xworm | 3dae4c211901decdd6381c72f584bea8f0604a954b44d98ac9c406d0e3730d03

Analysis

max time kernel
87s
max time network
86s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
13/10/2024, 03:27

Sharing

Copy URL Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

nigger.exe
Size

62KB
MD5

6cffd409d1e3a1a446fae15796f29509
SHA1

1b502700dd33751c64da20807e61b2a0dff0a930
SHA256

3dae4c211901decdd6381c72f584bea8f0604a954b44d98ac9c406d0e3730d03
SHA512

c43130dfe3b25262570e01abb4fe4bfb0825436f093f114a33706174927d39ee3c1048c6fd47e5061730438e9b1776b306a51e60491d2c100a53b6704a373346
SSDEEP

1536:IecJgnuA0vUsnTvxT+bRgP3IS6eO4MOY2:rP0vUsnTv9+bRggiO4Ml2

Score

10^/10

xworm bootkit execution persistence rat trojan

Malware Config

Extracted

Family

xworm

147.185.221.23:19686

Attributes

Install_directory
%AppData%
install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/4208-1-0x0000000000320000-0x0000000000336000-memory.dmp	family_xworm
behavioral1/files/0x000d00000001ab44-188.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3640	powershell.exe
3564	powershell.exe
2408	powershell.exe
2640	powershell.exe

Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	nigger.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System User.lnk	nigger.exe

Executes dropped EXE 4 IoCs

pid	Process
4848	System User
4436	System User
5176	Monoxidex64.exe
5308	箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Windows\CurrentVersion\Run\System User = "C:\\Users\\Admin\\AppData\\Roaming\\System User"	nigger.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
115	raw.githubusercontent.com
116	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{2D18989E-100B-487C-9D23-9A1818BD8E = 571ecf0d201ddb01	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\www.bing.com\ = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.msn.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\NumberOfSubdomains = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\msn.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "23"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "610"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\bing.com\Total = "658"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\EdpDomStorage\msn.com	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\002\Internet Explorer\DOMStorage\www.bing.com\ = "132"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = 90fb3370d635db01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Monoxidex64.exe.tl7pb3e.partial:Zone.Identifier	browser_broker.exe
File created	C:\Users\Admin\AppData\Local\Temp\箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.exe\:Zone.Identifier:$DATA	Monoxidex64.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1592	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3640	powershell.exe
3640	powershell.exe
3640	powershell.exe
3564	powershell.exe
3564	powershell.exe
3564	powershell.exe
2408	powershell.exe
2408	powershell.exe
2408	powershell.exe
2640	powershell.exe
2640	powershell.exe
2640	powershell.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe
4208	nigger.exe

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	nigger.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeIncreaseQuotaPrivilege	3640	powershell.exe
Token: SeSecurityPrivilege	3640	powershell.exe
Token: SeTakeOwnershipPrivilege	3640	powershell.exe
Token: SeLoadDriverPrivilege	3640	powershell.exe
Token: SeSystemProfilePrivilege	3640	powershell.exe
Token: SeSystemtimePrivilege	3640	powershell.exe
Token: SeProfSingleProcessPrivilege	3640	powershell.exe
Token: SeIncBasePriorityPrivilege	3640	powershell.exe
Token: SeCreatePagefilePrivilege	3640	powershell.exe
Token: SeBackupPrivilege	3640	powershell.exe
Token: SeRestorePrivilege	3640	powershell.exe
Token: SeShutdownPrivilege	3640	powershell.exe
Token: SeDebugPrivilege	3640	powershell.exe
Token: SeSystemEnvironmentPrivilege	3640	powershell.exe
Token: SeRemoteShutdownPrivilege	3640	powershell.exe
Token: SeUndockPrivilege	3640	powershell.exe
Token: SeManageVolumePrivilege	3640	powershell.exe
Token: 33	3640	powershell.exe
Token: 34	3640	powershell.exe
Token: 35	3640	powershell.exe
Token: 36	3640	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeIncreaseQuotaPrivilege	3564	powershell.exe
Token: SeSecurityPrivilege	3564	powershell.exe
Token: SeTakeOwnershipPrivilege	3564	powershell.exe
Token: SeLoadDriverPrivilege	3564	powershell.exe
Token: SeSystemProfilePrivilege	3564	powershell.exe
Token: SeSystemtimePrivilege	3564	powershell.exe
Token: SeProfSingleProcessPrivilege	3564	powershell.exe
Token: SeIncBasePriorityPrivilege	3564	powershell.exe
Token: SeCreatePagefilePrivilege	3564	powershell.exe
Token: SeBackupPrivilege	3564	powershell.exe
Token: SeRestorePrivilege	3564	powershell.exe
Token: SeShutdownPrivilege	3564	powershell.exe
Token: SeDebugPrivilege	3564	powershell.exe
Token: SeSystemEnvironmentPrivilege	3564	powershell.exe
Token: SeRemoteShutdownPrivilege	3564	powershell.exe
Token: SeUndockPrivilege	3564	powershell.exe
Token: SeManageVolumePrivilege	3564	powershell.exe
Token: 33	3564	powershell.exe
Token: 34	3564	powershell.exe
Token: 35	3564	powershell.exe
Token: 36	3564	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeIncreaseQuotaPrivilege	2408	powershell.exe
Token: SeSecurityPrivilege	2408	powershell.exe
Token: SeTakeOwnershipPrivilege	2408	powershell.exe
Token: SeLoadDriverPrivilege	2408	powershell.exe
Token: SeSystemProfilePrivilege	2408	powershell.exe
Token: SeSystemtimePrivilege	2408	powershell.exe
Token: SeProfSingleProcessPrivilege	2408	powershell.exe
Token: SeIncBasePriorityPrivilege	2408	powershell.exe
Token: SeCreatePagefilePrivilege	2408	powershell.exe
Token: SeBackupPrivilege	2408	powershell.exe
Token: SeRestorePrivilege	2408	powershell.exe
Token: SeShutdownPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeSystemEnvironmentPrivilege	2408	powershell.exe
Token: SeRemoteShutdownPrivilege	2408	powershell.exe
Token: SeUndockPrivilege	2408	powershell.exe
Token: SeManageVolumePrivilege	2408	powershell.exe
Token: 33	2408	powershell.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
4208	nigger.exe
4112	MicrosoftEdge.exe
2308	MicrosoftEdgeCP.exe
3068	MicrosoftEdgeCP.exe
2308	MicrosoftEdgeCP.exe
2900	MicrosoftEdgeCP.exe
2900	MicrosoftEdgeCP.exe
5176	Monoxidex64.exe
5308	箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.exe

