3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

Resubmissions

03/08/2024, 05:17

240803-fyp9asygqc 7

03/08/2024, 05:15

240803-fxj1wsygmh 6

03/08/2024, 05:12

240803-fv63msygka 6

Analysis

max time kernel
150s
max time network
138s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03/08/2024, 05:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ.exe
Size

16KB
MD5

1d5ad9c8d3fee874d0feb8bfac220a11
SHA1

ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256

3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512

c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
SSDEEP

192:M2WgyvSW8gRc6olcIEiwqZKBkDFR43xWTM3LHf26gFrcx3sNq:JWgnSmFlcIqq3agmLH+6gF23sN

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wordpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 6 IoCs

evasion

pid	Process
5112	taskkill.exe
4428	taskkill.exe
4616	taskkill.exe
2684	taskkill.exe
3588	taskkill.exe
1344	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies data under HKEY_USERS 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qbbbsumjrvleeo\DeviceId = "<Data LastUpdatedTime=\"1722662347\"><User username=\"02QBBBSUMJRVLEEO\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02hejtapvaevysud\AppIdList	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02tumljrrlzseryo\DeviceId = "<Data><User username=\"02TUMLJRRLZSERYO\"/></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02tumljrrlzseryo\DeviceId = "<Data><User username=\"02TUMLJRRLZSERYO\"><HardwareInfo BoundTime=\"1722662354\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hejtapvaevysud\Response Saturday, August 03, 2024 05:19:12 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAbGzS/r69LkyAKo2mRWxVZAAAAAACAAAAAAAQZgAAAAEAACAAAAADzeMCPfwg5occhSr5ixE95dIQ1a+owsN+Hli2nC1L+QAAAAAOgAAAAAIAACAAAAAtnbz1NPowF1y49EuoFfPJDrxqUIfJvObcE97sa7sVQ4AHAADnwqnUMN8O5qfRkIGPJDGbLI5Ownm7weUGR+NeiDtQ/FsYu64Z+mxIAcFzetVX2pOnlVasfA547O72wNUks/GlVz1hsPVZa4HTf6BYJHXCsWpAyvfHuKO2Y3hazwNIjpy/xUkCEmxXmSQjLMxISrlVLtKJZf46A/miCj4V6gYLDZg9DNg7NmB039ztbk82j/raG21WmxHQfTfKurTW7j2grmDV7uk6vfxJ2knItqsjp5MwQ/kSfmJAQ8k42lquBU3ML8Z5YmxbJ6HZbnR16RalJ0O2oBcnNp5gFGr4n2ss67qnsp2ozvhvlFgiX7ivzWFq7PbIa3kL0xhdR3MoLiqYMAeA+OpG9gw9p+1zwc1pvqVHFH8XwZAAThiSFQjJcuMJa6KvdMG16qdThohGFvudI2XOTMUtySyruUVrS9IzTZq6w8oPU3Ov756DJimiBFFWWNuWWxIJGacTjIOFwYh1BgHED2tPBToxjhFB498EgQ7P4AkOzQDq9t9L5MkMawVTkiHmRBO3ldIu7nuDDI6gT+ccpIAiGfSjBmGWxK5nhe0EHsGasNMfls+C3PovFWO5fV+x7UAODE9OTDexH5su/jk7KgDGzRt7RSS6qmTom8E8cm2UkgACEABI9+N53QWFKh8Wf9cFic4Wwce/MWCcSXxail4aItJT/Qb4E+2+oZDjL1VRGB994oybR6eadRp1YqH+GYYuVqhg3kbOcZApGtovyyZYuTaDC1FqBU2QFu5spsNUQ6p2+CBTES4FwnxJ910rraeYcBIqJIkTcuYPnajLYhX4lUxilPpjDDdonG7Ct4drNjv0cFMFtMbi+DvTrkckBFfZ0kPfkVehkErA4k74JrKKr0hTMmZVX9HlZ530lzn6axYcpFkb0XhkusvJRrHMSsG467r39QjUw56dTem1+o+zFSBuZgDTiQKve0v+NJLKW3Cmn0DWV0ACNL46XGjnZS0vKstmQTsaPgSz1LQfic5Wn3jevIvbK/wXs1ImHr+OWtkYhLwo0YsINPdVnHj2uwL3mPaPJJ2rcxy8rApD+gCyoYfKMhT5LnIHoYouGRPA31H9IygiP+Zw2kn8NUX7kCxGkPEUxdsDZRzZEl4nCSGF5yWrPnk4TO45WF30F9lLKCpNf7KsGzxe8K07xCcdydz4bZIGWtw28M9/ZsFss7JLHA8A9SsJWTAzK8hR/pkaXS9tQzGHe11PT1YJFFQAwTeZlb7cBArN+YSMwdiLbuhCBz4QBjQ0hjxRFR8pNboeJBYRVyh3FM9cb5Cd4oenF0Wm86ImvjU8MD9Z5PvfBIgxjypFNOFXafq8RJhuBct1eQEtAQd9ywbpnygnwKEVbzlQ+9i3hX2bRKy7u/HoZzeDbZaRM1AAxVXeUquF7BHq9G9AUV6Fg0Qis2C3eiXRviBV0ly0Uv72sMSTk0NW3eTCq4aZq7VyBnyurxW3glG8Syuqanahlhnv2pVWm8PJylPNs0XeSZMZYox6YUxKASXXTwPx6OBAoO8cvx8fJvh2nqMnMB/ofy+nWc33voKxxW2y2arX/XNyupbPUSBu/oBpOWtQuVj0xiO4s16p1V8YD82O/S7xLrMxJFCuk+6HHgw17Dw6BmojgaOcc2+mey0i3e9u0h97ij6NCSaVvRstvSkLhtQg25867f1OuOzJrmuyeHTmYTfsPCdmr/7BXHIsFCQSmNlcC8iMPhgBCJwm2q7xYQaGZTIoYhJzsD4bfJII5kaU6jnOJ2VjsRTRimxzMOlUJlxobcBAkANC8IMHLDsxH7s2XHd4EkV1ort64wENb2msbC8FDPLjCjYo0MC8ckTOwfXvBMQh8h+otQgGsg0necA8djRPwLp05VkkcirztxrSnKXuO8sA9KVgBQNgBuFMU4ldSCo1cSLfG92dVL5/ffmmiJlCC/scShkHC8oLJCBfVktYADaxc13oWLYNT8I8t5VsNy6CDTEyHHscyGvqjio2Qg8MbTLo4wL4PggkX2ovBOxbYlonumcp31VGAgrwd4wWn1mHyfcCx6VO90mAURPmU/fjiOtl0/EZIaO