stormkitty | 391d1a7d36777422bcb7b5cb9d5e55c988a277f09aa27a2d724424c4466fca4d

Analysis

max time kernel
150s
max time network
157s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
25-07-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Anti_R.A.T_V7.exe
Size

142KB
MD5

fb8bb0610a5e2c19496e9ed8b69c6fb7
SHA1

38bb10084ab1c83139c34c9f06d0a8b45fedb377
SHA256

391d1a7d36777422bcb7b5cb9d5e55c988a277f09aa27a2d724424c4466fca4d
SHA512

2e61e3d20161dec313c3662e2a56442e3ef3f75e60905afa615be81062b066d01dd4ca4dbb58874e46ca5b7756cac9ac175bc01be308caeebb1a5e21efbd4023
SSDEEP

1536:jGglhxmYHTgkrKF2gfk9bGs/X335/RD6K7IOuJLwaZww/joT3/4X:jXlhMOaFFfk9b5/hXEOuJLwoww7oLY

Score

10^/10

stormkitty xworm credential_access discovery execution persistence rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

manufacturer-rank.gl.at.ply.gg:60383

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3280-0-0x00000000006F0000-0x000000000071A000-memory.dmp	family_xworm
C:\Users\Admin\AppData\Roaming\System_User	family_xworm

StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty

StormKitty payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/3280-1113-0x000000001CD20000-0x000000001CE40000-memory.dmp	family_stormkitty

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4292 powershell.exe
888 powershell.exe
4500 powershell.exe
3232 powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Anti_R.A.T_V7.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation	Anti_R.A.T_V7.exe

Drops startup file 2 IoCs

Processes:

Anti_R.A.T_V7.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System_User.lnk	Anti_R.A.T_V7.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System_User.lnk	Anti_R.A.T_V7.exe

Executes dropped EXE 2 IoCs

Processes:

System_UserSystem_User

pid process

1888 System_User
1396 System_User
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1888	System_User
1396	System_User

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Anti_R.A.T_V7.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\System_User = "C:\\Users\\Admin\\AppData\\Roaming\\System_User"	Anti_R.A.T_V7.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 ip-api.com

flow	ioc
1	ip-api.com

Drops file in Windows directory 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.pornhub.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{A7D59C81-41ED-471B-B28A-C5D3D0FE49E7} = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\pornhub.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "428716652"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 9bc0c51deededa01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListFirstRun = "3"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "428113787"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.pornhub.com\ = "14"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 4	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2872 schtasks.exe

pid	process
2872	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exeAnti_R.A.T_V7.exe

pid	process
4292	powershell.exe
4292	powershell.exe
4292	powershell.exe
888	powershell.exe
888	powershell.exe
888	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
3232	powershell.exe
3232	powershell.exe
3232	powershell.exe
3280	Anti_R.A.T_V7.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3708 MicrosoftEdgeCP.exe
3708 MicrosoftEdgeCP.exe
3708 MicrosoftEdgeCP.exe
3708 MicrosoftEdgeCP.exe

