d489c0c61d29be25e54b757e107d664b878fa7c019ccbbbb8a5e928cbb4529e0

Analysis

max time kernel
830s
max time network
856s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
03-12-2024 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

(no subject) - [email protected] - Stillwater Area Public Schools Mail.eml
Size

4.3MB
MD5

a1626045dffe5301844c952de610abca
SHA1

43c13ebd2688de0d223ec6d6998213c5c14c5907
SHA256

d489c0c61d29be25e54b757e107d664b878fa7c019ccbbbb8a5e928cbb4529e0
SHA512

14f548f82fed51f52838b7961e2f14cab9b91f03211440d547fe18b7f7dca16bd98b478c087b904073437f87ca7e7a708a34a68213ab84d6284aadb7dc29e6ac
SSDEEP

24576:/UjpY/kRHUgH/Le7/4gHjrA9ekHAFFTFS2zFMVNDBzjIG:MUgH/LedQ1vT

Score

8^/10

bootkit discovery evasion persistence privilege_escalation

Malware Config

Signatures

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

Sigma.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	Sigma.exe

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

Processes:

certutil.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Executes dropped EXE 1 IoCs

Processes:

Sigma.exe

pid	Process
2008	Sigma.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cleanmgr.exe

description	ioc	Process
File opened (read-only)	\??\A:	cleanmgr.exe
File opened (read-only)	\??\B:	cleanmgr.exe
File opened (read-only)	\??\G:	cleanmgr.exe
File opened (read-only)	\??\N:	cleanmgr.exe
File opened (read-only)	\??\V:	cleanmgr.exe
File opened (read-only)	\??\E:	cleanmgr.exe
File opened (read-only)	\??\J:	cleanmgr.exe
File opened (read-only)	\??\P:	cleanmgr.exe
File opened (read-only)	\??\S:	cleanmgr.exe
File opened (read-only)	\??\T:	cleanmgr.exe
File opened (read-only)	\??\U:	cleanmgr.exe
File opened (read-only)	\??\W:	cleanmgr.exe
File opened (read-only)	\??\Y:	cleanmgr.exe
File opened (read-only)	\??\I:	cleanmgr.exe
File opened (read-only)	\??\L:	cleanmgr.exe
File opened (read-only)	\??\M:	cleanmgr.exe
File opened (read-only)	\??\R:	cleanmgr.exe
File opened (read-only)	\??\X:	cleanmgr.exe
File opened (read-only)	\??\Z:	cleanmgr.exe
File opened (read-only)	\??\H:	cleanmgr.exe
File opened (read-only)	\??\K:	cleanmgr.exe
File opened (read-only)	\??\O:	cleanmgr.exe
File opened (read-only)	\??\Q:	cleanmgr.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
62	raw.githubusercontent.com
68	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

Sigma.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Sigma.exe

Drops file in Windows directory 1 IoCs

Processes:

dismhost.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\DISM\dism.log	dismhost.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
6152	5344	WerFault.exe	198

System Location Discovery: System Language Discovery 1 TTPs 43 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

CredentialUIBroker.exebthudtask.exeCameraSettingsUIHost.execharmap.execipher.exeCloudNotifications.execmd.execolorcpl.exeat.execmdkey.exeComputerDefaults.exeDllHost.exeattrib.exeauditpol.execalc.exeARP.EXEAtBroker.exebackgroundTaskHost.execacls.execliconfg.execmmon32.execomp.execonvert.exeSigma.exeBackgroundTransferHost.exeCertEnrollCtrl.exeCheckNetIsolation.execleanmgr.execlip.execmdl32.exebitsadmin.execertutil.exechoice.execompact.execscript.exechkdsk.execontrol.execertreq.exechkntfs.execmstp.execredwiz.exectfmon.execttune.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CredentialUIBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bthudtask.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CameraSettingsUIHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	charmap.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cipher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CloudNotifications.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	colorcpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	at.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdkey.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ComputerDefaults.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	auditpol.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ARP.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AtBroker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cliconfg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmmon32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	comp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	convert.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Sigma.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BackgroundTransferHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CertEnrollCtrl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CheckNetIsolation.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cleanmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	clip.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmdl32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bitsadmin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compact.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkdsk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	control.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certreq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chkntfs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	credwiz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ctfmon.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cttune.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chkdsk.exechkntfs.execonvert.exemsedge.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkntfs.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	convert.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

certreq.exeexplorer.exeMiniSearchHost.execontrol.execalc.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15301#immutable1 = "Manage your RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80922b16d365937a46956b92703aca08af0000	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	certreq.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-1#immutable1 = "Default Programs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-7#immutable1 = "Change advanced color management settings for displays, scanners, and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-51#immutable1 = "Date and Time"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-100#immutable1 = "Mouse"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-1#immutable1 = "Troubleshooting"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	control.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	certreq.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\RADCUI.dll,-15300#immutable1 = "RemoteApp and Desktop Connections"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-300#immutable1 = "Sound"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\NodeSlot = "3"	certreq.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-1#immutable1 = "Credential Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-3#immutable1 = "Region"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4249425805-3408538557-1766626484-1000_Classes\Local Settings	calc.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 355301.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid	Process
5168	explorer.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	Process
2176	msedge.exe
2176	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
4868	msedge.exe
4868	msedge.exe
3004	identity_helper.exe
3004	identity_helper.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

