cb6602ec77e62c6f9f37a762870ee8917211d05f9138cf161047842e0eef8092

Analysis

max time kernel
204s
max time network
239s
platform
windows11-21h2_x64
resource
win11-20240730-en
resource tags

arch:x64arch:x86image:win11-20240730-enlocale:en-usos:windows11-21h2-x64system
submitted
02/08/2024, 10:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.exe
Size

3.6MB
MD5

d5dcd28612f4d6ffca0cfeaefd606bcf
SHA1

cf60fa60d2f461dddfdfcebf16368e6b539cd9ba
SHA256

32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf
SHA512

dbfcf464c3211b7454c406a9f9532c416910ac24ea862d7061e3503f294d690b4957020dcc703984449e0934c7a595cf9061412fa25383850dd86235648ac23b
SSDEEP

98304:whqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3R:whqPe1Cxcxk3ZAEUadzR8yc4gB

Score

6^/10

discovery

Malware Config

Signatures

Drops desktop.ini file(s) 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	wmplayer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	wmplayer.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
572	4984	WerFault.exe	82

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1872973762-1326452598-87257502-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
796	msedge.exe
796	msedge.exe
2460	msedge.exe
2460	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4584	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
796	msedge.exe
796	msedge.exe
796	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	436	unregmp2.exe
Token: SeCreatePagefilePrivilege	436	unregmp2.exe
Token: SeShutdownPrivilege	4984	wmplayer.exe
Token: SeCreatePagefilePrivilege	4984	wmplayer.exe
Token: SeRestorePrivilege	4584	7zFM.exe
Token: 35	4584	7zFM.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
4984	wmplayer.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
796	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe
2728	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2280	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4984 wrote to memory of 4308	4984	wmplayer.exe	83
PID 4984 wrote to memory of 4308	4984	wmplayer.exe	83
PID 4984 wrote to memory of 4308	4984	wmplayer.exe	83
PID 4308 wrote to memory of 436	4308	unregmp2.exe	84
PID 4308 wrote to memory of 436	4308	unregmp2.exe	84
PID 796 wrote to memory of 1176	796	msedge.exe	103
PID 796 wrote to memory of 1176	796	msedge.exe	103
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 4416	796	msedge.exe	104
PID 796 wrote to memory of 2328	796	msedge.exe	105
PID 796 wrote to memory of 2328	796	msedge.exe	105
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106
PID 796 wrote to memory of 2976	796	msedge.exe	106

C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.exe
"C:\Users\Admin\AppData\Local\Temp\32f24601153be0885f11d62e0a8a2f0280a2034fc981d8184180c5d3b1b9e8cf.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2360

C:\Program Files (x86)\Windows Media Player\wmplayer.exe
"C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play -Embedding
1⤵
- Drops desktop.ini file(s)
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4984
- C:\Windows\SysWOW64\unregmp2.exe
  "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\system32\unregmp2.exe
    "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    PID:436
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4984 -s 1160
  2⤵
  - Program crash
  PID:572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:3952

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4984 -ip 4984
1⤵
PID:1628

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2280

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s fdPHost
1⤵
PID:384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://c/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff908413cb8,0x7ff908413cc8,0x7ff908413cd8
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,421829445010789323,16215546849695590552,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,421829445010789323,16215546849695590552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,421829445010789323,16215546849695590552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,421829445010789323,16215546849695590552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,421829445010789323,16215546849695590552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,421829445010789323,16215546849695590552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:3568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:72

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://taskmanager/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff908413cb8,0x7ff908413cc8,0x7ff908413cd8
  2⤵
  PID:2556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1936,17177376810829027885,16905980108180544308,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1936,17177376810829027885,16905980108180544308,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1948 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1936,17177376810829027885,16905980108180544308,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17177376810829027885,16905980108180544308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17177376810829027885,16905980108180544308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1936,17177376810829027885,16905980108180544308,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4436 /prefetch:1
  2⤵
  PID:772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:652

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:1548
- C:\Windows\system32\Taskmgr.exe
  taskmgr
  2⤵
  PID:2056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e15960b37c05dc7b54098cd898fe5a4d

