hxxps://codeload[.]github[.]com/kkkgo/LTSC-Add-MicrosoftStore/zip/refs/heads/master

Analysis

max time kernel
112s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 23:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://codeload.github.com/kkkgo/LTSC-Add-MicrosoftStore/zip/refs/heads/master

Score

5^/10

persistence privilege_escalation

Malware Config

Signatures

Drops file in System32 directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\SRU\SRUDB.jfm	svchost.exe
File opened for modification	C:\Windows\system32\devmgmt.msc	mmc.exe
File created	C:\Windows\System32\DriverStore\FileRepository\netrtl64.inf_amd64_8e9c2368fe308df2\netrtl64.PNF	svchost.exe
File created	C:\Windows\system32\NDF\{48EFB5E7-FF38-484C-B7AA-7A914BF99AC6}-temp-06282024-2324.etl	svchost.exe
File opened for modification	C:\Windows\system32\NDF\{48EFB5E7-FF38-484C-B7AA-7A914BF99AC6}-temp-06282024-2324.etl	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.chk	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRU.log	svchost.exe
File opened for modification	C:\Windows\system32\SRU\SRUDB.dat	svchost.exe

Drops file in Windows directory 58 IoCs

description	ioc	Process
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk	svchost.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 20 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6260	ipconfig.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\RAS AutoDial\Default	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\hnetcfgclient.dll,-201 = "HNetCfg Client"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\RAS AutoDial	svchost.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	control.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
3984	msedge.exe
3984	msedge.exe
1600	identity_helper.exe
1600	identity_helper.exe
5184	msedge.exe
5184	msedge.exe
6748	sdiagnhost.exe
6748	sdiagnhost.exe
7040	svchost.exe
7040	svchost.exe
728	msedge.exe
728	msedge.exe
3984	msedge.exe
3984	msedge.exe
1600	identity_helper.exe
1600	identity_helper.exe
5184	msedge.exe
5184	msedge.exe
6748	sdiagnhost.exe
6748	sdiagnhost.exe
7040	svchost.exe
7040	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5816	mmc.exe
5816	mmc.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
652	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

description	pid	Process
Token: SeDebugPrivilege	6748	sdiagnhost.exe
Token: SeShutdownPrivilege	1256	control.exe
Token: SeCreatePagefilePrivilege	1256	control.exe
Token: 33	5816	mmc.exe
Token: SeIncBasePriorityPrivilege	5816	mmc.exe
Token: 33	5816	mmc.exe
Token: SeIncBasePriorityPrivilege	5816	mmc.exe
Token: SeLoadDriverPrivilege	5816	mmc.exe
Token: SeDebugPrivilege	6748	sdiagnhost.exe
Token: SeShutdownPrivilege	1256	control.exe
Token: SeCreatePagefilePrivilege	1256	control.exe
Token: 33	5816	mmc.exe
Token: SeIncBasePriorityPrivilege	5816	mmc.exe
Token: 33	5816	mmc.exe
Token: SeIncBasePriorityPrivilege	5816	mmc.exe
Token: SeLoadDriverPrivilege	5816	mmc.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3352	msdt.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3352	msdt.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe
3984	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5816	mmc.exe
5816	mmc.exe
5816	mmc.exe
5816	mmc.exe
5816	mmc.exe
5816	mmc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3984 wrote to memory of 1992	3984	msedge.exe	82
PID 3984 wrote to memory of 1992	3984	msedge.exe	82
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 4520	3984	msedge.exe	83
PID 3984 wrote to memory of 728	3984	msedge.exe	84
PID 3984 wrote to memory of 728	3984	msedge.exe	84
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85
PID 3984 wrote to memory of 4764	3984	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://codeload.github.com/kkkgo/LTSC-Add-MicrosoftStore/zip/refs/heads/master
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8517946f8,0x7ff851794708,0x7ff851794718
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2816 /prefetch:8
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3060 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,12347731635670676074,7171723469394314820,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault51305f28h3632h461chb414h1bda34c0c577
1⤵
PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff8517946f8,0x7ff851794708,0x7ff851794718
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,9888234257472907062,9240292090380340318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,9888234257472907062,9240292090380340318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5184