7dVD8u/+16y+0eNO/icnhH6+aNBd+sDf2rvG1MUE1Z2PsXp8pe/ctZwr+byobl7x+GJX3J5NJ73uOv2mNMPcvxaozjaGoRfJjj9qz+9qq1k0gsuWfk+OcIGCqP6V6M9Tiympm0M1GaBXtcTtB5AisUt+a6BYc9ElXKLARkS89Bwsek7R8A34IRrQiICD+GE2rVeFbYL4R7q5J7KQKW1pIQUNIPLzQw9rZFtdCF/ml57mCQlkNGec2v4mwBwhLiivh9NuvNtYjij9h+EHvJDMqZYsFVcSZ9sUtxBuSWpewrh9tox64CwwLvt05L4ecPPc5pLjVr73xDizvPLIdtG2a6PQ22y8S0Y57XA7hxXKVsVG+gu6Zof6MUEf483Bx/USx85eCYT6OIvtUEyij525tKIOrqebbJJ9JT/fTj4XoeJgWpec70QiLsoaB4HmuCQHA/ToK/BesnTN7mXc0oyhjgkxlPX6yp44Ed8TJMduwYREf8woh54qsPIVAAAAARMny0OzPnD7kxdO7+U7HR28TiTZRCOATdai6AYIlo9bYqt+pSoISfuA0es5gVvmmPICE20Fp3RpkgBwDhpVhbA=="	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02hejtapvaevysud\Reason = "2147780641"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qbbbsumjrvleeo	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId = "02qbbbsumjrvleeo"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qbbbsumjrvleeo\DeviceId = "<Data LastUpdatedTime=\"1722662347\"><User username=\"02QBBBSUMJRVLEEO\"><HardwareInfo BoundTime=\"1722662352\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\"/></User></Data>\r\n"	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\DeviceLicenseUpdateFailureCount = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qbbbsumjrvleeo\DeviceId = "<Data LastUpdatedTime=\"1722662347\"><User username=\"02QBBBSUMJRVLEEO\"><HardwareInfo BoundTime=\"1722662347\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02tumljrrlzseryo\DeviceId = "<Data><User username=\"02TUMLJRRLZSERYO\"><HardwareInfo BoundTime=\"1722662353\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\ValidDeviceId = "02tumljrrlzseryo"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02earcfdmeedtjxl\AppIdList	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02tumljrrlzseryo	svchost.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02earcfdmeedtjxl\Reason = "2147750679"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\ValidDeviceId	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qbbbsumjrvleeo	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02qbbbsumjrvleeo\Provision Saturday, August 03, 2024 05:19:07 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAEfDz4AdMFUu4mM4ObAdmYAAAAAACAAAAAAAQZgAAAAEAACAAAAB1dKfl6kPKQU7ztwtdBSh/WkA+rKE8V9ZcpaPswF9UzAAAAAAOgAAAAAIAACAAAABN2KtipnyvFoJr1z6CT4H4ft9zpEq2xWLYG7EC4hOWyyAAAAD5hnvmQOh5eKNtolHQPPzWLSXZ+iCt0EkqZr3DfSVg0UAAAAA8wGWEMnsRYOn4BJ3YkClfXWYcYm5sJPb1a6hk6j3n/0mBK5njsbM71l6H03K3USSSZMkq96xz4hw2ecadFS9w"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hejtapvaevysud\Request Saturday, August 03, 2024 05:19:12 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAbGzS/r69LkyAKo2mRWxVZAAAAAACAAAAAAAQZgAAAAEAACAAAAC7oOI8Sye71Ufw11Erm6Nsz5HWFzHUIts8qoRfqB8lqAAAAAAOgAAAAAIAACAAAAD66fRjMBF5glcytZ1wKUQZWDeITpP7dzMa94hzbR+uG0ASAAAtOSawc2TKhB2Q8hWbn9m9ZKJArV7ZyychFfiGm8ce8TH9OFQx8oqbcrPYHb/R6mREUHjgfSIcJRZbOdJt15fWslJoPKH2AUxG01vSQPlwU92sGi3cm24I7S3Vg0QF0DXdXY3ITtaeqDS0/mWXsCB0woKkRdt95WYqnHyWLsArZJi9hXdq8goJhL1ZUXrpAgdzuPMdHGXbNvvi0hVYJau6DjoRzEZ/Q5qdTdOEzCa1V32QLCC90o/ipUDvCQ27k0Am1xv1cqP4DhijYgvbmrtbHCgjrN89zv9Eu/ppKTSlg4kVRf5IUpkeDJpGZ3pwsUnzIr/xyhb6M7axBrefXJrxGYkCEhglyEnidmsJ9p/nfCskmcyuQr7TwTFEIhMceLYMgft2IwfJ631UaYql0QO0MIzWv4gLrx6Z2VHbfKGs13aiIyqnVP0xFXJSTrx0ZAh2pQO5uKyn3fR2whd3qbwyqJPM55jV7iJINiKd8F5FmUN6eJUF8787AuiuOqIk4FTdHv3VgmaMKyB/KaaDHv5Vh2CBujkgr8xoe3xsgTn8Qd0Re4bwT2oZCqO0SakAN16DBA9o1LHGAAsRgSnwysh5ZQmpBiW2ERCMVYrCnw42TBSfRCysXtAXxqrdpNgGYo6Mmh1H03I9lFPwUW5FcGTmdRNqlB3rX34TcRhVEpUPKK6Nb23YAmZ19mLsM7+rk74KZQEi8jQK9Ho6pCsHGBpFVL4YEDAqA1JcksNZ0TVnFHvoQ3gSe8zhUIm1xvUQnaNJIn50wqQW2IdUCvQ0FxKWAAr2p2hGKspZKzx2fWDmJ+9B0wKh1pYMaLrPJIZxWuRiIg9W0GG7jVhPeQAyohNS8h3N52WPLN9SKdjeyvUvRO42OJx7eigWijrY1sctMZS8rjNwZWWlZGxYhTyH6qnjDfGI0CBmDuNpjIVuvG1fSJLLgP3VjlaglcnQM/i44ug8q3dzZR8Rdh0qhAc9DiIcHMR2Cpn2UypSxLbUexcfHE83px38JY9RFEJ5gQ2QfLCAXt9d0I/JSkPtsaoLbfI/INtuX35CNLJqsyfj4+aImpZ047rDhaEAfAzQ3gn5dnu/3U49xaSf5m