pid	process
3708	MicrosoftEdgeCP.exe
3708	MicrosoftEdgeCP.exe
3708	MicrosoftEdgeCP.exe
3708	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Anti_R.A.T_V7.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3280	Anti_R.A.T_V7.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeIncreaseQuotaPrivilege	4292	powershell.exe
Token: SeSecurityPrivilege	4292	powershell.exe
Token: SeTakeOwnershipPrivilege	4292	powershell.exe
Token: SeLoadDriverPrivilege	4292	powershell.exe
Token: SeSystemProfilePrivilege	4292	powershell.exe
Token: SeSystemtimePrivilege	4292	powershell.exe
Token: SeProfSingleProcessPrivilege	4292	powershell.exe
Token: SeIncBasePriorityPrivilege	4292	powershell.exe
Token: SeCreatePagefilePrivilege	4292	powershell.exe
Token: SeBackupPrivilege	4292	powershell.exe
Token: SeRestorePrivilege	4292	powershell.exe
Token: SeShutdownPrivilege	4292	powershell.exe
Token: SeDebugPrivilege	4292	powershell.exe
Token: SeSystemEnvironmentPrivilege	4292	powershell.exe
Token: SeRemoteShutdownPrivilege	4292	powershell.exe
Token: SeUndockPrivilege	4292	powershell.exe
Token: SeManageVolumePrivilege	4292	powershell.exe
Token: 33	4292	powershell.exe
Token: 34	4292	powershell.exe
Token: 35	4292	powershell.exe
Token: 36	4292	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeIncreaseQuotaPrivilege	888	powershell.exe
Token: SeSecurityPrivilege	888	powershell.exe
Token: SeTakeOwnershipPrivilege	888	powershell.exe
Token: SeLoadDriverPrivilege	888	powershell.exe
Token: SeSystemProfilePrivilege	888	powershell.exe
Token: SeSystemtimePrivilege	888	powershell.exe
Token: SeProfSingleProcessPrivilege	888	powershell.exe
Token: SeIncBasePriorityPrivilege	888	powershell.exe
Token: SeCreatePagefilePrivilege	888	powershell.exe
Token: SeBackupPrivilege	888	powershell.exe
Token: SeRestorePrivilege	888	powershell.exe
Token: SeShutdownPrivilege	888	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeSystemEnvironmentPrivilege	888	powershell.exe
Token: SeRemoteShutdownPrivilege	888	powershell.exe
Token: SeUndockPrivilege	888	powershell.exe
Token: SeManageVolumePrivilege	888	powershell.exe
Token: 33	888	powershell.exe
Token: 34	888	powershell.exe
Token: 35	888	powershell.exe
Token: 36	888	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeIncreaseQuotaPrivilege	4500	powershell.exe
Token: SeSecurityPrivilege	4500	powershell.exe
Token: SeTakeOwnershipPrivilege	4500	powershell.exe
Token: SeLoadDriverPrivilege	4500	powershell.exe
Token: SeSystemProfilePrivilege	4500	powershell.exe
Token: SeSystemtimePrivilege	4500	powershell.exe
Token: SeProfSingleProcessPrivilege	4500	powershell.exe
Token: SeIncBasePriorityPrivilege	4500	powershell.exe
Token: SeCreatePagefilePrivilege	4500	powershell.exe
Token: SeBackupPrivilege	4500	powershell.exe
Token: SeRestorePrivilege	4500	powershell.exe
Token: SeShutdownPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeSystemEnvironmentPrivilege	4500	powershell.exe
Token: SeRemoteShutdownPrivilege	4500	powershell.exe
Token: SeUndockPrivilege	4500	powershell.exe
Token: SeManageVolumePrivilege	4500	powershell.exe
Token: 33	4500	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

Anti_R.A.T_V7.exeMicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

3280 Anti_R.A.T_V7.exe
1972 MicrosoftEdge.exe
3708 MicrosoftEdgeCP.exe
2884 MicrosoftEdgeCP.exe
3708 MicrosoftEdgeCP.exe

pid	process
3280	Anti_R.A.T_V7.exe
1972	MicrosoftEdge.exe
3708	MicrosoftEdgeCP.exe
2884	MicrosoftEdgeCP.exe
3708	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Anti_R.A.T_V7.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 3280 wrote to memory of 4292	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 4292	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 888	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 888	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 4500	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 4500	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 3232	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 3232	3280	Anti_R.A.T_V7.exe	powershell.exe
PID 3280 wrote to memory of 2872	3280	Anti_R.A.T_V7.exe	schtasks.exe
PID 3280 wrote to memory of 2872	3280	Anti_R.A.T_V7.exe	schtasks.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3708 wrote to memory of 4392	3708	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Anti_R.A.T_V7.exe
"C:\Users\Admin\AppData\Local\Temp\Anti_R.A.T_V7.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3280
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Anti_R.A.T_V7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Anti_R.A.T_V7.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System_User'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4500
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System_User'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System_User" /tr "C:\Users\Admin\AppData\Roaming\System_User"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2872

C:\Users\Admin\AppData\Roaming\System_User
C:\Users\Admin\AppData\Roaming\System_User
1⤵
- Executes dropped EXE
PID:1888

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1972

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3500

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3708

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2884

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4392

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3536

C:\Users\Admin\AppData\Roaming\System_User
C:\Users\Admin\AppData\Roaming\System_User
1⤵
- Executes dropped EXE
PID:1396

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4944

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System_User.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8592ba100a78835a6b94d5949e13dfc1