Processes:

msedge.exe

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

AUDIODG.EXEauditpol.exevssvc.exeexplorer.exe

description	pid	Process
Token: 33	4852	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4852	AUDIODG.EXE
Token: SeSecurityPrivilege	2632	auditpol.exe
Token: SeBackupPrivilege	1868	vssvc.exe
Token: SeRestorePrivilege	1868	vssvc.exe
Token: SeAuditPrivilege	1868	vssvc.exe
Token: SeShutdownPrivilege	5168	explorer.exe
Token: SeCreatePagefilePrivilege	5168	explorer.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exeexplorer.exe

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
5168	explorer.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	Process
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe
1632	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MiniSearchHost.exeOpenWith.execertreq.exeCloudNotifications.exe

pid	Process
1060	MiniSearchHost.exe
2500	OpenWith.exe
448	certreq.exe
660	CloudNotifications.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	Process	procid_target
PID 1632 wrote to memory of 2524	1632	msedge.exe	81
PID 1632 wrote to memory of 2524	1632	msedge.exe	81
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 1124	1632	msedge.exe	82
PID 1632 wrote to memory of 2176	1632	msedge.exe	83
PID 1632 wrote to memory of 2176	1632	msedge.exe	83
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84
PID 1632 wrote to memory of 3656	1632	msedge.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
2424	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\(no subject) - [email protected] - Stillwater Area Public Schools Mail.eml"
1⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb50d43cb8,0x7ffb50d43cc8,0x7ffb50d43cd8
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:3360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4972 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6664 /prefetch:8
  2⤵
  PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6992 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7108 /prefetch:1
  2⤵
  PID:528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6576 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,10120373879143489091,11196379131342956132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1060