0pZKoae2FiidiaUbeQgfleofuAZZBn+2MKufhK81M0xsFAm5KRNimrMuEfd3jCnj8cstDkjSPCY21jGpr/8ozFnxRcTUA6XeeK3s5pfNNjz5suwqQivgOr77a1SuVt9u8aXJOy69r9LvbsiRqNuGm1SUL7wmtoLntrK25q+RMtIe/+UxWE8NCs90BT65FUQRC8O4lYPMGN6c3F4012Vz/h+FYct80OQdkz0ICWMzwrbNwHDG+eNkVgMRNz49jrPQQ94/hvueVjyijbaOqdxp8n0B3Bw18nQkCs5FZm9h3dM/Rob2Ua/KeeC7uVZOaor97zDsqzXVmtTE5VOxyFJOYc0RVpGayO9OJ5JecqzkOHIvEG6eBAbf9CjvO+RjkWTeaMWy42xvZkkv3Tm8pjyBTtVdcC+f1VaCYN6c56E6tKHaU0+fkdEPhg8zulLBpM6y5/9uQNU+iD+K+DXFK1B/qdETX+FkDdDtRLLHyMQzy8ttqKqj+rNuDF5ozRq9G7kOprdfYJ6jd4pbSwYMR5GFADytU2ssdyFRKcMFV66CJSlocTTmngv/RG0/qii6iySCbXqmDHS5iQ0Jdxjc9F4W5QXqM0fc+7O83zACmq9k+vY/7RjDo8D9/FyxUzdYedMK7g6g3ppk5igSFp9Y1lPt67ouUR2mqeLg0i7MSTN3CMANl0yDvNjqPRMVBKY9QCeNVhzXTsYxEC3rq2nsPfDn6TC0fQGwDFBQF+dHY5KD1VPEoBXD2+2nwNQ1n09cCtqkNBtJkHPJaeMY1YAxefxl4ivy9T0wephFIIG1dJK49LCgbgpmBMtiakZ+RFlweM/ZjpQSUf9F2ITW8w/Hya2Y7o74wJ8T1WfQUNUi3UqAl/ZzHUOwOkqvKUhaHVgCMHirI2qzC5JfLIKpAXZwZAYtFW1Ebo+aRXz5FatbqznMjriN8H50T248RwwC9Q1nMWdrkFi12y4/Qb9PtdV7/vsG9HZCRyRUa7KO+ESENC2Mve01R/t7vOHROM05zTQgbDZ44Zh5hRPeBCROMRmSj+gb6kczaXKE6iWn70yhXIeIb6ibgP5jw7incavnDbHrXZiTKRf2C5p7jo6o+zSMpOe3rDkZBslqUFx9maG86iD/NgAEMyI+m9HsQEh5cUph1g4Yc7m8XHwcqSaVp0DLqev/WypGgs8NH5Jxeb99z2Apr6WZdyeKrT6X/sjOxm3Ca6sEGcRrsS2qOUnre+xGeIWV2G45xSGthd0B21CZg1PAqxNj+UkVyv3LC2SVIJFHDF2zG/PzoNxOnwO+KR3SvGXu5V4foVaToUgnjcHAiFTZdZxkDu7lj2K/Y2CrIOTuUWNTfLNaEPZxcuHnRZyHn2kuuVxfV1pPfJSmrQ/6samBHTlH7+W6ty9V/HAEc8Tv0w3ptd5D6pkV//pC+8YEhIvyAYkv9pAxXXt2Z/oy9QebuQB+7Vs9rcZvZP7xKQtrMWHwdRUuJmafKvOFKnufFM4lHDdLMckoFSOqU+El3IoM9eCtms4Yguv8ILdpBtx/dFzNOpvUbwfQH3Frn6n+N1+NXuQo8jAYLi0REhxd2N6+mC3XSIfUuCkPnC+sovtZWTMJqt8TYhjx3GOAUQwMq2COpv87XLrGLc9sveoyUoJXDpMPxiyNfRORd658DKY5Y07bTE5AL59lNJOfbwJ1kU7C8zpIclpcpq/uU22QR0Zcar+Wq75KD716Ph9Kc2HKbBwr/uqD3yMAlq+XFLhec3mShC/00JKtz8oRuFTbZSpB8BrNHqRXfpGalGUo+VWvFOrKMukBQE/L84Hed7xWF5Dvrzvg1U4LuiOxnLVPZpdVUS/H7hS55XTwch2RYRo+c9ld9157iThUR9MYKf9/GaUimonV8eGArZLK9alD4+QBnxsuPMGxQBOh22OgVp1yVHJTQwqK0AbN7J5L4fMuZF4ANv7PMGTynI1/qCofM0oxBz7jZwUzhF10kUJsFQyGNYzZQYe6Kb0mox2ZTw814gOh3L71I2K4DDs4zUYbafD5TtwPEje1b1I+TbSwyzy36UdOsiH5gJImAswZMsIIWGQQ27hkVSkdEGzaoitWb7TbSDY2y4gJHCdQsU1CsIamcY2XPsVy4kCN/Gu4dLOzUAIxU9hOoMNyrUdYk0R3Vyu0OBfI98fzrsv+xMNT9hrTRxamRa+7N0Sc+AKPmNIHdKSETmdKOtjkXfaX2VrJmdqwRZeEQ32wO8tHMrGretVVfjrTbW9ZxtAX/iMfRRrQ/OTHcDprGZ6WdvM9peHS39cN00cuX4Ce+SKuTWerEKUIJJjuaD8ei6WRNWE4OQuk3BcixD7ecO+JPrxazcXOaSDQlra7d+Fhsa8hbzXw7lAeerk7fO5MziAHQzJnGiiCysXlES1/q2yitU4NioM64uaVOvB/Q5N+WwIBLv2PiB8E7wsLb+lN+JWqJh++RQXc+BdtFZm2amptk7cSXeUqSjvIF/TELVF+9mt+tKEozEPj3tuw/9bxEUB6BIA7q2GNC8/dB1FS3GEZFXP84LPV2qkmjYojYqy8Mr+e9sWKEPj+BjuKNH1ZCWnPyfK3XwcgnRzxE/m1blnKVbtujBsAAILB3IR1BJGmMutSZhv/hFhizoG4TKPsUjGjSuhpKLoEqsUQlH7EqqxFY350+x6bexIDHsd8gMX9eyWXbOnNw/9n45gO02IsCe4/vFySnc7Vaf5Z2yLYDoseZVcI6bsi+TT44JdNFODnAOBy7EQGAxE4t65d/ZjREL8Tk+Sl678S4T7TZsaW9xYx45p9Uwyaxe1dXE3lykhVMdI3Ow+npxpU4mEmzOfqDb4iPmpQLdWMvSUiseD9Jp7meoxF9fAgQ9/cg1QK0gNQHfXgvF7d+/mpgNAkdlogyDDowPhAXQoDQIm3nZ1DUsj0Ty19dUKITbjdOBh5XOBcyEGaQnPD2lVfXWDa4N4E5/T+62XyItUaAcGtln6yrSPtbVuG5Rk/CzGTPHHYeZB4zQg8f0NAzCVFuQEwT/snlozx8tVx6YAN4GuOJjqpFIh03OTP2IJltcfUULVm3DYfn8MQDJvpekvWaqDoMmd82DKKS6o4AFB3bDIdn2SSfeGxKOFKWEEl6YdyLUYmGuJTEreYOIouYm3v92APqW8IqFDRnbt6a78ph06B02wmyymBaN3bjeEPPcA5KqzbM5Vm12US1SJRUk+y+yzV/0bY0FJnlcHgyzqSAkXfGJRO/PtLEkMorABx6fQlIFfJ6EkfSHUespWmnlZqdf+bq/8jL3EoDWG0HIrbdpOXZHfuTYhIds0CvqU3jDaTKh7tnkyAdrjOWcjatxcw5/Gn6a7bq4TxlKe6Sk8wCdW57gbovimDFJuPlJMr1To62smcJg06QhFMHNX0I1TMd3X1XfkxtvP/CovH7VtyCAtWovhKs8rl0WFPQ41Q88616mfnCCCbiRIgR5filsaGxi/mPJBYtqk7wLn61IzYLqj5RH/TX9JUuTL49HCc+K5xl/22Zu+M9pwM2MX6nXJqj/Bt/ELdlfvxNAjMWuWCvVdF5na8enE7sQKWf/qWGiFw64iATy6w4PYFuiTYRfDB5pAPQjl0i6eRK6dV3Xe0BPXhaNj/bPRqLz4YlXDFWKTRL4RiPofkxOp90bDcBr9OlHMnaYHSuT3vV6lJAuovuahwbh9DeoJid0P04ssIDLoSa4n4UyXOY4/VWqXckjtUwnYH40wXTXjI86OmK6vRf4BN3eHUDNqCukpx3DAvvhXQ8e0ShS6RGZnhZLlfvHGBlIhPBnB22HQOfKCc4PbsOnTK1vd3hqg7W2Ki/Sr3Je7iuYVjEDoUG29KkWxil9tbkXrXHEzjAKaWXusVLZ2E9KdrAIgZzT+leRnx1Oa3BpdH0sFiIzBUM1l7yVN6deNzdBiNFIyEVXBn7XwTuzvRN4sJaUKAM+4RyA7oRcKKsOyFVhmrQKK2GTLbU0eeav0VYbj6/bnCHfyNemN3Oi+wwTM8d+MS2QwBBGO95+Gpi2k6gFcUIcqkiRYzKnjbZzz3Sxv2edufZXiM7EmSKBDnJOaTUB1ivZXMdoJ7ZreU1LBkWSOT9rPovUvhCYwpCIUp+Onq4MINUv2RGqlHwdk8yW0nQBp/jp7SkJIcr1zyz/RZA2Vcjv56IvyZnJejEXDSkJ7d7J8N0nGh5XVC5vBuBSe0dWWUaTU3Zp3XxCA3ET0nCKKsC3LL5paY1D6LS5ift3wOuYfWm4mWgcr0BHMhut3iKYrc0MRkCGBtCaamQN4A5UrUF216jWITUKURk3RAvKsOZvjmbvWDvIGTY+bCHN2emxUcYlK/kh0JQEyzYtVuvZ2KEB/B78eEKd5ypyNl2GlCaWpm19NaHx2bbXpkdwyu00JFq1Tqn+GDqrRGZI2G7KBtdLdoVkW169+NWMd5Suf/ls+k573E1NTtGLykhjpMFEZiMSrKM4pTvMfJUYWMrMrgrgIGHG3j6VlMRV1MfR6XCNBYxAN28SU0omeHRBntpM1OTRDDId5rOOKWNFu65XHBLR6LVad2PgZOyHJHtYz7EvbeNVgKbM8Ux6lniVqlXATuB2kVZ5NZAJ9UgyzkQy3gb8ssbU0ejK5L8UigzEQmNLZynbwP/6cIXXLvSxfsi2DPqbXYD/pfLgjXaG26bGxq4H4Kj+F22I9jGa9+HZ2DKYNepB1MdBwgRzJBjInK2pj0eI4vC8GJDUajcr3aBklAifQr4LDIHT7fB3vtHwXw2OpehivAbZKAF66INi+p4Xwnpzu+nDebGue3CLn87aOpfgGwr0MDSJDqd4t7d62xo1556j7rsMbzEn+TEQ3wTBw/OQbEepWJSg+LbUBY7hvLhbA5g2uYvtZ5PhpEPIm/4jnfLSMViM4F2RLY9X8KvxdREwxUmOWxP2m7GWBx69hCL+e4Wk7dW/zCZXC4nnSPqgBGwRb5ThchVkDj54Xqa01ddUmT5z56zd4umG0Yt3IxzZDhXBkseA0zGS7PSuGBt7GlD14cbgwd9T8/5GC2UFhZeZarqJutGZhxknbsGv6dpAax5CIm+aQ2wJnyjyNRjAX74kugfWbIJJd4z7lMIcueX4QdkUZn9ofaMKosMF6MUEHXQ/iR5M7eG9OQ9iM6UM0/Lf+Pn9QAAAAJcWqlehjZD0+Qs8FkFkgtaz6jTpMAv6pG7jaxpvEBaAE84AphHB5ZEeHdr/jn86BZTZ2WkBGsca3MPzpwEUqq4="	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02tumljrrlzseryo\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-21-873560699-1074803302-2326074425-1000\02tumljrrlzseryo\DeviceId = "<Data><User username=\"02TUMLJRRLZSERYO\"><HardwareInfo BoundTime=\"1722662352\" TpmKeyStateClient=\"0\" TpmKeyStateServer=\"0\"/></User></Data>\r\n"	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qbbbsumjrvleeo\AppIdList = "{AFDA72BF-3409-413A-B54E-2AB8D66A7826};"	svchost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\S-1-5-18\02qbbbsumjrvleeo\DeviceId = "<Data LastUpdatedTime=\"1722662347\"><User username=\"02QBBBSUMJRVLEEO\"><HardwareInfo BoundTime=\"1722662351\" TpmKeyStateClient=\"1\" TpmKeyStateServer=\"3\" LicenseKeySequence=\"1\"/></User></Data>\r\n"	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\IdentityCRL\DeviceIdentities\production\Logs\02hejtapvaevysud	svchost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 7033323cf7f1da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.google.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\google.com\Total = "25"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy\ClearBrowsingHistoryOnStart = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\google.com	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Privacy	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = d28b76a864e5da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "428824376"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.google.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "429427241"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4124	WINWORD.EXE
4124	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4200	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
5064	MEMZ.exe
5064	MEMZ.exe
5064	MEMZ.exe
4924	MEMZ.exe
5064	MEMZ.exe
4924	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
4744	MEMZ.exe
4744	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
4924	MEMZ.exe
4924	MEMZ.exe
5064	MEMZ.exe
5064	MEMZ.exe
5064	MEMZ.exe
4924	MEMZ.exe
4924	MEMZ.exe
5064	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
4744	MEMZ.exe
4744	MEMZ.exe
4744	MEMZ.exe
2996	MEMZ.exe
4744	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
4200	MEMZ.exe
5064	MEMZ.exe
5064	MEMZ.exe
4924	MEMZ.exe
4924	MEMZ.exe
5064	MEMZ.exe
4924	MEMZ.exe
5064	MEMZ.exe
4924	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
4744	MEMZ.exe
4744	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
2996	MEMZ.exe
4200	MEMZ.exe
4924	MEMZ.exe
4924	MEMZ.exe
5064	MEMZ.exe
5064	MEMZ.exe
4924	MEMZ.exe
4924	MEMZ.exe

