Malware Analysis Report

2024-09-23 03:43

Sample ID 240622-1x59cawdqf
Target Runtime Broker.exe
SHA256 637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69
Tags
xworm rat trojan stormkitty evasion execution persistence ransomware spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69

Threat Level: Known bad

The file Runtime Broker.exe was found to be: Known bad.

Malicious Activity Summary

xworm rat trojan stormkitty evasion execution persistence ransomware spyware stealer

StormKitty payload

Contains code to disable Windows Defender

Xworm family

UAC bypass

Detect Xworm Payload

Suspicious use of NtCreateUserProcessOtherParentProcess

StormKitty

Xworm

Modifies Windows Defender Real-time Protection settings

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Drops startup file

Reads user/profile data of web browsers

Adds Run key to start application

Looks up external IP address via web service

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

Launches sc.exe

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Uses Volume Shadow Copy service COM API

System policy modification

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-22 22:02

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-22 22:02

Reported

2024-06-22 22:02

Platform

win7-20240508-en

Max time kernel

0s

Max time network

0s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm

trojan rat xworm

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

Network

N/A

Files

memory/1244-0-0x000007FEF6093000-0x000007FEF6094000-memory.dmp

memory/1244-1-0x00000000009A0000-0x00000000009B8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-22 22:02

Reported

2024-06-22 22:10

Platform

win10v2004-20240508-en

Max time kernel

437s

Max time network

439s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

Signatures

Contains code to disable Windows Defender

Description Indicator Process Target
N/A N/A N/A N/A

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

StormKitty

stealer stormkitty

StormKitty payload

Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of NtCreateUserProcessOtherParentProcess

Description Indicator Process Target
PID 1892 created 5112 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\servicing\TrustedInstaller.exe

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Xworm

trojan rat xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\Runtime Broker.exe N/A
N/A N/A C:\ProgramData\Runtime Broker.exe N/A
N/A N/A C:\ProgramData\Runtime Broker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\Searches\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Documents\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\3D Objects\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Contacts\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\OneDrive\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Desktop\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Favorites\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Videos\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Links\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Downloads\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Music\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
File opened for modification C:\Users\Admin\Saved Games\desktop.ini C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133635676035940172" C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{69BCD917-86F8-4904-9E23-D373D7E88F71} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Runtime Broker.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\whoami.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1892 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 3340 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 1984 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1892 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\schtasks.exe
PID 1892 wrote to memory of 4892 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Windows\System32\schtasks.exe
PID 1892 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1892 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 4124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 4124 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4692 wrote to memory of 3244 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\software\microsoft\windows\currentversion\policies\system C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "5" C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1020,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=3744 /prefetch:8

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"

C:\ProgramData\Runtime Broker.exe

"C:\ProgramData\Runtime Broker.exe"

C:\ProgramData\Runtime Broker.exe

"C:\ProgramData\Runtime Broker.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=5052,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=5060,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=1420 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=4680,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5368 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5496,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5568 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5504,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=5772 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5992,i,3724086843943218842,1026644135694712596,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=124.0.6367.118 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=124.0.2478.80 --initial-client-data=0x238,0x23c,0x240,0x234,0x264,0x7fff6bb1ceb8,0x7fff6bb1cec4,0x7fff6bb1ced0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2320,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=2316 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1896,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\elevation_service.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4416,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4440 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4168,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4104 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4164,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4700 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3412,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:8

C:\ProgramData\Runtime Broker.exe

"C:\ProgramData\Runtime Broker.exe"

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" qc windefend

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"

C:\Windows\system32\whoami.exe

"C:\Windows\system32\whoami.exe" /groups

C:\Windows\system32\net1.exe

"C:\Windows\system32\net1.exe" start TrustedInstaller

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" qc windefend

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"

C:\Windows\system32\whoami.exe

"C:\Windows\system32\whoami.exe" /groups

C:\Windows\system32\net1.exe

"C:\Windows\system32\net1.exe" stop windefend

C:\Windows\system32\sc.exe

"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4748,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=4688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4188,i,359840344503946284,2399212865653575415,262144 --variations-seed-version --mojo-platform-channel-handle=3240 /prefetch:8

