xworm | e8fd34b40b83391a855905620e4beeb153d256df196b063bc7845d747f1e7d67

Analysis

max time kernel
149s
max time network
151s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
08/08/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Steam.exe
Size

51KB
MD5

eb794f3819b32c9fbc747309bb04cd68
SHA1

a6c24bfb6c2ea4cdf10f0f54c0a4e8ac0380beb3
SHA256

e8fd34b40b83391a855905620e4beeb153d256df196b063bc7845d747f1e7d67
SHA512

0b6cf31c799513b4e0f5ac21180cc7a26451fc54504f03ace353a5a8c598885c594b3375e990ac442e08ffaa1f3e9692cbf6dfb8c035b4380497cefd57288aaf
SSDEEP

768:juMMmVn76G3rspEacCIQgttZX+2V2ltnq7oTmggkbm1t+tuXSWCalOIhu//t/:SMDnv7sKEIHLXyBqCmjkbmn/weOImF/

Score

10^/10

xworm rat trojan

Malware Config

Extracted

Family

xworm

tree-cleaning.gl.at.ply.gg:33027

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral2/memory/3320-0-0x0000000000720000-0x0000000000734000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Control Panel\International\Geo\Nation	Steam.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1172	timeout.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "429877517"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\guns.lol\NumberOfSubdomai = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\guns.lol\Total = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cacb9edb7ce9da01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 408b451a7de9da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\guns.lol\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath\dummySetting = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$vBulletin 3	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = ef8e451a7de9da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8875bdf07ce9da01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 7c5975f67ce9da01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3699363923-1875576828-3287151903-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe

Suspicious behavior: MapViewOfSection 22 IoCs

pid	Process
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	Steam.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4628	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4224	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4224	MicrosoftEdgeCP.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1116	MicrosoftEdge.exe
1468	MicrosoftEdgeCP.exe
4628	MicrosoftEdgeCP.exe
1468	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1468 wrote to memory of 3344	1468	MicrosoftEdgeCP.exe	77
PID 1468 wrote to memory of 3344	1468	MicrosoftEdgeCP.exe	77
PID 1468 wrote to memory of 3344	1468	MicrosoftEdgeCP.exe	77
PID 1468 wrote to memory of 3344	1468	MicrosoftEdgeCP.exe	77
PID 1468 wrote to memory of 3344	1468	MicrosoftEdgeCP.exe	77
PID 1468 wrote to memory of 3344	1468	MicrosoftEdgeCP.exe	77
PID 1468 wrote to memory of 3344	1468	MicrosoftEdgeCP.exe	77
PID 1468 wrote to memory of 1372	1468	MicrosoftEdgeCP.exe	80
PID 1468 wrote to memory of 1372	1468	MicrosoftEdgeCP.exe	80
PID 1468 wrote to memory of 1372	1468	MicrosoftEdgeCP.exe	80
PID 1468 wrote to memory of 1372	1468	MicrosoftEdgeCP.exe	80
PID 3320 wrote to memory of 4976	3320	Steam.exe	82
PID 3320 wrote to memory of 4976	3320	Steam.exe	82
PID 4976 wrote to memory of 1172	4976	cmd.exe	84
PID 4976 wrote to memory of 1172	4976	cmd.exe	84

C:\Users\Admin\AppData\Local\Temp\Steam.exe
"C:\Users\Admin\AppData\Local\Temp\Steam.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4976
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:1172

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1116

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:4584

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1468

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4628

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:3344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4224

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
PID:1372

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5064

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\V28C7N3J\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XY1QSUNQ\crypto-js.min[1].js

Filesize
46KB

MD5
cf3402d7483b127ded4069d651ea4a22

SHA1
bde186152457cacf9c35477b5bdda5bcb56b1f45

SHA256
eab5d90a71736f267af39fdf32caa8c71673fd06703279b01e0f92b0d7be0bfc

SHA512
9ce42ebc3f672a2aefc4376f43d38ca9ed9d81aa5b3c1eef60032bcc98a1c399be68d71fd1d5f9de6e98c4ce0b800f6ef1ef5e83d417fbffa63eef2408da55d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4K0KA2MN\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DO1Z1BGH\guns-solid[1].svg

