f951a36c7c6485239857f9a6ce836936cba6411641ceee73918ead728ccc588f

Analysis

max time kernel
1800s
max time network
1591s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
29-09-2024 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KMS_pic0-setupz.bat
Size

672B
MD5

4d8017d360dfa9fe6fd0a3fe2381772d
SHA1

de69f37f69d6e20268be2bc8230ff595cb5932f7
SHA256

b690cb1a46cede9d4260a3f2746aa7c3e4c66c899c85716cb967014c7fe988e8
SHA512

18e9eb52805108a4b8175f09465a7618ea211b13fbf123e05f17c347174e81b3a0c098b2bfb019fea0b1fdd876e393ba8fb3faf483bca2f8bd2cfb5ee57a2b40

Score

4^/10

discovery

Malware Config

Signatures

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	info.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	info.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	info.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Delays execution with timeout.exe 2 IoCs

evasion

pid	Process
4212	timeout.exe
3960	timeout.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5116	taskkill.exe
4152	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 69c7c0e12e12db01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 008111316112db01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DXFeatureLevel = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$WordPress	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 1ce8cecb2e12db01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Discuz!	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$http://www.typepad.com/	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = b02ca4103232db01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\Extensions	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 8ab3cce12e12db01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$MediaWiki	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "433749100"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = 0000000000000000	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DummyPath	MicrosoftEdge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4184	info.dll
4184	info.dll
4184	info.dll
4184	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4644	info.dll

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
524	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2968	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2968	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2968	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1352	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1352	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1352	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1352	MicrosoftEdgeCP.exe
Token: SeShutdownPrivilege	1352	MicrosoftEdgeCP.exe
Token: SeCreatePagefilePrivilege	1352	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3928	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	3928	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4152	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4644	info.dll
4644	info.dll
1952	info.dll
1952	info.dll
4184	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4644	info.dll
1952	info.dll
4644	info.dll
1952	info.dll

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4644	info.dll
4644	info.dll
1952	info.dll
1952	info.dll
4184	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
4644	info.dll
1952	info.dll
4184	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
4644	info.dll
4184	info.dll
1952	info.dll
1952	info.dll
1952	info.dll

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3932	MicrosoftEdge.exe
524	MicrosoftEdgeCP.exe
2968	MicrosoftEdgeCP.exe
524	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 4644	3672	cmd.exe	74
PID 3672 wrote to memory of 4644	3672	cmd.exe	74
PID 3672 wrote to memory of 4644	3672	cmd.exe	74
PID 4644 wrote to memory of 964	4644	info.dll	75
PID 4644 wrote to memory of 964	4644	info.dll	75
PID 4644 wrote to memory of 964	4644	info.dll	75
PID 4644 wrote to memory of 4060	4644	info.dll	76
PID 4644 wrote to memory of 4060	4644	info.dll	76
PID 4644 wrote to memory of 4060	4644	info.dll	76
PID 964 wrote to memory of 4184	964	cmd.exe	80
PID 964 wrote to memory of 4184	964	cmd.exe	80
PID 964 wrote to memory of 4184	964	cmd.exe	80
PID 4060 wrote to memory of 1952	4060	cmd.exe	79
PID 4060 wrote to memory of 1952	4060	cmd.exe	79
PID 4060 wrote to memory of 1952	4060	cmd.exe	79
PID 4184 wrote to memory of 316	4184	info.dll	81
PID 4184 wrote to memory of 316	4184	info.dll	81
PID 4184 wrote to memory of 316	4184	info.dll	81
PID 4184 wrote to memory of 2392	4184	info.dll	82
PID 4184 wrote to memory of 2392	4184	info.dll	82
PID 4184 wrote to memory of 2392	4184	info.dll	82
PID 316 wrote to memory of 4212	316	cmd.exe	85
PID 316 wrote to memory of 4212	316	cmd.exe	85
PID 316 wrote to memory of 4212	316	cmd.exe	85
PID 2392 wrote to memory of 3960	2392	cmd.exe	86
PID 2392 wrote to memory of 3960	2392	cmd.exe	86
PID 2392 wrote to memory of 3960	2392	cmd.exe	86
PID 524 wrote to memory of 4208	524	MicrosoftEdgeCP.exe	92
PID 524 wrote to memory of 4208	524	MicrosoftEdgeCP.exe	92
PID 524 wrote to memory of 4208	524	MicrosoftEdgeCP.exe	92
PID 524 wrote to memory of 4208	524	MicrosoftEdgeCP.exe	92
PID 524 wrote to memory of 4208	524	MicrosoftEdgeCP.exe	92
PID 524 wrote to memory of 4208	524	MicrosoftEdgeCP.exe	92
PID 524 wrote to memory of 1352	524	MicrosoftEdgeCP.exe	91
PID 524 wrote to memory of 1352	524	MicrosoftEdgeCP.exe	91
PID 524 wrote to memory of 1352	524	MicrosoftEdgeCP.exe	91
PID 524 wrote to memory of 1352	524	MicrosoftEdgeCP.exe	91
PID 524 wrote to memory of 1352	524	MicrosoftEdgeCP.exe	91
PID 316 wrote to memory of 5116	316	cmd.exe	97
PID 316 wrote to memory of 5116	316	cmd.exe	97
PID 316 wrote to memory of 5116	316	cmd.exe	97
PID 2392 wrote to memory of 4152	2392	cmd.exe	98
PID 2392 wrote to memory of 4152	2392	cmd.exe	98
PID 2392 wrote to memory of 4152	2392	cmd.exe	98