C:\Windows\System32\msdt.exe
"C:\Windows\System32\msdt.exe" -skip TRUE -id NetworkDiagnosticsNetworkAdapter -ep NetworkDiagnosticsPNI
1⤵
- Suspicious use of FindShellTrayWindow
PID:3352

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6748
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter AdapterGuid={EA9541AF-7146-4529-80BA-F1A9AD00DFE1}
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:6928
- C:\Windows\system32\netsh.exe
  "C:\Windows\system32\netsh.exe" trace diagnose Scenario=NetworkSnapshot Mode=NetTroubleshooter AdapterGuid={EA9541AF-7146-4529-80BA-F1A9AD00DFE1}
  2⤵
  - Event Triggered Execution: Netsh Helper DLL
  PID:5348
- C:\Windows\system32\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe" /all
  2⤵
  - Gathers network information
  PID:6260
- C:\Windows\system32\ROUTE.EXE
  "C:\Windows\system32\ROUTE.EXE" print
  2⤵
  PID:6296
- C:\Windows\system32\makecab.exe
  "C:\Windows\system32\makecab.exe" /f NetworkConfiguration.ddf
  2⤵
  PID:6328

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNoNetwork -p -s DPS
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:7040

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s WdiServiceHost
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:7068

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s WdiSystemHost
1⤵
PID:7096

C:\Windows\system32\control.exe
"C:\Windows\system32\control.exe" /name Microsoft.DeviceManager
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1256
- C:\Windows\system32\mmc.exe
  "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5816

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:5736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s Netman
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:6164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1612347604\2024062823.000\NetworkDiagnostics.debugreport.xml

Filesize
136KB

MD5
d1af6caf911591c7e2c743cfadec9339

SHA1
2b4da4c3aaae7f88e9d34f533a6901e6c93c7b08

SHA256
1e4c09211275a5b2c7e2f1a5b9784fa09bea72c4c29c9e162c4948fc116060fc

SHA512
39e48445ccb9a79a479dc9ee5baa822abfdd020e91d6c93f536c9236479e93080485fc33bc2630ac9bdb896b2e16eceaf1d24fdded0ae77e1d19d0432e3a56e2

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1612347604\2024062823.000\ResultReport.xml

Filesize
38KB

MD5
dc538423ee7013ae094dd87512ac85e9

SHA1
a49e7ed96b71e7e7c43409c7697a2c37fbf25af0

SHA256
0ec386aab4a7eafd8ffbf1a1da4da46943c563291f227f362fe0edee94b3ef3e

SHA512
a4f796da94b1c4c1075e07a69c2779d31f1a89a2fad63194190c3349d46b9112a3540b4d450f76f39a7db2fcb5b7baa8ea1280d1d47509b60764288e1bb50cea

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\1612347604\2024062823.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
543c5871c0704a35ec45e7a693901386

SHA1
fe78323876fb31fb125a47d71fce641da2aae5b8

SHA256
20b6e43f6d8fe247e4d52b05dbb0427726ffc7a93fa2b537586122adb50577ae

SHA512
1a5658553a3b758a01248187222d5f1278573899857a67572053bb583efa964d6c837ff6bcf865ac8e944e372f81afdc37de91e6807f0cfa33f29e1d3c15ee55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14c28adb7b7c9870a4238f1018fa9b1f

SHA1
49a78fcb596fab858e4295d61849c912eaa94c43

SHA256
d8e2b170a1cdfd12df6f4bb86561fe040fabfef150aa2400ea257105f64284ac

SHA512
fd99df26adb0a85b822c2707bb2ea0529ae5e36df7e4221d696fecc7f15a09453ff8613fa2727b842f39805ffbd2a0eab7258be5a5926e6568c1c783fdc70643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6269c680934ef24229e7e1888213b484