Filesize
732B

MD5
48817a08ba7e68c843c044f272f9f6f7

SHA1
ac3a03887ef169327cca4fed5632453611da39a8

SHA256
e07f17964bb0c49b975f385542abb2f6c55e67b3b0d3b77c4d743fe3416553c4

SHA512
a3d4296d8a408af9e412fdb60554f63bf2005bc0eb3a863f7a47f2bc9f311e0a5672b68e318c0600cb099b3c64f6037a02c97e875b9fd91808d336ca8a7e50ef

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FX2TZODS\css[1].css

Filesize
601B

MD5
42b7433e70976a2368aa5c2fd1268144

SHA1
5b1c9c0b9d025f81caa138fb3c4b1248cf413835

SHA256
5e801ed8112f0bc4c701c2cbed74a90e3c7f0aa08532ac0b2adf553b346929cd

SHA512
8c6eef9f4c2a2384a75472bb622b6667d0b4087bcd70fed506d030010ea12b44dd3d0d3f8dab2a0e1dfd0b897e036dbcad95673dc05605b1422772436a44c35a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\FX2TZODS\guns_logo_c[1].png

Filesize
35KB

MD5
0bf48ead8eef6e287bb3738993236be6

SHA1
be9f6d95513902571b89116d39068578eac601cb

SHA256
455ccaf35154db5e8e984be4a68e2a1bbd5f884063b7765855cd3bb51ca420cb

SHA512
4f9354ddcd79ea18c6c1b42ec9a4b8c9814c4f8e397e48f3838a38ef4007ceb31d30b02ab10a6b28d107c4d063a5d7ca634114d0ec8473cc3f29d8c1f1c5677e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TN1O8NT7\_pow[1].js

Filesize
3KB

MD5
29523af8a267e83b324b6cdb29c340e2

SHA1
3e98bcf6902e65df2333d09ae47e43921354f7a3

SHA256
7ee75a615b122fdd8e963f63f4b0294a987b664fb66dfe4abccf3b33aeca666d

SHA512
86c656139c751142eb0432c72187ca12d5e52effc1ca6186a8a7e57cf0bad51a30727520a8c4001e3ad695797cb1d3667ae9d2443e0eacb93ac3f2c980fc7c0e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\TN1O8NT7\vcd15cbe7772f49c399c6a5babf22c1241717689176015[1].js

Filesize
19KB

MD5
ec18af6d41f6f278b6aed3bdabffa7bc

SHA1
62c9e2cab76b888829f3c5335e91c320b22329ae

SHA256
8a18d13015336bc184819a5a768447462202ef3105ec511bf42ed8304a7ed94f

SHA512
669b0e9a545057acbdd3b4c8d1d2811eaf4c776f679da1083e591ff38ae7684467abacef5af3d4aabd9fb7c335692dbca0def63ddac2cd28d8e14e95680c3511

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WT1A27X4\X6XYTKIVDUW7GZTZPZNN4EUM5KH54KHF[1].woff2

Filesize
41KB

MD5
70880e42f07b0386e261974cd14820a1

SHA1
2d34d398b398a7fd88d21fae7642cdca908bf3ee

SHA256
e739aff9b4d02c264341d6d4872edcda28e79373aeda936f659566a1cd3eb47f

SHA512
6a5cb0cbee5f49a4b96df82bc37f3f2aa7abbc8fdb304962a3f492c7f63772b81e753a86e01da2a7a74785cf3196795408065e0bf30695166311e324d813d83c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WT1A27X4\api[1].js

Filesize
43KB

MD5
66e93c1f0c53bb0a4a34c2be54427e6c

SHA1
24346c2941c3d92c9f3634fc594079f4706650f7

SHA256
ce9b46c18d0769c78a7e889eb237606cb96b602061b39b4c1159a22a015b51df

SHA512
30e800eaa414a0f571e5100b71b19ac23743814a8fd2b7c991da97fea844b18f4ef64fc4aa90c3c300cc94f6ff47ea201e410f19f80cee84d2e307aaa10ef1de

