ff52db54159c0145f4b1f90927953e285d72a25f358f4ada1450ac4f09f48d7dcb1d7ff77aac5670fea4678094bb3a3c5ed4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
c318a45e8e9dfb02a9be48f559e7284e

SHA1
d93f256aba11b1dc9dfee7fe4edbb5d6da3bd4e3

SHA256
fdcd31885d0a3b3717d694295944a8ee3b19a17e6c2fb27d0675bfedc9bdb17b

SHA512
77f1e117940f7bb6664507e82e63199ed6656af9c2a1739537645ee1d30d608a3ec1349c26f1ce8573099959526189f4cddbc5e7576807910ab5cbfe4a42b600

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
bc1ff753146e7c9bb3ded8a4453c0bd9

SHA1
140608749c1fbd25850b2c2697be2f3b573f2264

SHA256
ef4bc0ca562bc1df4dd1ade907a2acc9507d65ee271fd8c3ad84a7de7c3621f7

SHA512
fec44f3b5af9ea85fcd283fac30b4d09491a4c9e55c6c5a18b3de5f93478db1af59f2b643830e6e139f47586eee39a6b26dd453cfe9e59c700df5c4e562a83e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\265C0DEB29181DD1891051371C5F863A_5C77EC0FCAF0A83EAAF0F4351F61FA27

Filesize
402B

MD5
2c7c717bc9df24c083b7a530d993310c

SHA1
f25313639a75ce1bb92b0624a65fbe834abbcfff

SHA256
93afb91a336ac606cd7ea591598ce4cae44e9ec836bfde40e9216f0e5211a09a

SHA512
bedb89ab419e4105958512e69a6458e6fb16a9c277e5c905ea3a8f3c5fd52ed0eb91daefe5ddb9e4711434410cda9504ad3a1a88a11ffbb5159fa13ac1aa019f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8BB34D7AC6ADCC019FE5325FE9DECAE8

Filesize
422B

MD5
cf5f7e2ae925f6c407f58b96452b79fd

SHA1
1b2cc47742da177e5d190b450f188cee56e7ed39

SHA256
be95f5a399996ea6b8c69fa94c93a2c19d22224fc625038da12ef8eb6bebc7f4

SHA512
ac133db2f8e88e76ec5390fdf8bfddc32d229ea16f96f1af530a90722ee6e69b2bbaa931dcab264d27ac2d1147992a7375155962741523f84e913db97d88f670

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_9E57962407F9525599575A43BE833E07

Filesize
402B

MD5
76d8742c1ea19dbc9c285115c65f9d29

SHA1
d2ffcd1510c0a8516ddfa3af2d993259d4db5858

SHA256
7b4e8adb5d514f3176024e9fe6119b90e70127c99140c66df1a385f0852f95b2

SHA512
45f54d62d273dd178e5eb002a0fcc8c64bd842fbb5136a6e084eb870f7a66c56a7ead7bff01095ef75f1c61d7f7016459751f97315368d1daae1da5599cd1545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
b1d347596504d37856a0cfae20f6a917

SHA1
2c84c69fde625ccb1cd1a6b003176655aaac15fc

SHA256
59a2c2e9a1df5ea731bf9661692f8f17ef4c37917b86bd05b53907f95ff849c1

SHA512
909c1c59052c76d67d35035a49473e854928e73616c9e1d10cf25205b20d6ae07370343ec738ebfe164142dcb1f343d2b8484b9f40b70391218431d0d60ba07a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

Filesize
392B

MD5
7dad1859e453016ecf7137229292e193

SHA1
20d43b48aafab6bb7e8752d2400445a1b78f9ca1

SHA256
691c6398974269361d12b09be44b6dfe57e182222b58df39be207fe3d1f22d35

SHA512
92fe06e051837db0dcd61a8bccc10a466d9e7f4da1c15e897194831d75a11aef202e5ec745bffcfe7d588d1d77e5cc9aaac531827ecdc012a854604222f39797

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

Filesize
392B

MD5
daa147467e30272fec2d31ba97a719f9

SHA1
ddc868e03d9a4403baeafc31b3789fcafc80463e

SHA256
7bd8aa06736573bad398590970cad7dc93db2ce113e4654abb4f4d2fc3a9c074

SHA512
d6d4a267dc90563051731dee219d3885af031deb0f48fa291aa7f526eb1f32d0ad4901b253630559efcd4d8851724b8c6bc164611ad9745c94ece52958ebef1e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_EE9EE35EB9C45E1DB74EFFC22CDC9768

Filesize
406B

MD5
1cf23edea57c26706596a1050df4a82f

SHA1
cf720db9e2f744f644ffedd29d8c00f3d2e5cd5a

SHA256
c400550c1b15b4d571c148ffe75bede1a304ec8dce4bb06310dda8ad757dbb0c

SHA512
66b5170b177dd9d1f9c64fc0f0bd9398d03e8331e1a7070007634e92933c94e26cc05f5017a9a5e439f4225b7d1d11bc4a0d93fd029aec2c5242c74d5b3d0b32

