4bbc8b70e00b04913c72fffbfe4d3f15f327c29ec24f6e6cdb27bd78e7c3dc32

Resubmissions

27-08-2024 14:08

240827-rfnhjawdkn 8

27-08-2024 14:06

240827-rer5bswcqp 8

26-08-2024 14:14

240826-rj5afsyhmk 9

Analysis

max time kernel
278s
max time network
278s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26-08-2024 14:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FORM_VENDOR_DECLARATION_BANK_INFO.vbe
Size

13KB
MD5

46a86b1e4d1136f04743b65d4c402b9f
SHA1

dc17d6fa8bdd838bf37efbbe60b8a169e3f794a3
SHA256

db7c3bb3fa1311b696574ba3048e627b3ce3298d911a5946972655433be476af
SHA512

5b7e79943a3d126b9879d34fd0c023e227477cb82b354855a81b4ca8b090d83a83ffbb3a1a7e63e5715ebccad3d42dc2e578ebd20b7fe5e8acf8a842d9d7f0b0
SSDEEP

384:9ECYUlp+y4DdVWrXDYifV9IG8TLtonspm:2yp+y4ZYv/fAG8TRoom

Score

9^/10

credential_access discovery stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Blocklisted process makes network request 1 IoCs

Processes:

WScript.exe

flow pid process

1 1184 WScript.exe

flow	pid	process
1	1184	WScript.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops file in System32 directory 16 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 14 IoCs

Processes:

powershell.exeAddInProcess32.exepcaui.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

description	pid	process	target process
PID 3152 set thread context of 5792	3152	powershell.exe	AddInProcess32.exe
PID 5792 set thread context of 3756	5792	AddInProcess32.exe	msedge.exe
PID 5792 set thread context of 6028	5792	AddInProcess32.exe	pcaui.exe
PID 6028 set thread context of 3756	6028	pcaui.exe	msedge.exe
PID 2872 set thread context of 4684	2872	powershell.exe	AddInProcess32.exe
PID 6028 set thread context of 2440	6028	pcaui.exe	Firefox.exe
PID 6068 set thread context of 5324	6068	powershell.exe	AddInProcess32.exe
PID 5712 set thread context of 5224	5712	powershell.exe	AddInProcess32.exe
PID 5260 set thread context of 2732	5260	powershell.exe	AddInProcess32.exe
PID 5776 set thread context of 2872	5776	powershell.exe	AddInProcess32.exe
PID 2244 set thread context of 2804	2244	powershell.exe	AddInProcess32.exe
PID 5328 set thread context of 5580	5328	powershell.exe	AddInProcess32.exe
PID 4992 set thread context of 1740	4992	powershell.exe	AddInProcess32.exe
PID 5940 set thread context of 2308	5940	powershell.exe	AddInProcess32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

pcaui.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language pcaui.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pcaui.exe

Checks processor information in registry 2 TTPs 48 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 35 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exewermgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

pcaui.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	pcaui.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 1 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

description	flow	ioc
HTTP User-Agent header	1	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exemsedge.exemsedge.exeidentity_helper.exepowershell.exeAddInProcess32.exepcaui.exepowershell.exepowershell.exeAddInProcess32.exepowershell.exeAddInProcess32.exepowershell.exepowershell.exeAddInProcess32.exe

pid	process
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
3232	msedge.exe
3232	msedge.exe
3756	msedge.exe
3756	msedge.exe
3804	identity_helper.exe
3804	identity_helper.exe
5560	powershell.exe
5560	powershell.exe
5560	powershell.exe
3152	powershell.exe
3152	powershell.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
5792	AddInProcess32.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
2872	powershell.exe
2872	powershell.exe
2872	powershell.exe
4104	powershell.exe
4104	powershell.exe
4104	powershell.exe
2872	powershell.exe
4684	AddInProcess32.exe
4684	AddInProcess32.exe
4684	AddInProcess32.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
6068	powershell.exe
5324	AddInProcess32.exe
5324	AddInProcess32.exe
5324	AddInProcess32.exe
5712	powershell.exe
5712	powershell.exe
5712	powershell.exe
920	powershell.exe
920	powershell.exe
920	powershell.exe
5712	powershell.exe
5224	AddInProcess32.exe
5224	AddInProcess32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