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\WT1A27X4\gradient_background[1].png

Filesize
238KB

MD5
5a45b1497b5e00ce306612d84f451297

SHA1
55c235ccf6e028b235fd2c09c444214f5383526a

SHA256
058ac033824f0fda4d87e4574a9b2d49d14e0e3c3f6c719cda30bc94ad43d6e6

SHA512
9a26acf4dbbd8138748ccc46006e96e3ffcdd6f419d4af341256879ae6009d6df135b20df1fe592f10d15a1e9de858852098d23a76929346cf3c4bb5f1dc9218

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\XY1QSUNQ\iconify.min[1].js

Filesize
25KB

MD5
e03e81386c237437b6e309ad988c7273

SHA1
595144883cf473fbdd9e88d55109d698b2f70f64

SHA256
98d393ba8bc8f81c23d5337f45bac1618c355308a57eccfd30b4af1be8e6469b

SHA512
a10d7243048421cf424dc2bba5f7c4c92f1fc689b6894590ac02e4de3dfec1f7520e343bec465bcc63067b665899fa02f0cf6f478edaa5b4b56586d6d39cbfa6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\570001A32834D3C73AD807B8ADA70A85

Filesize
504B

MD5
7f29e5f9b12a5bf33e25f288f9eae006

SHA1
f0a4b3cda9db5c25bfa4b030d426e9d7da6f3f61

SHA256
ac8fbec42d5cbf7dc51ebe1ddd60335a8497f6a592dcb93fe21dfd1a521cdc28

SHA512
1b95a3504312b91706afb1189f6603ae0482beffbbf08203624b6e69044168d52288b97415024c49c9ba980c5b6cc769dd3f064cc39911b8e4e4168e84c94e3e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
1KB

MD5
9729642c4b4651829268982d94ed88f8

SHA1
7cbfaeff1682d492e29a394de774a623047c9a07

SHA256
1ef5a6923ca603197c616e65ee8415b739d1656c6e3d60e07dcfa00f2813ea47

SHA512
07ad4e4d283d021c8571f68e6d43a522b27d74fbaf51881191938f6abe97df0d1ec58c9913910ee8933e512b0935343591fe567c5fcaa7e63a4c6a6672fea769

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
1KB

MD5
59278184a1cc55312289f6f18c09e72c

SHA1
e77aacc3d75e6d4f392608caef6af2abdd0a11f0

SHA256
ebd064bc191bb8cd8084a0f8b41bb35e47e8b7ca665ecd200b6177dd0e70316d

SHA512
f75ff0ae22ce8c766c928b3a26ab9ee7476050fd87da46b180052a99f0c8fc2f46a4a8f38ba60043939d56819b593b363db87b12cf4400983a47f84364c26583

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\83D863F495E7D991917B3ABB3E1EB382_1A61BBEAB3B4E45FBFC402B2664CF5AD

Filesize
471B

MD5
8d3b393d51b0be2b132d4e217030e7d4

SHA1
74422d02845a2be364262b67796d19074424c1d4

SHA256
bbefc2eef757bc58f0ed3f013c558f67662f175aeb47a7c79542825b140e8b26

SHA512
1b143ad7cac5794229e4a49b4d74fe067f2f1760cdd3e0500a4d0aa418d1275bb63b092eee6d5a8cb79d1dafe5fd2b77896c2640ba551b1acdd45e0968d51c40

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
4aa24ea4fb16d785c08904e03a4202db

SHA1
b78e66d2526bd8e175107b79ef84aa6ea182b16c

SHA256
0fc4841579c14f0108d2c57c67785b4cd87d3c343d3518e0e828ac348f870489

SHA512
a3e41f753e6f96942ace467ea7ca42d765d1b36e1705c3db6e102a40667a28cf37727559b73e378a945913c582e9ee504dc39040768cac2184ad84a6fa6a6087

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
1fd6f1b2993d12d94377a46e3c7451a0

