lumma | hxxp://wechat-teams[.]com

Analysis

max time kernel
294s
max time network
297s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30/01/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://wechat-teams.com

Score

10^/10

lumma defense_evasion discovery persistence privilege_escalation stealer trojan

Malware Config

Extracted

Family

lumma

https://toppyneedus.biz/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4256 created 3452	4256	WeChateams_12.22.5_x64-setup.exe	55

Downloads MZ/PE file 1 IoCs

flow	pid	Process
49	2692	msedge.exe

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	lockpc.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	lockpc.tmp
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 37 IoCs

pid	Process
4256	WeChateams_12.22.5_x64-setup.exe
4972	MicrosoftEdgeWebView2RuntimeInstaller.exe
2464	MicrosoftEdgeUpdate.exe
5000	MicrosoftEdgeUpdate.exe
4460	MicrosoftEdgeUpdate.exe
3112	MicrosoftEdgeUpdateComRegisterShell64.exe
3528	MicrosoftEdgeUpdateComRegisterShell64.exe
548	MicrosoftEdgeUpdateComRegisterShell64.exe
3896	MicrosoftEdgeUpdate.exe
440	MicrosoftEdgeUpdate.exe
2408	MicrosoftEdgeUpdate.exe
1520	MicrosoftEdgeUpdate.exe
2884	MicrosoftEdgeWebview_X64_131.0.2903.99.exe
948	setup.exe
4124	setup.exe
4580	MicrosoftEdgeUpdate.exe
3736	teams-wechat.exe
3696	msedgewebview2.exe
3024	msedgewebview2.exe
1500	msedgewebview2.exe
3552	msedgewebview2.exe
4840	msedgewebview2.exe
4460	msedgewebview2.exe
3632	msedgewebview2.exe
5336	lockpc.exe
5292	lockpc.tmp
5624	lockpc.exe
5400	lockpc.tmp
5940	lockpc.exe
5828	msedgewebview2.exe
3120	msedgewebview2.exe
4784	msedgewebview2.exe
5260	msedgewebview2.exe
5508	msedgewebview2.exe
5832	msedgewebview2.exe
5772	msedgewebview2.exe
1572	msedgewebview2.exe

Loads dropped DLL 64 IoCs

pid	Process
4256	WeChateams_12.22.5_x64-setup.exe
4256	WeChateams_12.22.5_x64-setup.exe
2464	MicrosoftEdgeUpdate.exe
5000	MicrosoftEdgeUpdate.exe
4460	MicrosoftEdgeUpdate.exe
3112	MicrosoftEdgeUpdateComRegisterShell64.exe
4460	MicrosoftEdgeUpdate.exe
3528	MicrosoftEdgeUpdateComRegisterShell64.exe
4460	MicrosoftEdgeUpdate.exe
548	MicrosoftEdgeUpdateComRegisterShell64.exe
4460	MicrosoftEdgeUpdate.exe
3896	MicrosoftEdgeUpdate.exe
440	MicrosoftEdgeUpdate.exe
2408	MicrosoftEdgeUpdate.exe
2408	MicrosoftEdgeUpdate.exe
440	MicrosoftEdgeUpdate.exe
1520	MicrosoftEdgeUpdate.exe
4580	MicrosoftEdgeUpdate.exe
4256	WeChateams_12.22.5_x64-setup.exe
4256	WeChateams_12.22.5_x64-setup.exe
3736	teams-wechat.exe
3696	msedgewebview2.exe
3024	msedgewebview2.exe
3696	msedgewebview2.exe
3696	msedgewebview2.exe
3696	msedgewebview2.exe
1500	msedgewebview2.exe
3552	msedgewebview2.exe
1500	msedgewebview2.exe
3552	msedgewebview2.exe
4840	msedgewebview2.exe
4840	msedgewebview2.exe
1500	msedgewebview2.exe
1500	msedgewebview2.exe
1500	msedgewebview2.exe
4460	msedgewebview2.exe
1500	msedgewebview2.exe
4460	msedgewebview2.exe
4460	msedgewebview2.exe
3696	msedgewebview2.exe
3632	msedgewebview2.exe
3632	msedgewebview2.exe
3632	msedgewebview2.exe
5292	lockpc.tmp
5292	lockpc.tmp
5400	lockpc.tmp
5400	lockpc.tmp
5828	msedgewebview2.exe
5828	msedgewebview2.exe
3120	msedgewebview2.exe
3120	msedgewebview2.exe
4784	msedgewebview2.exe
4784	msedgewebview2.exe
5260	msedgewebview2.exe
5260	msedgewebview2.exe
5508	msedgewebview2.exe
5508	msedgewebview2.exe
5508	msedgewebview2.exe
5832	msedgewebview2.exe
5832	msedgewebview2.exe
5772	msedgewebview2.exe
5772	msedgewebview2.exe
1572	msedgewebview2.exe
1572	msedgewebview2.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	teams-wechat.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe

Enumerates processes with tasklist 1 TTPs 6 IoCs

discovery

Process Discovery

T1057

pid	Process
5156	tasklist.exe
5664	tasklist.exe
5496	tasklist.exe
5532	tasklist.exe
5724	tasklist.exe
5792	tasklist.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\edge_game_assist\VERSION	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Sigma\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\Locales\en-US.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\Locales\fil.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_as.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_lb.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Sigma\Other	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\sl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\identity_proxy\dev.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3696_1113869912\Part-FR	msedgewebview2.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\libGLESv2.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\fr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\notification_helper.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_el.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\de.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\mk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\concrt140.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\af.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\hu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\resources.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Sigma\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\MicrosoftEdgeUpdateOnDemand.exe	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\identity_proxy\win10\identity_helper.Sparse.Dev.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\Locales\pt-BR.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\hyph-de-1996.hyb	msedgewebview2.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\948_13382744666087051_948.pma	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\hyph-ga.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\hyph-it.hyb	msedgewebview2.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\hyph-mn-cyrl.hyb	msedgewebview2.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_tr.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_sr-Latn-RS.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\Locales\vi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\Locales\zh-CN.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\or.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\identity_proxy\win11\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeWebView\Temp\source948_2010122743\msedge_7z.data	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Sigma\LICENSE	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_cs.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\edge_feedback\camera_mf_trace.wprp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\ar.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\Locales\ms.pak	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\hyph-pa.hyb	msedgewebview2.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_da.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_iw.dll	MicrosoftEdgeWebView2RuntimeInstaller.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Sigma\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\msedge_elf.dll	setup.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3696_1766752304\manifest.json	msedgewebview2.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\dxcompiler.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Locales\ml.pak	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lockpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lockpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebView2RuntimeInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lockpc.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WeChateams_12.22.5_x64-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lockpc.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	find.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	lockpc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3896	MicrosoftEdgeUpdate.exe
1520	MicrosoftEdgeUpdate.exe
4580	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133827447425797004"	msedgewebview2.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID\ = "MicrosoftEdgeUpdate.PolicyStatusMachine.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{2E1DD7EF-C12D-4F8E-8AD8-CF8CC265BAD0}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{42580F9E-2678-4BB9-A2BC-F22A1D432A1A}\InprocHandler32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ = "IAppCommandWeb"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C7931E4D-82F7-486C-9FFB-E44AB90B021F}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\NumMethods\ = "43"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LocalServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\ = "IPackage"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\ = "IPolicyStatus2"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.39\\MicrosoftEdgeUpdateOnDemand.exe\""	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32\ = "{C7931E4D-82F7-486C-9FFB-E44AB90B021F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{77857D02-7A25-4B67-9266-3E122A8F39E4}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0\ = "Microsoft Edge Update Legacy On Demand"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\ = "Microsoft Edge Update Broker Class Factory"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\ProgID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods\ = "13"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\ = "IGoogleUpdate3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusSvc\ = "Google Update Policy Status Class"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\CurVer\ = "MicrosoftEdgeUpdate.CredentialDialogMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32\ = "{C7931E4D-82F7-486C-9FFB-E44AB90B021F}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ = "IGoogleUpdate3WebSecurity"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\CLSID\ = "{08D832B9-D2FD-481F-98CF-904D00DF63CC}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\LOCALSERVER32	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9F3F5F5D-721A-4B19-9B5D-69F664C1A591}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\ProxyStubClsid32\ = "{C7931E4D-82F7-486C-9FFB-E44AB90B021F}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ = "IProcessLauncher2"	MicrosoftEdgeUpdateComRegisterShell64.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 873181.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
4436	msedge.exe
4436	msedge.exe
3844	identity_helper.exe
3844	identity_helper.exe
3332	msedge.exe
3332	msedge.exe
2464	MicrosoftEdgeUpdate.exe
2464	MicrosoftEdgeUpdate.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
2464	MicrosoftEdgeUpdate.exe
2464	MicrosoftEdgeUpdate.exe
2464	MicrosoftEdgeUpdate.exe
2464	MicrosoftEdgeUpdate.exe
4256	WeChateams_12.22.5_x64-setup.exe
4256	WeChateams_12.22.5_x64-setup.exe
5400	lockpc.tmp
5400	lockpc.tmp
5940	lockpc.exe
5940	lockpc.exe
5508	msedgewebview2.exe
5508	msedgewebview2.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
3696	msedgewebview2.exe
3696	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2464	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	5156	tasklist.exe
Token: SeDebugPrivilege	5664	tasklist.exe
Token: SeDebugPrivilege	5496	tasklist.exe
Token: SeDebugPrivilege	5532	tasklist.exe
Token: SeDebugPrivilege	5724	tasklist.exe
Token: SeDebugPrivilege	5792	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe
4436	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4436 wrote to memory of 612	4436	msedge.exe	82
PID 4436 wrote to memory of 612	4436	msedge.exe	82
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 368	4436	msedge.exe	84
PID 4436 wrote to memory of 2692	4436	msedge.exe	85
PID 4436 wrote to memory of 2692	4436	msedge.exe	85
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86
PID 4436 wrote to memory of 2696	4436	msedge.exe	86