Suspicious use of WriteProcessMemory 49 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 3640	4208	nigger.exe	73
PID 4208 wrote to memory of 3640	4208	nigger.exe	73
PID 4208 wrote to memory of 3564	4208	nigger.exe	76
PID 4208 wrote to memory of 3564	4208	nigger.exe	76
PID 4208 wrote to memory of 2408	4208	nigger.exe	78
PID 4208 wrote to memory of 2408	4208	nigger.exe	78
PID 4208 wrote to memory of 2640	4208	nigger.exe	80
PID 4208 wrote to memory of 2640	4208	nigger.exe	80
PID 4208 wrote to memory of 1592	4208	nigger.exe	82
PID 4208 wrote to memory of 1592	4208	nigger.exe	82
PID 2308 wrote to memory of 2712	2308	MicrosoftEdgeCP.exe	94
PID 2308 wrote to memory of 2712	2308	MicrosoftEdgeCP.exe	94
PID 2308 wrote to memory of 2712	2308	MicrosoftEdgeCP.exe	94
PID 2308 wrote to memory of 2712	2308	MicrosoftEdgeCP.exe	94
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 4324	2308	MicrosoftEdgeCP.exe	97
PID 2308 wrote to memory of 2780	2308	MicrosoftEdgeCP.exe	98
PID 2308 wrote to memory of 2780	2308	MicrosoftEdgeCP.exe	98
PID 2308 wrote to memory of 2780	2308	MicrosoftEdgeCP.exe	98
PID 2308 wrote to memory of 2780	2308	MicrosoftEdgeCP.exe	98
PID 2308 wrote to memory of 2780	2308	MicrosoftEdgeCP.exe	98
PID 2308 wrote to memory of 2780	2308	MicrosoftEdgeCP.exe	98
PID 2308 wrote to memory of 2780	2308	MicrosoftEdgeCP.exe	98
PID 1748 wrote to memory of 5176	1748	browser_broker.exe	103
PID 1748 wrote to memory of 5176	1748	browser_broker.exe	103
PID 5176 wrote to memory of 5308	5176	Monoxidex64.exe	105
PID 5176 wrote to memory of 5308	5176	Monoxidex64.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\nigger.exe
"C:\Users\Admin\AppData\Local\Temp\nigger.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nigger.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nigger.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3564
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System User'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System User'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2640
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System User" /tr "C:\Users\Admin\AppData\Roaming\System User"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1592

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4112

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:1748
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Monoxidex64.exe
  "C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\Monoxidex64.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:5176
- - C:\Users\Admin\AppData\Local\Temp\箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.exe
    "C:\Users\Admin\AppData\Local\Temp\箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    PID:5308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2308

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3068

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2712

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2900

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4324

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:2780

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:5652

C:\Users\Admin\AppData\Roaming\System User
"C:\Users\Admin\AppData\Roaming\System User"
1⤵
- Executes dropped EXE
PID:4436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System User.log

Filesize
654B

MD5
16c5fce5f7230eea11598ec11ed42862

SHA1
75392d4824706090f5e8907eee1059349c927600

SHA256
87ba77c13905298acbac72be90949c4fe0755b6eff9777615aa37f252515f151

SHA512
153edd6da59beea6cc411ed7383c32916425d6ebb65f04c65aab7c1d6b25443d143aa8449aa92149de0ad8a975f6ecaa60f9f7574536eec6b38fe5fd3a6c6adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\OHP8MVFQ\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f611758ceaf7bffa54f974e024d6122

SHA1
25d024b8bce018d5af85e9d89abec3606c46b89e

SHA256
c3228031daa553299f0fe66a44f68abdf9440b73add1e3440be42f6a57c60eab

SHA512
8a7e2d7b2dd34249c7c2e92abd3fe8a0affe59ba4680357be145fdc4840e75bd87121eb252fd8ff3156ca30ffa1c68933e4b016cc080c4963171b8c8abd89322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1c50f3054594d840123bb3b98baf068a

SHA1
a31661b5f118abcff55224f92310a07a452acb77

SHA256
4fb919b60a1e3c9bded3a73c29ec19a4be88379ec2b3c189732a0f6e7d91b5b0

SHA512
f08bad669fe8a84b81b6c2e1900aa1c34ac5c503646638e604c8db5005616ea5d772bdc786351fcfdc8e29bc904b652b2b01e97e8c70c4dba34cb6357f3450a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1e75d08efba7d575e8dedd5271fc5239