AddInProcess32.exemsedge.exepcaui.exe

pid process

5792 AddInProcess32.exe
3756 msedge.exe
3756 msedge.exe
6028 pcaui.exe
6028 pcaui.exe
6028 pcaui.exe
6028 pcaui.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3756 msedge.exe
3756 msedge.exe
3756 msedge.exe
3756 msedge.exe
3756 msedge.exe
3756 msedge.exe

pid	process
5792	AddInProcess32.exe
3756	msedge.exe
3756	msedge.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe
6028	pcaui.exe

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	5560	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	4104	powershell.exe
Token: SeDebugPrivilege	6068	powershell.exe
Token: SeDebugPrivilege	5712	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	5260	powershell.exe
Token: SeDebugPrivilege	5776	powershell.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	6132	powershell.exe
Token: SeDebugPrivilege	5328	powershell.exe
Token: SeDebugPrivilege	5864	powershell.exe
Token: SeDebugPrivilege	4992	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	5940	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

Processes:

msedge.exe

pid	process
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

Processes:

msedge.exe

pid	process
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.exemsedge.exe

description	pid	process	target process
PID 3532 wrote to memory of 3152	3532	WScript.exe	powershell.exe
PID 3532 wrote to memory of 3152	3532	WScript.exe	powershell.exe
PID 3756 wrote to memory of 4356	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4356	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 4796	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3232	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3232	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe
PID 3756 wrote to memory of 3188	3756	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\FORM_VENDOR_DECLARATION_BANK_INFO.vbe"
1⤵
- Blocklisted process makes network request
PID:1184

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:5792
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "3152" "2724" "2664" "2728" "0" "0" "2732" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5820
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5560
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5560" "2688" "2620" "2692" "0" "0" "2696" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5812
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2872
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4684
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2872" "2832" "2524" "2836" "0" "0" "2840" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:664
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4104
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4104" "2424" "2632" "2428" "0" "0" "2392" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4236
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6068
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5324
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6068" "2720" "2652" "2724" "0" "0" "2728" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:32
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5224
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5712" "2724" "2664" "2728" "0" "0" "2732" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:3692
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:920
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "920" "2676" "2608" "2680" "0" "0" "2684" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:6052
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2732
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5260" "2796" "2736" "2800" "0" "0" "2804" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5824
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2872
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5776" "2728" "2624" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5596
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2804
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2244" "2796" "2736" "2800" "0" "0" "2804" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1272
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:6132
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "6132" "2696" "2612" "2700" "0" "0" "2704" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:2016
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:5580
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5328" "2728" "2664" "2732" "0" "0" "2736" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1896
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:5864
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5864" "2680" "2588" "2684" "0" "0" "2688" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:4076
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:4992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:1740
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4992" "2732" "2664" "2736" "0" "0" "2740" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:1848
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2044
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "2044" "2412" "2632" "2452" "0" "0" "2428" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:892
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:5940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:2308
- - C:\Windows\system32\wermgr.exe
    "C:\Windows\system32\wermgr.exe" "-outproc" "0" "5940" "2772" "2196" "2776" "0" "0" "2780" "0" "0" "0" "0" "0"
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\StepLock.htm
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc9f0046f8,0x7ffc9f004708,0x7ffc9f004718
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:5384
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:6016
- C:\Windows\SysWOW64\pcaui.exe
  "C:\Windows\SysWOW64\pcaui.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:6028
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3260 /prefetch:2
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2192,12229801884309516331,22091259956346356,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4988 /prefetch:8
  2⤵
  PID:4476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3f01549ee3e4c18244797530b588dad9

SHA1
3e87863fc06995fe4b741357c68931221d6cc0b9

SHA256
36b51e575810b6af6fc5e778ce0f228bc7797cd3224839b00829ca166fa13f9a

SHA512
73843215228865a4186ac3709bf2896f0f68da0ba3601cc20226203dd429a2ad9817b904a45f6b0456b8be68deebf3b011742a923ce4a77c0c6f3a155522ab50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e174dabd3c2be42fed2c9d414c8f10c9

SHA1
dc28a0fc69d9afecb027e0fc820789c69d7de617

SHA256
ae0da20f6aed1da64bb75923fe300aff0825fed574c8af918b9244065fc923d1

SHA512
a713988b0e511b4458f283d411af90423e73d9a9746ba00b6fc868142a5e142f23414dc83ded2b90ea3bb2378762e521439d9c057f764c25da561974a1550643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53359473f9ea1caff98f045aa863a1cb

