nanocore | 5e7118d4d85c86fe2f3b98541694f1fcecb4cfc3c5de57ba2e9fffed7335a41f

Resubmissions

05-08-2024 18:52

240805-xjempavemr 10

05-08-2024 18:51

240805-xhhyqayejf 10

Analysis

max time kernel
38s
max time network
38s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
05-08-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

waveTool.exe
Size

544KB
MD5

a1d84d4f688025921352cd3d9f100461
SHA1

6d905fa87c926af0ba5ded4b6585417449fc5b1a
SHA256

5e7118d4d85c86fe2f3b98541694f1fcecb4cfc3c5de57ba2e9fffed7335a41f
SHA512

2a492172d3db0669eff0ac8c1f358638c38578c72d1311e3a80d3614d969728187c62643e0b53956f8cd86adf2d2383d91e74d51234f5c2f5cbde32a80a77ee6
SSDEEP

12288:2QnZ4kCDyG3HvxPUHLoSOaKjCObx3DXHcvPX1KeE9YJ:9nZ4kCTPxhDEOFzHc3X0eZ

Score

10^/10

nanocore discovery keylogger spyware stealer trojan

Malware Config

Extracted

Family

nanocore

Version

1.2.2.0

127.0.0.1:54984

Mutex

c2061050-265f-4002-913c-ea1f49d7f810

Attributes

activate_away_mode
false
backup_connection_host
127.0.0.1
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2024-05-17T20:07:09.307958536Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
false
clear_zone_identifier
false
connect_delay
3814
connection_port
54984
default_group
Default
enable_debug_mode
false
gc_threshold
1.048576e+07
keep_alive_timeout
29991
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
c2061050-265f-4002-913c-ea1f49d7f810
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
127.0.0.1
primary_dns_server
8.8.8.8
request_elevation
false
restart_delay
4997
run_delay
0
run_on_startup
false
set_critical_process
false
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

waveTool.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	waveTool.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

waveTool.exe

description pid process target process

PID 4924 set thread context of 3532 4924 waveTool.exe waveTool.exe

description	pid	process	target process
PID 4924 set thread context of 3532	4924	waveTool.exe	waveTool.exe

Drops file in Windows directory 5 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

waveTool.exewaveTool.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waveTool.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	waveTool.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\ = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000001cb0033c6efe36576e1f64916198b742a4999cc5e251ff141bf5918871a7d90a64bc73a695f90100f0cd317393c1327e25c8abbee625e68511ca	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = afb6a87f68e7da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\SyncIEFirstTimeFullScan = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\NumberOfSubdom = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com\Total = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VendorId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\microsoft.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 52ebd38868e7da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\learn.microsoft.com	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\learn.microsoft.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total\ = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ed3ed17f68e7da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

4132 MicrosoftEdgeCP.exe
4132 MicrosoftEdgeCP.exe
4132 MicrosoftEdgeCP.exe
4132 MicrosoftEdgeCP.exe
4132 MicrosoftEdgeCP.exe
4132 MicrosoftEdgeCP.exe

pid	process
4132	MicrosoftEdgeCP.exe
4132	MicrosoftEdgeCP.exe
4132	MicrosoftEdgeCP.exe
4132	MicrosoftEdgeCP.exe
4132	MicrosoftEdgeCP.exe
4132	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	pid	process
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4960	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3644	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3644	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

1376 MicrosoftEdge.exe
4132 MicrosoftEdgeCP.exe
4960 MicrosoftEdgeCP.exe
4132 MicrosoftEdgeCP.exe

pid	process
1376	MicrosoftEdge.exe
4132	MicrosoftEdgeCP.exe
4960	MicrosoftEdgeCP.exe
4132	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

waveTool.exeMicrosoftEdgeCP.exe

description	pid	process	target process
PID 4924 wrote to memory of 3532	4924	waveTool.exe	waveTool.exe
PID 4924 wrote to memory of 3532	4924	waveTool.exe	waveTool.exe
PID 4924 wrote to memory of 3532	4924	waveTool.exe	waveTool.exe
PID 4924 wrote to memory of 3532	4924	waveTool.exe	waveTool.exe
PID 4924 wrote to memory of 3532	4924	waveTool.exe	waveTool.exe
PID 4132 wrote to memory of 1844	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 1844	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 1844	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 1844	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 1844	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 1844	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 2524	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 2524	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 2524	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 2524	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 2524	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 4132 wrote to memory of 2524	4132	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe

C:\Users\Admin\AppData\Local\Temp\waveTool.exe
"C:\Users\Admin\AppData\Local\Temp\waveTool.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4924

C:\Users\Admin\AppData\Local\Temp\waveTool.exe
"C:\Users\Admin\AppData\Local\Temp\waveTool.exe"
2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
PID:3532