SHA1
00c3e9b3d030d55bd83cafa44b325067e471cf48

SHA256
edd975eaad75d986f4b7ea1b130c8c0e38c655be2965805880d0d49d3e51066a

SHA512
aa4e98fd0ca2c9fc3e7f984b6042ef66e7412fc1fa5ddbae3351336e78ac34389bc51b21e4f8301c853520d95e0e9c3d6c3602b6f3fb8fc9dcfe132468dc2aef

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EXYBCYF\ReP1fn7xH2SlyMEr6cgsnGdGQbQ.br[1].js

Filesize
19KB

MD5
c24946d5ca51b44e36dd08157591b7ce

SHA1
df7afaa94daa05f1e183d66b72617d0edb22b713

SHA256
1b06ed138c18a7b8750ba1f703055d0f4815544ac4ee47315e32deed73318a27

SHA512
8367aced8c523d4972cf61a50d338db0fc660df5e7d7e82597857965743612983e116456ee3d46a959d040dd525f73a444eb7d660294a5da6980a49d37a3cc87

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EXYBCYF\Yb-MiHwFpZo4XYbuuNLKCnyhd1M.gz[1].css

Filesize
715B

MD5
aca7b62ef304e4e17941914622bf3a91

SHA1
0d66f41d9084a43dd339dfa584d0c44fc3c438e3

SHA256
a4579184b85367432ce944bc8652024345ba631b3e16bcf6330a9be1c45c1591

SHA512
7bf21542a5b092d32ed1bee229447baecdb9c2e9bdc4ec7f6cd7101f84ce67039e2142ac6413b9a231a77a427e8959b99edbd2445c293af54c0135c7c303c344

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EXYBCYF\_ykiGO1K5rjAQeICdJheT3jfLeY.gz[1].css

Filesize
589B

MD5
7a903a859615d137e561051c006435c2

SHA1
7c2cbeb8b0e83e80954b14360b4c6e425550bc54

SHA256
281d6234fd292800c2a5dbd14e524c9cee0d4438188b0b7d873abf41515a7666

SHA512
aa47efab7ec689b838d1e5adfe26e035e8b93f2b806f1954214447cb2065fa5906f81a70b4c656b3ce1490d8ac2009c7e7b0f96491d6d4559c41fb25d08fe35c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EXYBCYF\g2mFaePdYzQOubI8JEItbebrED8.gz[1].css

Filesize
824B

MD5
6d94f94bfb17721a8da8b53731eb0601

SHA1
ae540db8d146e17cfc3d09d46b31bd16b3308a6d

SHA256
21829c74fce2c9bbbb3099a7a487de71465ed712410c32bc6c69884db07a90dd

SHA512
bf33fb4858b56f888108bcd5c2691613b68715e260e59c1e37a050a709be04a8e0eaf5509667183a0d51f1201e58c02df4f744a0772242ee5b61595c44c072e7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EXYBCYF\nt6a1ZR520utsLoZmSYgwxdOPgI[1].js

Filesize
606B

MD5
0c2672dc05a52fbfb8e3bc70271619c2

SHA1
9ede9ad59479db4badb0ba19992620c3174e3e02

SHA256
54722cf65ab74a85441a039480691610df079e6dd3316c452667efe4a94ffd39

SHA512
dd2b3e4438a9deaa6b306cbc0a50a035d9fe19c6180bc49d2a9d8cdbb2e25d9c6c8c5265c640ac362dc353169727f8c26503e11a8a061a2517a303f61d0ccd3c

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EXYBCYF\t1nvbgFHbi6nw5Gh_mTVw1j5C8Q.br[1].css

Filesize
51KB

MD5
043464dee028cbe6fa272058fa2d1270

SHA1
d216010e0a56972c4794343aa7b5dc2e6e9e0304

SHA256
fd3e041a0545af54d319c91ac78d402a08794f3c4408c75b91dddfd82cfeba7a

SHA512
41e4ea9b4956181e13296cba1b64ae19ce134e06fe9ccbeb6eb4de43a06d9bb8d54359d13ea325502d93071a195e57e487fd6e073fcbd891d80ef106443698c0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\8EXYBCYF\xvEz2IbMlyghPZ3oNAHr9N-xMOA.br[1].js

Filesize
6KB

MD5
dc221228e109f89b8b10c48f2678fb46

SHA1
1bfc85cba5c424136941ac1dfd779a563b5beed4

SHA256
f4fb7234959f48c2b2ca73fd6c35d36eaf65d8c431d982a1ba208f5cdc766419

SHA512
46f49e5ac18436251778d1f50c027729a2442ed6541c3162d878720703e37797b6028d96eb1568c23ec5006fb022c8e05855e250d6a1a590f41e890866529cd2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\5L3iD467J3iJWEPwIjxlK0MMDpY.br[1].js

Filesize
1KB

MD5
2ef3074238b080b648e9a10429d67405

SHA1
15d57873ff98195c57e34fc778accc41c21172e7

SHA256
e90558eb19208ad73f0de1cd9839d0317594bf23da0514f51272bf27183f01da

SHA512
c1d7074a0ebf5968b468f98fc4c0c7829999e402dd91c617e679eeb46c873dc04096cbf9277e115fc42c97516a6c11a9f16afa571e00f0d826beb463e2d1f7b0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\CcMXS8Oo0OUnUE0LzYK9AFJ6la8.br[1].js