SHA1
ae60eb1812a1db2b0cca8925eedc05a06e710278

SHA256
581c2c35cd4e3f305ec4153aecaee19292a02b43f1ead84d61d4aec505efdac9

SHA512
b0c09b8ed7ffc22f55636e493aac1bc482aaf1274e6a80b1ad7c36439ccc7e4471f41a5038adf20599045bed87610de9245fd01f681799c098c29adc4d9b9889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24972e14b3f22066305a3ba8dedde5f4

SHA1
f38326076187ef66f01e2ed898d1b7c39d8cd9f2

SHA256
62394a53dcf88849a3d940129d030590b875b3e22f838296e2ad4e581ff99247

SHA512
0a35f5bd0a4ebda421ce1f5f587119f496fcbb54bcc88bbedb41e16ea424bf794071c5db12ab545c7915bbba0b86771c444e3ea1100b241837408a163195f46f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0132d1c1d5eee605b5392515773cac68

SHA1
aaffb78dc56e90643eb0c5758b37a13af7ba1905

SHA256
b9eacb6a5efa035d1eafc60ba7e2606f2eac658d4ad3f4bcb747e1578373f075

SHA512
86821c7b1d7c1c4de0180c6390da68a34de71fe9ace4377b0fc7a207ad9bbe0f7edcd70933972e3a4c8c71b39e5bec8e7466e19bd787a65ad316176f26dbee47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e66eaf7f2b29d3179918a81b69c07a8

SHA1
de89f8bac011f9edcb0ad6c5213e220c4e25c28d

SHA256
ac3b99202efa57a20871dd9ea077d41d64d9d748a9ec58ae4f135b51b26b4714

SHA512
ad23adab0de34cea60669b5676c3b971a6aaf34bde0e1c27b7075bd70e5524fe8f4e8adc70301c375b85cece293077ff2fd644223256c8cb29b6ef808feb14ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
a26df49623eff12a70a93f649776dab7

SHA1
efb53bd0df3ac34bd119adf8788127ad57e53803

SHA256
4ebde1c12625cb55034d47e5169f709b0bd02a8caa76b5b9854efad7f4710245

SHA512
e5f9b8645fb2a50763fcbffe877ca03e9cadf099fe2d510b74bfa9ff18d0a6563d11160e00f495eeefebde63450d0ade8d6b6a824e68bd8a59e1971dc842709c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
6e809f4c18466a0a63db912fb7a2441c

SHA1
d88653e1426406c3175c3fee38d55cd94a1ec5b1

SHA256
2a684a0f36716559ec3fef1d5cdcd0fa7d48cd59e40457b7adc4d7b1f9a0c9fa

SHA512
b47bb55f42d8930277dcab4d3850aba5b1f40b794f07cf1a0858b7280dc8bab243f445c50d2a45fa183c8f664c4864f476d4565c85380fc10cf45fe53d16100c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
825f4672b2b13dbc5e318c95292623b7

SHA1
ad2cd0fcbdc8ed92893a226fd248aaaca8fd09ef

SHA256
7d68fbd624740af913ab26a235ab6cc0458cfd7dfd2279aee4649bbd0a629549

SHA512
426ef6baf1782674f51d104d325b0c17efcfaa6dd552aab697e385d620619a211589faed3f0775f774c0d57aec1aa96831b5730e26e7bf2b1d75cc46d89d0e09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
0eaa2f26ba348678f88c2aba5a532466

SHA1
dacd74d4c997ac1e792c9aea46d33834e677f8b2

SHA256
75fc5deba71551842b69e10de531e635b11025603d9660b285e79b10bb978cc3

SHA512
9e58cd5393e824ab3e30eb99d137bb736bfa7df9f818d0ede6af4ac8fc88ac5673161b05b3ccfb9798999ebe8ef6b7f09166913a428ebfd4c928ad3cb5ad5424

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
35df9c974b47833678277c3aa04c3a0b

SHA1
e913859b7705bec5888b2d2623b884814875c363

SHA256
7fc51e6c659d11ab1720d24b3de27e0aa33be5f989003deb4f9c68d18c9437a6

SHA512
bcac037dc2fff9366b89c726671ea7939ffa03291fa900384ecc23b66230998b809b24a410b263d4a476ea65fb754975266cad22ec078c0b69ac3d294479a6ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
2f48018b4836aade689d815b8704c967