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:236

C:\Users\Admin\Downloads\Sigma.exe
"C:\Users\Admin\Downloads\Sigma.exe"
1⤵
- Disables RegEdit via registry modification
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
PID:2008
- C:\Windows\SysWOW64\appidtel.exe
  "C:\Windows\System32\appidtel.exe"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\ARP.EXE
  "C:\Windows\System32\ARP.EXE"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:736
- C:\Windows\SysWOW64\at.exe
  "C:\Windows\System32\at.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1516
- C:\Windows\SysWOW64\AtBroker.exe
  "C:\Windows\System32\AtBroker.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3984
- C:\Windows\SysWOW64\attrib.exe
  "C:\Windows\System32\attrib.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2424
- C:\Windows\SysWOW64\auditpol.exe
  "C:\Windows\System32\auditpol.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\System32\autochk.exe"
  2⤵
  PID:3996
- C:\Windows\SysWOW64\backgroundTaskHost.exe
  "C:\Windows\System32\backgroundTaskHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3056
- C:\Windows\SysWOW64\BackgroundTransferHost.exe
  "C:\Windows\System32\BackgroundTransferHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3876
- C:\Windows\SysWOW64\bitsadmin.exe
  "C:\Windows\System32\bitsadmin.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3992
- C:\Windows\SysWOW64\bthudtask.exe
  "C:\Windows\System32\bthudtask.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3844
- C:\Windows\SysWOW64\ByteCodeGenerator.exe
  "C:\Windows\System32\ByteCodeGenerator.exe"
  2⤵
  PID:1192
- C:\Windows\SysWOW64\cacls.exe
  "C:\Windows\System32\cacls.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3148
- C:\Windows\SysWOW64\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4804
- C:\Windows\SysWOW64\CameraSettingsUIHost.exe
  "C:\Windows\System32\CameraSettingsUIHost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4380
- C:\Windows\SysWOW64\CertEnrollCtrl.exe
  "C:\Windows\System32\CertEnrollCtrl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3540
- C:\Windows\SysWOW64\certreq.exe
  "C:\Windows\System32\certreq.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:448
- C:\Windows\SysWOW64\certutil.exe
  "C:\Windows\System32\certutil.exe"
  2⤵
  - Manipulates Digital Signatures
  - System Location Discovery: System Language Discovery
  PID:4000
- C:\Windows\SysWOW64\charmap.exe
  "C:\Windows\System32\charmap.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3524
- C:\Windows\SysWOW64\CheckNetIsolation.exe
  "C:\Windows\System32\CheckNetIsolation.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3940
- C:\Windows\SysWOW64\chkdsk.exe
  "C:\Windows\System32\chkdsk.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:2872
- C:\Windows\SysWOW64\chkntfs.exe
  "C:\Windows\System32\chkntfs.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:2788
- C:\Windows\SysWOW64\choice.exe
  "C:\Windows\System32\choice.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:904
- C:\Windows\SysWOW64\cipher.exe
  "C:\Windows\System32\cipher.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:660
- C:\Windows\SysWOW64\cleanmgr.exe
  "C:\Windows\System32\cleanmgr.exe"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  PID:4276
- C:\Windows\SysWOW64\cliconfg.exe
  "C:\Windows\System32\cliconfg.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- C:\Windows\SysWOW64\clip.exe
  "C:\Windows\System32\clip.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1496
- C:\Windows\SysWOW64\CloudNotifications.exe
  "C:\Windows\System32\CloudNotifications.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:660
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:8
- C:\Windows\SysWOW64\cmdkey.exe
  "C:\Windows\System32\cmdkey.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624
- C:\Windows\SysWOW64\cmdl32.exe
  "C:\Windows\System32\cmdl32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2688
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\System32\cmmon32.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\System32\cmstp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5056
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\System32\colorcpl.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3192
- C:\Windows\SysWOW64\comp.exe
  "C:\Windows\System32\comp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5348
- C:\Windows\SysWOW64\compact.exe
  "C:\Windows\System32\compact.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5716
- C:\Windows\SysWOW64\ComputerDefaults.exe
  "C:\Windows\System32\ComputerDefaults.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6004
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\System32\control.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:6112
- C:\Windows\SysWOW64\convert.exe
  "C:\Windows\System32\convert.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:5384
- C:\Windows\SysWOW64\CredentialUIBroker.exe
  "C:\Windows\System32\CredentialUIBroker.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5428
- C:\Windows\SysWOW64\credwiz.exe
  "C:\Windows\System32\credwiz.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\System32\cscript.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5888
- C:\Windows\SysWOW64\ctfmon.exe
  "C:\Windows\System32\ctfmon.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5344
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5344 -s 756
    3⤵
    - Program crash
    PID:6152
- C:\Windows\SysWOW64\cttune.exe
  "C:\Windows\System32\cttune.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6200
- C:\Windows\SysWOW64\cttunesvr.exe
  "C:\Windows\System32\cttunesvr.exe"
  2⤵
  PID:6308
- C:\Windows\SysWOW64\curl.exe
  "C:\Windows\System32\curl.exe"
  2⤵
  PID:6356
- C:\Windows\SysWOW64\dccw.exe
  "C:\Windows\System32\dccw.exe"
  2⤵
  PID:6400
- C:\Windows\SysWOW64\dcomcnfg.exe
  "C:\Windows\System32\dcomcnfg.exe"
  2⤵
  PID:6424
- - C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe C:\Windows\system32\comexp.msc
    3⤵
    PID:6440
- C:\Windows\SysWOW64\ddodiag.exe
  "C:\Windows\System32\ddodiag.exe"
  2⤵
  PID:6516
- C:\Windows\SysWOW64\DevicePairingWizard.exe
  "C:\Windows\System32\DevicePairingWizard.exe"
  2⤵
  PID:6652
- C:\Windows\SysWOW64\dfrgui.exe
  "C:\Windows\System32\dfrgui.exe"
  2⤵
  PID:6896
- C:\Windows\SysWOW64\dialer.exe
  "C:\Windows\System32\dialer.exe"
  2⤵
  PID:7048
- C:\Windows\SysWOW64\diskpart.exe
  "C:\Windows\System32\diskpart.exe"
  2⤵
  PID:6184
- C:\Windows\SysWOW64\diskperf.exe
  "C:\Windows\System32\diskperf.exe"
  2⤵
  PID:6136
- C:\Windows\SysWOW64\diskusage.exe
  "C:\Windows\System32\diskusage.exe"
  2⤵
  PID:6900
- C:\Windows\SysWOW64\Dism.exe
  "C:\Windows\System32\Dism.exe"
  2⤵
  PID:1292
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:6552
- C:\Windows\SysWOW64\dllhst3g.exe
  "C:\Windows\System32\dllhst3g.exe"
  2⤵
  PID:7020
- C:\Windows\SysWOW64\doskey.exe
  "C:\Windows\System32\doskey.exe"
  2⤵
  PID:6100
- C:\Windows\SysWOW64\dpapimig.exe
  "C:\Windows\System32\dpapimig.exe"
  2⤵
  PID:236
- C:\Windows\SysWOW64\DpiScaling.exe
  "C:\Windows\System32\DpiScaling.exe"
  2⤵
  PID:1432
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" ms-settings:display
    3⤵
    PID:4776
- C:\Windows\SysWOW64\driverquery.exe
  "C:\Windows\System32\driverquery.exe"
  2⤵
  PID:2872
- C:\Windows\SysWOW64\dtdump.exe
  "C:\Windows\System32\dtdump.exe"
  2⤵
  PID:6920
- C:\Windows\SysWOW64\dvdplay.exe
  "C:\Windows\System32\dvdplay.exe"
  2⤵
  PID:7200
- - C:\Program Files (x86)\Windows Media Player\wmplayer.exe
    /device:dvd
    3⤵
    PID:7216
  - - C:\Windows\SysWOW64\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
      4⤵
      PID:7248
    - - C:\Windows\system32\unregmp2.exe
        