SHA1
b72e96219ef0a756d69ed0979e22df17c4a83708

SHA256
c3f030f39da80a77eec8995b2fe1df76ce8b7e65ec87b88fb1f6c54a4f04d2cc

SHA512
ee66f69f74d31380198dd31d4db80aada715c59084ee033777a1cc446669fe655a6f07a5447df930c61dac5d259f378a7d616965246d605e18cdff49b32ea03d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
130ee7ab73ddc600996373417025ddda

SHA1
42a9c58d887ba8fc13cc427c80aa2a6859cd555d

SHA256
6d24e3046e0b2f16f5c8af995cc001ad661242a74f6310b4734d024c58d7d1d2

SHA512
b0b1782968c0ed76de87c8d0814783280325dec8f8c29bf9b00e364bfda11245e901663d09712f5d561f1bbeffa6262c2810cbe8ea03250b15cda4cee844677c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\570001A32834D3C73AD807B8ADA70A85

Filesize
546B

MD5
869a3554f9630fce43cb59db1215abf7

SHA1
b91bbd1dec22741cb227ffbb98e1fccb0b03b2d1

SHA256
448dbc5d5ed521378d4e271e7db5d5aff3f7c69efb77d2c8b5b7c64390f09e15

SHA512
c080c292d637579f6e31b624d449d707e667c8d7202c9a63721ed7629595944323c638350330fec705b66ae52ccd2c3d3263fce9684849295b96a046ec45b654

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_28DEA62A0AE77228DD387E155AD0BA27

Filesize
408B

MD5
36e1aeffb0dd669932d6339b204045af

SHA1
62e3981714aa62acfffd624ec6de00714d805ce6

SHA256
216c71ab4322653280e4e8e7b6d9fab95a90703749c86cc7bcaedf917232446c

SHA512
a049e5ea90244578b758f1bb182e52717fabd3b090e813ae41e383b1f2fe5e0f3627c8b0a11fa3ff655251910603110f6cc1909bd2985332abc59abd891ee40c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_645BC4A49DCDC40FE5917FA45C6D4517

Filesize
434B

MD5
d23f8e653b3b9feebd139a85fdcf21d9

SHA1
fc39e39435743aa68ddf87a377d84e5f3e57f785

SHA256
223cf8838b067d8d04afab1c6b83c88ced871bd86d9a70c9f04ceb6ddf845f9b

SHA512
fa9b94157447feec80b9eec18ec23fe0bebb26d055e1037ce6afde3c8175e1d3e0b671cd527e8c90e7a74cdda1a52b6b15792dd8c6a977f9b771aa9d5819baf2

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\83D863F495E7D991917B3ABB3E1EB382_1A61BBEAB3B4E45FBFC402B2664CF5AD

Filesize
422B

MD5
6cc54eed31bc6a1f14db85b63b0ab7bd

SHA1
ec378150315e26977d9901cc3c85aafa51f4a298

SHA256
5f153b7740759c4ffb54115447990f49507c2ed7609518a14b472234e3d42fbd

SHA512
3afd438755a1219f68ed333d01b52073f410dc11f98e888e03e97d320ccc874ea5ea7a6e96ef1a62f9668849c12c4b3fea5440d03bb1f693ba8ff3a69a09ddba

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
859fc1c07f70251dfdfc7eb0de57b483

SHA1
67e7715a25197ea8216ca6c4b1058bfba67933b3

SHA256
d737b7394d8c1e016673d7efeb105faf625b144e08aef76090e381cc559dfc91

SHA512
df4c2b4d8d48eefab3eaa689a0f9257592d94122731aef1be025639b76f3672be819dd8039531177696ec6e39584e78ab70cd38929c6cce124369c769b693534

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
4e337129e7a82154509126acc834ace7

SHA1
3d847cc5cade4fab1605a3620ecf7db8dca1a6c3

SHA256
ee19c8c7fb8fe67e74717be2339246f364c75618424095326e3afd1771ca4a03

SHA512
a3c6378b108e93d49ca84b2766377b3d00bf1a488d256d8d168705ed59be3b63579e7f9717ee32653fe04b8bbd44c4419dccd31652e60d2e41b066181130a465