SHA1
f827d223375e297ba2be924fbe596993e18842ef

SHA256
1d6ccc8804dfb05b7a4d92115b90eed0f6e857027d4c68f696ca6e6ea455ae42

SHA512
9f40860284615dcfbd7bc507aa43a744c11ac4bb1ad7d367f6fcdb762b431e555fad08a32a8bf33efb95230e564860b312e2087bb8d43237eeaaa46e5b9b43de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
8e23ca026cef8d129ab8192b6b5fe114

SHA1
bbcb30d75da9136f67b9f43e3553aec072af99d9

SHA256
46d8298a465c515421ada89677f4fda6ba9761b2417c53eadaa63fc253a68acd

SHA512
bbafbf57196b07dcde161a9c14e30332be8fe75a2e8108f1d2483b49dc96ec6178021712ade0831c54e2fa543de5e0ea05f38e090def0b20994608e42dc25c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
93e38687bb094f8f521fb2799ff59ed5

SHA1
f2dbc216b70a85d1a66869edcc5a11631e36c75f

SHA256
dd73526d4e4a7fad5450fd3fc1461e8b3949bc7aa1b208b8e52391606f7a2f58

SHA512
4941bde34ff238db6fe948b36e8bf6bbbfece2c3fb1b356ca7c085883bec09445fbd906e00cb5130f23626e2a43a5385a6a8cae0dcf8ce436ad5219e81038d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
17b4eae4438813a6f700943ba83865fa

SHA1
2f4b44450f1e641a0a3cfb9f9cc549f6dbba4abc

SHA256
26372705a2780dd85317589864d942028cb0114382c6d5ef05e985f025693305

SHA512
6c356c7b49da7ce948abf78903291a6447ddd2041335fd0ecfec9a1aa8de8000c47be4f3c39ffd1406ad2509d61e100ccd1d4853e3c650442d67f8237d318b9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
13c579252323af4adaae4bef7418119b

SHA1
0fcecb98550c7146dae49adf55802a51dcbbfc47

SHA256
ef88cfb18b0709488116ac91f9b9c9e0a1d13eac31f00455af1b48a40b2cc58a

SHA512
9cef8f74c5471505c52f05bd677aa5d736b5abd2e200f2b7dd97098f46845a9955fcd9ee8e06c46e9b3bb06ab5662e6e3624db2f24ea19eac8e9026e9c0e2d44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
fadfbf9998cbc98ca12459f86ab713f4

SHA1
5845980a746041f16cdc98f36b456506c7871d26

SHA256
95ece1e7c86ece5b4e5e8943e8118daa0c35dee23a04011cfc9e2f1264a6f5a3

SHA512
b9e0269b23cb42a9065a837c06d2f2f956204ba5ccba8f716582a4612b7e6bf9e470a21dc0dd9473aa507ceabc9fcbfb0bda53671eb55aca7486290cc5767a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ypidpgzv.42y.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED0.tmp\NetworkConfiguration.cab

Filesize
1KB

MD5
f66e36b7ed5dbdd8198b51ef9035e314

SHA1
cc51839b7f2cee5d598eef15e027b9410eca8f4e

SHA256
ca72940dc976f17bb240c824d2df6ec293f8b9b5c14bc1cfcba68986ea1972eb

SHA512
96d7e583c34d43b3f7b001760a07d94f4dc2a332f48d40609b140c438970c4a39d469a3073f758c02e5a02c18fd97b9a2188da31e98ac6f2ae38896ba4de77e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED0.tmp\NetworkConfiguration.ddf

Filesize
231B

MD5
00848049d4218c485d9e9d7a54aa3b5f

SHA1
d1d5f388221417985c365e8acaec127b971c40d0

SHA256
ffeafbb8e7163fd7ec9abc029076796c73cd7b4eddaeeda9ba394c547419769e

SHA512
3a4874a5289682e2b32108740feea586cb9ccdad9ca08bf30f67c9742370c081ad943ea714f08dbf722f9f98f3b0bb307619a8ba47f96b24301c68b0fd1086d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED0.tmp\ipconfig.all.txt