Filesize
1KB

MD5
0c0ad3fd8c0f48386b239455d60f772e

SHA1
f76ec2cf6388dd2f61adb5dab8301f20451846fa

SHA256
db6dde4aef63304df67b89f427019d29632345d8b3b5fe1b55980f5d78d6e1e7

SHA512
e45a51ef2f0021f168a70ac49bdcc7f4fb7b91ff0ddd931f8ecbd70f6494c56285b2d9bc1170804801ce178244ccf361745b677b04c388b608d1471e0695ebeb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\ID-70CBAEOXh6Nwxga-CxgpUq4k.br[1].js

Filesize
883B

MD5
fd88c51edb7fcfe4f8d0aa2763cebe4a

SHA1
18891af14c4c483baa6cb35c985c6debab2d9c8a

SHA256
51f58a23f7723b6cbd51b994cb784fbc2a4ab58442adaeda6c778f648073b699

SHA512
ffe417fa00113273fe7ac1b1bd83c98a3a9dc12d41c77b60c52cc5ffd461d9ca2020c2444ac43771d737c70c58eca40786a5c5762b60f30da523f709684510df

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\K3hC1_cQXGFr6cxRJVWYpzZJaAM.br[1].js

Filesize
891B

MD5
02b0b245d09dc56bbe4f1a9f1425ac35

SHA1
868259c7dc5175a9cc1e2ec835f3d9b4bd3f5673

SHA256
62991181637343332d7b105a605ab69d70d1256092355cfc4359bee7bdbfb9c6

SHA512
cbb43000a142807ff1bb3bfac715cef1240233117c728f357c824ce65b06be493df2306c7b03598817f09b02e9e36ec52314f88467679c5bef3ee1504a10c7e6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\K_V1CARn2Q2lTs5njJKUvUkHyi4.br[1].js

Filesize
242B

MD5
6c2c6db3832d53062d303cdff5e2bd30

SHA1
b7a064a64ceae5c9009ef7d6d8f63b90d3933c9d

SHA256
06b77ee16a2cd34acd210b4f2b6e423762ea8874bb26ae5a37db9dd01a00ff70

SHA512
bc2d115b53035b700d727af9d7efaf32dd2a39a2344f3f5fa1a82586be849ec7803e8320661e66ab7dd2a17e64b7897e95bbd84502b91997fa46eba4e67e8c7d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\Monoxidex64[1].exe

Filesize
330KB

MD5
692361071bbbb3e9243d09dc190fedea

SHA1
04894c41500859ea3617b0780f1cc2ba82a40daf

SHA256
ae9405b9556c24389ee359993f45926a895481c8d60d98b91a3065f5c026cffe

SHA512
cfdd627d228c89a4cc2eac27dcdc45507f1e4265eff108958de0e26e0d1abe7598a5347be77d1a52256de70c77129f1cd0e9b31c023e1263f4cf04dbc689c87e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\eKvcHdnNwo1WcxoSioV4ztnfZk8.br[1].js

Filesize
2KB

MD5
fb797698ef041dd693aee90fb9c13c7e

SHA1
394194f8dd058927314d41e065961b476084f724

SHA256
795e9290718eb62a1fb00646dc738f6a6b715b1171dd54a3d2defa013a74f3da

SHA512
e03c4ab727567be95b349b971e29cffb3890cfb1a1ddf997b34b9d69154294a00a5112f4ffca4df4e26bbf96afa75e5943e965edc8f8e21035ed2ef30b7688d8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\fRSNKQanUHk53F1a1Bi8UA71Qt4.br[1].js

Filesize
289B

MD5
9085e17b6172d9fc7b7373762c3d6e74

SHA1
dab3ca26ec7a8426f034113afa2123edfaa32a76

SHA256
586d8f94486a8116af00c80a255cba96c5d994c5864e47deac5a7f1ae1e24b0d

SHA512
b27b776cb4947eef6d9e2a33b46e87796a6d4c427f4759c08cf5aa0ee410a5f12e89ca6ab9cddd86c8471037e3c505f43c8b7fc6d8417f97f9fe3c5c47216bc4

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\lLk8XmbdNzzlnPRzVzDhaF9yjqw.br[1].js

Filesize
824B

MD5
3ff8eecb7a6996c1056bbe9d4dde50b4

SHA1
fdc4d52301d187042d0a2f136ceef2c005dcbb8b

SHA256
01b479f35b53d8078baca650bdd8b926638d8daaa6eb4a9059e232dbd984f163

SHA512
49e68aa570729cc96ed0fd2f5f406d84869772df67958272625cba9d521ca508955567e12573d7c73d7e7727260d746b535c2ce6a3ace4952edf8fd85f3db0dd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\tPLNa5UcMaQEzzg0acZfPM45N6I.gz[1].css

Filesize
2KB

MD5
9baa6773c6549250a3393e62c56eb395

SHA1
5bb4eead8609cd30b9b96b23ec4fd0082ae64c1d

SHA256
dadf403df8cfe888e59e6a051aee3783a2bf0bcc60dc1d09a7797daaee726ca2

SHA512
cf12319cf07897864828d9c950df4a98a0628d828a7fee75f1235fc5d3a57c90a40b5ded2743af2e62b1d13d3f6be0d302ada054e7c0d7164b8ba12054909b8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\tlifxqsNyCzxIJnRwtQKuZToQQw[1].js

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\uiannz55FdT0j3p9jGwegfI5aIY.br[1].js