Suspicious behavior: MapViewOfSection 12 IoCs

pid	Process
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	4384	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4384	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4384	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4384	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2824	MicrosoftEdge.exe
Token: SeDebugPrivilege	2824	MicrosoftEdge.exe
Token: 33	6240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6240	AUDIODG.EXE

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2824	MicrosoftEdge.exe
1308	MicrosoftEdgeCP.exe
4384	MicrosoftEdgeCP.exe
1308	MicrosoftEdgeCP.exe
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
4124	WINWORD.EXE
6328	wordpad.exe
6328	wordpad.exe
6328	wordpad.exe
6328	wordpad.exe
6328	wordpad.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2996	5068	MEMZ.exe	74
PID 5068 wrote to memory of 2996	5068	MEMZ.exe	74
PID 5068 wrote to memory of 2996	5068	MEMZ.exe	74
PID 5068 wrote to memory of 4200	5068	MEMZ.exe	75
PID 5068 wrote to memory of 4200	5068	MEMZ.exe	75
PID 5068 wrote to memory of 4200	5068	MEMZ.exe	75
PID 5068 wrote to memory of 5064	5068	MEMZ.exe	76
PID 5068 wrote to memory of 5064	5068	MEMZ.exe	76
PID 5068 wrote to memory of 5064	5068	MEMZ.exe	76
PID 5068 wrote to memory of 4744	5068	MEMZ.exe	77
PID 5068 wrote to memory of 4744	5068	MEMZ.exe	77
PID 5068 wrote to memory of 4744	5068	MEMZ.exe	77
PID 5068 wrote to memory of 4924	5068	MEMZ.exe	78
PID 5068 wrote to memory of 4924	5068	MEMZ.exe	78
PID 5068 wrote to memory of 4924	5068	MEMZ.exe	78
PID 5068 wrote to memory of 1364	5068	MEMZ.exe	79
PID 5068 wrote to memory of 1364	5068	MEMZ.exe	79
PID 5068 wrote to memory of 1364	5068	MEMZ.exe	79
PID 1364 wrote to memory of 4980	1364	MEMZ.exe	81
PID 1364 wrote to memory of 4980	1364	MEMZ.exe	81
PID 1364 wrote to memory of 4980	1364	MEMZ.exe	81
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 1308 wrote to memory of 4240	1308	MicrosoftEdgeCP.exe	90
PID 4604 wrote to memory of 5112	4604	cmd.exe	91
PID 4604 wrote to memory of 5112	4604	cmd.exe	91
PID 4604 wrote to memory of 4428	4604	cmd.exe	92
PID 4604 wrote to memory of 4428	4604	cmd.exe	92
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 1308 wrote to memory of 504	1308	MicrosoftEdgeCP.exe	93
PID 4604 wrote to memory of 4616	4604	cmd.exe	94
PID 4604 wrote to memory of 4616	4604	cmd.exe	94
PID 4604 wrote to memory of 2684	4604	cmd.exe	96
PID 4604 wrote to memory of 2684	4604	cmd.exe	96
PID 4604 wrote to memory of 3588	4604	cmd.exe	97
PID 4604 wrote to memory of 3588	4604	cmd.exe	97
PID 1364 wrote to memory of 5100	1364	MEMZ.exe	98
PID 1364 wrote to memory of 5100	1364	MEMZ.exe	98
PID 1364 wrote to memory of 5100	1364	MEMZ.exe	98
PID 4604 wrote to memory of 1344	4604	cmd.exe	100
PID 4604 wrote to memory of 1344	4604	cmd.exe	100
PID 1308 wrote to memory of 5944	1308	MicrosoftEdgeCP.exe	106
PID 1308 wrote to memory of 5944	1308	MicrosoftEdgeCP.exe	106
PID 1308 wrote to memory of 5944	1308	MicrosoftEdgeCP.exe	106
PID 1308 wrote to memory of 5944	1308	MicrosoftEdgeCP.exe	106
PID 1308 wrote to memory of 5944	1308	MicrosoftEdgeCP.exe	106

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2996
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4744
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
  2⤵
  - Checks computer location settings
  - Writes to the Master Boot Record (MBR)
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4980
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\System32\explorer.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5100
- - C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
    "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6328
  - - C:\Windows\splwow64.exe
      C:\Windows\splwow64.exe 12288
      4⤵
      PID:6376

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Windows\system32\taskkill.exe
  taskkill /f /in memez.exe /t
  2⤵
  - Kills process with taskkill
  PID:5112
- C:\Windows\system32\taskkill.exe
  taskkill /f /in memez.exe
  2⤵
  - Kills process with taskkill
  PID:4428
- C:\Windows\system32\taskkill.exe
  taskkill /f memez.exe
  2⤵
  - Kills process with taskkill
  PID:4616
- C:\Windows\system32\taskkill.exe
  taskkill memez.exe
  2⤵
  - Kills process with taskkill
  PID:2684
- C:\Windows\system32\taskkill.exe
  taskkill
  2⤵
  - Kills process with taskkill
  PID:3588
- C:\Windows\system32\taskkill.exe
  taskkill /fi memez.exe
  2⤵
  - Kills process with taskkill
  PID:1344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2824

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:1912

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4240

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:504

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4420

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Documents\Opened.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5304

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:5944

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x1e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
6738bbdd6f3d6b50c54b58e95861fd78

SHA1
cb4b3169ba419ee7fd592c975359d1a83f33bd4e

SHA256
5f7c4f1f6c7bb879cbe67a470193211105b34f2503516af850a702df118aff3d

SHA512
3eb81c1868c1e997a72ebc43b0363b5ce8e16a72146c4b4011bee666a256034b45b68623253de9965e920c64ddb7fd2e8a8da6ab2f12b90c81a59246abbe055e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d74bc5c66fabc4af73e33ec5d31ff051

SHA1
75793e46b037ae5dd483f533b1e8f5795be5351a

SHA256
89c44e01acda57ad7bd458df06df515d0bc19bf1fd830f693b9a523393ed50e5

SHA512
6235f9ea37767957efc5fe1f883e5583a247736b671387646ca415e507efd92e0fbe572c57f4a5484f94bdb1069831a50c52e441a7030e82bb2127bd1b8a9dfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1E18XCS6\recaptcha__en[1].js

Filesize
531KB

MD5
1d96c92a257d170cba9e96057042088e

SHA1
70c323e5d1fc37d0839b3643c0b3825b1fc554f1

SHA256
e96a5e1e04ee3d7ffd8118f853ec2c0bcbf73b571cfa1c710238557baf5dd896

SHA512
a0fe722f29a7794398b315d9b6bec9e19fc478d54f53a2c14dd0d02e6071d6024d55e62bc7cf8543f2267fb96c352917ef4a2fdc5286f7997c8a5dc97519ee99

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2D749XUF\styles__ltr[1].css

Filesize
55KB

MD5
4adccf70587477c74e2fcd636e4ec895

SHA1
af63034901c98e2d93faa7737f9c8f52e302d88b

SHA256
0e04cd9eec042868e190cbdabf2f8f0c7172dcc54ab87eb616eca14258307b4d

SHA512
d3f071c0a0aa7f2d3b8e584c67d4a1adf1a9a99595cffc204bf43b99f5b19c4b98cec8b31e65a46c01509fc7af8787bd7839299a683d028e388fdc4ded678cb3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4PVGC4I5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\6QIPW3VW\b80692[1].ico

Filesize
1KB

MD5
ac0cd867e03ed914827807d4715bdfe7

SHA1
4051a8c23756c10d9cc00fcde6f7215c780fdf6f

SHA256
b50546da121186fbffd2aec430249cb21c7c2e2c85e561a393a9df9abfc4477c

SHA512
fa11d1d76c39719c218b4ffa34de8dd44d398bdcbb236a666f0be6eeee96bcbe4da9ac65a89441ad284c0de21788c135dc4fd21f6f82c7039f00c8a7c705c8e2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\HB8HUMO3\favicon[1].ico

Filesize
5KB

MD5
f3418a443e7d841097c714d69ec4bcb8

SHA1
49263695f6b0cdd72f45cf1b775e660fdc36c606

SHA256
6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770

SHA512
82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF42B19300DD70489A.TMP

Filesize
16KB

MD5
45f280e4eecb3814e9e8915e191d2f6b

SHA1
33ae522487f06ee3edbb1828102ba09828f92151

SHA256
b154949922f8fbb939c71d1fbae8ff553dfd80212ff453b694ba81b71d406569

SHA512
166d04e362e46f459f3cb1b2d2468842b85a259ecd206dbb69174241bf407f57efd56155d6f4c1e20d46c0632c37e16b2110b6efca6b0858254192e11b50e72b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1E18XCS6\KFOlCnqEu92Fr1MmEU9fBxc4EsA[1].woff2

Filesize
7KB

MD5
207d2af0a0d9716e1f61cadf347accc5

SHA1
0f64b5a6cc91c575cb77289e6386d8f872a594ca

SHA256
416d72c8cee51c1d6c6a1cab525b2e3b4144f2f457026669ddad34b70dabd485

SHA512
da8b03ee3029126b0c7c001d7ef2a7ff8e6078b2df2ec38973864a9c0fd8deb5ecef021c12a56a24a3fd84f38f4d14ea995df127dc34f0b7eec8e6e3fc8d1bbd