        "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
        5⤵
        
        PID:7296
- C:\Windows\SysWOW64\DWWIN.EXE
  "C:\Windows\System32\DWWIN.EXE"
  2⤵
  PID:7604
- C:\Windows\SysWOW64\dxdiag.exe
  "C:\Windows\System32\dxdiag.exe"
  2⤵
  PID:7716
- C:\Windows\SysWOW64\EaseOfAccessDialog.exe
  "C:\Windows\System32\EaseOfAccessDialog.exe"
  2⤵
  PID:7740
- C:\Windows\SysWOW64\edpnotify.exe
  "C:\Windows\System32\edpnotify.exe"
  2⤵
  PID:7820
- C:\Windows\SysWOW64\efsui.exe
  "C:\Windows\System32\efsui.exe"
  2⤵
  PID:7872
- C:\Windows\SysWOW64\EhStorAuthn.exe
  "C:\Windows\System32\EhStorAuthn.exe"
  2⤵
  PID:7916
- C:\Windows\SysWOW64\esentutl.exe
  "C:\Windows\System32\esentutl.exe"
  2⤵
  PID:7956
- C:\Windows\SysWOW64\eudcedit.exe
  "C:\Windows\System32\eudcedit.exe"
  2⤵
  PID:8120
- C:\Windows\SysWOW64\eventcreate.exe
  "C:\Windows\System32\eventcreate.exe"
  2⤵
  PID:8136

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004CC 0x00000000000004D4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5336

C:\Users\Admin\AppData\Local\Temp\E8E6A18C-322A-4119-8B70-8B633B6CAC3A\dismhost.exe
C:\Users\Admin\AppData\Local\Temp\E8E6A18C-322A-4119-8B70-8B633B6CAC3A\dismhost.exe {AC09BAB4-BF94-4F14-AE40-2F34671820A0}
1⤵
- Drops file in Windows directory
PID:6012

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5168

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5344 -ip 5344
1⤵
PID:5992

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:6560

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:6672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:6756
- C:\Windows\system32\dashost.exe
  dashost.exe {0552b02b-ebda-40bf-8264346b876ed0cf}
  2⤵
  PID:6828
- C:\Windows\system32\dashost.exe
  dashost.exe {a0d3c3d7-ba2e-4516-807c011ca0e3b49d}
  2⤵
  PID:6968
- C:\Windows\system32\dashost.exe
  dashost.exe {c93e7dd4-c556-49bb-9947f1fab1284deb}
  2⤵
  PID:5992

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:7076

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:6364

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:5748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k McpManagementServiceGroup
1⤵
PID:6428

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
PID:7072

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:4408

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
PID:7528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7145ec3fa29a4f2df900d1418974538

SHA1
1368d579635ba1a53d7af0ed89bf0b001f149f9d

SHA256
efc56eb46cf3352bf706c0309d5d740bca6ac06142f9bdc5e8344b81d4d83d59

SHA512
5bb663ede88f8b7c96b09c1214aac68eda99bc09525ac383baa96914ff7d553ea1aed09e3c9d16893d791c81ddb164c682dfbb4759ac0bc751221f3e36558a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d91478312beae099b8ed57e547611ba2

SHA1
4b927559aedbde267a6193e3e480fb18e75c43d7

SHA256
df43cd7779d9fc91fd0416155d6771bc81565e98be38689cb17caece256bf043

SHA512
4086c4ebe410a37d0124fc8bd00c58775e70ab2b7b5a39b4e49b332ce5b4866c6775707436395467aff9596507c96fb4896f3bf0249c5b9c99a927f31dcc1a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
38KB

MD5
4a6a239f02877981ae8696fbebde3fc9

SHA1
5f87619e1207d7983c8dfceaac80352d25a336cf

SHA256
ac546e02b937ee9ac6f6dd99081db747db7af6a4febf09cbe49e91452d9257b8

SHA512
783cf2ae4ba57031c7f4c18bdac428a1074bb64f6eb8cef126ad33f46c08767deeac51917bef0f1595295b9f8a708cb297b7cf63fc3f7db0aa4ac217ce10f7cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
37KB

MD5
a6dd8c31c1b2b06241a71e43a49a41a6

SHA1
dc871c551fa802ed8dfcc0e754b3d4d373fddd88

SHA256
0def324bda1cf4872a205e006d8fd6aafddb19880c1678bf66f18b304eeda99c

SHA512
f3437729f25077e830e5381e4468ce8222dc893ece8527159721f07e5f85977acde921af3d47ae07ac9f35e3ad06ae06faaa23d715a207d76ba6746c55aeddbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
20KB