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 medical-m.gl.at.ply.gg udp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 8.8.8.8:53 16.221.185.147.in-addr.arpa udp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
US 8.8.8.8:53 api.edgeoffer.microsoft.com udp
IE 94.245.104.56:443 api.edgeoffer.microsoft.com tcp
US 8.8.8.8:53 business.bing.com udp
US 8.8.8.8:53 business.bing.com udp
US 13.107.6.158:443 business.bing.com tcp
US 8.8.8.8:53 56.104.245.94.in-addr.arpa udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 bzib.nelreports.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
BE 104.90.25.175:443 www.microsoft.com tcp
US 2.20.12.87:443 bzib.nelreports.net tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 175.25.90.104.in-addr.arpa udp
US 8.8.8.8:53 87.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 76.234.34.23.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 8.8.8.8:53 edgestatic.azureedge.net udp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 13.107.246.64:443 edgestatic.azureedge.net tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 update.googleapis.com udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
US 8.8.8.8:53 edge-mobile-static.azureedge.net udp
NL 23.62.61.97:443 www.bing.com tcp
US 13.107.246.64:443 edge-mobile-static.azureedge.net tcp
GB 216.58.204.67:443 update.googleapis.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 8.8.8.8:53 edge-consumer-static.azureedge.net udp
US 13.107.246.64:443 edge-consumer-static.azureedge.net tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 147.185.221.16:28857 medical-m.gl.at.ply.gg tcp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp

Files

memory/1892-0-0x00007FFF759E3000-0x00007FFF759E5000-memory.dmp

memory/1892-1-0x0000000000D50000-0x0000000000D68000-memory.dmp

memory/1892-2-0x00007FFF759E3000-0x00007FFF759E5000-memory.dmp

memory/1892-3-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

memory/1624-10-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i24mp0pt.z0d.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1624-4-0x00000245746B0000-0x00000245746D2000-memory.dmp

memory/1624-15-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

memory/1624-16-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

memory/1624-19-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cadef9abd087803c630df65264a6c81c
SHA1 babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256 cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA512 7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 2b453e11296c30377ad61a79aaaa8028
SHA1 d24b574a09a27eafae2cb1f424152889c0626c50
SHA256 ecb67197af6883787011beb002c314c2cc8131bf324246e18bf9fc00a25cb29d
SHA512 5f6eb836692c95454f89b1f723a737a51554ca49dfd8e2b8b377a09bb36cb40c99b89f0d261e990a8a0a1011c816d22f25083b746a5030a2863cf9a8d87491fe

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 51cf8df21f531e31f7740b4ec487a48a
SHA1 40c6a73b22d71625a62df109aefc92a5f9b9d13e
SHA256 263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d
SHA512 57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

C:\ProgramData\Runtime Broker.exe

MD5 89af2aaffc3ddda07a0fc977c8bb2236
SHA1 412bd5812599d5729a51d0350df48030b0d04e1a
SHA256 637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69
SHA512 8c2b26d0f1b0ae80149a2aaadef329ab7fb3495bdfbccb7f8ff60368094cd955829b2cb1217b16808ac41a223661d48c2dcf88d3daeddc6b699aa88272be75ae

memory/1892-60-0x000000001BFF0000-0x000000001C0F2000-memory.dmp

memory/1892-62-0x00007FFF759E0000-0x00007FFF764A1000-memory.dmp

memory/1892-74-0x0000000001520000-0x000000000152A000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

memory/1892-104-0x0000000001640000-0x000000000164C000-memory.dmp

C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENC

MD5 501fbe06fcba4ced4f744f475dc4c7d2
SHA1 be1b6bd6267a332fe2ae535e3c290d2e899e215e
SHA256 cde3d2832d11e8382ace0cd53be2fa954f30221d6e8cf614caf2efe9034eed88
SHA512 3768b2837da91b90840852caa469c8075ce635520fef97d15d112b294153a318f6cc420861348c4769241663673f26ab997e389dab7e6603fbd5a3993155bf98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 117988eb2b31d0c2015a483bf61588b7
SHA1 1aa6bf0e0209bf6f4288c08be12d69b448d0ecb6
SHA256 4932d61d7c23514f5c7a74743dafaa9ee5db0eaece3107530dd834653b86f047
SHA512 2e6a8abc59957395eb94c2bacb43c09bc1c13f6ed4b0a80764de894b85dff76f9ffb6afc5ca01ba0fdb0a8f02b30c43300bec11515069485508986f85ec5c5cb