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1E18XCS6\KFOlCnqEu92Fr1MmEU9fCBc4EsA[1].woff2

Filesize
1KB

MD5
52e881a8e8286f6b6a0f98d5f675bb93

SHA1
9c9c4bc1444500b298dfea00d7d2de9ab459a1ad

SHA256
5e5321bb08de884e4ad6585b8233a7477fa590c012e303ea6f0af616a6e93ffb

SHA512
45c07a5e511948c328f327e2ef4c3787ac0173c72c51a7e43e3efd3e47dd332539af15f3972ef1cc023972940f839fffe151aefaa04f499ae1faceaab6f1014f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1E18XCS6\KFOlCnqEu92Fr1MmEU9fCRc4EsA[1].woff2

Filesize
14KB

MD5
79c7e3f902d990d3b5e74e43feb5f623

SHA1
44aae0f53f6fc0f1730acbfdf4159684911b8626

SHA256
2236e56f735d25696957657f099459d73303b9501cc39bbd059c20849c5bedff

SHA512
3a25882c7f3f90a7aa89ecab74a4be2fddfb304f65627b590340be44807c5c5e3826df63808c7cd06daa3420a94090249321a1e035b1cd223a15010c510518df

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1E18XCS6\KFOlCnqEu92Fr1MmEU9fCxc4EsA[1].woff2

Filesize
5KB

MD5
6bef514048228359f2f8f5e0235f8599

SHA1
318cb182661d72332dc8a8316d2e6df0332756c4

SHA256
135d563a494b1f8e6196278b7f597258a563f1438f5953c6fbef106070f66ec8

SHA512
23fb4605a90c7616117fab85fcd88c23b35d22177d441d01ce6270a9e95061121e0f7783db275ad7b020feaba02bbbc0f77803ca9fb843df6f1b2b7377288773

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1E18XCS6\KFOlCnqEu92Fr1MmYUtfCxc4EsA[1].woff2

Filesize
4KB

MD5
133b0f334c0eb9dbf32c90e098fab6bd

SHA1
398f8fd3a668ef0b16435b01ad0c6122e3784968

SHA256
6581d0d008bc695e0f6beffbd7d51abb4d063ef5dedc16feb09aa92ea20c5c00

SHA512
2a5a0956ecc8680e4e9ef73ec05bc376a1cc49ddb12ee76316378fe9626dccedb21530e3e031b2dae2830874cc1b6bfd6cce2d6d0dce54587ff0fc3780041ace

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\1E18XCS6\KFOmCnqEu92Fr1Mu4mxK[1].woff2

Filesize
14KB

MD5
5d4aeb4e5f5ef754e307d7ffaef688bd

SHA1
06db651cdf354c64a7383ea9c77024ef4fb4cef8

SHA256
3e253b66056519aa065b00a453bac37ac5ed8f3e6fe7b542e93a9dcdcc11d0bc

SHA512
7eb7c301df79d35a6a521fae9d3dccc0a695d3480b4d34c7d262dd0c67abec8437ed40e2920625e98aaeafba1d908dec69c3b07494ec7c29307de49e91c2ef48

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2D749XUF\KFOlCnqEu92Fr1MmEU9fABc4EsA[1].woff2

Filesize
9KB

MD5
df648143c248d3fe9ef881866e5dea56

SHA1
770cae7a298ecfe5cf5db8fe68205cdf9d535a47

SHA256
6a3f2c2a5db6e4710e44df0db3caec5eb817e53989374e9eac68057d64b7f6d2

SHA512
6ff33a884f4233e092ee11e2ad7ef34d36fb2b61418b18214c28aa8b9bf5b13ceccfa531e7039b4b7585d143ee2460563e3052364a7dc8d70b07b72ec37b0b66

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2D749XUF\KFOlCnqEu92Fr1MmYUtfCRc4EsA[1].woff2

Filesize
14KB

MD5
e904f1745726f4175e96c936525662a7

SHA1
af4e9ee282fea95be6261fc35b2accaed24f6058

SHA256
65c7b85c92158adb2d71bebe0d6dfb31ab34de5e7d82134fe1aa4eba589fc296

SHA512
7a279d41c8f60806c2253cba5b399be7add861bd15bf0ac4fa7c96fa1eee6557bf1ebd684e909086d9292739f27fa18947af5c98f4920fe00da3acf209c6260a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2D749XUF\KFOlCnqEu92Fr1MmYUtfChc4EsA[1].woff2

Filesize
11KB

MD5
29542ac824c94a70cb8abdeef41cd871

SHA1
df5010dad18d6c8c0ad66f6ff317729d2c0090ba

SHA256
63ef838f895e018722b60f6e7e1d196ff3d90014c70465703fc58e708e83af64

SHA512
52f91e02b82f9f27d334704b62a78e746c80023ee8882b96cb24cb4043f9a256f395d24830b1f4513bd7597f8c564af20db9c715ab014eb2ab752fd697156591

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2D749XUF\KFOmCnqEu92Fr1Mu4WxKOzY[1].woff2

Filesize
7KB

MD5
7aa7eb76a9f66f0223c8197752bb6bc5

SHA1
ac56d5def920433c7850ddbbdd99d218d25afd2b

SHA256
9ca415df2c57b1f26947351c66ccfaf99d2f8f01b4b8de019a3ae6f3a9c780c7

SHA512
e9a513741cb90305fbe08cfd9f7416f192291c261a7843876293e04a874ab9b914c3a4d2ed771a9d6484df1c365308c9e4c35cd978b183acf5de6b96ac14480d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\2D749XUF\KFOmCnqEu92Fr1Mu7mxKOzY[1].woff2

Filesize
1KB

MD5
57993e705ff6f15e722f5f90de8836f8

SHA1
3fecc33bac640b63272c9a8dffd3df12f996730b

SHA256
836f58544471e0fb0699cb9ddd0fd0138877733a98b4e029fca1c996d4fb038d

SHA512
31f92fb495a1a20ab5131493ab8a74449aabf5221e2901915f2cc917a0878bb5a3cbc29ab12324ffe2f0bc7562a142158268c3f07c7dca3e02a22a9ade41721e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\43WNFCYV\8AXZAK1i6BpqK69J99oN0p3RtJQ1PGMK6D_RgjsU7ps[1].js

Filesize
17KB

MD5
52eda304985090c1a4f3f1f2c51c771a

SHA1
558bfcfda8e27769903d2e1ee56da7cdbb15b76b

SHA256
f005d900ad62e81a6a2baf49f7da0dd29dd1b494353c630ae83fd1823b14ee9b

SHA512
00a1548b1d6ca865e6fd147a0ff429396f78647957f5edc09cac484971c7552676c31de0ef4d03ee05b0ac99b20682a7f1714b9a3bd9bb31a315d1ae6a2f608d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\43WNFCYV\KFOlCnqEu92Fr1MmEU9fBBc4[1].woff2

Filesize
15KB

MD5
285467176f7fe6bb6a9c6873b3dad2cc

SHA1
ea04e4ff5142ddd69307c183def721a160e0a64e

SHA256
5a8c1e7681318caa29e9f44e8a6e271f6a4067a2703e9916dfd4fe9099241db7

SHA512
5f9bb763406ea8ce978ec675bd51a0263e9547021ea71188dbd62f0212eb00c1421b750d3b94550b50425bebff5f881c41299f6a33bbfa12fb1ff18c12bc7ff1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\43WNFCYV\KFOlCnqEu92Fr1MmEU9fChc4EsA[1].woff2