SHA1
63e901200ab9a57c7dd4c078d7f75dcd3b357020

SHA256
fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

SHA512
87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZVQ9VIUB\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f114a6a2e3ccfe4d04b4ebe601d37d4f

SHA1
ed4ec84a2375cf31108198aaa634c39a383a08bf

SHA256
216046e7ebe7f2bcefbbd0f1f23734bf3d4e31d3ea280c561e84434496c12152

SHA512
875da36bd162c7f5801ab2a808d6c75ce30cd29099aa59d36c5c37dfc218e8c4feefa8caff9c137d4df861c0e57ebfc59655a8ef6976b9d081df25e5e1e5fcff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d2c4675b6afe302a51de72856dead53f

SHA1
e270d164468023900868ff40790fd8739c6e86af

SHA256
15f37c070259b63cd6f652dadfb13dbd027d6efac7565e02f8c51082e801d9b8

SHA512
4331ffa1fa0b50749f2a04fbbbf3954cee0c59fc3dc2e41e5fa2a73feb186a40cc3e3fccde997d79aaf37cf917223a6b68e9be63812384af14028a9c6ef0fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d23ec04de2744e5ce01bd8074cfa9527

SHA1
11b636522a0b4fce80d909678d12c23f18c0f103

SHA256
4eb9aa5d979abe8fa7cd5e336231873039ad17fcba14ef7786de14fd52b5aeb0

SHA512
d7c542e30783fb6182bdd1e554587d991f0c2e87c23905786a28e52340ad3a5258a8a240f25fb0140e23a2755467df59525cc4e885e3868ddea10eaf25a7fdd8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\6FA3OVOU\ph-icons[1].css

Filesize
14KB

MD5
d790ebdac29bed50f10e08c1f9dd0f3b

SHA1
e6975ab03fe81a0fa2a186c56428c0809e3a8dcb

SHA256
5b30f86626fa2c8d02d4d46857067c5e328039c08e880809fd1703ef1326bee3

SHA512
cea7f20300a5197c839849d793c9903a1bd685f8076f82a1b09a1460ca4cce42be8d1c58f2a199dfe6ff8649c404ce03f336677c66756c4576574c3a0a75c62e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\G9XC57XZ\front-index-pc[1].css

Filesize
83KB

MD5
93fe2247c31df22d15ecb808d098a9df

SHA1
c9a89db5fd59681fcf5070e00b7466d6a194949e

SHA256
3ad432227033b7484d63164e65dc3458b3fbfcf2d783bf15284d856d58bd6812

SHA512
cd6e63c0708ca6efc9d68474784a95313c9a278418e380fa8004782b98af374e9ac0a2e8f0c4872e97d3dfed56db8730d152ce4c707812a0c2c767b3505949e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\UI2IVQQV\www.pornhub[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\O0M7179R\favicon[1].ico

Filesize
1KB

MD5
bf5b6c805abb9d242e0eefe8f85e9253

SHA1
7430ff53470894ca5d22d074c1569efc3b72b95d

SHA256
edff483f89d1eeef57d191848be78a7f52313af079c116bf714a0f5d5b57e9c5

SHA512
b653e0840beab0200a3b97c5edeaf3145d2c1b8425d844f464e9aa2d61c1f51253b1e760e095e5086244415a864ed31673dd85290ac04841095d68a74ab2e19c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\OGJT8GPK\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kmmsfk2y.ykd.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\System_User

Filesize
142KB

MD5
fb8bb0610a5e2c19496e9ed8b69c6fb7

SHA1
38bb10084ab1c83139c34c9f06d0a8b45fedb377

SHA256
391d1a7d36777422bcb7b5cb9d5e55c988a277f09aa27a2d724424c4466fca4d

SHA512
2e61e3d20161dec313c3662e2a56442e3ef3f75e60905afa615be81062b066d01dd4ca4dbb58874e46ca5b7756cac9ac175bc01be308caeebb1a5e21efbd4023