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
de1c2a1d1d0dccb0fae6338f00609148

SHA1
fccae337e404b0ac2dca785ba9fe732b7d889f26

SHA256
fe4c92feb2adec86a0c6227c579435763e1367b96b85fe1e693a151db0d82490

SHA512
ce97569ced6f4e24372d7864f405a768365a00f67003a84222ba0398a5e7089c27e65a95402251fec0b0eb343bbd57a3a2fa7457f92f8877915b71ee9d6e411d

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
e2c93a6e927c85a93f1957eaf066367c

SHA1
cc2cb5fc04dcf130e99b126333fd803da1c86ab8

SHA256
58ccfc18191538de6fb69006fa7ae21dfd6c51b7a31fff020d9a37eaf43743cc

SHA512
2ad5d161fcd0105b788af6ce06cc9d3e8df2fcd784a50b887bfd38e010e6533cee2a6346eeeb58b93b29f6be6c64ad85a64294571c56a682c945ff2eea14d27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3F13.tmp.bat

Filesize
157B

MD5
e1f1986ad810f4094f9880a229cb791c

SHA1
c063e7d38a1a92c1f00fa71cba0678a8c23bdb20

SHA256
f56f788ad872b8b0f000f300bd357cbb4970540c6fa9850c603e29acefd4cc6b

SHA512
373f1058476ea92f8de8d156d81373825e41c85a5c5fac028ad7c753a7aaeb4a235c3ca0887d1bde9adbb9739a4838bd4d3978b17aed6fee125e86c40cae9726

Download Submit
memory/1116-39-0x00000182D35B0000-0x00000182D35B2000-memory.dmp

Filesize
8KB

Download
memory/1116-20-0x00000182D6020000-0x00000182D6030000-memory.dmp

Filesize
64KB

Download
memory/1116-4-0x00000182D5F20000-0x00000182D5F30000-memory.dmp

Filesize
64KB

Download
memory/3320-3-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp

Filesize
9.9MB

Download
memory/3320-0-0x0000000000720000-0x0000000000734000-memory.dmp

Filesize
80KB

Download
memory/3320-2-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp

Filesize
9.9MB

Download
memory/3320-1-0x00007FFB5F763000-0x00007FFB5F764000-memory.dmp

Filesize
4KB

Download
memory/3320-869-0x00007FFB5F760000-0x00007FFB6014C000-memory.dmp

Filesize
9.9MB

Download
memory/3344-114-0x0000029E7BFF0000-0x0000029E7BFF2000-memory.dmp

Filesize
8KB

Download
memory/3344-306-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/3344-60-0x0000029E59DA0000-0x0000029E59DA2000-memory.dmp

Filesize
8KB

Download
memory/3344-156-0x0000029E5A4A0000-0x0000029E5A5A0000-memory.dmp

Filesize
1024KB

Download
memory/3344-112-0x0000029E7BFD0000-0x0000029E7BFD2000-memory.dmp

Filesize
8KB

Download
memory/3344-300-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/3344-116-0x0000029E7C280000-0x0000029E7C282000-memory.dmp

Filesize
8KB

Download
memory/3344-308-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/3344-304-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/3344-307-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/3344-312-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/3344-57-0x0000029E59D70000-0x0000029E59D72000-memory.dmp

Filesize
8KB

Download
memory/3344-62-0x0000029E59DE0000-0x0000029E59DE2000-memory.dmp

Filesize
8KB

Download
memory/3344-292-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/3344-66-0x0000029E5A4A0000-0x0000029E5A5A0000-memory.dmp

Filesize
1024KB

Download
memory/3344-311-0x0000029E59D80000-0x0000029E59D90000-memory.dmp

Filesize
64KB

Download
memory/4628-46-0x00000196AD8C0000-0x00000196AD9C0000-memory.dmp

Filesize
1024KB

Download
memory/4628-48-0x00000196AD8C0000-0x00000196AD9C0000-memory.dmp

Filesize
1024KB

Download
memory/4628-47-0x00000196AD8C0000-0x00000196AD9C0000-memory.dmp

Filesize
1024KB

Download