SHA1
84cac4e4991163c8b2a0e626ff3a16a9c65a9e3c

SHA256
eefdab0504747c7723dae95fb5ae28693f00fb5e06fdf1fcd288da0ef5da07fc

SHA512
c3e3cdd118ae0cff84e209f1b2b3724fecc0ab815de34877786f0255b8b6fcc82397ab270a510feb7fb93ed090aff20f1552f62b5002b854bdfbcd8e756e2b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
fccdcf76ecf6cb549943ffdac954a420

SHA1
46df140471090127507403198e090361bb3df8f6

SHA256
be9ff4b68d92785417781711d7dc66ee8f1832f288e8790e96f53bbdacb1b2c9

SHA512
6fc8e303ddd1b4f27a0149fb89535982877a4e69834fa82be731142e0931c2704c7403a17ebe58f5687b9ba723a0c4ad5a316f5774b6418febf27f3509889375

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
a43bccccac00a160cd373a683ecb47f2

SHA1
de22006005900956c7d62eae7bb17187351c5dbe

SHA256
ff2f42d0880123a8c5d72153daeb04f8b3520b850486619af56705e154d21033

SHA512
40c2fdc90cc8983dc9eee19f8d5b647e76f7cfd351f064fd72f05688b43bc10b466e31abb58fd10f678d448165bcc19f55be17903a1f2d79a94c76c838757ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
09ffd75104bacd9f4ed2c22e78652fdb

SHA1
a12c88581e3d7ea39e4ab82154fbcf7517e52fed

SHA256
5068ba6923cacd5a312b1b1e7a67577a2202a9ab2108f8700188abd41aea44ef

SHA512
855a1a6e3116d79d888bdb656a3af7efc3ff07b4b90d16704f54f71d3def4ae588c33d774064e5de11ced625fb2612940387e57138c7dd64951766aed6a7954c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Filesize
3KB

MD5
be6480088f364f6365e40b5f37c7bf32

SHA1
28a8aad7c538b4bc774ba03943448e51a676e2e2

SHA256
64452d75f7153db9d5165ff3835605599e85382f3503f19c3f11559f64a7dcab

SHA512
751630e7a692c807621d6430b7adcf829ab4de08e05958ef5a72424907da015e4f6015192b8a69479f231ed83733066acdc2f5de3ce2381151e083de1e25c997

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ifyews2i.nhj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
252B

MD5
ebfba0e023f4d03fb71b92b8fb113e56

SHA1
311f3b6718bf19dd9de149a7d4595114b72102e7

SHA256
7e32c1334a9d505c09dfa297be19f05ba79f35f976a281215cc2bfbc4077fa30

SHA512
495334f85fd1c7d8dcb9e89c8bb0e7b6c801c589775abc59361ccd477a65c1be27347b83dadb50aaba86f2458574470715ebdfb001d3dbc77b0a103a8ce197c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
504B

MD5
b84ef05fc58b25ab60a168534d8bd20d

SHA1
d71dd5fcb3cc64cf0b5cfe21edc10c5ae75abbb6

SHA256
96593c74c478435dbc154ed3882a3c4859b61662e13984d34e7d1ff41d7e00cf

SHA512
32c5f8b5b5a9515770ec06a4dc8ef29ff3b171a8ea4f34b6b6d1cd546eef2bd166007b1e90e4c14adbc50e9b50e71a45219e1c244f5c179802d8277a429a2bca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
756B

MD5
e116fe4ed638310b72c2d9ba4db38106

SHA1
1ff1a127ab5f8a5e3b4ecd18dd90505831c6d4b6

SHA256
b8c6dba50fb16df88a7d7d8a63711391a0268a64a838a7f39ca86ff430c7f5ff

SHA512
3dc41a3676d7ed28fba2ced94ed3eb8accc4e4f31a1f0372dbafea23cb6e5d6bbf8d2a1a8eeae057c1d035c4e82bc1b9e2d4b1b185ec08e6fe7ca8f561c37c26