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4976

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4132

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4960

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1844

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\ZZV07RIF\favicon[1].ico
Filesize
16KB

MD5
12e3dac858061d088023b2bd48e2fa96

SHA1
e08ce1a144eceae0c3c2ea7a9d6fbc5658f24ce5

SHA256
90cdaf487716184e4034000935c605d1633926d348116d198f355a98b8c6cd21

SHA512
c5030c55a855e7a9e20e22f4c70bf1e0f3c558a9b7d501cfab6992ac2656ae5e41b050ccac541efa55f9603e0d349b247eb4912ee169d44044271789c719cd01

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\sid288c\imagestore.dat
Filesize
26KB

MD5
57c53ae377bb992dcb080097e776562f

SHA1
ce24b43514d249111c969c2e5d5b8171ae7db131

SHA256
52fff46b8eed512bdb803a6c5ae9c8bb1cdaf583f503e0dddbd07472ff8a0809

SHA512
32092646f5b8b4dd0bc2b1bdda391774b6f55a017eabefe5364c5586bd7371e1d2df8e085ae880bebcbfe10d38a23eda4f32228d5c728066d75e86a1fbf0e91d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\13OTCO78\SegoeUI-Roman-VF_web[1].woff2
Filesize
115KB

MD5
bca97218dca3cb15ce0284cbcb452890

SHA1
635298cbbd72b74b1762acc7dad6c79de4b3670d

SHA256
63c12051016796d92bcf4bc20b4881057475e6dfa4937c29c9e16054814ab47d

SHA512
6e850842d1e353a5457262c5c78d20704e8bd24b532368ba5e5dfc7a4b63059d536296b597fd3ccbd541aa8f89083a79d50aaa1b5e65b4d23fc37bfd806f0545

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\13OTCO78\application-not-started[1].htm
Filesize
48KB

MD5
2d1d565f73e8a03ce77aa1004fe8dc69

SHA1
80e8c2d09f581130936e5f944430fde1cacc6a71

SHA256
efec3cf06c3ddf587df0ce0d9315c143533680319151d5bd629fcb03b1663be3

SHA512
99ef5bf7f1aed730a180c74ba0d7254c34b3d3ca7b782cc081342ea1368bb3d10e4f935fed8ba082f4c2c6985670b1cf18a162f0c9d7698ec8f7ec17c04f2431

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\13OTCO78\index-docs[1].js
Filesize
1.6MB

MD5
58a3382a541fc5e6380bef200eb894c1

SHA1
e98d2db79ff953d2f260acda7996f659705e7025

SHA256
7f35beb590c85017758f3a66b61773e3b51b533e2681796da3b5991818d3150b

SHA512
50c88e9ac21b9ecbbfbf7f93c3609f0b86e6ec2a02627337900c5f05a384e04f50b410c4571a6d9760a9b83d8f6bb50091b85d1600b3836b936c0ed1110e2c19

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\13OTCO78\ms.jsll-4.min[1].js
Filesize
202KB

MD5
deaa16321132c38272bda251563f48a1

SHA1
0209a287d78181b0a8fc3644e8e99be2105f46f0

SHA256
80934d21b5493c94ee3aa1f35745543326cf6c9d695c85c635bad9c19ce0d84f

SHA512
0473bf532047268b569b54b23c1b0117fb25a21058c2e985e9d245e695a523abc983df4d64a2420d635a02fff6a83e5393a75608fb8ec10db2834d54456dda91

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\13OTCO78\repair-tool-no-resolution[1].png
Filesize
17KB

MD5
240c4cc15d9fd65405bb642ab81be615

SHA1
5a66783fe5dd932082f40811ae0769526874bfd3

SHA256
030272ce6ba1beca700ec83fded9dbdc89296fbde0633a7f5943ef5831876c07

SHA512
267fe31bc25944dd7b6071c2c2c271ccc188ae1f6a0d7e587dcf9198b81598da6b058d1b413f228df0cb37c8304329e808089388359651e81b5f3dec566d0ee0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7FDLW5XG\docons.aa8255ca[1].woff2
Filesize
18KB

MD5
870b357c3bae1178740236d64790e444

SHA1
5fa06435d0ecf28cbd005773f8c335c44d7df522

SHA256
0227bd6a0408946e9b4df6f1a340e3713759a42a7677bdb8cb34698e4edf541e

SHA512
7fc902e787b1f51b86d967354c0f2987ea9fd582fef2959831ea6dbc5e7bf998a8f24ba906f0ee99ae8493aeb0c53af06bee106d60b448ac50b827c63b1ed169

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7FDLW5XG\logo_net[1].svg
Filesize
1KB