MD5
dcc13e096885e2192da2ddae75ba5b26

SHA1
56bf42f76e81ebdc98f418788d239e7fef36326a

SHA256
dd359fd72402c351b879f263e6fd703008e6d641776ee6bb46a853199173f725

SHA512
15a357ecefce6278417d0d7dd6359a39882178226dcae1bd6514594837be7fde8773fa944c35764cd0f6cbeb43303158a5cb0aef9e9445718eb6cc49b10676da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
16KB

MD5
06b438d5e1a8ac9850ebaa924c67684e

SHA1
943849718ba03f7788c14ec43fb29cf503a0b0e3

SHA256
406f8ac9d271e8e74ff9b7dd5bd4f36d6782cd3d036fb9f62f8a252a6050f946

SHA512
0d21fe32b24b27807e96ef5c963dd1e78a89646638217c37ae0075689ad6f683895f942ae3d9b0542e74a9af22bb3756a885606c70d7ed351385bb2770533ee3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dfd167d127459ca689dd2139bfd8f7f4

SHA1
51c35221c0396afca80928fb140bd4ed52e5aaa1

SHA256
eea41e16915d62cc4b0acfa752d91a3202d0338e7812772b593da924b772e24c

SHA512
ef1a1e4b842328a2e49304f64645675ef342fe2961b237c046c93497b5f5434bda660f39d450ce9b1d6eda08fb63e60de3ba65b9abf26b87be2e51974dee4060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
233a02951bd38d68528139dc4552667e

SHA1
593b745648157d2e4c8959f14e131db89be433de

SHA256
29740943f719f75dc1e69eb314d45c5942b3119ee84a9f104817832849ab5d3c

SHA512
e7a65fc3bf91ed55a9380f5db0fd8a5ddeecef8e71a3fbb185ef7d232a08cbb37e6ab9e2fa09334e9efb2693d3f661f9868e3b7053148b96b437e1840a702933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
79200d4bf9e366757de3bfdf675b3c0d

SHA1
4278f5a078e975e013cdab7a6230f9689532b633

SHA256
aabab0372d737a64661c80eb7184b781729fc8933acbf3055858e6c0fca8317a

SHA512
c826990b0b3eae9eb3b1931e38ab30a61faaad3ce9461381282323592257952097e8bab427aed8af7e70bdd0e249fc5d54f7c517753accfebbdfcdc87e562827

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
c8b18228e90197025edcada1fbcbd7e0

SHA1
de7a439bfabf6d213e86c611851eeb69637d7588

SHA256
dbb6c0a35d435bf79081395fcdd7ee6064c5d6498d18c672cec951a538ed18e5

SHA512
2adfd228c73b77215125957355b92127c1e86c6edbddb042fbe1a9615a5e3302cacbbe4e0d3ee321c9b6fb807c96061aa8e4327ade8df2fc01d0a21b49f746a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
701B

MD5
98a9431ef128d8f497e74571fea0204c

SHA1
4628eaa4c5191556bc6eec06c30b6885266e7e0c

SHA256
4e9d32852c4f58583d2e9b29c39a38f2d7331925ba1a6c9ee367aa70181703c3

SHA512
4a70aaaa8e753be05e434ba8c828b130572315d4b65fe18806e037f3ebcfed45b68780f70672dbf75a00adce017fb110a94b72a09f0a26f1e78a1fd390c31b1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
894c24f964b622e64382997cc83a78a2

SHA1
a8a7bc15999e28f0dcc98c389da09b1118fb850a

SHA256
8706bab6a4ee1c3cfb1579ca9033459703be89aff979af672d59bc5f92535b1c

SHA512
d873c0520cae9446e98b1ac8d738708e033ee01d7a418b0319ad62836fddb1f73a41cc2066cb55712b4f8c41fc4e450a1f37762f620b296ddefdd0bd6ac029cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
940B

MD5
82ac7837c348cb8a6e880fc2f326ab72

SHA1
4b361e29d7858e589b433346e3b6540e6ef5b5e8

SHA256
96a75170580f10577cfa846a787791ef5b1983163ab062c5ce09cd8cb9269d43

SHA512
5f6d74ae1874674188e7bc350195dbc846635ef04186321c203cad9ca11d4279760d4821c72f6eba1ffbcc333a40f942c66066808bf7fb4f4b0decbbce4c8e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
3289271f4227cf81d96f5ddf780d80be

SHA1
796008d9ce797bc75330e41e84d66045b0fed79a

SHA256
2de675c5cc5c5fbfe79be32a53b161110f51429a3887d79cdef1caedede9f33c

SHA512
69f2cd136ceaa33cbd9dd3ae628bb6fc4537a2284bb2b0c271a0e81fa88ad13c10e943ec38568b5898e45c130b3643e18e23a7ea2439980c324ada03b80ba966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
29efd64046292d072fe4c049a38e1212