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\KMS_pic0-setupz.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Users\Admin\AppData\Local\Temp\info.dll
  info.dll reginfo.dll
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4644
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call Data\0\1\2\3\4\5\6\7\8\9\info.dll Data\0\1\2\3\4\5\6\7\8\9\data.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Users\Admin\AppData\Local\Temp\Data\0\1\2\3\4\5\6\7\8\9\info.dll
      Data\0\1\2\3\4\5\6\7\8\9\info.dll Data\0\1\2\3\4\5\6\7\8\9\data.dll
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:4184
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c timeout 300 && taskkill /f /im info.dll
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:316
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 300
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:4212
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im info.dll
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c timeout 300 && taskkill /f /im info.dll
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\SysWOW64\timeout.exe
        
        timeout 300
        6⤵
        System Location Discovery: System Language Discovery
        Delays execution with timeout.exe
        
        PID:3960
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im info.dll
        6⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c call Data\0\1\2\3\4\5\6\7\8\9\info.dll Data\0\1\2\3\4\5\6\7\8\9\check.dll
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\Data\0\1\2\3\4\5\6\7\8\9\info.dll
      Data\0\1\2\3\4\5\6\7\8\9\info.dll Data\0\1\2\3\4\5\6\7\8\9\check.dll
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:1952

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3932

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2344

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2968

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1352

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4208

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4320

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:3152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4RWS5CSS\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\NVYB3WZ7\icon[1].ico

Filesize
33KB

MD5
01f883489a9f80b1c07d6c3d147a4b75

SHA1
a60e83f273e7a0d4ba097f77bd6cdb890a548805

SHA256
657f68bfd98bbea2979035fdba943eb5c7c438c33f0ab9f586ca70692f647ab7

SHA512
38716d880b7d69ce50dc8876b2f5bcd34bff9d040c71267b7f168a3ed27258eec606d33c3df4bed3762b7bdbf4179f1a931a00b639229c503507889bd0ff7e48

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\ImageStore\hk3kw9m\imagestore.dat

Filesize
43KB

MD5
ed88bfed053c31bbfeca9898d6df7580

SHA1
cdb429433f0b1ff69959ff0a795e10cf79dd327b

SHA256
e5c8797ee3f5bc486a1ef4efbb3fb8c0518a027e8fb66dccc4cf6d05d75fbb08

SHA512
bc818ed59ed34ad0e005736f74b703625730b6b59eb137ebb218142246c4361bb79ca9c94c627b6521f8298977b629ad3d526e0ec33f6c042a81c25e8494ddd9

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\94QRFRGU\bootstrap.min[1].css

Filesize
137KB

MD5
04aca1f4cd3ec3c05a75a879f3be75a3

SHA1
675fcf28f9fbf37139d3b2c0b676f96f601a4203

SHA256
7928b5ab63c6e89ee0ee26f5ef201a58c72baf91abb688580a1aa26eb57b3c11

SHA512
890415fa75ed065992dd7883aed98bfbdfd9fa26eec7e62ea30263238adca4eecd6204f37d33a214d9b4f645ad7d9cc407d7d0e93c0e55cf251555a8a05b83ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\94QRFRGU\jquery-3.6.3.min[1].js