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://wechat-teams.com
  2⤵
  - Enumerates system info in registry
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffaf7c46f8,0x7fffaf7c4708,0x7fffaf7c4718
    3⤵
    PID:612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
    3⤵
    PID:368
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
    3⤵
    - Downloads MZ/PE file
    - Suspicious behavior: EnumeratesProcesses
    PID:2692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
    3⤵
    PID:2696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:2408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4724 /prefetch:1
    3⤵
    PID:4816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
    3⤵
    PID:1976
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
    3⤵
    PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
    3⤵
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
    3⤵
    PID:3548
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
    3⤵
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5756 /prefetch:8
    3⤵
    PID:3688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6100 /prefetch:8
    3⤵
    PID:2796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6588 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3332
- - C:\Users\Admin\Downloads\WeChateams_12.22.5_x64-setup.exe
    "C:\Users\Admin\Downloads\WeChateams_12.22.5_x64-setup.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4256
  - - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebView2RuntimeInstaller.exe
      C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebView2RuntimeInstaller.exe /silent /install
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4972
    - - C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers"
        5⤵
        Event Triggered Execution: Image File Execution Options Injection
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4460
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3112
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:3528
        
        C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.39\MicrosoftEdgeUpdateComRegisterShell64.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:548
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODg3NkQ1NUEtNTM4NS00MTFFLTk5REYtOTJBRTdGRkQ1Qjc3fSIgdXNlcmlkPSJ7OTg3OTc0RUQtQjMwQi00QzMxLTlDNzgtNkM3NzA1OUJFM0M5fSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGMjk1NjcyQS1BMDlGLTRCODAtQjJFMi0yNTc4ODNDMURFODJ9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjM5IiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDYyOTg5NjQ1IiBpbnN0YWxsX3RpbWVfbXM9IjU3OCIvPjwvYXBwPjwvcmVxdWVzdD4
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3896
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20WebView2%20Runtime&needsadmin=Prefers" /installsource offline /sessionid "{8876D55A-5385-411E-99DF-92AE7FFD5B77}" /silent /offlinedir "{A44966B2-BEAB-4112-A874-DC2563951CF3}"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,6869416031814253394,2541757852524184589,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2544 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3124
- C:\Users\Admin\AppData\Local\WeChateams\teams-wechat.exe
  "C:\Users\Admin\AppData\Local\WeChateams\teams-wechat.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  PID:3736
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --autoplay-policy=no-user-gesture-required --disable-features=msWebOOUI,msPdfOOUI,msSmartScreenProtection --lang=en-US --mojo-named-platform-channel-pipe=3736.708.14488169155189951761
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Drops file in Program Files directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - System policy modification
    PID:3696
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.140 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=131.0.2903.99 --initial-client-data=0x178,0x17c,0x180,0x154,0x1ac,0x7fff9d0b6070,0x7fff9d0b607c,0x7fff9d0b6088
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3024
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=gpu-process --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1848,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=1844 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1500
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=1916,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2136 /prefetch:3
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3552
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=2268,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=2352 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4840
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=3536,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=3548 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:4460
