Analysis

  • max time kernel
    80s
  • max time network
    81s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    08-11-2024 20:05

General

  • Target

    Remove-EdgeWeb.exe

  • Size

    7.7MB

  • MD5

    e593600b27b955018094cff096c98cea

  • SHA1

    ca675c0a032a5a646d6205180d0e18125876d47d

  • SHA256

    798a7c7a1dfe7d822f1c85c6f05965f54f03a3d695cad876f7586bd0f07735c4

  • SHA512

    71599f3558a9c7e3b6bfd1cd554a7821d6c8edce5d593cb9e76d17dbead8f4f467e6300e95e57cc2b3f9480115234be58e451355ad926b849754522ba953ba75

  • SSDEEP

    196608:D/8Olb2w9+L0YFqQxA10++MvJHDO6D3U/7F1gG:Dplq5L0HQK1HnEzFaG

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Possible privilege escalation attempt 4 IoCs
  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Modifies file permissions 1 TTPs 4 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Drops desktop.ini file(s) 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 13 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe
    "C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe
      "C:\Users\Admin\AppData\Local\Temp\Remove-EdgeWeb.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
        C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --uninstall --system-level --force-uninstall
        3⤵
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2444
        • C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
          C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x238,0x23c,0x240,0x210,0x244,0x7ff67524eb10,0x7ff67524eb20,0x7ff67524eb30
          4⤵
          • Executes dropped EXE
          PID:1900
        • C:\Windows\system32\wevtutil.exe
          "C:\Windows\system32\wevtutil.exe" um "C:\Users\Admin\AppData\Local\Temp\{3A5F2396-5C8F-4F1F-9B67-6CCA6C990E61}.tmp"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1972
      • C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
        C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --uninstall --msedgewebview --system-level --force-uninstall
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe
          C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 --annotation=exe=C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x234,0x238,0x23c,0x210,0x240,0x7ff67524eb10,0x7ff67524eb20,0x7ff67524eb30
          4⤵
          • Executes dropped EXE
          PID:4632
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell "(New-Object System.Security.Principal.NTAccount($env:USERNAME)).Translate([System.Security.Principal.SecurityIdentifier]).Value"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:956
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -NoProfile -Command "Get-AppxPackage -AllUsers | Where-Object {$_.PackageFullName -like \"*microsoftedge*\"} | Select-Object -ExpandProperty PackageFullName"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2388
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.22000.120.0_neutral__8wekyb3d8bbwe 2>$null"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3216
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell -Command "Remove-AppxPackage -Package Microsoft.MicrosoftEdge_44.22000.120.0_neutral__8wekyb3d8bbwe -AllUsers 2>$null"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\ProgramData\Microsoft\EdgeUpdate""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1400
      • C:\Windows\SysWOW64\reg.exe
        reg delete "HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}" /f
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4572
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /query /fo csv
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1192
      • C:\Windows\SysWOW64\sc.exe
        sc delete edgeupdate
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4864
      • C:\Windows\SysWOW64\sc.exe
        sc delete edgeupdatem
        3⤵
        • Launches sc.exe
        • System Location Discovery: System Language Discovery
        PID:4660
      • C:\Windows\SysWOW64\reg.exe
        reg delete HKLM\SOFTWARE\WOW6432Node\Microsoft\Edge /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies registry key
        PID:4692
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3424
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /r /d y
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4580
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe" /grant administrators:F /t
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:2828
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y && icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t && rd /s /q "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4508
        • C:\Windows\SysWOW64\takeown.exe
          takeown /f "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /r /d y
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2824
        • C:\Windows\SysWOW64\icacls.exe
          icacls "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe" /grant administrators:F /t
          4⤵
          • Possible privilege escalation attempt
          • Modifies file permissions
          • System Location Discovery: System Language Discovery
          PID:1772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "rmdir /q /s "C:\Program Files (x86)\Microsoft\Temp""
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4828
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:4904
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:3192
    • C:\Windows\System32\oobe\UserOOBEBroker.exe
      C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      PID:3408
    • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
      C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      PID:5060

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

      Filesize

      1KB

      MD5

      c0636f2d138baca01dbb2eedb99bf3d5

      SHA1

      3b927899db0f3e2cb510782592887dc02fc3e400

      SHA256

      10973e727e5b0eb3f12aba60a682d66e79dfd86e4b6cfc454fd8df70c6e1fa8a

      SHA512

      0187a6ccb6428fb24ad4bc4ca14e7ce6f40ae6ca4f352f8e86a15288deb05cb4dd317ef8e9d04dc9ffb24407ecf0924af2c7910830c79366f7e4e48cb4b82b1d