Filesize
11KB

MD5
16aedbf057fbb3da342211de2d071f11

SHA1
fdee07631b40b264208caa8714faaa5b991d987b

SHA256
7566a2f09ff8534334b7a44f72a1afaba6bdbb782209be8804636ee8b963c75f

SHA512
5cd45dfb0d0ee44afd9b3ffd93c2942c2f04e359d067d4631edd67a2ee09149766294b29c75aaab7436dacc775a8ca02392c5e4cfb8d7fede19c028448507e0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\43WNFCYV\KFOlCnqEu92Fr1MmYUtfBBc4[1].woff2

Filesize
14KB

MD5
19b7a0adfdd4f808b53af7e2ce2ad4e5

SHA1
81d5d4c7b5035ad10cce63cf7100295e0c51fdda

SHA256
c912a9ce0c3122d4b2b29ad26bfe06b0390d1a5bdaa5d6128692c0befd1dfbbd

SHA512
49da16000687ac81fc4ca9e9112bdca850bb9f32e0af2fe751abc57a8e9c3382451b50998ceb9de56fc4196f1dc7ef46bba47933fc47eb4538124870b7630036

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\43WNFCYV\KFOmCnqEu92Fr1Mu5mxKOzY[1].woff2

Filesize
9KB

MD5
efe937997e08e15b056a3643e2734636

SHA1
d02decbf472a0928b054cc8e4b13684539a913db

SHA256
53f2931d978bf9b24d43b5d556ecf315a6b3f089699c5ba3a954c4dde8663361

SHA512
721c903e06f00840140ed5eec06329221a2731efc483e025043675b1f070b03a544f8eb153b63cd981494379a9e975f014b57c286596b6f988cee1aaf04a8c65

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\43WNFCYV\KFOmCnqEu92Fr1Mu72xKOzY[1].woff2

Filesize
15KB

MD5
e3836d1191745d29137bfe16e4e4a2c2

SHA1
4dc8845d97df9cb627d9e6fdd49be1ef9eb9a69c

SHA256
98eec6c6fa4dcd4825e48eff334451979afc23cd085aea2d45b04dc1259079dd

SHA512
9e9ec420cf75bf47a21e59a822e01dc89dcf97eec3cc117c54ce51923c9a6f2c462355db1bc20cdf665ef4a5b40ffcfa9c8cee05bb5e112c380038bfef29c397

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\43WNFCYV\api[1].js

Filesize
870B

MD5
aa2728d09997079c4292657aabe3e50f

SHA1
12deb1b28ea79952fb582cb6840e5e53e3d01667

SHA256
1bd9d97ca6363b413d3721647ec0cb1cf6d0639221e47c91b62ce31b63862d50

SHA512
4d758d4197335f8d703a69802180adf7d75e3cfd6446301597736875dcabdde0a15ebaa4f177a39ea22f8082e1ec3bd705b66c7563be0c5b41b59f7225d8a3d6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M7GNYNP5\KFOlCnqEu92Fr1MmYUtfABc4EsA[1].woff2

Filesize
9KB

MD5
797d1a46df56bba1126441693c5c948a

SHA1
01f372fe98b4c2b241080a279d418a3a6364416d

SHA256
c451e5cf6b04913a0bc169e20eace7dec760ba1db38cdcc343d8673bb221dd00

SHA512
99827a3fab634b2598736e338213e1041ef26108a1607be294325d90a6ba251a947fd06d8cb0a2104b26d7fe9455feb9088a79fe515be1896c994c5850705edc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M7GNYNP5\KFOlCnqEu92Fr1MmYUtfBxc4EsA[1].woff2

Filesize
7KB

MD5
585f849571ef8c8f1b9f1630d529b54d

SHA1
162c5b7190f234d5f841e7e578b68779e2bf48c2

SHA256
c6dcdefaa63792f3c29abc520c8a2c0bc6e08686ea0187c9baac3d5d329f7002

SHA512
1140c4b04c70a84f1070c27e8e4a91d02fda4fc890877900c53cfd3a1d8908b677a412757061de43bc71022dfdd14288f9db0852ef6bf4d2c1615cb45628bebc

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M7GNYNP5\KFOlCnqEu92Fr1MmYUtfCBc4EsA[1].woff2

Filesize
1KB

MD5
7cbd23921efe855138ad68835f4c5921

SHA1
78a3ae9ec08f2cf8ebb791a2331b33a03ab8cc76

SHA256
8eaae4c8680e993b273145315c76a9a278f696467c426637d4beab8cb3dc4a3d

SHA512
d8a4db91d2063273d31f77728b44557612b85f51143973caa3cfd60ab18f8c3e4b8cdaab43af843fe29441cd1d8299bf2f139a78e47bf740277b33a377377177

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M7GNYNP5\KFOmCnqEu92Fr1Mu7GxKOzY[1].woff2

Filesize
11KB

MD5
15d8ede0a816bc7a9838207747c6620c

SHA1
f6e2e75f1277c66e282553ae6a22661e51f472b8

SHA256
dbb8f45730d91bffff8307cfdf7c82e67745d84cb6063a1f3880fadfad59c57d

SHA512
39c75f8e0939275a69f8d30e7f91d7ca06af19240567fb50e441a0d2594b73b6a390d11033afb63d68c86c89f4e4bf39b3aca131b30f640d21101dc414e42c97

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M7GNYNP5\KFOmCnqEu92Fr1Mu7WxKOzY[1].woff2

Filesize
5KB

MD5
a835084624425dacc5e188c6973c1594

SHA1
1bef196929bffcabdc834c0deefda104eb7a3318

SHA256
0dfa6a82824cf2be6bb8543de6ef56b87daae5dd63f9e68c88f02697f94af740

SHA512
38f2764c76a545349e8096d4608000d9412c87cc0cb659cf0cf7d15a82333dd339025a4353b9bd8590014502abceb32ca712108a522ca60cbf1940d4e4f6b98a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M7GNYNP5\logo_48[1].png

Filesize
2KB

MD5
ef9941290c50cd3866e2ba6b793f010d

SHA1
4736508c795667dcea21f8d864233031223b7832

SHA256
1b9efb22c938500971aac2b2130a475fa23684dd69e43103894968df83145b8a

SHA512
a0c69c70117c5713caf8b12f3b6e8bbb9cdaf72768e5db9db5831a3c37541b87613c6b020dd2f9b8760064a8c7337f175e7234bfe776eee5e3588dc5662419d9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\M7GNYNP5\webworker[1].js

Filesize
102B

MD5
cfb75de5b30bf427c44f5a02e8616345

SHA1
25ced704596e89f7a2e50227129d71b0e9bd5da2

SHA256
82d3b76db4d62ac71bfd0abd0528fc3a03a8dc2ce3c65eb90ca4a3b0181122ec

SHA512
8327c6e09830f0c3526c439dbe2213bfae5de2485575ca8b74fa83fcc2d3b1f824a94ef324511c16e8aa2d35a8655da0d5792eff46b9e37ca3202db175802be4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\3GYXF35M\www.google[1].xml