MD5
37258a983459ae1c2e4f1e551665f388

SHA1
603a4e9115e613cc827206cf792c62aeb606c941

SHA256
8e34f3807b4bf495d8954e7229681da8d0dd101dd6ddc2ad7f90cd2983802b44

SHA512
184cb63ef510143b0af013f506411c917d68bb63f2cfa47ea2a42688fd4f55f3b820af94f87083c24f48aacee6a692199e185fc5c5cfbed5d70790454eed7f5c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7FDLW5XG\tex-mml-chtml[1].js
Filesize
1.1MB

MD5
2e00d51c98dbb338e81054f240e1deb2

SHA1
d33bac6b041064ae4330dcc2d958ebe4c28ebe58

SHA256
300480069078b5892d2363a2b65e2dfbbf30fe5c80f83edbfecf4610fd093862

SHA512
b6268d980ce9cb729c82dba22f04fd592952b2a1aab43079ca5330c68a86e72b0d232ce4070db893a5054ee5c68325c92c9f1a33f868d61ebb35129e74fc7ef9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\7FDLW5XG\wcp-consent[1].js
Filesize
272KB

MD5
5f524e20ce61f542125454baf867c47b

SHA1
7e9834fd30dcfd27532ce79165344a438c31d78b

SHA256
c688d3f2135b6b51617a306a0b1a665324402a00a6bceba475881af281503ad9

SHA512
224a6e2961c75be0236140fed3606507bca49eb10cb13f7df2bcfbb3b12ebeced7107de7aa8b2b2bb3fc2aa07cd4f057739735c040ef908381be5bc86e0479b2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\A59LIN70\app-could-not-be-started[1].png
Filesize
34KB

MD5
522037f008e03c9448ae0aaaf09e93cb

SHA1
8a32997eab79246beed5a37db0c92fbfb006bef2

SHA256
983c35607c4fb0b529ca732be42115d3fcaac947cee9c9632f7cacdbdecaf5a7

SHA512
643ec613b2e7bdbb2f61e1799c189b0e3392ea5ae10845eb0b1f1542a03569e886f4b54d5b38af10e78db49c71357108c94589474b181f6a4573b86cf2d6f0d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\A59LIN70\repair-tool-changes-complete[1].png
Filesize
13KB

MD5
512625cf8f40021445d74253dc7c28c0

SHA1
f6b27ce0f7d4e48e34fddca8a96337f07cffe730

SHA256
1d4dcee8511d5371fec911660d6049782e12901c662b409a5c675772e9b87369

SHA512
ae02319d03884d758a86c286b6f593bdffd067885d56d82eeb8215fdcb41637c7bb9109039e7fbc93ad246d030c368fb285b3161976ed485abc5a8df6df9a38c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\A59LIN70\repair-tool-recommended-changes[1].png
Filesize
15KB

MD5
3062488f9d119c0d79448be06ed140d8

SHA1
8a148951c894fc9e968d3e46589a2e978267650e

SHA256
c47a383de6dd60149b37dd24825d42d83cb48be0ed094e3fc3b228d0a7bb9332

SHA512
00bba6bcbfbf44b977129594a47f732809dce7d4e2d22d050338e4eea91fcc02a9b333c45eeb4c9024df076cbda0b46b621bf48309c0d037d19bbeae0367f5ed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\A59LIN70\site-ltr[1].css
Filesize
432KB

MD5
292738f607e9473924e7e0466204c0bb

SHA1
91bcbc56c4ecabf8384b56c827ca30e104ee2398

SHA256
5998382ac31ef321a7df947e9d5e0d5cdaa7efad47a8f1ecc06e301526575f00

SHA512
446f78a622db7caebaad0fb50e8ad0d696c70bf802a4e9f0fae0c475d9687baf55cd8ad4e6fdf72ce58e82ec680df4281c45b38b4ba8643a1dc20f66b9d3fc84

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\X3NOJDS5\deprecation[1].js
Filesize
1KB

MD5
020629eba820f2e09d8cda1a753c032b

SHA1
d91a65036e4c36b07ae3641e32f23f8dd616bd17

SHA256
f8ae8a1dc7ce7877b9fb9299183d2ebb3befad0b6489ae785d99047ec2eb92d1

SHA512
ef5a5c7a301de55d103b1be375d988970d9c4ecd62ce464f730c49e622128f431761d641e1dfaa32ca03f8280b435ae909486806df62a538b48337725eb63ce1

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\X3NOJDS5\install-3-5[1].png
Filesize
13KB

MD5
f6ec97c43480d41695065ad55a97b382

SHA1
d9c3d0895a5ed1a3951b8774b519b8217f0a54c5

SHA256
07a599fab1e66babc430e5fed3029f25ff3f4ea2dd0ec8968ffba71ef1872f68

SHA512
22462763178409d60609761a2af734f97b35b9a818ec1fd9046afab489aad83ce34896ee8586efe402ea7739ecf088bc2db5c1c8e4fb39e6a0fc5b3adc6b4a9b