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      17KB

      MD5

      8d547fce56ed0e9d4fa26932afc975dd

      SHA1

      32ed15c80b49e22325b66b83dd55077ae3668c04

      SHA256

      5cfb18b79cb0dcf71b06ea0e51c1c16df74c42b07267d0c95dcc6e4ad6d3ac9f

      SHA512

      3ee4d7400034fcd98455c87befe775253d02dd2d839cd2fda3123ae3445f5784b7abcff90e7930be7af698ab2eb8cf50573f2d3b49eb0301585265f3dee50af7

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      17KB

      MD5

      84965f86b3aeb3c4a35b1c7403c9aa93

      SHA1

      5ec4076812a02462611b245212248e9cef52d601

      SHA256

      6173c20bd12cc5a16a388a39c7f9c0264e40e5d64ac2f8186f768a6a0f12321a

      SHA512

      758afe1e8da63718e5ea6623e0d73a3e73df98337e416e71a960713226701a221d2bd632327542f96fb2432b12ca5950dba2cf61b57c028fed84ed82d6e6917c

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      16KB

      MD5

      bd521d05655fd04d4f7c98c2da27a54a

      SHA1

      4e09d53317c019493797f1a29f74f168cc37584e

      SHA256

      94a03550df620e8d2768d1eb79a4c84566b2177f61af58840aa1a60eee7a6f5b

      SHA512

      79dccbc2a2a2bf75baf286ded8e39055b2e2429efd46854d1e6eecc331ec1f38628e91d5c709a9ea759a1640bf76a2f9baa24ea42a71588f461430bcac643cd3

    • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\0b9737ee-5465-4c08-8b33-cfb81831bd66.down_data

      Filesize

      555KB

      MD5

      5683c0028832cae4ef93ca39c8ac5029

      SHA1

      248755e4e1db552e0b6f8651b04ca6d1b31a86fb

      SHA256

      855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

      SHA512

      aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\VCRUNTIME140.dll

      Filesize

      88KB

      MD5

      17f01742d17d9ffa7d8b3500978fc842

      SHA1

      2da2ff031da84ac8c2d063a964450642e849144d

      SHA256

      70dd90f6ee01854cecf18b1b6d1dfbf30d33c5170ba07ad8b64721f0bdcc235e

      SHA512

      c4e617cd808e48cc803343616853adf32b7f2e694b5827392219c69145a43969384d2fc67fa6fa0f5af1ca449eb4932004fbcdd394a5ba092212412b347586f0

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\_bz2.pyd

      Filesize

      79KB

      MD5

      e4519f30e22cd8d4bfe7059d60183ce0

      SHA1

      40fb4def438aa07738961a9f25e7ea1be0c60e7f

      SHA256

      580f42dedd0e70bd7431916ee27db3202b822712af03f418546da89a4c0ad0b1

      SHA512

      5271a99202c9a1e5266a0deaf58c65f0a8fced8b2f1019e80260a79f64b3afdaf22dca72c218c9b3253afe12ac803c5d1ca955b8b29f1c481eff1d584352b02b

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\_ctypes.pyd

      Filesize

      105KB

      MD5

      9c2163d73a2ecdaf34a613c703a13440

      SHA1

      f4fcb291c311695d1f5da95020583ecc2aa18ec6

      SHA256

      3bdb7150ad0304035a5f25c69ec6d6ea25c87d056b6713f29a8be96f2b17d057

      SHA512

      fd1f96220421a3b63a6b6046cb985093aa41a17ea24adc114c9c54a80d7558be90fcfe56032787ab653ed340b3c8c5b75bd334875d68c85e9a725595cd53779f

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\_decimal.pyd

      Filesize

      194KB

      MD5

      75f984ae9e97d34293aa1b452baeb15d

      SHA1

      5d6de679ed6fd1155f997bdd2b686ec5d1be4f13

      SHA256

      edc9caa73ae4e606012152a6531336c667092cd14a1f03f3166ec8e0b25b48a7

      SHA512

      34a7c72ac5f3f9a28c3a64e6e7d318a5ec81c6e22e03a0e173d65745ba6d8eb1eb3bc411d43678345448977d078849171c506814f0b96f650024a51082b50fe4

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\_hashlib.pyd

      Filesize

      48KB

      MD5

      61ff2a1a01d6dcd0626441c6888f2bf3

      SHA1

      ecacdb63666d539c03d2a0efdf4b30b24824d3cb

      SHA256

      ae886b9bf59f27bbe4f846972bc22baf550cae46dc6dbc820eafad523ae7da04

      SHA512

      6c089ac9299efb84f6e48259726be799c51b0a2a6cd67104ca8b43cf1aaa6e838ec34c5cfc09c484c93efb59b24bd85aa3a83f098d3e95b6bc01a1fd09943638