Filesize
87KB

MD5
cf2fbbf84281d9ecbffb4993203d543b

SHA1
832a6a4e86daf38b1975d705c5de5d9e5f5844bc

SHA256
a6f3f0faea4b3d48e03176341bef0ed3151ffbf226d4c6635f1c6039c0500575

SHA512
493a1fe319b5c2091f9bb85e5aa149567e7c1e6dc4b52df55c569a81a6bc54c45e097024427259fa3132f0f082fe24f5f1d172f7959c131347153a8bca9ef679

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
1KB

MD5
1fcc9f6b7c300e4e23c18bdfd7bf454e

SHA1
df7e142e47dce735dda0781e136dd41fb591f5f5

SHA256
0edff5c77bca2992bf414cfecdc9a2f27b6fd9711a20480d1a847e21dbdade58

SHA512
b47f77d4be0cf2ea0bd0fe6f0ec89fa9db581c8ac0432ba3500ffbb8d5f58514c75a25373d13b747a775c2fcced6433d5f8aba6ad56a3c5f1ee8c37ee4f706c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
7fb5fa1534dcf77f2125b2403b30a0ee

SHA1
365d96812a69ac0a4611ea4b70a3f306576cc3ea

SHA256
33a39e9ec2133230533a686ec43760026e014a3828c703707acbc150fe40fd6f

SHA512
a9279fd60505a1bfeef6fb07834cad0fd5be02fd405573fc1a5f59b991e9f88f5e81c32fe910f69bdc6585e71f02559895149eaf49c25b8ff955459fd60c0d2e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
2KB

MD5
e346e541a26c634136bccebea4c3b88b

SHA1
285c70b0b6dc9064664e81c0ec4d1f1647d1bb49

SHA256
140763b9c25c8b4edcb956734f9ac58abb1794aac0a56df88d040ea625d829d4

SHA512
7d548ff683bedfa6e798c71f73a1f0ab03dc3691fc515f25c1eedbcb5df3a3b9b7c921d7e6159dc175ee5537fb8f4c5fb5b129bd514c4753bb88895a5edd76bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
1KB

MD5
e69f794d44ad0384d26707477c427cb7

SHA1
4406db0a0be3b0ab06d0320cb47669a8f6064798

SHA256
df7eb807f3ada780c1010944b10dec51d07a27195671e2b1628eaf6b1b7353df

SHA512
c37eb6421aa423efec20b6502732582d552e3dd710c25c6643d37a5e3442ed2b573badf69a5e3c4b6c93a59a38a7292e82be90d741a77e9f5a36d6a9b2a02089

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_59B4B55A6B001CCF01BC4A01A1C52900

Filesize
471B

MD5
3099d54406e51ba4e820b7103bce1dca

SHA1
8ef202b3cb586f7683a6889e9c968c77932f12fa

SHA256
3e6433c9cff73dacd4cf0c504a08084ad41537e9fa3d6a86001c5d5b325c9855

SHA512
fce125900d59a2999dc821bea9e110e128450e6959d992e73016dbdb0f6c1f0ae9159d70dc626a9501c0ce11a815bb9f2972413147130f1fa66e86f18cf7ad61

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
2c225a647fe0b38db2728729354a6f01

SHA1
6e3e71ad722f07bae585a4b47cdb39611ee6f18e

SHA256
bb7c8eb35757f303f58e9537f8326d8c558d71832717c2c82727d9566c1d2448

SHA512
8e07b5ac8b22c162a61dc736082620161174cb2a8262831b94caa025104640dd6fb7a3b12a03c372cf6497f8bea012c1b0e761a5472b73d35fdaba218c5c00df

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
338B

MD5
905060eee2b5dfabc062b4c5662d4d75

SHA1
f90553824a8320571bd7f1f69b4ca7cc54313582

SHA256
c09e84661693078a20d520bf1c24ea400687c08049c8e1350ad0dc3b2c49054d

SHA512
746229e12a7842408304baf5fa3bd7e6ae392a25486e0c581d38c51a5ad1695e5a860e50065e04e5196bfb086a1af6cbf8909aea61f42da5a79a0c9d0fbe785a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

Filesize
434B

MD5
25da20c2ea02b9c90202a29e5645ad59

SHA1
9bef8d64f65ff0822b6dd5a0b6460c80abb6e799

SHA256
8e9af529b909d2d9f3644ffd23a353b0c132d57fccffd5d138402304c2b75f79

SHA512
b0917cd9584112d071cdf44c16bd6d382965750a9693189f46d9740897042cbb9de415436c7f1260ef10fed081c32e2808a9f887d3e2d40080cee82ad6bc4881