Download Submit
memory/1972-207-0x0000021B47420000-0x0000021B47430000-memory.dmp

Filesize
64KB

Download
memory/1972-226-0x0000021B447B0000-0x0000021B447B2000-memory.dmp

Filesize
8KB

Download
memory/1972-191-0x0000021B47320000-0x0000021B47330000-memory.dmp

Filesize
64KB

Download
memory/2884-235-0x0000023ABD240000-0x0000023ABD340000-memory.dmp

Filesize
1024KB

Download
memory/3280-185-0x00007FFF65AE0000-0x00007FFF65CBB000-memory.dmp

Filesize
1.9MB

Download
memory/3280-186-0x000000001BE50000-0x000000001BE5C000-memory.dmp

Filesize
48KB

Download
memory/3280-0-0x00000000006F0000-0x000000000071A000-memory.dmp

Filesize
168KB

Download
memory/3280-1-0x00007FFF65AE0000-0x00007FFF65CBB000-memory.dmp

Filesize
1.9MB

Download
memory/3280-1113-0x000000001CD20000-0x000000001CE40000-memory.dmp

Filesize
1.1MB

Download
memory/3280-1110-0x000000001ED90000-0x000000001F2B6000-memory.dmp

Filesize
5.1MB

Download
memory/3280-1109-0x000000001BE70000-0x000000001BF20000-memory.dmp

Filesize
704KB

Download
memory/3280-184-0x00007FFF65AE0000-0x00007FFF65CBB000-memory.dmp

Filesize
1.9MB

Download
memory/3280-2-0x00007FFF65AE0000-0x00007FFF65CBB000-memory.dmp

Filesize
1.9MB

Download
memory/4292-6-0x00007FFF65AE0000-0x00007FFF65CBB000-memory.dmp

Filesize
1.9MB

Download
memory/4292-50-0x00007FFF65AE0000-0x00007FFF65CBB000-memory.dmp

Filesize
1.9MB

Download
memory/4292-12-0x000001B29B610000-0x000001B29B686000-memory.dmp

Filesize
472KB

Download
memory/4292-7-0x00007FFF65AE0000-0x00007FFF65CBB000-memory.dmp

Filesize
1.9MB

Download
memory/4292-9-0x000001B29B460000-0x000001B29B482000-memory.dmp

Filesize
136KB

Download
memory/4392-663-0x000001F533140000-0x000001F533142000-memory.dmp

Filesize
8KB

Download
memory/4392-672-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-640-0x000001F531900000-0x000001F531A00000-memory.dmp

Filesize
1024KB

Download
memory/4392-657-0x000001F532E80000-0x000001F532E82000-memory.dmp

Filesize
8KB

Download
memory/4392-660-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-638-0x000001F536670000-0x000001F536770000-memory.dmp

Filesize
1024KB

Download
memory/4392-665-0x000001F5331C0000-0x000001F5331C2000-memory.dmp

Filesize
8KB

Download
memory/4392-662-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-661-0x000001F533120000-0x000001F533122000-memory.dmp

Filesize
8KB

Download
memory/4392-659-0x000001F532F40000-0x000001F532F42000-memory.dmp

Filesize
8KB

Download
memory/4392-668-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-667-0x000001F5331D0000-0x000001F5331D2000-memory.dmp

Filesize
8KB

Download
memory/4392-669-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-644-0x000001F536770000-0x000001F536870000-memory.dmp

Filesize
1024KB

Download
memory/4392-674-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-673-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-671-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-670-0x000001F51EA60000-0x000001F51EA70000-memory.dmp

Filesize
64KB

Download
memory/4392-546-0x000001F5331E0000-0x000001F533200000-memory.dmp

Filesize
128KB

Download
memory/4392-472-0x000001F5310C0000-0x000001F5310C2000-memory.dmp

Filesize
8KB

Download
memory/4392-452-0x000001F531800000-0x000001F531900000-memory.dmp

Filesize
1024KB

Download
memory/4392-418-0x000001F530030000-0x000001F530050000-memory.dmp

Filesize
128KB

Download
memory/4392-260-0x000001F51F200000-0x000001F51F300000-memory.dmp

Filesize
1024KB

Download
memory/4392-255-0x000001F51EA80000-0x000001F51EA82000-memory.dmp

Filesize
8KB

Download
memory/4392-257-0x000001F51EAA0000-0x000001F51EAA2000-memory.dmp

Filesize
8KB

Download
memory/4392-252-0x000001F51EA50000-0x000001F51EA52000-memory.dmp

Filesize
8KB

Download