Filesize
1KB

MD5
34a76b1fcb73fe78c76e40ee517a5694

SHA1
304e7ea8e03ebd8672dc0c08e6143447842b4d76

SHA256
ba73a59ababf349820613734a1946985d4af35d3cce21707d3abc1cfd4227347

SHA512
965579e061fc6da5caaa0d96c99c04e05275b0a6ab65536706f0cdf612b7865f85d0fdc9ff5ccea5fbcde0991b2f2e29be8f256c8143267701e6c957cbe71070

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED0.tmp\route.print.txt

Filesize
4KB

MD5
13041162d7f458b3474e9529d46ee08b

SHA1
e422094bfde293f679546bc9ee4012b8b420f5fb

SHA256
d9b0ccd91decb85917585866b1c87c0b5076303c8554a4a8951ba877f56fa711

SHA512
ab4026fa69adbfd3b87f14b64041d38c7c99ec229ecf7e64995ce50d2c87da0373ca77a6481619c5bfdfb5f84edc4d5af814bb047ebe803712e6f16a88420722

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED0.tmp\setup.inf

Filesize
978B

MD5
319db2a6cce16f3f5f827d19faa93a69

SHA1
e24c205420e9810c8bdc5a01108f622c2ab86820

SHA256
3474450f2a6a0ed4836c7d3d6b0b0281043ea1bc3967773fe263d3fc9c07161c

SHA512
53eed4d8210631d0957c5e3c9df2c2f788535e251eb6c715f126061ebd44a3895260675eb272c5003e402c67e350e8090afd60fd7497e28bde241c8e8ebc7749

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEED0.tmp\setup.rpt

Filesize
283B

MD5
18f5c9a09d3366495bb48af79130ad4d

SHA1
fabccce83cad0c1969fc4cd30aec4eaf733e638e

SHA256
a877e27649de30070d728c7aa130ed9bdb9bd894379a60b5ac7a6e5241651830

SHA512
f0065f77ad7c715c2ffee75aae909b4df97b8a98664a7cc3fe887fb254329a9b62d6d9d7a4cee436ca70d5791eb2bdc6940ead0a8986d933603da44db90c7857

Download Submit
C:\Windows\TEMP\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\NetworkDiagnosticsTroubleshoot.ps1

Filesize
25KB

MD5
d0cfc204ca3968b891f7ce0dccfb2eda

SHA1
56dad1716554d8dc573d0ea391f808e7857b2206

SHA256
e3940266b4368c04333db89804246cb89bf2073626f22b8de72bea27c522282a

SHA512
4d2225b599ad8af8ba8516f12cfddca5ec0ce69c5c80b133a6a323e9aaf5e0312efbcfa54d2e4462a5095f9a7c42b9d5b39f3204e0be72c3b1992cf33b22087c

Download Submit
C:\Windows\TEMP\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\StartDPSService.ps1

Filesize
567B

MD5
a660422059d953c6d681b53a6977100e

SHA1
0c95dd05514d062354c0eecc9ae8d437123305bb

SHA256
d19677234127c38a52aec23686775a8eb3f4e3a406f4a11804d97602d6c31813

SHA512
26f8cf9ac95ff649ecc2ed349bc6c7c3a04b188594d5c3289af8f2768ab59672bc95ffefcc83ed3ffa44edd0afeb16a4c2490e633a89fce7965843674d94b523

Download Submit
C:\Windows\TEMP\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\UtilityFunctions.ps1

Filesize
53KB

MD5
c912faa190464ce7dec867464c35a8dc

SHA1
d1c6482dad37720db6bdc594c4757914d1b1dd70

SHA256
3891846307aa9e83bca66b13198455af72af45bf721a2fbd41840d47e2a91201

SHA512
5c34352d36459fd8fcda5b459a2e48601a033af31d802a90ed82c443a5a346b9480880d30c64db7ad0e4a8c35b98c98f69eceedad72f2a70d9c6cca74dce826a

Download Submit
C:\Windows\TEMP\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\UtilitySetConstants.ps1