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F2DDCD2B5F37625B82E81F4976CEE400_D7C1EE155B4C5E8C9EE3042DF21F688A

Filesize
414B

MD5
51c9b2a1d2a61d4380e24b5604f8c873

SHA1
36bfd2ed08b364824d79e70d816af8369f28bcc4

SHA256
6d7afe6813398520554d479036ef6b75c1a6e3334a72f760ffa545c35c2c1c5c

SHA512
04632d6de18a95d515616170bed67b3b6a3cac300639883671bd98f10d7a10bdf5a34f9da6d7f50b3e895464f3298f8bf7bb4a7389c4eef77acbb23dbcc57aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\znooyo.exe

Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\uwumonster.exe

Filesize
63KB

MD5
222c2d239f4c8a1d73c736c9cc712807

SHA1
c3aa61bd6f8cc640bcfa74c40d9283c9c08c7b3c

SHA256
ff43049677c57277f12a1d97f02af3029d7b75b5ad40303a28f1b0452997969d

SHA512
1f2fea85e45e93916306c234b916d6b4b200dac9656e44f4555f825dd8677cb5e927bd5e7a74bf2fb2f6972a3e6e2d294a6104add162ba3d53a0e6cfedef6a02

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2872-580-0x00000000014E0000-0x00000000014EC000-memory.dmp

Filesize
48KB

Download
memory/2872-1-0x00007FFC02D83000-0x00007FFC02D84000-memory.dmp

Filesize
4KB

Download
memory/2872-7-0x00007FFC02D80000-0x00007FFC0376C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-6-0x00007FFC02D80000-0x00007FFC0376C000-memory.dmp

Filesize
9.9MB

Download
memory/2872-0-0x0000000000C70000-0x0000000000C86000-memory.dmp

Filesize
88KB

Download
memory/3324-88-0x000001ED6CDD0000-0x000001ED6CDD2000-memory.dmp

Filesize
8KB

Download
memory/3324-364-0x000001ED6C960000-0x000001ED6C970000-memory.dmp

Filesize
64KB

Download
memory/3324-92-0x000001ED7D730000-0x000001ED7D732000-memory.dmp

Filesize
8KB

Download
memory/3324-90-0x000001ED6CDF0000-0x000001ED6CDF2000-memory.dmp

Filesize
8KB

Download
memory/3324-359-0x000001ED6C960000-0x000001ED6C970000-memory.dmp

Filesize
64KB

Download
memory/3324-82-0x000001ED6C9F0000-0x000001ED6C9F2000-memory.dmp

Filesize
8KB

Download
memory/3324-80-0x000001ED6C980000-0x000001ED6C982000-memory.dmp

Filesize
8KB

Download
memory/3324-77-0x000001ED6C950000-0x000001ED6C952000-memory.dmp

Filesize
8KB

Download
memory/3324-125-0x000001ED7E1A0000-0x000001ED7E2A0000-memory.dmp

Filesize
1024KB

Download
memory/3324-218-0x000001ED7EB30000-0x000001ED7EB32000-memory.dmp

Filesize
8KB

Download
memory/3324-365-0x000001ED6C960000-0x000001ED6C970000-memory.dmp

Filesize
64KB

Download
memory/3324-156-0x000001ED7EAB0000-0x000001ED7EAB2000-memory.dmp

Filesize
8KB

Download
memory/3324-367-0x000001ED6C960000-0x000001ED6C970000-memory.dmp

Filesize
64KB

Download
memory/3324-84-0x000001ED6D000000-0x000001ED6D100000-memory.dmp

Filesize
1024KB

Download
memory/3324-133-0x000001ED7E1A0000-0x000001ED7E2A0000-memory.dmp

Filesize
1024KB

Download
memory/3324-362-0x000001ED6C960000-0x000001ED6C970000-memory.dmp

Filesize
64KB

Download
memory/3664-10-0x00007FFC02D80000-0x00007FFC0376C000-memory.dmp

Filesize
9.9MB

Download
memory/3664-12-0x00007FFC02D80000-0x00007FFC0376C000-memory.dmp

Filesize
9.9MB

Download
memory/3988-94-0x000001D229770000-0x000001D229771000-memory.dmp

Filesize
4KB

Download
memory/3988-28-0x000001D223330000-0x000001D223340000-memory.dmp

Filesize
64KB

Download
memory/3988-43-0x000001D223420000-0x000001D223430000-memory.dmp

Filesize
64KB

Download
memory/3988-62-0x000001D2224B0000-0x000001D2224B2000-memory.dmp

Filesize
8KB

Download
memory/3988-95-0x000001D229780000-0x000001D229781000-memory.dmp

Filesize
4KB

Download
memory/4108-71-0x00000287277C0000-0x00000287278C0000-memory.dmp

Filesize
1024KB

Download
memory/4108-70-0x00000287277C0000-0x00000287278C0000-memory.dmp

Filesize
1024KB

Download