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=renderer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --autoplay-policy=no-user-gesture-required --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --field-trial-handle=4440,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4792 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      PID:3632
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=4180,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5828
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=4940,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3120
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=796,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5224 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4784
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=5228,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5240 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5260
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5380,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5384 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      PID:5508
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=5240,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5152 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5832
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=5152,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=5552 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5772
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\131.0.2903.99\msedgewebview2.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations=is-enterprise-managed=no --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView" --webview-exe-name=teams-wechat.exe --webview-exe-version=51.2.1 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --subproc-heap-profiling --field-trial-handle=4356,i,12673930443163566881,956314868592661527,262144 --disable-features=msPdfOOUI,msSmartScreenProtection,msWebOOUI --variations-seed-version --mojo-platform-channel-handle=4960 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\A4mgWvdO\lockpc.exe
    "C:\Users\Admin\AppData\Local\Temp\A4mgWvdO\lockpc.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5336
  - - C:\Users\Admin\AppData\Local\Temp\is-7IGA4.tmp\lockpc.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-7IGA4.tmp\lockpc.tmp" /SL5="$301EC,1885749,119296,C:\Users\Admin\AppData\Local\Temp\A4mgWvdO\lockpc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5292
    - - C:\Users\Admin\AppData\Local\Temp\A4mgWvdO\lockpc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\A4mgWvdO\lockpc.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5624
      - C:\Users\Admin\AppData\Local\Temp\is-I3KOO.tmp\lockpc.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-I3KOO.tmp\lockpc.tmp" /SL5="$8005E,1885749,119296,C:\Users\Admin\AppData\Local\Temp\A4mgWvdO\lockpc.exe" /VERYSILENT
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH | find /I "wrsa.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq wrsa.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5156
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "wrsa.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH | find /I "opssvc.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq opssvc.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5664
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "opssvc.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH | find /I "avastui.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5404
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avastui.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5496
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "avastui.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH | find /I "avgui.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5464
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq avgui.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5532
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "avgui.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH | find /I "nswscsvc.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5604
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq nswscsvc.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5724
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "nswscsvc.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /C tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH | find /I "sophoshealth.exe"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5644
        
        C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FI "IMAGENAME eq sophoshealth.exe" /FO CSV /NH
        8⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:5792
        
        C:\Windows\SysWOW64\find.exe
        
        find /I "sophoshealth.exe"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\is-3HQ15.tmp\lockpc.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-3HQ15.tmp\lockpc.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:5940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1792