SHA1
2c7923730ff68a25d23f8e56c3e5b8e62d2a1de2

SHA256
a3dd370b2b481e239fa13c330f274b7d279573b77ffb813ba68a4961b36d6cb6

SHA512
7e0016a20ed5935f0b0ec2722617661b2486cfde8a9f0901c5f01b23a1545f8637149e5086281f02d834a6be112cbc8eae4af86639f7c1e1c9e2bc34cdb6f979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f0985952f484235e84d2365c937c1cb2

SHA1
66d17c1c715dce2d57308c282e14149ad7326cb5

SHA256
e2f7e7e357a5853208627d8db9f834e309b516d2547dcd0e72598ad71b511a6e

SHA512
1a6f1f0e607cc93ebf45bac15b9221328d8a84e7c177ea5105b6cb9e8cdda34b8c8dfd54d8ee52cd8d590224258bf959646e8f844f45d1be2de6e555bc173549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cccdb04720e1632b3ababce0c0954ddc

SHA1
627fb15e39972f5339ba623ccf2aacf616adcc12

SHA256
4aaa61366719d6428b64217960e4c31bb925799dd75288307cd306a4ec833a0e

SHA512
4af29420d1bddd88a5fcfca9ef860d2cd1f97b9bf295c16b522a33d2580f264b35b3a373a1627a1f3be80044162c8580f54efae2e55befce3de8915c916b5bcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
793a855823adb3e36b4a796fe95e7dec

SHA1
e6f7a14f6218df8fb6663c299c225cbc7f259764

SHA256
2f0940f432d9264f0926058e605482999e467b311acef46994aa019a8ec1b666

SHA512
0e5f27201c34a50a11666bbf50005e354b25c76e1bfe58a91fada462598ee69d8fbeabcbce9b78856f89ec6d8189ee9b07216c72ea0cdf6eef63dfaef1a13980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
b44a991e1fb5a3196954f7f11b164abd

SHA1
d89f3c2b9715fef92dc5ccad2943cb37b9ce7dcf

SHA256
1ae8fe705c24f713b15a818a2fcd33285b89cc81091b26c2f2da97a64cc5a683

SHA512
3c7bdceb24d44ce00e3bcc5b968322e72c62bd3d8f8a8fc17d376ba7d88d82f368de24eb471dcf2edf305049fca329107e7eeb503fc7fbfba4f173928b77964c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
2bd3a2e3338717505865b66d74c3bf1b

SHA1
6a3a958a371fa1a9e48dd7a4159263342ebc77b5

SHA256
4749c7e2eab042346ca0067a5eff657c2f3089ec692d474e47e0108954a6d440

SHA512
b1b148350fc271d5824721cb7d6500a1cc6dfa4dc1a4f7b83ce928a4dce91397f74351fc320810c7dfe9bb7818af9b82504c903958afdc9620ab3c6e2c028973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3ad37b31acefd3b50469b4852f8c34b

SHA1
7f20c5f060f546c1ee5ca82753f383321165fb9d

SHA256
d527924407dc1015dca446d09f1d2ba12680dc7e1110149520a6f8c0507169b7

SHA512
173a466f8c4abc4beacc367e55622b4fa410e241061055b85b0b4faf0d00202732f09a95473f9c3fcd1fa3e16f082d091d960478234206983e033e7d1ff1c623

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e76f1a6a15a6b7f8d229ab2dddc8fb7

SHA1
cc132a5e28532e00c3dafea18e767562876c43c8

SHA256
a4891a35d89c1cb06b8646079ff94d75c0a47c30da43b645970ce2ad43786704

SHA512
5529db17922ef232a0e99b2fa506b644bbec4bba0552f068f543b325a1c14ba42f577442ad6d947422cdc484873494ac315bbf71617b795d9d2017f39d2e1558

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e8ca75c89c1e2eb612966a68a24aca88

SHA1
78c377df77c5670e91e071de5e22d41ec9055a9f

SHA256
c1848872ecf79ca1c035450f0052f042fab1796306f0431ad7e0e5a758018b3a

SHA512
00328fd1dcd6c92f6d5e197ed5422857bc490d559633c1f85735aa19fae62ad8bc760c465587000c497efa057a5309905fcea3c3d80f0e0314d4cc54f809cf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
342bd0bf95bc516a43926fd64434049c