Filesize
1KB

MD5
45345f7e8380393ca0c539ae4cfe32bd

SHA1
292d5f4b184b3ff7178489c01249f37f5ca395a7

SHA256
3a40a1ff034448d68d92a75ababa09ba5f2b71d130f5f6bdf160dcf8851529a9

SHA512
2bfd00bf303ad5a1e8413b5ee6a162167605511fefb8df61a8f40f80382f5520df690a53b1058365f1d81562b2668376886d0f829517a642fcd87412801fe987

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\x6CS8glKlDAxrUISUqfsWELwuk8.gz[1].js

Filesize
10KB

MD5
a11c94339eeee97cb5970f1e67d968c8

SHA1
67ec6b6f0883da56cce10a9d704718a2e1879f81

SHA256
075448f2e460e6e3e64ef93c8aa1291710123c60bbaeeaa3677e9b5630a472ab

SHA512
6dbe79f332d83ad6edf5927ed8a1882d24903a1cf6afed53b1c313b2694faa247638f8e704f0ebabc89aaae61cb0d76cff43fd1803515fec8b36db8dd1f816ba

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\ydDuUFvQrnTEDpvE14Ya7abrPGk.br[1].js

Filesize
1KB

MD5
d807dbbb6ee3a78027dc7075e0b593ff

SHA1
27109cd41f6b1f2084c81b5d375ea811e51ac567

SHA256
0acdce370092c141b0c6617ed6e2163f04bb9b93d3213b62c2bc7a46fe0243c7

SHA512
e037dfc31d595b459660fe7d938eedb4f43d208d247174ee8d6fd0d125f211142cd73497e4601893cecb6f565b7e2e7815ce416d72bb95504d3f277e4e806d11

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MKPMX2R9\43BJuM7qM_8Wd1WfIZM2_oK9zrw.gz[1].js

Filesize
371B

MD5
b743465bb18a1be636f4cbbbbd2c8080

SHA1
7327bb36105925bd51b62f0297afd0f579a0203d

SHA256
fee47f1645bc40fbc0f98e05e8a53c4211f8081629ffda2f785107c1f3f05235

SHA512
5592def225e34995f2f4e781f02cc2b489c66a7698d2feff9ac9a71f09e5284b6bbdb065e1df9c06adfb1f467d5627fbd06e647abf4e6ab70cf34501232126ad

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MKPMX2R9\9MqrCXB0EVjVIRzDOArDGhu3yeM.br[1].js

Filesize
1KB

MD5
56afa9b2c4ead188d1dd95650816419b

SHA1
c1e4d984c4f85b9c7fb60b66b039c541bf3d94f6

SHA256
e830aeb6bc4602a3d61e678b1c22a8c5e01b9fb9a66406051d56493cc3087b4b

SHA512
d97432e68afdaa2cfaeff497c2ff70208bd328713f169380d5afb5d5eecd29e183a79bec99664dbee13fd19fe21ebae7396315ac77a196bfb0ab855507f3dacf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\MKPMX2R9\kFdRGnsF9oNJsnfvt_bKFj-yBxg.gz[1].js

Filesize
429B

MD5
0794c2ffc9aaf238496bf687a9c68799

SHA1
7938be485611f9d417e84b8c0a74bd3c589e052f

SHA256
805aaa9634639b2eaa912e117219727dfa6e92a63b8b92569c336a9ccde52dee

SHA512
fefbfbd39b9b86d8975d8faab62b50515488e9bf1e21ad72fed9fa93614e10adafc99da77349ead2501b89d422d766adc313b6024bcb9b331ab83a7b99bb135f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\8CgcSSLayxEVUBf0swP_bQGMId8.br[1].js

Filesize
226B

MD5
a5363c37b617d36dfd6d25bfb89ca56b

SHA1
31682afce628850b8cb31faa8e9c4c5ec9ebb957

SHA256
8b4d85985e62c264c03c88b31e68dbabdcc9bd42f40032a43800902261ff373f

SHA512
e70f996b09e9fa94ba32f83b7aa348dc3a912146f21f9f7a7b5deea0f68cf81723ab4fedf1ba12b46aa4591758339f752a4eba11539beb16e0e34ad7ec946763

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\8LIV7VPMYjV_ya4Ggnu8LBWQIQQ.br[1].js

Filesize
1KB

MD5
d81844c2ebcf5f3260a692e3e89dde7f

SHA1
5a3874fb9f597e42fdd94e5bc5da0a709b70d57a

SHA256
9905f086f3f40ac4b8ec2c9f0752a157ed637b2ffc2c87971e8306d6cb12fe9f

SHA512
8005f3ebd5bc8dc903917df581563595ea3e427f31992260aa4e6ed8bc30095442174ad153a83c378575ffb2de878338b0e87d8cdd57dfdc49e646ca9e4ada77

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\910ptS3pcIDQ7a5acMaHuQliuN0.br[1].js

Filesize
1KB

MD5
8898a2f705976d9be01f35a493f9a98f

SHA1
bc69bec33a98575d55fefae8883c8bb636061007

SHA256
5f30270aa2dc8a094d790e1e4a62b17c7d76a20b449d9b69af797a55fada9108

SHA512
c8575df93fbd1f65a285d484257adfe12733e47a6524a18d5910d33562eefd1d9da7197d16c7a3cad3bc5ad89546ff0fefe90e5c96e7850ecec9708c90334349

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\9cuwOQ_qE7qTGKohzrf_gIjTlPI.br[1].js