SHA1
3dea24f5e3c92332bba4e703e45e4a4b6a932ddb

SHA256
226b1c67a14c217e66b8123983888c3e34f56262b654d2f9f92f1cf9a5d98923

SHA512
85068a0ba815617f4b813123e503374000d93f4cd1c68490267b40577777c3a350c86dcb859bd7e7807565be7a520990a6b184b656bc67215ea040f86f3600d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e619f51088efb86d3fecf80c53134c8f

SHA1
d5cbb1f10ec0d33e5ade88cee12d4b886b1017eb

SHA256
3002176965c50103f6244167e626d678049682985fb633288fa8e0652ec239a5

SHA512
886ea62b3059b408bebcd650a075115e0e2235ae7c45d689d77e8cb2884034e9b2c9ef05b813aae7779ca347267eac5f397dad594f31599113d2569848b3e687

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
338003d90834fc06efec39b1914b5c9a

SHA1
a2228a09c09435cd5b90cf1d0ed1708b6ecae39d

SHA256
393b326f689f456a91cc1d0a945baa39c9aadd36f6384b853085833676b6c383

SHA512
95eddfda33ed9563e3406614b1e8da8f36db12352908bb4cbce804fdaf15d13a78c108c2ab4ea67414ca3eb798dc359ab87e8eeb4dd316ee0402e175a2ac52cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5683057e4403ffd236b0f283ee7cf737

SHA1
b41b63ca56af390fb9aa897319cbdbaf9fef16d4

SHA256
609bed86dc2acd3cb364e34d3ee5ed10dcdcba67cb33e8d5ad785704e4dafbe0

SHA512
5f6c082126485e73dd56616868718952959f7cd69d64a0a96af67c6b3c1996211ad3a4cc1726b920b978d0333c3ec7dbaf7f1e9c611684b5032b5e6c58ae1fa6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b0a4034003d96b8152bc55a70ba813c2

SHA1
9e44e6d1af069b71a04313431153626ea24eca8c

SHA256
ae0bcea0c4fab709b10fc5b71c7708867d5d1246b77f64acf8d7f55f91cf0a04

SHA512
3d4df34f5e7309a9ce5c0364bf08783931da55eb0618043210b783e51f9222fb63ea6dfe36d6c44f692a5b2d4b948a0ada3f932061099f26cf7c5fc1ca5010fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6bdf16d2b59c1903c6507d07073e30da

SHA1
05c5bd60e16ccfc550e5379fd5e07693b8c71cd4

SHA256
9e2e61be0779b70e9c74f1495a90f22e4e936c2c376538e8dc1767e15515d548

SHA512
b3f0baeed34e7ef40a73ab3cc46290a3873b3f21b84c2e2f248118175ecfcbdde75d135b4ec67c0b3cb7eed4a91de731ff05277c97b2c50c27ce5e39e7c6e2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc3266f9a6c4ca741b5f58cc86ccd96d

SHA1
b8c636d40a251647caa9bf63ec9e97cedd74fe67

SHA256
99233a416d7e4e9ad98e681daa058e9a3cc73251ed687a64ddf1de2523e9ab11

SHA512
c9cb89b19e61124321155041dc9e9d5d7dfe719ae9bb32aae6264d17a99dc10061e49466eded10f5327d328d3208736350e5feaff418b73fe3bfef3d07b551b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c0930a4e6e423450e42781c32571d583

SHA1
b4a4b1afe44721f142a1bed0a4a1bea1e9fbf80f

SHA256
c687d19d0a047d54bfda09cc1b479cd8e52d86e8526aab471c3416800f6821ad

SHA512
c9f544e1e89b5608eb60c616bdef2d05e2a049593dbed52140135ed34d9c454e0e0b7d7ca216673c4298c10884dcdf12f18c28e51ddf7fee94d7c6eaa6ec35e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9dadf4c8ebaded40b2c2a4fc345381a6

SHA1
694a687f9fe81b3e49fa943a0f1b5c31a16a1e51

SHA256
d38168a489a774e91a2789f46e637d899eb01697661c6f6024c6d847a4828780

SHA512
99b6e306039e60d5bab59405880aa8edd5fed133e3ac34ec61e5367fd6c60ca47b43e279eac8d367982e73ba385e14e611b186c8c2a670c643a863bb02183bfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b56e3af01759f599e9dcccc881396f18

SHA1
bbb3c1eab6a57f004d81116f00a3bbec65d6fc04

SHA256
d4db22073b2107a0e0fd1520b8f3bcb86121dff4d39c8d009e785fd50b8aee3b

SHA512
018ce1bbcb33baeb55ce7c69ec48f49466e587ed7b33ef491b319200fad5e3bac3603c15ccf34859f22bb6f86db52018764a5178d6349b4f5fd988926c899022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bf51fc84145614e85f8b1d89e3403aef

SHA1
5737b814d29629317eba584e61050947ebed0399

SHA256
7a75fefebe2520cf7d39d5ef068dc34aca1206613a82f1f3496c17d219927579

SHA512
fbec5cb0124f640eb6b5261543ac1c8288ae76d583ffcbdd2110ce514f0dc1ccca3b5b3ef5283d191b81daa7fedbf8dcdb458ed53387c9a5bd3033f082b94e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d9626051b597729c5fa725df93930a7