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
PID:2408
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODg3NkQ1NUEtNTM4NS00MTFFLTk5REYtOTJBRTdGRkQ1Qjc3fSIgdXNlcmlkPSJ7OTg3OTc0RUQtQjMwQi00QzMxLTlDNzgtNkM3NzA1OUJFM0M5fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RjA4QjJGOUYtNzNGNi00NjhCLThGNkUtNDVCQkYyMzVGRjE5fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxIiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzgxNDMwNjUiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MjYxNTUzNDAwMTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDY3MjA4NzQ0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:1520
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\MicrosoftEdgeWebview_X64_131.0.2903.99.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\MicrosoftEdgeWebview_X64_131.0.2903.99.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:2884
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\EDGEMITMP_2E6F7.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\EDGEMITMP_2E6F7.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\MicrosoftEdgeWebview_X64_131.0.2903.99.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:948
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\EDGEMITMP_2E6F7.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\EDGEMITMP_2E6F7.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=131.0.6778.140 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E805ED40-AD56-4444-A4D1-45DBEC560174}\EDGEMITMP_2E6F7.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=131.0.2903.99 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff737d22918,0x7ff737d22924,0x7ff737d22930
      4⤵
      Executes dropped EXE
      PID:4124
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuMzkiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuMzkiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODg3NkQ1NUEtNTM4NS00MTFFLTk5REYtOTJBRTdGRkQ1Qjc3fSIgdXNlcmlkPSJ7OTg3OTc0RUQtQjMwQi00QzMxLTlDNzgtNkM3NzA1OUJFM0M5fSIgaW5zdGFsbHNvdXJjZT0ib2ZmbGluZSIgcmVxdWVzdGlkPSJ7NzJDRDI5QjQtRjNFQy00MTZDLTlBMjYtNTFBMTU5M0JBMkQ4fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjEzMS4wLjI5MDMuOTkiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0NzIyMDg0ODgiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1NDcyMzY0NjgyIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTQ4MjM2NTM1MiIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjU0OTU0OTAyNjciIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY3NTciIHN5c3RlbV91cHRpbWVfdGlja3M9IjYwODkzOTAyOTQiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIGRvd25sb2FkZWQ9IjE3Njg1NTY0OCIgdG90YWw9IjE3Njg1NTY0OCIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjEiIGluc3RhbGxfdGltZV9tcz0iNTkzOTAiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\131.0.2903.99\Installer\setup.exe

Filesize
6.6MB

MD5
f6ef6691c60c40c1b64c857aa7140f65

SHA1
0a18181edb6539ace366e7d804e37ec558c52b79

SHA256
df10339c63d2f24162ffa7d61c797f46a4ec4d91f1f74c3290646a232c7e9c56

SHA512
bf2829c18f109ee181518b7819a23782fdee4f81644a9d062e060ccac7a2df27d2f49cb3c26d63e6c9e2aed6ff166f2af596c0365284ef1dc0a70363ea8fd404

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
182KB

MD5
d6092c49adbe6e336129589db40dd865

SHA1
f2727da0cd0fff082401adaf779c4ba8c961e3c7

SHA256
6474d531f1b8788451f9a0d9e421dfa236279466c09d783c3e6bdadf7306b909

SHA512
ff2a7ab954fec2c75e5e61bf752c23e127417eda22a332a40c0e0e7a44757645308c74f7852268eb7de1307907234421e0cf684bab2fea24e1e7a653e601bf1c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
9da54f5a8726349124dbdca094448a11

SHA1
a80642cf316be9570494a4c74949024f5d59f042

SHA256
f04efee822f9b2baf2f9b4ea576b9908804b6990497b82c549a34ba54b1b4807

SHA512
d84a5ac786f8bd0eabe4b1c50c7cbac8828ed2e3eb9a064936b65f0cf07f30e7362d44bda1c95a6652708ebb94e139781acf9cf7c0bdc642620136c6d01e2d62

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
215KB

MD5
d09470f63c3b544d68480425950c6954

SHA1
413c9b4059278aef05eb124028cda19329f9d5de

SHA256
16f4836dfd0647421e492b789928b5aa116f74b85ca91b46ba5873890d008334

SHA512
d47d74e1a80efc6ee775a664269c961f5514b15670d682e1c6e50771a55643b0a2e2b4945a36793a2fcde7d488370275a58ac5552f119e273bb6c84411f46938

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
262KB

MD5
db5cf5b7795b922a9f07561e7213ba01

SHA1
152552ce0f0bb080287b8a9b830577399a6814ee

SHA256
a8ce896d4e64a0246b1cfbba3d3f39a11350c017c7dc19e5bc4dabf0109fb0ef

SHA512
2a2df6ed810ce8fe30f1c42bec81ce8237609d8a490a8bceb31af22eaa6dbe17c39083b20c5100a0ee8b206632fc77854b3ecaac2a76de6ffda2d3d94c92a3e2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdate.dll