Filesize
2KB

MD5
0c75ae5e75c3e181d13768909c8240ba

SHA1
288403fc4bedaacebccf4f74d3073f082ef70eb9

SHA256
de5c231c645d3ae1e13694284997721509f5de64ee5c96c966cdfda9e294db3f

SHA512
8fc944515f41a837c61a6c4e5181ca273607a89e48fbf86cf8eb8db837aed095aa04fc3043029c3b5cb3710d59abfd86f086ac198200f634bfb1a5dd0823406b

Download Submit
C:\Windows\TEMP\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\en-US\LocalizationData.psd1

Filesize
5KB

MD5
380768979618b7097b0476179ec494ed

SHA1
af2a03a17c546e4eeb896b230e4f2a52720545ab

SHA256
0637af30fc3b3544b1f516f6196a8f821ffbfa5d36d65a8798aeeadbf2e8a7c2

SHA512
b9ef59e9bfdbd49052a4e754ead8cd54b77e79cc428e7aee2b80055ff5f0b038584af519bd2d66258cf3c01f8cc71384f6959ee32111eac4399c47e1c2352302

Download Submit
C:\Windows\Temp\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\DiagPackage.dll

Filesize
478KB

MD5
580dc3658fa3fe42c41c99c52a9ce6b0

SHA1
3c4be12c6e3679a6c2267f88363bbd0e6e00cac5

SHA256
5b7aa413e4a64679c550c77e6599a1c940ee947cbdf77d310e142a07a237aad2

SHA512
68c52cd7b762b8f5d2f546092ed9c4316924fa04bd3ab748ab99541a8b4e7d9aec70acf5c9594d1457ad3a2f207d0c189ec58421d4352ddbc7eae453324d13f2

Download Submit
C:\Windows\Temp\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\en-US\DiagPackage.dll.mui

Filesize
17KB

MD5
44c4385447d4fa46b407fc47c8a467d0

SHA1
41e4e0e83b74943f5c41648f263b832419c05256

SHA256
8be175e8fbdae0dade54830fece6c6980d1345dbeb4a06c07f7efdb1152743f4

SHA512
191cd534e85323a4cd9649a1fc372312ed4a600f6252dffc4435793650f9dd40d0c0e615ba5eb9aa437a58af334146aac7c0ba08e0a1bf24ec4837a40f966005

Download Submit
C:\Windows\Temp\SDIAG_effd38bf-a9fb-4291-b02c-bd2850678ec5\result\48EFB5E7-FF38-484C-B7AA-7A914BF99AC6.Diagnose.Admin.0.etl

Filesize
192KB

MD5
d34032dde5fa84b5dfa684d774821abe

SHA1
9f83646b3d61388454a58caef633daa69b344611

SHA256
b1259859c3f96d2826181f83ea3f2f1638448639c955923341afe21d6aff198f

SHA512
992f7fe79f3dad7e72b42da9c26cf82524be6203ce43fe1837eeb7a1392b19caa43c4f494a24d857bcb2561eb31f2e3a002ed5ce750c0a68fc4343afc3673a86

Download Submit
memory/6748-539-0x000002186A2F0000-0x000002186A312000-memory.dmp

Filesize
136KB

Download
memory/6748-539-0x000002186A2F0000-0x000002186A312000-memory.dmp

Filesize
136KB

Download
memory/7040-564-0x000001BE6CDF0000-0x000001BE6CDF1000-memory.dmp

Filesize
4KB

Download
memory/7040-560-0x000001BE6C940000-0x000001BE6C950000-memory.dmp

Filesize
64KB

Download
memory/7040-556-0x000001BE6C900000-0x000001BE6C910000-memory.dmp

Filesize
64KB

Download
memory/7040-556-0x000001BE6C900000-0x000001BE6C910000-memory.dmp

Filesize
64KB

Download
memory/7040-560-0x000001BE6C940000-0x000001BE6C950000-memory.dmp

Filesize
64KB

Download
memory/7040-564-0x000001BE6CDF0000-0x000001BE6CDF1000-memory.dmp

Filesize
4KB

Download