SHA1
1cff8059dcbe884cf7687ffcbd919ec17a576294

SHA256
4fe84cbaa01967809a1ce650db9dd3cd3138580aa5b8fc2a0acb99ecc20df67b

SHA512
41c359b5a0a3523373a3b6f4b05aaa48b120010d810e2071164593ef3dedcfb5130de59ed99bb2584beb2735ccbd50bcf44d789ff203cc104c307405f46f4455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
bfdb7c73c57c01477656dcacebc38a65

SHA1
3990233bba28380acfee3f6771d950f6c4dd0eb7

SHA256
e438040d9d733fe8abcaabc1da2695f5fe2f849277bca78ee9213408569e7127

SHA512
2f095e34125ecfdb82a70d5a055c76bb0e27b54e67ed3977094c71db04ae6d29b9d2404ee51a6d3cf01a5910b7b9813a1e81b626d944da043b5a0aef65243b2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13367067579586499

Filesize
925B

MD5
bd9507db970713eb18c0c45505c064b3

SHA1
45679ae531573e4fe83d2631221898bc4e0a0497

SHA256
11dae52ee5082f7e12323eb13470fed5a6692a0ade4d52a3ada4e872615fdcd8

SHA512
154f81d1641ec0e4c173a768403b3628b0af3d47fbd7d135db08ad2880c38d665e28349f69bef464fdc403bc46382d7d5e4a080bcdd8c426b8e8fb5f7698bf65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367067579789499

Filesize
1KB

MD5
1d6ad4f6944071b2cc731293b302ca8b

SHA1
706bb4ab728a248b7635f3bd6720f78947534e02

SHA256
3a6557a9ec91556452573b3050a980b6a998f01d20e3dab21c0842978e034867

SHA512
7b46db3c6609ae28a2a20b7b2a3940d2f09404b9c9e92246a5d0a576065d2456639bab26a6f2a64c1970b590933d37a93f2266d3491d2504a341949e12eaccd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
e84aee7bf5e7ccef413a39e0a9d891e4

SHA1
1b81dd47403e2819417b957fe911292ffca683b4

SHA256
2e11a1e590e58868424275110ee08582bed00dbf6a9714f7c751cb53c83eeaab

SHA512
11223f19d0862007440af5bce7e0fdb97ee0a357afb7ffda2b870bc0387d2910f5c5f2d28b88a1fdc289bd07c1e8fba53ac2fde8a3fad106ed7a19b3ee2d0659

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
211d045c4968e3f35fd2d2992ee5cd3b

SHA1
fb105a69d53f6132ec08b01b427e37fa0b791a02

SHA256
c43c784d6ae4603c609f83e61c68bd9a3858e1bd621fce3d7c507bd0309ca0ed

SHA512
6d95981471f6a96aec7f4d8e610b8078010a9559db385d005e9df8d4074930cc8d9189e4b7355c90de6297caa697837cd25110894a8a62adab783e5d50808691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
2cb35bee39bd1ff8b5c8ee2caee852da

SHA1
477f23c65a6c648cfd569bbbab2c4874779e479f

SHA256
190a7d2ac0a87bdeae7f74de8f6a2b7ecd26a985976c8f97abf3757f232e7516

SHA512
ab117b7c50df7371b6c85864a12965b125f626c90dccce970a0bc53cbd59ba602ca5c21e413e35979031d1c8cf924ffb188cec9e6b9ea9ec95f857b04e595565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
a0fd5ac8f339526f2d0e1f32f4e88ed8

SHA1
63fe09cd22ef7706e10164cb265218feb98eaffa

SHA256
2a6d082e607cf22f3a677d4bb86ac06d2237b070fabc1a1687372f9a527e0d0f

SHA512
68531696650cba1b78f4894f262d9afb40b9c01d2cb28873c167651fa4f7c12895a82cd924dad82317f4a573e22cdb5ad6711e824df342d529e19225dc34d6c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
69a022e89fe770f6533a4cfd3c17542f