Filesize
2.1MB

MD5
3f84ac83fa44fb5e069640648e1660e7

SHA1
d54e05bbef5f9abad7f6b506cd699a281305ee73

SHA256
17c62e9ed5bebdcce2ac0cb41a255c5f63f6544fb5ab148b6810617b854f6319

SHA512
3c23d6d616249c20759ea3cdf8221dbab0684c745aa362fdf1e505547fb651b08ee33acc3471af27e32bc66e7b1397eb56cded5650b5f43da52291569d48a813

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_af.dll

Filesize
29KB

MD5
c3485f9e2bbd4462f969c1a2b1ade357

SHA1
a7884e39cb43e8272f586be7193211703ffd8a81

SHA256
6dc5593c42c16ebc1765afa6e8ef2af3fac6602a62197e0d614be330109e74cb

SHA512
0d7c1ed739e586e8a371e04117de6a5d4ee7d273ba550c13fb7b84e0500405a9fa4202bb8b96fa2a310baa639e3c4d0bc52764417bf7d75324c988b684d64628

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_am.dll

Filesize
24KB

MD5
908bbadc3ea726e2610ef6632b996694

SHA1
6246e19af8da064c725bcf384ececf1fe1aed43f

SHA256
fc8ef54504842074382f27576a36c7437429cfb876ad5b5332160a8e26255f1c

SHA512
60c05efc76f3bd1b4f1604d3f9c8d123752aa62726b6311ffd14cfb79d7c25023caad1932f5f146722bb0eb647e125277bec10cf1d18997c646b83f04d8e7de7

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_ar.dll

Filesize
26KB

MD5
01859e622da96bb235d0fd3a3e6b7871

SHA1
f12555f480c12c1aa10911116a5e37446524c0b0

SHA256
07718806c8a31133868cffaee5a07ca721e4f4c6ae4fd0deef67ef2a29eefae8

SHA512
72b5a421f5ff15620cd5e15fd8763b69dc1e9c84701655651992fffd9b79f3e25e11c864c955a5f9beb2f678c03cd59e5a89c10e13a68c57b406971ec6345903

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_as.dll

Filesize
29KB

MD5
96463afd6026b13c098019b02b0ad312

SHA1
96cfd64628e572db01d7fee237add6c48af43bfd

SHA256
b8a2774f687eaa0f25da96e7cf1497d5e6d84e567f7d0c89d5bd33931b2674fa

SHA512
df91cdcba5e6780fcc5ad9d24e25c3e714dd568f515a53dce3a05b9b49c3312a65860d7156fd5524c8ee907f15d3d9ad900b6ad37c0ff2a8631bc8932d397105

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_az.dll

Filesize
29KB

MD5
9772dfcec02c842821cfccbf066f61b9

SHA1
571326a12f51ee034ab9ce8224363c2050f3fbfc

SHA256
27035173c82bde66600ee0cea45d98f6c000575b7deb9e670346a521caababab

SHA512
d4104d310ddcf6ff7ac3a8f6df6b611848c0d0a0a716a958e2f1ce13a9096430081f99134068f0472a2a058d5e6ce2abf0f1ff9abcf4ce0bdbced07731de7f5f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_bg.dll

Filesize
29KB

MD5
5c4c5b2c1dfe89adf51d753e5a83f6bd

SHA1
e277714e69b3628586a4f74260e9c06ab00700d8

SHA256
ac722db8cd409584c7529b4791773b56454d91c404222c7e9bc3f8a4d4aec448

SHA512
d5fdbdaa9a0296262b37af95ba9e7f0bdd4de09e9b131f29afe37677ea9c22a9db374b4d2fa903875775a66a04543aed60661eabd1ad9d61cf40892bf593b1c6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_bn-IN.dll

Filesize
29KB

MD5
1771018a12f869ddfee465b4294d2b14

SHA1
9d13d4fe3ef612fe1cb55237eec340374f88f6c6

SHA256
6ef242c7e8d2b1002f739cbf5485afd67c4972e36042c26b8dfd0133ae5122d5

SHA512
23edf73610839ac089283306b54dad93975d64cfd799d64f71a330f184253565d7c90d452e9fe028c4b1ec4fca9296e98c524a1ca5eaf11e97738e4fe50fe3a8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_bn.dll