Filesize
3KB

MD5
fabb77c7ae3fd2271f5909155fb490e5

SHA1
cde0b1304b558b6de7503d559c92014644736f88

SHA256
e482bf4baaa167335f326b9b4f4b83e806cc21fb428b988a4932c806d918771c

SHA512
cabb38f7961ab11449a6e895657d39c947d422f0b3e1da976494c53203e0e91adfc514b6100e632939c4335c119165d2330512caa7d836a6c863087775edaa9f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\9xGNA8UskvA9WHF58zbLOHZ5HvI.br[1].js

Filesize
511B

MD5
d6741608ba48e400a406aca7f3464765

SHA1
8961ca85ad82bb701436ffc64642833cfbaff303

SHA256
b1db1d8c0e5316d2c8a14e778b7220ac75adae5333a6d58ba7fd07f4e6eaa83c

SHA512
e85360dbbb0881792b86dcaf56789434152ed69e00a99202b880f19d551b8c78eeff38a5836024f5d61dbc36818a39a921957f13fbf592baafd06acb1aed244b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\Gw7eETSwe7GHmKwW1lRqGPQJXRo.br[1].js

Filesize
2KB

MD5
17cdab99027114dbcbd9d573c5b7a8a9

SHA1
42d65caae34eba7a051342b24972665e61fa6ae2

SHA256
5ff6b0f0620aa14559d5d869dbeb96febc4014051fa7d5df20223b10b35312de

SHA512
1fe83b7ec455840a8ddb4eedbbcd017f4b6183772a9643d40117a96d5fff70e8083e424d64deba209e0ef2e54368acd58e16e47a6810d6595e1d89d90bca149a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\Gyuq2bqitqDJM0BeAkbKXGlQXNw.br[1].js

Filesize
1KB

MD5
a969230a51dba5ab5adf5877bcc28cfa

SHA1
7c4cdc6b86ca3b8a51ba585594ea1ab7b78b8265

SHA256
8e572950cbda0558f7b9563ce4f5017e06bc9c262cf487e33927a948f8d78f7f

SHA512
f45b08818a54c5fd54712c28eb2ac3417eea971c653049108e8809d078f6dd0560c873ceb09c8816ecd08112a007c13d850e2791f62c01d68518b3c3d0accceb

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\NfTD8Ovh04Y_Ni14YxqYB8R_2_Q.br[1].js

Filesize
888B

MD5
f1cf1909716ce3da53172898bb780024

SHA1
d8d34904e511b1c9aae1565ba10ccd045c940333

SHA256
9abac0cbfa6f89106b66cd4f698ead5ccbf615ecf8cd7e9e88567a7c33cfec01

SHA512
8b641e93405565b4a57c051edefc8e02d6c929ddd4c52f9bfbd19c57896aa40426bf5ed6760dbd479719561c4f0a25bfc4102f0f49d3d308035c9ca90b1d0fce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\V_fBQ_iVmAgE_Ta_T-6BNXc0ZY4.br[1].js

Filesize
576B

MD5
f5712e664873fde8ee9044f693cd2db7

SHA1
2a30817f3b99e3be735f4f85bb66dd5edf6a89f4

SHA256
1562669ad323019cda49a6cf3bddece1672282e7275f9d963031b30ea845ffb2

SHA512
ca0eb961e52d37caa75f0f22012c045876a8b1a69db583fe3232ea6a7787a85beabc282f104c9fd236da9a500ba15fdf7bd83c1639bfd73ef8eb6a910b75290d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\_2I169N92jVtSc_VEsV0nma5sRY.br[1].js

Filesize
622B

MD5
3104955279e1bbbdb4ae5a0e077c5a74

SHA1
ba10a722fff1877c3379dee7b5f028d467ffd6cf

SHA256
a0a1cee602080757fbadb2d23ead2bbb8b0726b82fdb2ed654da4403f1e78ef1

SHA512
6937ed6194e4842ff5b4878b0d680e02caf3185baf65edc131260b56a87968b5d6c80f236c1de1a059d8158bc93b80b831fe679f38fc06dfb7c3413d1d5355aa

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\awRIKLY04rWw5wNlVL186SolQSo.br[1].js

Filesize
33KB

MD5
e4fb9b839186660b1f729b8df8c994b4

SHA1
931792cd70ced4ad586f6329c30c294ebea1548e

SHA256
6838611c8ab6539005e11c84ca308158f89a51db57a62caf21faab48bf576177

SHA512
625436bb52cbd7df7ed03be05fea52c5d54b6cc15037d70c268d9598e648a22246db902b9c6f097ba8b18bd924f6ab17120736285d54dce13773237f1669853a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\gKwIRAF4fg7noG1zyeUz8x3Jdhc.br[1].js

Filesize
924B

MD5
47442e8d5838baaa640a856f98e40dc6

SHA1
54c60cad77926723975b92d09fe79d7beff58d99

SHA256
15ed1579bccf1571a7d8b888226e9fe455aca5628684419d1a18f7cda68af89e

SHA512
87c849283248baf779faab7bde1077a39274da88bea3a6f8e1513cb8dcd24a8c465bf431aee9d655b4e4802e62564d020f0bb1271fb331074d2ec62fc8d08f63

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\n21aGRCN5EKHB3qObygw029dyNU.br[1].js

Filesize
1KB

MD5
cb027ba6eb6dd3f033c02183b9423995

SHA1
368e7121931587d29d988e1b8cb0fda785e5d18b

SHA256
04a007926a68bb33e36202eb27f53882af7fd009c1ec3ad7177fba380a5fb96f

SHA512
6a575205c83b1fc3bfac164828fbdb3a25ead355a6071b7d443c0f8ab5796fe2601c48946c2e4c9915e08ad14106b4a01d2fcd534d50ea51c4bc88879d8bec8d