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\_lzma.pyd

      Filesize

      145KB

      MD5

      e40cbb898cb17b0f60a67216a6b5cc4d

      SHA1

      dc724af9e03a02e1121697a94603bda9d4cff345

      SHA256

      ceb38183cc7f2b513588f9d6d1713d115cee127ad06d146de5b230504e126538

      SHA512

      5646ecbf555d8ab369c2c03dca720aa738d1af515fb7302ceffbfcfa65661083c009d6a5aa723d09bb330e10b10ec8509450f4c1b90733c4aeb85c895d4d63bd

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\_socket.pyd

      Filesize

      67KB

      MD5

      943124d117b6e9548f6a9d0c34009b52

      SHA1

      1acacb610ed41ab78eea2d093a35f48284698bd0

      SHA256

      5a60284ec53036fedad0057a564f709ab328c8ac77084191d6350d2001004fe2

      SHA512

      89eb4b4163fc3ae29dce7cdd7ca28392c378e5858bbd43a3f556c836284c067406d67eb228047767202c955539cbeaef4228bd2aa8c25627f96d56c35877e89d

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\base_library.zip

      Filesize

      1.4MB

      MD5

      81cd6d012885629791a9e3d9320c444e

      SHA1

      53268184fdbddf8909c349ed3c6701abe8884c31

      SHA256

      a18892e4f2f2ec0dee5714429f73a5add4e355d10a7ba51593afc730f77c51dd

      SHA512

      d5bf47fad8b1f5c7dcaa6bef5d4553e461f46e6c334b33d8adc93689cf89365c318f03e961a5d33994730b72dc8bde62209baca015d0d2d08a081d82df7dfd73

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\libcrypto-3.dll

      Filesize

      3.3MB

      MD5

      9a76997e6836c479c5e1993cbb3cefae

      SHA1

      6747a82434daa76239c68e1f75c26f4420f4832d

      SHA256

      bdbf2ff122354b0e219df81293de186cecfd966fce64e3831b798ffd7c3fc815

      SHA512

      5fb3f7eeb770f1bdcb06558081441e9fc9bbc618059e33f6864afeb3474033ec1be036cbc5503b74cb56b82894976f03f87e15f1ef5e5bf779de78e15a0c2cdf

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\libffi-8.dll

      Filesize

      34KB

      MD5

      74d2b5e0120a6faae57042a9894c4430

      SHA1

      592f115016a964b7eb42860b589ed988e9fff314

      SHA256

      b982741576a050860c3f3608c7b269dbd35ab296429192b8afa53f1f190069c0

      SHA512

      f3c62f270488d224e24e29a078439736fa51c9ac7b0378dd8ac1b6987c8b8942a0131062bd117977a37046d4b1488f0f719f355039692bc21418fdfbb182e231

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\python311.dll

      Filesize

      4.7MB

      MD5

      9c83364db2337cedb50cefce5772bf28

      SHA1

      6a65ce4bec369e2e2f6aa19e52ac556ceb3445fc

      SHA256

      89b71fca8d164d6e7a98967036212aa1fb28f5554e2a1b1042556c22c514ac16

      SHA512

      e3608ced277fce1e64a0d371b928a5bfc0e00d93a3f020a56f698b1aa2f18a80fc726a9f7c25b8d8d98a2b95ca49a03a254b3c704c08772abaadee0b01f8aa48

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\select.pyd

      Filesize

      26KB

      MD5

      e64bdec75ee2e467343742db636c6105

      SHA1

      32645de632215f6410abc1e7102a98cac127ae95

      SHA256

      109146def651028ad4d788a7c6712558f246417410248e2cbcdf0e8c11efad77

      SHA512

      7219b52f4f71048ce1c96aeba4b14d12e8366f7265bc06292f036511ee4b47df7be56e438d88915d92772879ec4d25bb1217e34dfea427b391334edc16705f60

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\setup.exe

      Filesize

      3.6MB

      MD5

      593b7497327222d69048f7f6204b1886

      SHA1

      56ee397b91b5235ad5fb3259e35676c633b46022

      SHA256

      4963532e63884a66ecee0386475ee423ae7f7af8a6c6d160cf1237d085adf05e

      SHA512

      45999be23e1ae2229575e6f32e56b57a732f51f015b2edb31653837a5592d6ed0edb29783eb21a18a42585ea5c0a50a8a996732233a2202f66eb1242d2a56fc1