Filesize
99B

MD5
b902cd0c9dbb52627a1e18e0ae522db1

SHA1
8e7bc5cc3edb6179d580a54757d7247327e9f2b0

SHA256
9274df1ddaac31f1f3b612e7e0926aac5995a78fa12985c2081ef11c176b8761

SHA512
3a9828d27112bfa2160554fe5260d4ad01c49d983835fd52730c6459fdd288ed644d29043d7c91a9bde74893afad9a8fd97e1618efc52279dbc9fc21805cdf6e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
854B

MD5
e935bc5762068caf3e24a2683b1b8a88

SHA1
82b70eb774c0756837fe8d7acbfeec05ecbf5463

SHA256
a8accfcfeb51bd73df23b91f4d89ff1a9eb7438ef5b12e8afda1a6ff1769e89d

SHA512
bed4f6f5357b37662623f1f8afed1a3ebf3810630b2206a0292052a2e754af9dcfe34ee15c289e3d797a8f33330e47c14cbefbc702f74028557ace29bf855f9e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
1KB

MD5
db56dcf3237b6abf7f9a110279dd5347

SHA1
3cf157915f7b185f9f8f0b3578fad7366ada8255

SHA256
07f7a6f0ec54900aa76dcbc75d87b5412bbceb88d62b0448c4444d90a10c0b63

SHA512
ca522a58bfd544a0863f8aacfc9a3de5dbdd6d2da50e9ece44f830b6e46704faed3ecfd8c790efbd759972c615ec943fc0339bab7fa8b65878540893c2255a3f

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\C02877841121CC45139CB51404116B25_0FE7F9E544828605E8602D3A6629EA0D

Filesize
471B

MD5
46c1f4dd839c04fc186a01d22c9b10e6

SHA1
c9714d91da36dffc206423bcb5f08515b466b754

SHA256
5d18f05bd8b186c4b6833be61a23dde618edd1eb3b69962c5b67525115271235

SHA512
1f98bec5a41b55072a0de677870dda4a341714cf3a9bb978f78c66a8c24cac25d5f65b2a036b624d06b32524c1b90d5fcbd042d2cfa9554b5230c1078f971f73

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199

Filesize
170B

MD5
49ab500a6c22f6a114c1e1e223607f11

SHA1
0412b5dfcdb283d34794397e52ed4f5fecef700e

SHA256
db18b3b3c6f5b8b58bff2f3bdb7852a1bbe3530ff94cfd78859c26a243474f83

SHA512
3d2dfa09b0ac212b7a91b51a38e9c991a5dcf2d83efac6c37d4e70553237aeb7e6fb006ab37e804be6b72cffebfb54d8aa7013ed7fef30bd10cce98f4d0b50e1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

Filesize
410B

MD5
23c6d7a048540e205f3102dbed8a4f1b

SHA1
3d03a2e0e99ccce351f6edaf127460d67dfabb9a

SHA256
7ef65470c89645786ec199f0a782590ad17560df7255a9a9ba835d07521b66f5

SHA512
fa17aa99f7465d4bb2c8e5c26f3d91783c16198278d75fb31f86fdfe60bdcb0d817a8169645dadf214d4a1ddd1bd86c1cd378b634ceb01357e2ced033c826821

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\C02877841121CC45139CB51404116B25_0FE7F9E544828605E8602D3A6629EA0D

Filesize
402B

MD5
2fb88708f2166f0902132a6c43365047

SHA1
c57f6a16d3502bc94aa8d87a5f209a95b2209a42

SHA256
5505dfe2a5ca2f156d5abc2c832f895eb4f1c792ee75ba8d7ef6a29d8c8d37d1

SHA512
024400eec7e482bfa030c6582c34d4ab629f1bf8b6aeaaf7a2db3ce936c0d394082bbbb80640a6fd63c2eb702bb7daa2c8cd36d08a2bbc4ccce07e3fb36c94ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
225B

MD5
f184cc45cbe6f8ec72bb8e2cfc9bf359

SHA1
98718a5d45f587d78a4f6416db6a01ff9d8dbb44

SHA256
d3e8807d2df288ff98ff781912021e3d3f852a00da47493526ee0cd7a985bbc2

SHA512
3610e87638ce554e794cfef98a12f2e3b216aa58fb54f6541c91330b4e9b465f8f691fab6099de6a99c4dd6294bc4a50ff181660ea0b9e0b56a1d58ca74bfff9

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/504-501-0x000001644AD00000-0x000001644AE00000-memory.dmp

Filesize
1024KB

Download
memory/504-500-0x000001644AD00000-0x000001644AE00000-memory.dmp

Filesize
1024KB

Download
memory/504-575-0x000001645CE00000-0x000001645CF00000-memory.dmp

Filesize
1024KB

Download
memory/504-571-0x000001645C7E0000-0x000001645C7E2000-memory.dmp

Filesize
8KB

Download
memory/2824-488-0x0000016F237D0000-0x0000016F237D1000-memory.dmp

Filesize
4KB

Download
memory/2824-37-0x0000016F1C1A0000-0x0000016F1C1A2000-memory.dmp

Filesize
8KB

Download
memory/2824-18-0x0000016F1D120000-0x0000016F1D130000-memory.dmp

Filesize
64KB

Download
memory/2824-487-0x0000016F237C0000-0x0000016F237C1000-memory.dmp

Filesize
4KB

Download
memory/2824-2-0x0000016F1D020000-0x0000016F1D030000-memory.dmp

Filesize
64KB

Download
memory/4240-450-0x0000020598E10000-0x0000020598E12000-memory.dmp

Filesize
8KB

Download
memory/4240-57-0x0000020599700000-0x0000020599800000-memory.dmp

Filesize
1024KB

Download
memory/4240-443-0x00000205B0840000-0x00000205B0842000-memory.dmp

Filesize
8KB

Download
memory/4240-445-0x00000205B0860000-0x00000205B0862000-memory.dmp

Filesize
8KB

Download
memory/4240-447-0x00000205B0880000-0x00000205B0882000-memory.dmp

Filesize
8KB

Download
memory/4240-441-0x00000205B03E0000-0x00000205B03E2000-memory.dmp

Filesize
8KB

Download
memory/4240-464-0x00000205B0210000-0x00000205B0310000-memory.dmp

Filesize
1024KB

Download
memory/4240-468-0x00000205B12C0000-0x00000205B12C2000-memory.dmp

Filesize
8KB

Download
memory/4240-391-0x00000205ACB40000-0x00000205ACC40000-memory.dmp

Filesize
1024KB

Download
memory/4240-454-0x0000020598E50000-0x0000020598E52000-memory.dmp

Filesize
8KB

Download
memory/4240-456-0x0000020598E70000-0x0000020598E72000-memory.dmp

Filesize
8KB

Download
memory/4240-452-0x0000020598E30000-0x0000020598E32000-memory.dmp

Filesize
8KB

Download
memory/4240-465-0x00000205B0C80000-0x00000205B0D80000-memory.dmp

Filesize
1024KB

Download
memory/4240-474-0x00000205B12F0000-0x00000205B12F2000-memory.dmp

Filesize
8KB

Download
memory/4240-472-0x00000205B12E0000-0x00000205B12E2000-memory.dmp

Filesize
8KB

Download
memory/4240-463-0x00000205ACD80000-0x00000205ACE80000-memory.dmp

Filesize
1024KB

Download
memory/4384-46-0x0000019729E00000-0x0000019729F00000-memory.dmp

Filesize
1024KB

Download