SHA1
4349ebf1157d71ba3b55cd112c3a21f78f4cd1d2

SHA256
acf11b884f654868e192d275b8e42158698af7a26fa37ad6f3f39cd05bd7e7a9

SHA512
56c3d6d1301defac26b2297c74c24bd74024c3a6f005e45d677ec86d89bdf3b335b81c7eaa8f853aacafd798924d08f032475e4073db4252415a0c75fa35e69a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
0c73055941d504c6f0b6e016d3bc9824

SHA1
6ac93d27bed094e2f9fafd25314a3f642de97a74

SHA256
c1486082b0958903b4e243dc88ca2276c14af9135ac8c3ea22c88d88e042e148

SHA512
72cd7cbd9d1c47849993f593acaa5eaf6161256b2105823d24943c48d70fc9c532c0f1c85356ea57940986db1856d4fe1ebb3b58d7209d3b4a14e1c02f755749

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
75757988cbaadfc5235f3c1e63ebae80

SHA1
fcab9b4d7aed943cce92528226402252e06fd4f0

SHA256
b23ebbe69be8a277844705a4f558a08521dfecb3207161d7bb64f935bbfba951

SHA512
c91128333584451661f50291bab52ade777c85d3619c04b008b558c271de3ba09713c41b68a0732380c6c9ba527d3aa5ae3faaeaae288de410163b48d3e2092a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7f142027f4894f673d92a1c681c4b24e

SHA1
15b3bcfb0cfa219052cf244fd2dcbabf18aa32d4

SHA256
1f07903d8c4f458a7192be68e221e0b419ed8f7901d81aceaa6605f47addfcf7

SHA512
177ee3f39f39027af629602d072bdbd774ef283b4d6d141da2d503f56a7b4e717104912fb487184e9643e6dcfece74dd4707320144bd69453830e32bf16871b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
5be4fa708f90518c1acb7fb706e49a8d

SHA1
c496e46d9a8b6ae9f94d341e68c3bbdce66a9c31

SHA256
a4d16e539c8fa1e17a1fef77a127822f2dab582db28470d6c2bafb9a15c83430

SHA512
0dfad2753a506f2c59e94ad7f20c3d90e6c7fbd41ac3080212a501496dfd89967f7f3c24aeb8758dc2897b710b68eaafbdbe6d54a65fc0726c9dc8737097ff05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2c4c038eec1a2f6172840d5af33e9355

SHA1
f60d9d08a03f805b864d57c409543bfcd3486385

SHA256
4b866d8f89eb8e6e62253d28615765f845c58db0de8586ce34560cc99d821ae7

SHA512
f6712e5f2df31c32d5a6df3642e6b61f9c6b08c6178697dc26cdaa8d0cd04ed0d4e04eab6b890f8c791f8a6011035e18fb5fc54d7d2c7d9f2901c4d85abfb12f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0e716d06e0c52d89dd0ffb800c0b8a3c

SHA1
44608b5ed3a1c372d3ecaa788ea108cb562d8de5

SHA256
7d880e609c4ba82bb04306c3a01e6a7224567b720149012405046ea2c55d227b

SHA512
30c5ce20310ba2a469460636d150ff12d3523e91972e006e46146f9edca71a638e5b86b55317d4ddc25c7e8afd37b27db4702e6a3d957ef2b82968b56a236ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
34a1be415aba8a8f2ef190010c6b2aeb

SHA1
4313b75ea97e57460df614eb3c46bc9c7a881bdd

SHA256
9f4e437871f9d20a1b5810e9c8113fac4e1d37177837543752dc235aef64f716

SHA512
01ace4850ec7c9cc4721cad3f44da29ddd675687c3024612bc7b1c96b6ea0b43b6b76416aeeb684608113cd46b6001e408a804f59971dc33ecdb422ae78e8396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
d35defde3ad3faecd5955399986c9785

SHA1
7762067bc38abb0654f552bd5967404c57954ea3

SHA256
69d351f5546d8e20aed4549148ce8b8344faa65fb64e00b248028ac408922319

SHA512
cabff3a74b4b18b87b389f74c383dd79f33f17504a239deb35bb0ccf0d6f9e20b638d136ef8b3b7390f48a16e4f9398f264cc714766c8f7c032124a8737d84d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
3f4aed83a2430af21e88d6295448be34