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\X3NOJDS5\latest[1].woff2
Filesize
26KB

MD5
2835ee281b077ca8ac7285702007c894

SHA1
2e3d4d912aaf1c3f1f30d95c2c4fcea1b7bbc29a

SHA256
e172a02b68f977a57a1690507df809db1e43130f0161961709a36dbd70b4d25f

SHA512
80881c074df064795f9cc5aa187bea92f0e258bf9f6b970e61e9d50ee812913bf454cecbe7fd9e151bdaef700ce68253697f545ac56d4e7ef7ade7814a1dbc5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\89XF8HRO\learn.microsoft[1].xml
Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_0C4CF5196B6676C60436CD17DE56BD63
Filesize
314B

MD5
e86d41a8b5323e2946776d0354cbf019

SHA1
02035efd1d7fd2932d634ef902d3a7b0e7bb675e

SHA256
990d4833780da05394bfadd303bb79c8e06f3a3bcc9886bad982554efe6f05d7

SHA512
a351eeebfdff57ef856af62cf82ccf98aa272e99c08494e0d884c2b2066377f8ef1b3cb8918ae3c57327ed99e877b2cd9d8a6eb2e259d2e66eb7f7d67073eca2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
471B

MD5
c19de00f3e511be3e749d20ae38c26bf

SHA1
595de622a2dc9429897ce22cb84b570cc25f0794

SHA256
3e1709ba67f224d85dabc4555b20b1ff96233ae58bef32d93419de93f4c19b89

SHA512
dbef57403487244a9d98ab74cc4008bc1cf869ecc3047eedc0613c593e42f6af791d6489b17c33b3d73de215a17627847750cec3d8da47628ab855cccd20c2d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_0C4CF5196B6676C60436CD17DE56BD63
Filesize
408B

MD5
5b48b2da06f79cef1c568378ee5d3f23

SHA1
c8b67a40c60ad7f69f403aa15bd4ef672c98479c

SHA256
a30b078afe6db306ed93e30ca47185d5bf74e2d7b156bec0d3f450c8df43b365

SHA512
3805209af553293907e04c575cf3c2f5d2ca49ff09762fe7fed50311c559b426918db7813fb8013a0ee552ca5dbf906c33112dc52112c3e601baf6b84e2b70a2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize
412B

MD5
dc7b46ea07bc64f4a81c6c95a0c79dcd

SHA1
c5b2b16b80c4b198e730eef457eb70e18dfbc7d2

SHA256
15d1dc0e7cfedae1e7ccb5df8857e579cb9b651a4cb4941a8fda791674ebf091

SHA512
e28bf548b8fd2005761cf88eb8191631f06782d2cd75bce73663caef70682166773c0ceea30140620cc68349e0e130c1c5f53712db597570b6d23efb927cafd2

Download Submit
memory/1376-37-0x000001B614EA0000-0x000001B614EA2000-memory.dmp

Filesize
8KB

Download
memory/1376-197-0x000001B61E1F0000-0x000001B61E1F1000-memory.dmp

Filesize
4KB

Download
memory/1376-198-0x000001B61E200000-0x000001B61E201000-memory.dmp

Filesize
4KB

Download
memory/1376-2-0x000001B617C20000-0x000001B617C30000-memory.dmp

Filesize
64KB

Download
memory/1376-19-0x000001B617D30000-0x000001B617D40000-memory.dmp

Filesize
64KB

Download
memory/1844-89-0x0000014979A70000-0x0000014979A72000-memory.dmp

Filesize
8KB

Download
memory/1844-185-0x000001497B460000-0x000001497B462000-memory.dmp

Filesize
8KB

Download
memory/1844-137-0x000001497ADD0000-0x000001497ADF0000-memory.dmp

Filesize
128KB

Download
memory/1844-82-0x0000014979990000-0x0000014979992000-memory.dmp

Filesize
8KB

Download
memory/1844-85-0x00000149799B0000-0x00000149799B2000-memory.dmp

Filesize
8KB

Download
memory/1844-80-0x0000014979970000-0x0000014979972000-memory.dmp

Filesize
8KB

Download
memory/1844-183-0x000001497B3E0000-0x000001497B3E2000-memory.dmp

Filesize
8KB

Download
memory/2524-228-0x000001533BB00000-0x000001533BC00000-memory.dmp

Filesize
1024KB

Download
memory/2524-270-0x0000015354000000-0x0000015354020000-memory.dmp

Filesize
128KB

Download
memory/2524-279-0x000001534CF00000-0x000001534CF20000-memory.dmp

Filesize
128KB

Download
memory/3532-0-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4924-1-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/4960-45-0x0000020813600000-0x0000020813700000-memory.dmp

Filesize
1024KB

Download
memory/4960-46-0x0000020813600000-0x0000020813700000-memory.dmp

Filesize
1024KB

Download