Filesize
29KB

MD5
987f13d745a887a41da69a0ce1db4c9c

SHA1
133b52d1529183e5fb90b6c8eab5115419e592c1

SHA256
08383c9fa45d4c1fe441cb259fa0722b55ec2236e8dea471e380fb4fa35977a1

SHA512
6abc8caa7da1b59014098e17a6d71d19edeb91184c41e16025d02218a7e1e6b908c27bbd342ddf2a7bf3e75ef23d086cdb7cc7b11af8e13f1ff0b7a002d34312

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_bs.dll

Filesize
29KB

MD5
1f906baf25ce4d4a48ccbe4c912931d6

SHA1
16ccdf2b6c9dcc9fd143973945c3d12c7e4fc716

SHA256
dff265bd7a3a50bd18212d9c58f1a61e32c6821e520e20e5d8a929fffd8ed65b

SHA512
e06228f79abd81c493a68c620682924b6ecaf11b7879f1bf216d6260824c4f6a3d99e3468b14e23387d14a0338868c47ae145eb3f08cfc80a7cc6add20f5d6ed

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
30KB

MD5
2dc7cdf70843a980a71adcc497d7f4b9

SHA1
f71d6e6ae98dd7116d6b586466bb16d8d21507d9

SHA256
20e69e1f8ddf7282d90b1c1c7593d7d3593eebb2e72b98bdd26d4c7a560cfecd

SHA512
c4be6389d67bb4b4607380c21ceddcfac20f2f747a584d64753bbdbeca03b868464cb8237ae567bffc4109e1bd17c6cda96b5936f3314fee6461cc50f16b9789

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_ca.dll

Filesize
30KB

MD5
d8ffca3af6de1085b758e43fa27d931f

SHA1
151e778acab2149253b2de643c6f0ce1d5a7a582

SHA256
3a5464f9dcbbdaa0248906a5595b7247fb59ac3eb1f3f22b27bb095430de8843

SHA512
2d1182e5fc17e928d1eda4b1749cc1a0f214bedfb4bac844994543a8d031af01d474adce2c3bd96dc33e4d7852e69d4424c3077f82a2d661cf3b5e40ba7eae5e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_cs.dll

Filesize
28KB

MD5
7a6d098cd7b6e8dfc510579d7c56e0e0

SHA1
da70f2875e796c4fd8c6e8bf58eb1ce232193925

SHA256
643163c67aa0f4e145c34a34e8fbf93a1a5779f8ebb30a91ac07032813695131

SHA512
6995bea3f571381ba6ad8fe0e66400fd9c98963db0ebd4f7064e575c383b0150024aa29cd56224daccad2c79354a2d662637b472b518840ed9b7210d614bd632

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_cy.dll

Filesize
28KB

MD5
8d67274407499bf8991c444c064d8829

SHA1
d02b897a797b019a1e70383b0797c751577bd3df

SHA256
edf8f2c128e9c73553aff7b06dc0c91a05adf576d4970715dc1f168ed233c1ad

SHA512
ce401b7b069ae27cafa7aa8efb5be4d01296307699c686a62da1a5556619a6ae88ecaa2fe4a3e03a6bd9651eaa1455695e08e46ef3771b581adf9c97f6d0b2b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_da.dll

Filesize
29KB

MD5
b2ccb7c497f7f253e6c5fd07450d4b7c

SHA1
1174e4dce062ed9cefd9e4ee6205dbbda80d116d

SHA256
72538c238927c342f953beb6b7e2b7423e75d12b0ca5c33d4e1d8701e890badd

SHA512
9838658d8f7e6073827ef614ca628b1883f79e9f0a78424e3c7779b972eff5549f9c4b9869c39c686eae9695268af9eb201d4b8320e97a53f629e48d8b835c75