SHA1
35a5ce69bc13f2485dfec6980219e1ff68e4becf

SHA256
a5810cbb582dede842bc9b974ce364d7a74ae8adb3e27f3e9eb879394bdded8d

SHA512
96f040d9dee404bf96de71e81ca2494ccb092ec1e9aa5b8562b554110f544a1cf6f76db3954865655dd26a6838cba7616809c4a4353bd93855ce1ab45a939449

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51f63512e5c503eb6ffc2c436a6c9e47

SHA1
8aaa392581e629cc0be7b24bd2ef4cdf23f07f5c

SHA256
1ed282dc6d706790616dd97061dd3ec271b20ea1d4f5435666eedd145d663509

SHA512
c358db30e460c2d74d3c13ba78a8a742b75089ce4f7fb29a432f18a0edd6222b963651376fd045329475043a1687742ac90be3266ac26ebdfdf94e583b04fe9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c60b1b80a2c8d5b52467ec2fb48cf6d2

SHA1
083a13450858dca2e8e1af37f774f443d0c95b89

SHA256
ca03a5ef3f0350b0fa36d6ee4961993a26fc89dd8073b5f162e5f8e73d70922b

SHA512
1063234d80e0a302a24adef0fb0ad93e036006761fc4bccfd42588f48742269eb01bd723ac6c1227d2c0463b01d3cd6902da8da277f8ad6ae0abb3a1bfc10a33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
25b3995cd9a397b1924ae6f62b554338

SHA1
3eadf5b41fae596b255d77d70cb69b4a48f97e8a

SHA256
8d7fd6ac3d49491ab5e18a88f7688c48eb0c0fc041dd5755c0c64b365158cff8

SHA512
6fc56573ae162405b4fdf7eab891c46472ab0572672de60afa0d3e1b68e8b7d57488b2613985408342eacddc2aff692beb9fbf94151468498eefbacdc73dbabe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3774d5281525f61d0cd6499483215531

SHA1
0e7f2f09d0c5d89960755d277614604d83dcb9e3

SHA256
18cfce69b4b20cecd4cdc24db36bb17a8de735579631efc756d123e05a26e3bb

SHA512
a2ae8a9320b0757b70bbe86c2505c032d21def74bfc41d41736234d1b336b1a81863b979c86780493530333bb4e23576d91569deabf64c584a958e6986a6e99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d4f3e0dc82ecc9f206c55a07961d81f0

SHA1
10b3bc81bfbe80f18678cfa79818885366f28225

SHA256
11d4a2bab83fe2e8f080a21918315e214205575d1eeaed4e3fc9715b6b7c72cd

SHA512
5dcdb1cdb75bbd6fff9fb83638a51e6af1b96a4667c561c38e9e62578c8bfaab07149b2fb510225149354f8ee26c4675464dd09f6290c1fc0f71d43425691a71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5dc120.TMP

Filesize
1KB

MD5
89a0fce8d2bfe92f65913c2999758ba8

SHA1
a3076b1d79e88538c598e42f363827b11564a62d

SHA256
c02f0e897008e5f9fc734449f1570f779e10c42864240bb0b10af6c988e53091

SHA512
62fabcd88062cc832db61ab2165afbec2a0f142c55eb49eb0b12aaf690014293bcd42c49a7c8e95e3df828d95c8b3e4c06eb7429da4622dff2be5c57cb49e621

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
415d88014c3f8550d91323f49a1ed178

SHA1
40c5cc8e2573a5a520d77a7c1d17635900f6a44d

SHA256
aa0af88fecf2350a0ca7846101447d668798026d14d73da409688e6e64030d38

SHA512
556efeb1f9b75209b24651617c0b79dee11637e3ff9e64906df9c6575972328fcd79621e61af415cf59abca6eae26a7a8c64dae1a589d02bbb1e6fb3703dd8d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
10b49d46cd6d5b0be95148f42f347f7a

SHA1
620a849d89f1274a65985fd0d6e943e31f8f8c66

SHA256
f866c1556e9a538e9c9413f3688bbb786f4510238d791e48a35a85ad03ef3079

SHA512
c50b51e3f86768ee221204f028ee735ca0f45468835fa87028d2ecb2d80d3cd01aa0a04ebb2d58b59dd32d7ea8727649f42e8ee9ec7e09af4c277ff00ee9f070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d501d2301a125f0f1548dcea1f00ebc

SHA1
2ef771bff4e3f77177aeb59597067952e5e794a6

SHA256
6aa0f52c370c6a450b467680cb083000cc709730476ececa4978dadfcdd09b5c

SHA512
e39b8fe610b0be9f2d8a6ff6b6f734ffed78698aaed02c7dfcd616023a1afec28fd9a2f204ed81bf67560932bffd9a09ba6b691add32d45c151d0dc6658b046b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6aa290ff1037085129972c3bc27ec39