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\pULrRpvNB_IVlF00-EcgY1amxmk.br[1].js

Filesize
2KB

MD5
8db6af34e15752fcc8dd1db27883888b

SHA1
22dae88b4aa6e1943a7f4142264ee7c1b60e41fc

SHA256
3207d4044fa2485477eb984fa69e16b67753146bcc319043530c25dc60b9c6ca

SHA512
7d4fe0bcd7fabe09f94ed708ace4548cfb0b9aea33bf33016808a8855a77be39c133b4b4a1a320771c789cfd0b073fff5bcdd37982f26c878bd71bf1024f5709

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\O5B106IF\psgXZvzYJMEW2ydikIk493Va1d4.br[1].js

Filesize
1KB

MD5
f4da106e481b3e221792289864c2d02a

SHA1
d8ba5c1615a4a8ed8ee93c5c8e2ea0fb490a0994

SHA256
47cb84d180c1d6ba7578c379bdc396102043b31233544e25a5a6f738bb425ac9

SHA512
66518ee1b6c0df613074e500a393e973844529ca81437c4bafe6bf111cba4d697af4fe36b8d1b2aa9b25f3eb93cd76df63abfc3269ac7e9f87c5f28a3764008e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!002\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\70SBRIA3\favicon[1].png

Filesize
7KB

MD5
9e3fe8db4c9f34d785a3064c7123a480

SHA1
0f77f9aa982c19665c642fa9b56b9b20c44983b6

SHA256
4d755ac02a070a1b4bb1b6f1c88ab493440109a8ac1e314aaced92f94cdc98e9

SHA512
20d8b416bd34f3d80a77305c6fcd597e9c2d92ab1db3f46ec5ac84f5cc6fb55dfcdccd03ffdc5d5de146d0add6d19064662ac3c83a852f3be8b8f650998828d1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\DGGD1FX1\favicon[1].ico

Filesize
758B

MD5
84cc977d0eb148166481b01d8418e375

SHA1
00e2461bcd67d7ba511db230415000aefbd30d2d

SHA256
bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

SHA512
f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\KYVP7BOY\favicon[1].ico

Filesize
4KB

MD5
da597791be3b6e732f0bc8b20e38ee62

SHA1
1125c45d285c360542027d7554a5c442288974de

SHA256
5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07

SHA512
d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\PXUP7PWL\favicon-trans-bg-000-mg[1].ico

Filesize
4KB

MD5
5879b2763fc53367a29f1e64721976db

SHA1
edee687feb0438fbb4fdf6e0b9bc941f2a0c464d

SHA256
b5f794efdee46f6e8759441cfb2bdc36640f50e47cad9f11cea18bed48e6c43b

SHA512
6b04809dad6d927b7c9fe0d674b8e14c9bb374ea069558e53468e33da76be44c8de6221f90f719462bcea90bec1a90ece58a706e440229ec78d81ba9063ad0f1

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF13047F9669982A4C.TMP

Filesize
16KB

MD5
b8f7c73383b50b84784d84da4001c1d1

SHA1
f0a496164d929b2f5b224a643cd8fdac8cfdcb4c

SHA256
1b93f7014fcd2cd1676b10fe8dd04a2e250c3aec1f6b315d9a798162f3a0cc07

SHA512
9ff5a6f0db2cda2de5bfa82c001a974a459814ee14f71029a606c97ca0a59151508d04590c721dca1fef3065f50df90d68989efd5800435958c08ef0c56ee17c

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\EOZF4CBE\Monoxidex64[1].exe

Filesize
32KB

MD5
3ae2849710c77ea4d899a58bb1afaf9e

SHA1
805d176d937f56357807e956791e9e81af206ed1

SHA256
c148407b8de37e973f4658d033567d29cd5aad0ae9507470a80de7ebffde9d55

SHA512
2f419bfaad19c51f5f6a3c45a48905965462e11a8872efb265019279c897c137602411b962142db6b26c4172d0f6e1afe1cfff7547a540566d334e5be5977b5a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Filesize
313B

MD5
9e708e3dad013b26a8a9ee94457f8a95

SHA1
89d7f3aba9dcef364cdf2d6803972f2bab7a919e

SHA256
78b2c3bea9d022e036a1be1b21a4b3beacf43d78efc10745b6bbd28c0e0d0e21

SHA512
5007224c04a66be084f9e9489699a3070bd4871b4efc4d7b9fb81830daeb8f4354ace9d5540920c8766ffdb28eb6729c085ce4f02071a58eac2c10ff066d1f91

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D

Filesize
400B

MD5
b962f1375d532be4072c3bdafbfe1268

SHA1
ae0502dcf486cf397374664546b15685cf2f3358

SHA256
d6cc3eea1d5859f914b5d24797d001e13b4677fdf6632065ed7d726c0aa31395

SHA512
809f1692315e834224d3b138a6d8833c2b44695600d2caca69871787ec4e96cde1269f09edb2f2bf3449242f021b68fe928e0a4102512e6eb422b728276c1826

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sdqllrgk.tg4.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.exe:Zone.Identifier