\??\pipe\crashpad_4692_IVAVNKZJCYKMRLAS

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b54b80cccd9e3b25fde218a7b5313f14
SHA1 7571c576ebb3f1b182a905bdafa0d0d2274549d1
SHA256 846bad830a6dafa0a8cbcaaef67b7d74ec160ef114478ad9571a6b795faa980f
SHA512 622f8aa11dbb7893dfaed457231a3092d5981dc419fc37f96112f0b4730f6e4468f3119e21392c439b06fc5147bb5f921303ecddc3d2eda478230ade558ba5ce

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 9a0c2787a91d39480bef18a05cd50b53
SHA1 dc3604bb685d15eaffd20127694fba9ef9a2dff0
SHA256 85b6b7c2bdba24ee39a00399e75ffdab660509b7b686273add96766ce63fc692
SHA512 5d3722e6a26a1c72838fa1e800db2daf9aadd5eb075686ef822ed97a552595a4eaf68a2856b8f5f657d53f350e30d6be39ec93c273d2983b439cb035d6fb83c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

MD5 20d4b8fa017a12a108c87f540836e250
SHA1 1ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA256 6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512 507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 53d7e1dcc5a398139f220a06802a9850
SHA1 7a06bb479fbd7b6fcb145278cf149410edc34053
SHA256 b50b8ae9c37d6a6afaec1a8baec6dd694a1b433aa97bcde428bb9e37b097e922
SHA512 379088324b6c35f13436c08679c5d5560c6b860041408cdd05136e83fb5d0089709c008b1b74a789286f101752555ad91ebf38ec5794851e228b168803d729c4

memory/1892-861-0x0000000002FF0000-0x0000000002FFE000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

MD5 756d83c73e203dd0d3630514fe4e6a35
SHA1 a2c0acac3820c54514e784549e879a5b32bdda93
SHA256 73856d651faa39a92084b974fa5c01efc7285c0e9569ddff9f997a9268bdec90
SHA512 7c3f3e7eefe00545f41946c437091e88817db70bdeeaaf292a6af0b098ffc82777b320e7f65631b1e469dcc5b088cccf5f252f05703f306e9f9e70696337256b

memory/1892-896-0x000000001C560000-0x000000001C56C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 fd98baf5a9c30d41317663898985593b
SHA1 ea300b99f723d2429d75a6c40e0838bf60f17aad
SHA256 9d97a5bbc88fdcceac25f293383f7e5ce242675460ffbfb2ee9090870c034e96
SHA512 bf4dbbd671b5d7afb326622a7c781f150860294d3dba7160330046c258c84a15981c70e50d84dc7faaa7cc8b8c90bf8df818b3f2d3806a8a3671dfe5e38fe7b0

C:\Users\Admin\Desktop\desktop.ini

MD5 9e36cc3537ee9ee1e3b10fa4e761045b
SHA1 7726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA256 4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA512 5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

memory/1892-944-0x000000001CD00000-0x000000001CD0A000-memory.dmp

memory/1892-950-0x000000001C730000-0x000000001C73A000-memory.dmp

memory/1892-952-0x000000001D6F0000-0x000000001D6FA000-memory.dmp

memory/1892-954-0x000000001D700000-0x000000001D70C000-memory.dmp

memory/1892-956-0x000000001C440000-0x000000001C47A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEE2.tmp

MD5 1b942faa8e8b1008a8c3c1004ba57349
SHA1 cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256 555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA512 5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

memory/1892-963-0x00000000202B0000-0x00000000203CE000-memory.dmp