SHA1
9f8fd4938cf3f1c49467070b06a7396fb96f09ac

SHA256
83beeef535ba780cd57d023de9c0f33de3e94668a3db113ea3ac7c23d44b0b97

SHA512
982c41d7ef915fc1473bdc07955e12bb896a6dd98e0ff7052799df1cd5899ff87f9d69ae0a8f4aed1b5faedd7bd4ac37962cf2d1ae589fc63798e9e4fe8af3c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
2e17133b3141c1e4ceb9bff4c2e1ffe3

SHA1
f767a0c872eb849db35b23f3686630fb73e7fa30

SHA256
0a7000788b847d8bf4ba02c06e097a6e162c738fee7b1e1e2011e74e319955ae

SHA512
6c2a1acb48f7280391edd95e1fd8abbbcbde3e2274578265cb85181f76fab175b26d632f5e47e6f5f0079248ccc0dac18a26d7dfeef2c80c890ef75f0074e00c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
5433eab10c6b5c6d55b7cbd302426a39

SHA1
c5b1604b3350dab290d081eecd5389a895c58de5

SHA256
23dbf7014e99e93af5f2760f18ee1370274f06a453145c8d539b66d798dad131

SHA512
207b40d6bec65ab147f963a5f42263ae5bf39857987b439a4fa1647bf9b40e99cdc43ff68b7e2463aa9a948284126ac3c9c7af8350c91134b36d8b1a9c61fd34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
361ad32d4bae1668910cef8476530395

SHA1
33f11945037c758381f6fdbac5e9f6e4271d51eb

SHA256
dbcf7c9c54f29fca735571b040b3b3bb5f13a8f1a895c5e882ba8738aba79864

SHA512
221f5fa62bfed4d7f4ee5c58aef117b2817d66ba38012acc8bfe9c42a2b95c4c64f443abb7e549c7541a3271f4570019e104834e7011e0073c96f550c6d5883a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
5c43376cce6d3acca309cba0a368c564

SHA1
382f63b5fab5188f33a814f1aef3f30a3e7ab9c3

SHA256
f5fd801cc2cfa2c1a26e61cd7be442b95f6529ce8dd30291a7ea09d5e1cd958b

SHA512
d954e0fb0cd5653ecb3f51a3589fb1205da6e7eef460240bed168533b9fdcaa84baf8d32c39573ec0c85b0037d5f02db73c320f14b97638fb2de883bbc11054a

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
c09cf9deb9ef67e65a0a2610c45bfe30

SHA1
751971905c27ff33adeea498a639d66cbd9d9b60

SHA256
0d84f987769ad7995635a7784d5e80344764f243d8aacf4318f501b9c732c28b

SHA512
c392cfbb5017276dcee315619ab28320a72e62a0fb0a616c9bfec66a6908fd15a157f300630369926b894d753d445e5ed4fe03264fef045744f4ae6637ee76e1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
1KB

MD5
9c561e09d1cbd3cadda3b49d1395255b

SHA1
0212990c82696dda66fd48c8f14c8d33d502da89

SHA256
e5b1c0c5f38d0294ac3986875295e74013b183616eca4b05fac831fa67c48def

SHA512
172a2018c9cc8f99397606b046cc0423a1a81f77d392c3767dd08854ad88cb734b56f60bf73a7d08d9c66130db709a411e2047e13f7a23f1153656a79ec5371a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\74d7f43c1561fc1e.customDestinations-ms

Filesize
3KB

MD5
2093190e0725cde62b896d2b46d60f81

SHA1
819e6c09008208e6187e3aa05c7b4ea88ea92c6e

SHA256
408e23a1f95fede18f0dc64c6e63b2f91a9ca77734c09bbc5195c1c4e32e543e

SHA512
5738f41165bba1cfd05079e10196bc0eaf8ec3c53c695e9bc357866ed9c421a0c10799ac844e465c1bdb0d7c4ff6312efc14414aa4e8ad816cbafa906bc0c75d

Download Submit
memory/4984-29-0x00000000068A0000-0x00000000068B0000-memory.dmp

Filesize
64KB

Download
memory/4984-37-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4984-31-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4984-35-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4984-36-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4984-33-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4984-34-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4984-32-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download
memory/4984-38-0x0000000009620000-0x0000000009630000-memory.dmp

Filesize
64KB

Download