    • C:\Users\Admin\AppData\Local\Temp\_MEI12882\unicodedata.pyd

      Filesize

      1.1MB

      MD5

      53f8f7e0caaece4a0977a1a6a4663197

      SHA1

      37a259658c970c3aaf527e32454c208cd19331a7

      SHA256

      cb85c4932833fc0f5606c6e774a4b9661adcd1a0f8146294eca7ff27418de26c

      SHA512

      a3ffa42bc0c7c0529e7936397a4b644f38fec3fae13ac4890f23dd905ce33fe81fe208e0d7f2fcb6f34515f6c95dd030f457d2725bae5b6d4f58646fd84ebf6d

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mfco2ndu.vcz.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

      Filesize

      3KB

      MD5

      35af4fe2fcee7a6fd6d5093cb736f40a

      SHA1

      efdbdbea83a0a98526455494412724691b4c81a3

      SHA256

      ab35f3af6970168ad6029946075bf3ba91d5a0d2da3f4ba70f75fd2959a1ddc9

      SHA512

      8fbf989ab022f028505297c042b3e352606b5e04e2a7f75e3a7e95dcd00a307835c56b5fa80d8cac7c3bbfb6735245521ff6347577503cb6c7060256d6129fc4

    • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Microsoft Edge.lnk

      Filesize

      2KB

      MD5

      c8551bf731bde8d889808accf13236a4

      SHA1

      de78afa8a7291719b899dde04fdbcdf4f5c502d2

      SHA256

      d7c59d4b06cc1dbfbd075ade51660edc8f796ec7966c5f065291a87fae379041

      SHA512

      03acbd75fa6e7299d491b018e8d6d839e8d7bbe0aa3a232a1a30bd34a1cae929b51742b8195d607c75d97514393bea203fb986aed273c0585d87c340384ff1a8

    • C:\Windows\TEMP\MsEdgeCrashpad\settings.dat

      Filesize

      152B

      MD5

      6564bf4e6e4d0e214e3589ac4b3e2d38

      SHA1

      7998f237ca2bfc96c4bdf13514784d1aede205e6

      SHA256

      b6c7af6f5e534b76f2b754b47ad193ff25f897d218402eedbc3a78293d113ed0

      SHA512

      daa08428d41753e59919a37999eda7a8b4149a115671b5dda01e2d23389d306d37fe7b52e88005263f3dda1c3eaa644a3bb7befd7ce388c28f5d11a353f8fe28

    • memory/956-75-0x0000000007F90000-0x000000000860A000-memory.dmp

      Filesize

      6.5MB

    • memory/956-73-0x0000000006730000-0x000000000674E000-memory.dmp

      Filesize

      120KB

    • memory/956-74-0x0000000006780000-0x00000000067CC000-memory.dmp

      Filesize

      304KB

    • memory/956-62-0x0000000006190000-0x00000000061F6000-memory.dmp

      Filesize

      408KB

    • memory/956-76-0x0000000006C80000-0x0000000006C9A000-memory.dmp

      Filesize

      104KB

    • memory/956-60-0x0000000005930000-0x0000000005F5A000-memory.dmp

      Filesize

      6.2MB

    • memory/956-63-0x0000000006200000-0x0000000006266000-memory.dmp

      Filesize

      408KB

    • memory/956-59-0x00000000052B0000-0x00000000052E6000-memory.dmp

      Filesize

      216KB

    • memory/956-61-0x00000000058A0000-0x00000000058C2000-memory.dmp

      Filesize

      136KB

    • memory/956-72-0x0000000006270000-0x00000000065C7000-memory.dmp

      Filesize

      3.3MB

    • memory/2388-101-0x00000000074E0000-0x0000000007584000-memory.dmp

      Filesize

      656KB

    • memory/2388-100-0x00000000073F0000-0x000000000740E000-memory.dmp

      Filesize

      120KB

    • memory/2388-102-0x00000000076C0000-0x00000000076DC000-memory.dmp

      Filesize

      112KB

    • memory/2388-103-0x0000000007880000-0x000000000788A000-memory.dmp

      Filesize

      40KB

    • memory/2388-104-0x0000000007930000-0x0000000007956000-memory.dmp

      Filesize

      152KB

    • memory/2388-91-0x0000000070820000-0x000000007086C000-memory.dmp

      Filesize

      304KB

    • memory/2388-90-0x0000000007410000-0x0000000007444000-memory.dmp

      Filesize

      208KB

    • memory/2388-80-0x0000000005D00000-0x0000000006057000-memory.dmp

      Filesize

      3.3MB

    • memory/2640-133-0x0000000005E80000-0x00000000061D7000-memory.dmp

      Filesize

      3.3MB

    • memory/2640-135-0x0000000070820000-0x000000007086C000-memory.dmp

      Filesize

      304KB

    • memory/3216-115-0x0000000070820000-0x000000007086C000-memory.dmp

      Filesize

      304KB