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
54f789130bdaef70ab780bc0f81eb4e6

SHA1
2c6aa52b9b7b82139e1d27cf95d16158d980432c

SHA256
4d45fb49362a0f6cf3e22b0ff792e48ee7edfc5eb91381d20d901ddecb4b5b88

SHA512
e463dd41ac41ff267a36c40866e67d3169464b3570970853fc90c4bd43527ad400dccb55a334bb5572cee35bbdf5fdbc9b2351348322c07d8dd8fc53f16bab8e

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
bb983c095ddba07c1a8f945c26c57635

SHA1
4b4ccceeb69f3aa06a441f01362dd7fc54f97ee4

SHA256
4ea8638e5a7507513c328b7a4554d7aaac3c0c8f8eb834a57557a5b5c4809437

SHA512
ff5df165e1f50c522394bde08e17c3655b1540ed17dda61732a28815fb41c60107b88c9b813a5c9303321f62e27f51ec4565f9db8311b38a6b07341ff7759427

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

Filesize
458B

MD5
1d88dc6507be5d034a0994eacfe51550

SHA1
88d6a403eb9640a5b39475c2e9ec6c75b5be6c9e

SHA256
36e38cc6a264ee97078a4717c9df1cccb3f7021f8195dce3c2281af58375d7d2

SHA512
506392ade140a6052d3917638f820842384b2d839f84772112b9dc8664dcdd766362d05a66aef9b40465ca511e7ce688baab9106accc3fad944f790c0f98aebe

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

Filesize
432B

MD5
d200e8b65b6d3637c79f2879159c8d11

SHA1
55b2276742b8b56e308441568f043eb80d5bf49b

SHA256
e66e187151073b9321f84108e8577e0c12dccb55940857510b242957caaeb912

SHA512
d9f1aa8a2fa44566482094211af19147c3c977c00002886e3b124b7f70bb641e59006176d450b084af15b9f58fafa984d174967229d987dda1f4b43c03430be4

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_59B4B55A6B001CCF01BC4A01A1C52900

Filesize
426B

MD5
58f8197afd33ae890090f6746a67d2bc

SHA1
84864ec6637032180cfe1672e525ece9199c48a2

SHA256
28e29b74843a6ae69c857829e4755f9b6b9885a19b33c59d2ccbef53cee6ba93

SHA512
5eb8191b0e42aa3b1f1b03a37640b4dcdb2ee1a2dd676ff176d15b5fcfef8e556ae12dc33664bc875b874f361f1ae221133d7fee4e0efddb998385e0b8dd8131

Download Submit
memory/1352-219-0x000001A564510000-0x000001A564512000-memory.dmp

Filesize
8KB

Download
memory/1352-217-0x000001A564500000-0x000001A564502000-memory.dmp

Filesize
8KB

Download
memory/1352-213-0x000001A562DA0000-0x000001A562DA2000-memory.dmp

Filesize
8KB

Download
memory/2968-50-0x000002DD684C0000-0x000002DD685C0000-memory.dmp

Filesize
1024KB

Download
memory/2968-48-0x000002DD684C0000-0x000002DD685C0000-memory.dmp

Filesize
1024KB

Download
memory/3932-6-0x000001FABF520000-0x000001FABF530000-memory.dmp

Filesize
64KB

Download
memory/3932-41-0x000001FABCBF0000-0x000001FABCBF2000-memory.dmp

Filesize
8KB

Download
memory/3932-186-0x000001FAC5CE0000-0x000001FAC5CE1000-memory.dmp

Filesize
4KB

Download
memory/3932-187-0x000001FAC5CF0000-0x000001FAC5CF1000-memory.dmp

Filesize
4KB

Download
memory/3932-22-0x000001FABF620000-0x000001FABF630000-memory.dmp

Filesize
64KB

Download
memory/4208-107-0x000001D944340000-0x000001D944342000-memory.dmp

Filesize
8KB

Download
memory/4208-137-0x000001D955670000-0x000001D955672000-memory.dmp

Filesize
8KB

Download
memory/4208-139-0x000001D955690000-0x000001D955692000-memory.dmp

Filesize
8KB

Download
memory/4208-104-0x000001D944310000-0x000001D944312000-memory.dmp

Filesize
8KB

Download
memory/4208-109-0x000001D944360000-0x000001D944362000-memory.dmp

Filesize
8KB

Download
memory/4208-135-0x000001D955650000-0x000001D955652000-memory.dmp

Filesize
8KB

Download