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
1008B

MD5
052d6c382ea1b9a64ae0f11b6f984f13

SHA1
e2c42be53d679c2aa531088e714829a2aee1b4c6

SHA256
e8de1f387db3bc28c86343ccd8ff5048b0f18fa9b02686dd283bbf52d2037fdd

SHA512
b0e095384a63c5cff40c87ac8e87cc304f8308cd0361b86d9dfb7fc28ccc0cb3513cb3ac54be26aee3dab8fd35ecfb47caabb970ca9fc81f858af69f354595fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
1KB

MD5
cd1669b2c9c29f951010e624b46cafe6

SHA1
f1febc6301039dfc5805912b1f4adea4583359dc

SHA256
aa6106dbc53a1829e3acc42ff3384cc4667e4e992b18c04d8d48f8010bd41e27

SHA512
824339b727c82b2e194d6b0069bf1ffe3fcfb344802f1e18d1d61facf70007582bb32c1aa6f6e278e8d43f36f980238ae5856dc43302bed71d8cce7e2aec2616

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
1KB

MD5
786e7f7a632891fde98d0948af9d8632

SHA1
6c361f0c1687f83690afed79959f85cefb5d653a

SHA256
57db94c769519ec55de2db69aacc7af1f1547674af1a5faf55b0c3b605d12a55

SHA512
ce2c890a136f72ed959f488d4bca1def750a9cdcf38c220d20770816ad26f85c448d24afedc34bc8181c4aeef3fa5c40a26112c82f6aedd1bbb409445b86275c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
1KB

MD5
e67ba1c2e3f90b995427f4b6e894689a

SHA1
7599bab891f094d89bfb44ce79f48fa074a7c85f

SHA256
23759f609c7ad78cbbf1c9713589463b49160b5aae50ce1c14f37e095aec872c

SHA512
9fbdde267bef7bc99b43b493d3e07e817700c8b232688f711cde1dc6a704b7f4c4b342757f7be31a046c67697076db6d61a5374315d3c878d83bdef11dc281c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
1KB

MD5
93732752bef5f372c2166ffead8012ca

SHA1
ae396f879584371b84096f31464be1fb8672ae24

SHA256
2bd6d8e72430a7205d7d1468a5982a536f1d98d164c6ce503fd0c54ce17ef6bf

SHA512
eb3ac730a6855947c85daf48f43ef45d8e6d6fca80012f11b1c01af33a507ac17457ae3c06e2f3f05026c515e8bcbcc49a21c6b6900ff2d1c34dbc18249aafbf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

Filesize
2KB

MD5
e7b3f0075d0fb3f0cb2ab14f0ccdb990

SHA1
469f45113cd468a5280aa0193477f6c309f199fe

SHA256
d13786557e31cc3a6e63995c46419249629351b6f6f0025ad8d9580097b359dc

SHA512
6c48149ad7d3c383fe8dcec44e7a225f255d3208e60e4312bde576cf4ec6cc85a81e2f465be3e4f44f20988a0cb5cbf2b1078fa85cf328745ce7ff3139d1d16d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
18a37f6a17aaee493b56b779751c1929

SHA1
52ca388815760079efd47b2fe1c77b35db376a0a

SHA256
433b4bf82f20dd81eb23a3ffbe803f8d7c34ec42795a526b4ed9336b13b6c79b

SHA512
e4dea92d3bc7dca21d55d12201f6b5f62b238bf1fbfc4559d5d1d6ca067389514b50e3f1edf50cbd4eeadf4e2a25fd0d96f0c3f1631908a28cfdcc517fd5d6d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
7640ec0ff85f8943d085450db04fa3dd

SHA1
70684dcb93afa11f3cf9fde3738f05f762af2b0a

SHA256
c61bd36cdbe5f1cd73b03ca0b627d89e86b1698739956e093e34b25878ba08d1

SHA512
052950f4c1c3398757c98b4a3bf77acafd1ea3a6eb14c5b34284149d4cba7d60a8ec1201190b61c4227ceee0e64ab491a39281d7cafba0ccd195027a35da7c9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
b2cf6dc7012b8b33ea25e10260ad1bdf

SHA1
a75dcb9375dc30df32eba05e8b8284ed227c2e05

SHA256
12411b0b200bba543cf0c2fb6cb086172bccdff061e89c435a959b2c239dfe2e

SHA512
98219ad375d32e63bf7b8d892cb86ef89330ff3746e55f29fa73d5920433fe190d1122c0ba0e3bd77a7e9b44c426e4db1f14ca5465f93fa07839032b14d4fce4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
ad998265ec14f84e3d28dfb47bd4bded