Filesize
226B

MD5
7b6d0c97817d1751ea027d98f6596c17

SHA1
19dfd773b69d0d7d310f455389bca73164a68e56

SHA256
ef9a2ddf25e8131a266851efb3e50e198149d299358f24e902b26fb2f05c1dea

SHA512
cc28ddc9eb592b491df2dcff4b0b2f9bb1a93b45c1e9fb0f34589b4230f4ac80fb160f57a619735070d97727481a549b7e9a0b865c4449bffb18cb6890d516c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\箾莝鳕窐巙蠛蝜嶇祥罤豨崙鉴屜猞輍.txt

Filesize
260B

MD5
aee8ba88e1c946a344e9a4baf694a7b6

SHA1
77068729d19bd94d26b5d25efebfbe5e4de9d924

SHA256
90385271a052bee5b70398c81f93e4f33320923831c44b7fceea7ce4be0a1da1

SHA512
ab1aab5a77cec2a86f8b5c459b046fcd580bb9a62e727c7c373f7ab50dd6481ac57adb9669a5a3fc42f41b71dc82590db0c58af7d091168367452dd305fab96e

Download Submit
C:\Users\Admin\AppData\Roaming\System User

Filesize
62KB

MD5
6cffd409d1e3a1a446fae15796f29509

SHA1
1b502700dd33751c64da20807e61b2a0dff0a930

SHA256
3dae4c211901decdd6381c72f584bea8f0604a954b44d98ac9c406d0e3730d03

SHA512
c43130dfe3b25262570e01abb4fe4bfb0825436f093f114a33706174927d39ee3c1048c6fd47e5061730438e9b1776b306a51e60491d2c100a53b6704a373346

Download Submit
memory/2712-311-0x0000019ACE2B0000-0x0000019ACE2B2000-memory.dmp

Filesize
8KB

Download
memory/2712-316-0x0000019ACE2F0000-0x0000019ACE2F2000-memory.dmp

Filesize
8KB

Download
memory/2712-258-0x0000019ABDB00000-0x0000019ABDC00000-memory.dmp

Filesize
1024KB

Download
memory/2712-319-0x0000019ACE8D0000-0x0000019ACE8D2000-memory.dmp

Filesize
8KB

Download
memory/2712-313-0x0000019ACE2D0000-0x0000019ACE2D2000-memory.dmp

Filesize
8KB

Download
memory/2900-292-0x000001D4F1C60000-0x000001D4F1D60000-memory.dmp

Filesize
1024KB

Download
memory/2900-347-0x000001D4F3760000-0x000001D4F3860000-memory.dmp

Filesize
1024KB

Download
memory/2900-658-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-657-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-655-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-653-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-654-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-652-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-650-0x000001CC90F40000-0x000001CC90F60000-memory.dmp

Filesize
128KB

Download
memory/2900-649-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-647-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-648-0x000001D4E0D30000-0x000001D4E0D40000-memory.dmp

Filesize
64KB

Download
memory/2900-622-0x000001CC90F40000-0x000001CC90F60000-memory.dmp

Filesize
128KB

Download
memory/2900-599-0x000001CC90F20000-0x000001CC90F40000-memory.dmp

Filesize
128KB

Download
memory/2900-457-0x000001D4F1A00000-0x000001D4F1B00000-memory.dmp

Filesize
1024KB

Download
memory/2900-444-0x000001CC90BC0000-0x000001CC90BE0000-memory.dmp

Filesize
128KB

Download
memory/2900-439-0x000001CC90930000-0x000001CC90950000-memory.dmp

Filesize
128KB

Download
memory/2900-393-0x000001CC802A0000-0x000001CC803A0000-memory.dmp

Filesize
1024KB

Download
memory/2900-392-0x000001CC802A0000-0x000001CC803A0000-memory.dmp

Filesize
1024KB

Download
memory/2900-252-0x000001D4E1400000-0x000001D4E1500000-memory.dmp

Filesize
1024KB

Download
memory/2900-287-0x000001D4F16E0000-0x000001D4F1700000-memory.dmp

Filesize
128KB

Download
memory/2900-659-0x000001CC90F40000-0x000001CC90F60000-memory.dmp

Filesize
128KB

Download
memory/2900-315-0x000001D4F2760000-0x000001D4F2780000-memory.dmp

Filesize
128KB

Download
memory/3640-52-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/3640-6-0x000001BCD8AD0000-0x000001BCD8AF2000-memory.dmp

Filesize
136KB

Download
memory/3640-9-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/3640-10-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/3640-12-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/3640-11-0x000001BCD8B80000-0x000001BCD8BF6000-memory.dmp

Filesize
472KB

Download
memory/3640-27-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/3640-51-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/4112-194-0x0000023B75F20000-0x0000023B75F30000-memory.dmp

Filesize
64KB

Download
memory/4112-211-0x0000023B76030000-0x0000023B76040000-memory.dmp

Filesize
64KB

Download
memory/4112-229-0x0000023B73490000-0x0000023B73492000-memory.dmp

Filesize
8KB

Download
memory/4112-357-0x0000023B7C690000-0x0000023B7C691000-memory.dmp

Filesize
4KB

Download
memory/4112-358-0x0000023B7C6A0000-0x0000023B7C6A1000-memory.dmp

Filesize
4KB

Download
memory/4208-183-0x00007FF833F83000-0x00007FF833F84000-memory.dmp

Filesize
4KB

Download
memory/4208-187-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-191-0x00007FF833F80000-0x00007FF83496C000-memory.dmp

Filesize
9.9MB

Download
memory/4208-0-0x00007FF833F83000-0x00007FF833F84000-memory.dmp

Filesize
4KB

Download
memory/4208-1-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads