lumma | hxxps://upload[.]advgroup[.]ru/mvWwiE4h

Resubmissions

31/07/2024, 17:48

240731-wde6lawcll 3

06/07/2024, 22:17

240706-17c1jswgrd 1

06/07/2024, 22:09

240706-125tdathqp 10

Analysis

max time kernel
153s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
06/07/2024, 22:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://upload.advgroup.ru/mvWwiE4h

Score

10^/10

lumma xmrig evasion execution miner persistence spyware stealer upx

Malware Config

Extracted

Family

lumma

https://bitchsafettyudjwu.shop/api

Signatures

Lumma Stealer
An infostealer written in C++ first seen in August 2022.
stealer lumma
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 8 IoCs

miner

resource	yara_rule
behavioral1/memory/5072-1130-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5072-1129-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5072-1136-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5072-1134-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5072-1133-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5072-1135-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5072-1132-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig
behavioral1/memory/5072-1137-0x0000000140000000-0x0000000140848000-memory.dmp	xmrig

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2476	powershell.exe
3240	powershell.exe
4560	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 5 IoCs

pid	Process
116	Loadkeqwkedkqwekqwek.exe
4684	1.exe
1828	2.exe
4880	3.exe
3988	update.exe

Loads dropped DLL 1 IoCs

pid	Process
1828	2.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5072-1119-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1126-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1130-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1129-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1136-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1134-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1133-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1135-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1132-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1137-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1128-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1127-0x0000000140000000-0x0000000140848000-memory.dmp	upx
behavioral1/memory/5072-1125-0x0000000140000000-0x0000000140848000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\WmiPrvSE.exe\" "	1.exe

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
5008	powercfg.exe
968	powercfg.exe
1520	powercfg.exe
1636	powercfg.exe
2432	powercfg.exe
4580	powercfg.exe
1768	powercfg.exe
4500	powercfg.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	3.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\system32\MRT.exe	update.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1828 set thread context of 3240	1828	2.exe	124
PID 3988 set thread context of 1536	3988	update.exe	159
PID 3988 set thread context of 5072	3988	update.exe	165

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2760	sc.exe
4032	sc.exe
3848	sc.exe
1300	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-587429654-1855694383-2268796072-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 51 IoCs

pid	Process
1512	msedge.exe
1512	msedge.exe
3680	msedge.exe
3680	msedge.exe
3216	identity_helper.exe
3216	identity_helper.exe
3660	msedge.exe
3660	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
4684	1.exe
4684	1.exe
3240	aspnet_regiis.exe
3240	aspnet_regiis.exe
3240	aspnet_regiis.exe
3240	aspnet_regiis.exe
4880	3.exe
4880	3.exe
4880	3.exe
2476	powershell.exe
2476	powershell.exe
2476	powershell.exe
4880	3.exe
4880	3.exe
4880	3.exe
4880	3.exe
4880	3.exe
4880	3.exe
4880	3.exe
4880	3.exe
4880	3.exe
4880	3.exe
3988	update.exe
3988	update.exe
3988	update.exe
3240	powershell.exe
3240	powershell.exe
3240	powershell.exe
3988	update.exe
3988	update.exe
3988	update.exe
3988	update.exe
3988	update.exe
3988	update.exe
3988	update.exe
1536	conhost.exe
4560	powershell.exe
4560	powershell.exe
4560	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeRestorePrivilege	968	7zG.exe
Token: 35	968	7zG.exe
Token: SeSecurityPrivilege	968	7zG.exe
Token: SeSecurityPrivilege	968	7zG.exe
Token: SeDebugPrivilege	2476	powershell.exe
Token: SeShutdownPrivilege	1768	powercfg.exe
Token: SeCreatePagefilePrivilege	1768	powercfg.exe
Token: SeShutdownPrivilege	1636	powercfg.exe
Token: SeCreatePagefilePrivilege	1636	powercfg.exe
Token: SeShutdownPrivilege	4580	powercfg.exe
Token: SeCreatePagefilePrivilege	4580	powercfg.exe
Token: SeShutdownPrivilege	2432	powercfg.exe
Token: SeCreatePagefilePrivilege	2432	powercfg.exe
Token: SeDebugPrivilege	3240	powershell.exe
Token: SeShutdownPrivilege	5008	powercfg.exe
Token: SeCreatePagefilePrivilege	5008	powercfg.exe
Token: SeShutdownPrivilege	4500	powercfg.exe
Token: SeCreatePagefilePrivilege	4500	powercfg.exe
Token: SeShutdownPrivilege	968	powercfg.exe
Token: SeCreatePagefilePrivilege	968	powercfg.exe
Token: SeShutdownPrivilege	1520	powercfg.exe
Token: SeCreatePagefilePrivilege	1520	powercfg.exe
Token: SeLockMemoryPrivilege	5072	dwm.exe
Token: SeDebugPrivilege	4560	powershell.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
116	Loadkeqwkedkqwekqwek.exe
4684	1.exe
3240	aspnet_regiis.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 4376	3680	msedge.exe	82
PID 3680 wrote to memory of 4376	3680	msedge.exe	82
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 64	3680	msedge.exe	83
PID 3680 wrote to memory of 1512	3680	msedge.exe	84
PID 3680 wrote to memory of 1512	3680	msedge.exe	84
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85
PID 3680 wrote to memory of 4896	3680	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://upload.advgroup.ru/mvWwiE4h
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa832446f8,0x7ffa83244708,0x7ffa83244718
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5184 /prefetch:8
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,8365293060366816095,2529448166865187476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c 0x384
1⤵
PID:880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1008

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\UnivMenu_1.16\" -spe -an -ai#7zMap23765:88:7zEvent32137
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:968

C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe
"C:\Users\Admin\Downloads\UnivMenu_1.16\Loadkeqwkedkqwekqwek.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:116
- C:\Users\Admin\AppData\Roaming\1.exe
  C:\Users\Admin\AppData\Roaming\1.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4684
- C:\Users\Admin\AppData\Roaming\2.exe
  C:\Users\Admin\AppData\Roaming\2.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  PID:1828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3240
- C:\Users\Admin\AppData\Roaming\3.exe
  C:\Users\Admin\AppData\Roaming\3.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4880
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:3276
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:2604
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:4580
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "WindowsManager"
    3⤵
    - Launches sc.exe
    PID:2760
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "WindowsManager" binpath= "C:\ProgramData\WindowsManager\update.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:4032
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3848
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "WindowsManager"
    3⤵
    - Launches sc.exe
    PID:1300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Roaming\3.exe"
    3⤵
    PID:3508
  - - C:\Windows\system32\choice.exe
      choice /C Y /N /D Y /T 3
      4⤵
      PID:720

C:\ProgramData\WindowsManager\update.exe
C:\ProgramData\WindowsManager\update.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
PID:3988
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:532
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:548
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:968
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of AdjustPrivilegeToken
  PID:1520
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4560
- C:\Windows\system32\dwm.exe
  dwm.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1fe3a26bd35b84102bb4203f31e74c7

SHA1
45fdfa8433789b575eb64e116718e62e0e0cf4a0

SHA256
26e0d51529de906dd285ba48288e25eaf5213c0f0bab9bc5f119ecbc5e1b93ee

SHA512
d528db2e9b917d4fbe24b1b5c6f4cb274f4f91c84f63e5119e041fa89ae0cd01a370e314f8b6aca9d6fa958e79feabc720f4b54b3d8aed69aab11fa84cad36bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2915233ace3b11bc8898c958f245aa9a

SHA1
68c6aa983da303b825d656ac3284081db682f702

SHA256
b2cb442f2ca27619c8df087f56fcbbb53186c53f8fd131af886ee3712220477e

SHA512
e3f1b70d39b615e212f84d587ee816598236ee6ce144d919593894fcce4a0900343a9e8b837a0d1bd10921fff1c976c84c4a570eda776fe84d374a69e7a54890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
f56e0fd84a7e0fc6b664974cd0056790

SHA1
e33caf5684422e2d0b17d245cbe01a64bb91ee38

SHA256
e2f3d48c5363c14b853e7b2b36be5d19c3a12bf11ae4927238df655da2b48072

SHA512
a35ecc833369f941b97b09708acf1cf9e484283a785948ac39d4ee547da06a6aa9c0078499f78576d49bddadee2f6f2330bda71ef4e6e8c534719c18a11af853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
531ce00c3a130b482abd975806803620

SHA1
bdbfcfc6c16f9b15380bfc8c8adf234fb2eaf831

SHA256
fe6aa6de0057009b2f5303e4360aa835298afe8cd5152418e7bb9c5dfae3d04f

SHA512
79c7f2829ab3d1fbbc7f7f06eeae6623f85bf73c5a0d243d7485fa154fc9d36c4e04875953d83326ef39a34515903276a45ff497bb491756db0cea8e3542a43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
810B

MD5
bed2f6f0627da56770fc9557a5204f66

SHA1
95f373021428954fac48944b2181617ee28373f0

SHA256
1a8354f5f0ec5597b5e3b88548489f6f79383f38a780ad7012cd28c1ba8c3d0e

SHA512
77c7031a41d85af83ba28d3a9267e42144850bf8491389d59abfd882722bbb159c0672d19c489488481e889f6618c032ea9b55a80c252bd3860402c6e7045a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed5ce0d68ca4cb36e92811a7a84fc2b2

SHA1
848c699ba09b58b3bca0176a870bef9fa865edf3

SHA256
1e1dae863625d53e301cfb49b9f77a424fab0da2b655237b4c5207a17d1a7b90

SHA512
5310275bea2c20df5f214fb7dda5c3459635d9efb576e7f342af55b7bbecd8bfd14babe38a79f871d348023fd23da492000f37ee4f7973c76125a7cb2f5f2a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6e9d965b790ca0cd9b95ca12eb5180a0

SHA1
7cd298140567298e879eb4aab24ffd5d109e7a30

SHA256
f63e4068ceffbb1cc26ae1f111e5d787ceefb11125406216c5c68a165d727573

SHA512
532bc6a73854e61e9a467f32446770024c2f8604e7451fd99135d02d9ea068b1054c52dcf28cd2caf483c76f4ea8073910b9722cb9a89a5aa17ee6b9eda05a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0efa1e5b1563db406a782c4e46fda35e

SHA1
99d2c724c4963179fa2264f7b8237007c1c22f4b

SHA256
58bac8117a0a8eca52790a389f8d378b03cf5b82e1c6d8756fd5ce31d7858196

SHA512
53a86cceeeae1fa377939a973452601049c7b39a901712a28c0d9493867b26835e37a51543d3a7b3e1f212e7f9abbe3a9a71d2bec5811d4f7eb12245c6f1a8b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0cfde50f09ac2c949c1b1f0daad31ff1

SHA1
9d2b8d3f064a1d7a25991bd291e5c410a5e62266

SHA256
0c8f9a00d1ee443053698235a59464c718c363f2aa0e6969015bceb9b6f1260c

SHA512
28da8f2fcb3d37b2092c8df5904d035620785aeebbd2e2c0869976b89d175590c4832278f333b807a059b0d33a6ae089e739feddacfb95b7b91b31bf28777764

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b4528bb9cf04742e7a4755006dbb72a7

SHA1
f40cd00e39dae59a5eaa9526a86d39b325e79ee2

SHA256
a1b1a08a37e420e8c8813d3c784634b120776cc77401103fd1f8acc97f4b33da

SHA512
82cea1a5d9504318bf375ce570cba278f1bd8d0151e73582bdb50a0a05f2a95c27e4b3e959156dd404c5de9044f0bc1d3b5692aaea3f2f135867b3df19407715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
115656d6ce228f8a918499573429e219

SHA1
3a1a724380d7c2e668ec77e8fcf15365305a0b35

SHA256
483d0510b4df57ae08adf776ddd8facd4529a3d505b2b14b10b3523f5d70575b

SHA512
8f107769be2cb2f72ce92ef79c6777deca1c18e2b483238645de17b5d86df0095f4f0aa14ab8193771ab3ffe313a6d6040f678f18ff0cfe13709e0acb9ba7822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3f5f3987989005f776047f5e3e379592

SHA1
1753aded846878dbb6e1501e95f87dcde9a9ee9c

SHA256
9876a0c588b214580db9ddb9e0e8c9d9156625444e145056da19209ae938d2b8

SHA512
18b361d718a0ef9664b2c8990163a8dd4bc3eed571974350115296d02635be4e1903a8bd35e85946fbc5bc408a63073b57c8dec5d84ceb4d8ac551120805a8e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bac61725b0b4ca72bfef325fe9dcc10d

SHA1
b23b3a7743fcb9e504f735db0f1349b2ffb85ad9

SHA256
a0895bab6cd0600ab480729007675f40fdd1ce0b4216e3d1caaa98b38294503e

SHA512
ab6185c3ef7f52e314cebedd42e7c011802f82148da0a321f68073f5e8c394268a20c2b9954efe6dce5f399b6b69fe0461be02dbfcf05eb06f0b120fb4f55551

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57dac0.TMP

Filesize
1KB

MD5
6d6a444a552f86a73785ab1ffd3261e0

SHA1
127f0ff57c8b9c3e9e353a8f29a0bb816cb1c354

SHA256
78968cd28c16a3f192c05764d3e9724a4713c19728d44fd9104782b164a963e5

SHA512
2af4034615df74772662e6be1d440201edfb672f5aeb4f03f86995cce7d3f0adfc28ae880929492acf5fd197451ab1621f6b5b9273aee819e863ad490746096b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
76ff6fefc543e5eeb7fd7939bbb16c65

SHA1
ea43012cbd2ff018a6beacf212b8f8514b055f3b

SHA256
d8701094e688e2dc4a3a06b9d0f2ce3e09c4979c06e3d01046f32ed4700d1e96

SHA512
daec6f3670db7aac675fddb8bf4df0f5e304685df0a45702f5679f632cfcf069bb793260e97ad05967a21415f4b8ee1967bea96172a77d48325d63eb50b30516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c9398ca40206b16fd77ae2d279d84a5b

SHA1
f8a333376b1c94416527f4f7d0813b596b47de8f

SHA256
dee23738bc262ac692587d9113444d0c57cdad651b285b67866016eba4bbe505

SHA512
c70050aeea0d6ea9008a6308f2bc83e16e3a84e572bef514de79ce01c491039bd867c6872582b60df828cc05bacb54ea97034e2d89910adabd220106838652f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
27c6a309ac44ebf10c6ab2bbc5b69734

SHA1
3f4a1d28497c6358b026ff2de484ca4ea26d0570

SHA256
272973f4995e81b078d1451eba9fc2b0b58d5708f03d3f30975ccbe24a130b09

SHA512
539d812a2eec3ae73268893683f352910248cc1e2d6ad966510ffe5b0a66377bf1f0571f5ee15f85a3a6e9744abc69d4a6c6f05e997441574dec5d3fd855b723

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t2jjk2ti.twl.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9.dll

Filesize
442KB

MD5
7700a739a7f20e1e09dddd0659e69e4f

SHA1
340e39a309ab0dabe3116cba04d73a72a40053f4

SHA256
8d9a56cb3a2b7be78749f3f59457144a8bc9caf8b7dc702608a7c45e51af8800

SHA512
bd9699823ae300991a14a31aff69e0a5a4ceca6c96bca5c6a8fcd97bf2de091e1a091962025c864116251bb5968c231e65152c6e10436f96039aba31a337fc38

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
4KB

MD5
bdb25c22d14ec917e30faf353826c5de

SHA1
6c2feb9cea9237bc28842ebf2fea68b3bd7ad190

SHA256
e3274ce8296f2cd20e3189576fbadbfa0f1817cdf313487945c80e968589a495

SHA512
b5eddbfd4748298a302e2963cfd12d849130b6dcb8f0f85a2a623caed0ff9bd88f4ec726f646dbebfca4964adc35f882ec205113920cb546cc08193739d6728c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b42c70c1dbf0d1d477ec86902db9e986

SHA1
1d1c0a670748b3d10bee8272e5d67a4fabefd31f

SHA256
8ed3b348989cdc967d1fc0e887b2a2f5a656680d8d14ebd3cb71a10c2f55867a

SHA512
57fb278a8b2e83d01fac2a031c90e0e2bd5e4c1a360cfa4308490eb07e1b9d265b1f28399d0f10b141a6438ba92dd5f9ce4f18530ec277fece0eb7678041cbc5

Download Submit
memory/1536-1112-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1536-1115-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1536-1113-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1536-1118-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1536-1111-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1536-1114-0x0000000140000000-0x000000014000E000-memory.dmp

Filesize
56KB

Download
memory/1828-1030-0x00000000005A0000-0x0000000000636000-memory.dmp

Filesize
600KB

Download
memory/1828-1031-0x00000000027E0000-0x00000000027E6000-memory.dmp

Filesize
24KB

Download
memory/2476-1055-0x000001AA03150000-0x000001AA03172000-memory.dmp

Filesize
136KB

Download
memory/3240-1106-0x000002B55E4D0000-0x000002B55E4D8000-memory.dmp

Filesize
32KB

Download
memory/3240-1039-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3240-1102-0x000002B55E370000-0x000002B55E37A000-memory.dmp

Filesize
40KB

Download
memory/3240-1103-0x000002B55E4E0000-0x000002B55E4FC000-memory.dmp

Filesize
112KB

Download
memory/3240-1104-0x000002B55E4C0000-0x000002B55E4CA000-memory.dmp

Filesize
40KB

Download
memory/3240-1105-0x000002B55E520000-0x000002B55E53A000-memory.dmp

Filesize
104KB

Download
memory/3240-1108-0x000002B55E510000-0x000002B55E51A000-memory.dmp

Filesize
40KB

Download
memory/3240-1100-0x000002B55E290000-0x000002B55E2AC000-memory.dmp

Filesize
112KB

Download
memory/3240-1101-0x000002B55E2B0000-0x000002B55E365000-memory.dmp

Filesize
724KB

Download
memory/3240-1038-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3240-1107-0x000002B55E500000-0x000002B55E506000-memory.dmp

Filesize
24KB

Download
memory/3240-1041-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/3988-1079-0x00007FFA927F0000-0x00007FFA927F2000-memory.dmp

Filesize
8KB

Download
memory/3988-1080-0x00007FF7E28F0000-0x00007FF7E32DA000-memory.dmp

Filesize
9.9MB

Download
memory/4684-1023-0x0000000140000000-0x00000001403A9000-memory.dmp

Filesize
3.7MB

Download
memory/4684-1022-0x00007FFA927F0000-0x00007FFA927F2000-memory.dmp

Filesize
8KB

Download
memory/4880-1053-0x00007FF69C200000-0x00007FF69CBEA000-memory.dmp

Filesize
9.9MB

Download
memory/4880-1052-0x00007FFA927F0000-0x00007FFA927F2000-memory.dmp

Filesize
8KB

Download
memory/5072-1132-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1128-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1134-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1133-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1135-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1126-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1137-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1136-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1127-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1125-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1119-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1129-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1130-0x0000000140000000-0x0000000140848000-memory.dmp

Filesize
8.3MB

Download
memory/5072-1131-0x000001F5D2EF0000-0x000001F5D2F10000-memory.dmp

Filesize
128KB

Download