SHA1
d38b3a671f7f24f330d304a7b7f31e3fcd3a943d

SHA256
d151e185b185834e24e8cff453e132a1d8d50a16a5a22a28d4a97bbdbabd5aa7

SHA512
030af0dbe7db6e4a7edbcac3cb4b0b245ff29d71cb5881c36568a04d9fa6e2ccadea4b4fc856a85bb59d4bc92549d8e0347253594e45de3bb7b92fd8808984bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
bfa7da20ed1ac7e1ade17010175632e8

SHA1
7a8e0874311cb58e71bb62e2e0a71953445077b1

SHA256
3407504cb1cbf0d0730196d8f787582f5e088952cd57b021941bc56fef32e3cd

SHA512
1f144c485338b3022e84b935ea9e21115cde7756a4a3f21a76ec9a708e05d90d91057e99279486a313bd92dbbd43b2b4688b418f9a371db36e99ee63fb3ac592

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
a07b35b17bd6915546e0a713b2bf54c8

SHA1
36b199e1637c15de1df903e76ab513d1142a818f

SHA256
f065e174c6155109c77140e8166d90241386d83b260dacf0a68bdbf7a7062c1d

SHA512
a56fb46c60188c09517a44259a28d31d2fe4204af41ffa756fd7f9c999f3d733e5b22241758737675bcfffef41283a3be8a2a74b993925f838633c060905fa32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
6bedfa769bd07cbf00557a06ed48b5b2

SHA1
16331a5f3dd9d9335766c08b5eb1770484dde1fe

SHA256
cddfb0c3b3437f7a7861255d534e123b876bcf8bc8ce55e856177ad62b8856e3

SHA512
526b72ec18cf4eabbd8039c744ba0203d5f7c28c8d8280183a1f8bb5284d257988d302097f593e1a9eadd3403a4853a62ad72ad54c3c06380fe39321dcbbd43c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
fd2ce1dcae9beb3f2be3e5541774e184

SHA1
2e5bd1eb8d83c9b9f85f084c46f0e1f7a43d3dd0

SHA256
4fd022400f7fd6a398d0e04113aad918809ecba0dd42142255635851e72be64f

SHA512
bee358c7b6aacf41c71651b88de88f4dc0191ac4d46dc64d9238df514f480f9a55f7ac7168023c2c9caa6169516c89ade80b718ff3e676038d05de66f00eadcf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
5eb69ac7feea5c53e8f0ef7092b57d7c

SHA1
572b5bfaaad9451c2b68f59a04d70095f5f1fbbb

SHA256
acbfe4cff91ae6274361b304779743adfc1985c35e0ec8f60eaee824df04e8c9

SHA512
311665c99c832b03fdeb34e82d7cc952146476ba34601176cb58bdb41c6a38a2de167ccd0e48e1dcd3f6cc4068a758091bc5f7dd8d51141b316e0ea9345ad725

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d5bd161fa48267b2130659ab89a941fb

SHA1
1238faea8eb643197c96e023e6ad2c50a42d43a0

SHA256
8ee1392d7b83dd55f0c4e679860f66d15e510d2b40e46d840711c913bebd4d37

SHA512
e9bca457a8211e4ff3473dbacd8c4ed43befe9fa66a7c9de257a274a4bf548cb0018a90878d4277ddd0eaf351acf712fee09c3435067d8493aaf8f7de120832a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
465f9a161e58e9a3383645021589762a

SHA1
b12eb81a26861d30e5c602d875cf977e1a27e88b

SHA256
c0ebe68359e234bdeb3f8f054382dacf3da6941e57de35cb1ad3f878994a7cf0

SHA512
2155f435e5b0172febff05d8dc41e0831049eea6c9cfe1f4cf185f7582abe9cb9798793340592840a085682e7afbc9b3f4dcb3c1fc54ef054ed7b286f2341571

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
d1f6b4a96d105b6f7a33d924eab75a93

SHA1
3043b4c39c6a5ea9201dcfab33420aa2b020409a

SHA256
a8190046131e56c76b2b6d6df3efb6b2fc1591a712715f58e8a490643844e521

SHA512
55e96cb5b77a232c126f73a497c6ef6f0ace3acafe89f249d808614046c9aaaaf131dbc81ff18cae37b35bb132acfb85ddbda5ff542e6e8a3b98d2e520321d1f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
9b7bee3f3d420e2bec97f1c705686a4b

SHA1
139070826b3217e7bce4c94c200e15d9dfa5f785

SHA256
a9f61b2cadf3fe008fa8aaa6bfeb80b148b5e46e4f46bbba474272205eacdbf6

SHA512
660bd4ab007c56f28497eb03345546f6c56c076bcab637cd7799753de01cf82da4a6782adfbcf88dbfeca45b87b7abbb74fd63923a05970c64e40ec19ceea211

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
adb7ec3ffe881349b3efd40bb771ce3b

SHA1
2c852d3d58572111effcde76c69d8bba54a81bb6

SHA256
74a4c3a6e1b05dbab239edf1cd46ef0742c0668ecada68454cc808452bc43dba

SHA512
0e19e97e68dfdd340d09ce28f164088ee35e9ed5f7e35469158145261a43097ba63ec65bf136c8225f60e577844b0e7ff365e4e5d008b5e9e3088e68205c8b12

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
6KB

MD5
f8419876dd071678805978e6b21f497d

SHA1
00d84e6119b9e90a89f69080a36f7c4482afafe9

SHA256
cbce357860c52943901fda61230cabd163e71178461a351e7c7c8d17d07586e2

SHA512
6b0fb18c8e15e8e2ae74495f7abe8457f5f00c137c5c119ff805bd136e47254372790dc7660ebf528097853dc13ce974e679aac96304fa374e639a7c3c7eeb9c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MHNO4UK72FOCR46MRLOB.temp

Filesize
6KB

MD5
1a79f0a2bca009d5ecdabdb5565a7b69

SHA1
b38c7ff64cc5edcd9e4fd5dde480da36cf4585d4

SHA256
6ee4549983ca99e573f41efbbfb6f3d4258082ae9b7df9cce39549ce76490bd0

SHA512
1e86295489590461ab3691d2455faf1aadf5c49874ec98b6725de615d2c037589b6b45ab93ecab13180a1421ce101f837bbd25654c1da2a27ec99085771e4a1a

Download Submit
C:\Users\Admin\AppData\Roaming\mBUojysElnsNYdM.vbs

Filesize
2KB

MD5
48a6b987d0cde29aca20f8162a24e89b

SHA1
44cc5f173979e6ca893f9cb14f6b0c3bfab0992f

SHA256
693d00bde18e9246ea67b1c6db570d5092aa1c1a5f48d582e0905c518f7560c2

SHA512
00a4e31e5b7a6db0ea3849d5711f37c431d641bf871bdcbc7e382cd840fc496f4ae12601b7ad10fe64b451532caa91d79c6b0fdae93c6a1ece2057aa2a93ec4b

Download Submit
\??\pipe\LOCAL\crashpad_3756_PBYKUVRBFZOZAZKC

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2440-193-0x000001A7F6E30000-0x000001A7F6EE2000-memory.dmp

Filesize
712KB

Download
memory/3152-87-0x000001DEACD10000-0x000001DEACD1A000-memory.dmp

Filesize
40KB

Download
memory/3152-86-0x000001DEACD00000-0x000001DEACD0A000-memory.dmp

Filesize
40KB

Download
memory/3152-4-0x000001DEACBB0000-0x000001DEACBD2000-memory.dmp

Filesize
136KB

Download
memory/3152-15-0x000001DEAF1C0000-0x000001DEAF236000-memory.dmp

Filesize
472KB

Download
memory/3152-14-0x000001DEAF0F0000-0x000001DEAF134000-memory.dmp

Filesize
272KB

Download
memory/5792-117-0x0000000000DA0000-0x0000000000DE7000-memory.dmp

Filesize
284KB

Download
memory/5792-88-0x0000000000DA0000-0x0000000000DE7000-memory.dmp

Filesize
284KB

Download
memory/6028-118-0x0000000000590000-0x00000000005D3000-memory.dmp

Filesize
268KB

Download
memory/6028-128-0x0000000000590000-0x00000000005D3000-memory.dmp

Filesize
268KB

Download