SHA1
fa3f53ec42cb57250d82567b8e7c90446ec46ae7

SHA256
169cdcd849568a750b1a6a1cc9bd429d78709658fa4dd2453e3e6968b32cd80d

SHA512
247ea01cff770bd93986d4e5d98690c7c6bca5a8ad370256c493c38958920bf521b9cbecac7c9dc953da9766d307150e65b1aedcae79d78bc14bcc078d613a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
640KB

MD5
4c2ef1389f6d3567768b20b1b1ee99aa

SHA1
55612c97160c8ed0371738010313a4481452e102

SHA256
30f9ef3256a596ae28f6014d4960793dac4843d0791c802e82f9c771ba4d76ca

SHA512
fc884482292c0713cfa924d9ef5a7083cca0ee8c1529cf9ba2aef13e47b175be5b48f1b5facf5082ae8889a89756be4647a1076c8b4092877ed97e74a5aae2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
e156accfea08f3e27535a94b169acc2f

SHA1
657fed4f5d42cb8cf19bbb9654dac85f9ef48c5d

SHA256
67b4a2f65e52e8aacffee9281c5a70857f31975cd40bef26af68790eee8a5b7f

SHA512
d66e6e51d48c4a793f0e77d0975bfae57c238b0c4e24cce36ffd3c87f5b3594d537bd388385671d258c87ef2fd5ab51967370a1b1284ff126a1ae9ad7223b355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\LocalMLS_3.wmdb

Filesize
68KB

MD5
7bd809d4c07f943a61f1d1fcb7a5c392

SHA1
a967fe1fd5accb7fa530d459859eed7c0cdd123a

SHA256
951d8644434457e85231a7b0afd236dc44f0b991b7f4354502eb584f9564916c

SHA512
a435b032548a8c91a65f2ce5bdef803cd461423c06f87bf5b77dc60a7c60d9a29776cc15a458d013f00bbed6ea59865bf9550c6771bbdb01a8a98c77fdd87735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
96329c73cc49cd960e2485210d01c4d2

SHA1
a496b98ad2f2bbf26687b5b7794a26aa4470148e

SHA256
4c159cab6c9ef5ff39e6141b0ccb5b8c6251a3d637520609dfbdd852fa94d466

SHA512
e98736a879cad24c693d6c5939654b2fd25bf9d348f738668624214f22d541a9b781c967201ab2d43cbac9207946824a0299d482485f4b63c48d5d2a839e5baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
23a77e4ff4ea174f3fe338633f3e0ee4

SHA1
583bcc0dc5c7aff298de027f348c0c2eea1dc6c4

SHA256
53d6bbaa5f97fec7a38a0e4b6ad62c280c20290c643da2d0ccb119939dfdc7fc

SHA512
9281eef0149b25c2b5fa7fa81ac37bf4df5614adbc43184c42e0dfe3ad0c81f5a2a658c5c52c615f0355f549f5d4f86486c8ce992afb00824f0ed64375646059

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 355301.crdownload

Filesize
191KB

MD5
ec8982bb5bc336fe8803c4ce78ca6b3a

SHA1
98d52086cb0fbeacdf6e722ea77553f701506ceb

SHA256
d8e07b6a5984bec06dc7507fcecb31c7260b9367bd25ae4e9c6598f30d7c93b3

SHA512
c312605e5ae560dbb8e8ceb6db164235b115fc85739d46ffc9c19d534cb8f0d6e5800993b301a4bee175d7a8508a4fb39c9e7200efa1c52f5e736ee46d86303e

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
265KB

MD5
a94cc2bd8c4eb8adde33df2ca853ab0f

SHA1
9a82859b244badf412e34873dd1add9917f0ed3e

SHA256
b1de11e02441aceaeca3297b6c17658350682513469d076a58bab295c5adbe56

SHA512
3312b1e5ce7969151f7e7c103192b0806498ad829294f49a7b2846df4482d5c3564bfd4407c038e4ba2bb3a679bdc7381869d7cdfa642949e5f499c6bb8044e0

Download Submit
C:\Windows\Logs\DISM\dism.log

Filesize
266KB

MD5
04e63a34efbb0e8f5d60c158bd3a55e1

SHA1
ae688b528ad38e0f276057f14ccbd2f9e9835f11

SHA256
c9c661394c60cc0bed9834baaf28fa47d62472bf31e50efa3dc56bffd571363a

SHA512
109602425eb1ef70cfeca3fcb076c64b92da61f52d039f7a31616b3539ba6f230fdd973d0c3a3c1778de9761962d364cb1842b235526edcce75e5c18cbee1e20

Download Submit
\??\pipe\LOCAL\crashpad_1632_INLTAKRDIUJHNLNM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/7216-1197-0x0000000006D50000-0x0000000006D60000-memory.dmp

Filesize
64KB

Download
memory/7956-1181-0x0000000001430000-0x0000000001440000-memory.dmp

Filesize
64KB

Download