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_de.dll

Filesize
31KB

MD5
d727efc2844c23ada09c756629250734

SHA1
e1d383a2690ea6eaf573286f2a8fef82bc42b5db

SHA256
7e06b7c22830140dcb56c0277541e789d115743e49c9410e6055f320bb88bbbc

SHA512
b475fc13c371ee121ae8a469bffdba1c3d54166f46e328d431d1a3237e2deebf6963365026c2b2308020a09fcd16d898dfc621466364bcc2e988a4ef88289b89

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_el.dll

Filesize
31KB

MD5
70cb181cedb9e7f2b7257f8347298886

SHA1
e6c89473c4460adc4f1fedf2ae86041ba13d93f9

SHA256
a845cf8f671920b538138717f40abddc5c830da4543cd9f7261245c3e3918824

SHA512
14c6257ddee56be56e2af07d2dafa4eb0dd015c5ae066e616f91de38b45a4001c422de927c0b96ea25c16800fb0a544b11b535c0cbe42ae725d1492515bbd644

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_en-GB.dll

Filesize
27KB

MD5
09f45cfda08e88e34b51a62c23e0e748

SHA1
c61fc721bb1db2a430ef76eaa95c82b513eda8d2

SHA256
56fa3d934380c73b1e1c32a2bdeed64a26fc2de92612a201ef7306d4a00be0c8

SHA512
b30b682647ce799c19a2a942d4e83d8438cf52da74f088802f9412ed4f18116736dccbcd8b230b7f3031455591e0eef7061a3ec379ef947a1ce207e6e9f08b4a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_en.dll

Filesize
27KB

MD5
ab3799e458126b774b1bc7a56e75fc5d

SHA1
fb929347c1f92654943a3a0b7611fcc978718ec2

SHA256
bdb3e5dbb6caa9fb77e23e1b5a363400402a6e88eed3e86e55bc9edae8b8bfad

SHA512
25cde70b3d51b1c1cfa7102a745d90ceb5d9c6324c2f9045b213dec000e79fe419744f07e6c87c77e84c0d374259d72cf52ffee26da864e0959d2f3d35f2c851

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_es-419.dll

Filesize
29KB

MD5
c94e2c9cb3f1b9ce990f131b32844db8

SHA1
98069c4e11f2ab03bce79717f208201c5549713a

SHA256
34e3bd8b21adc60adc614ce32a39dd424acc7c998f8d7901af5193348830b84f

SHA512
72f807a6786aa8c88b92a04aa19413412aff1d54218f31c942f40d42835267acb0249eb0fda0124efd0357b48a4c390cf0d7c1425b947e8f998b137e3ac03db0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_es.dll

Filesize
29KB

MD5
38559c9b8868faa3d5312aa9557ed1fc

SHA1
b430533a534625ca67a4bfdcd04c7d346feb705f

SHA256
9457f8915b6f1f644274c30f63831ebace766796cc9d570ed75575fd1dd88106

SHA512
342858b52017128d601c5d27b465b8939fcc609272c4c5ea4942b49320c2ef47932aa3ae62b17bd401925a69184e16b1d6e2febbb263d344ed2d3a33fce7b2e0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_et.dll

Filesize
28KB

MD5
8549f0990897525e445acb553dee4250

SHA1
f6a0549e6ce04c852a9593b430cf19556beb6277

SHA256
224aa029d124cccac05d1c38dd7db1ae46fd17fdbe29c32692cd6dd4e1666728

SHA512
729637b47d5ac009eb0cb5c12486879d4bad196ade6371f99d209fde74ec4ea5e231a4eb9f574ee7bb61605fe19fc9e035cb12cc8d93d05ec47a319c28d93085

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_eu.dll

Filesize
29KB

MD5
1f340c24a25186770479581d678a0f5f

SHA1
df7f1e6a8a5447a244a4d9fd29d7c2a3435e3cf8

SHA256
4db5fd9c0ccbbad69b90834e496a625fac6b479f561e2ecbdc2b5ee63ad35c66

SHA512
72b9067f339172b1df2795cad3505bf442dd8b2e3a05ab9a392f470dd047dabb82efc9bbabc32acdcdea326cb4f7bbafdf8c1ac1a2e375a88f7e2c6014ed930a

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_fa.dll

Filesize
28KB

MD5
9c454c79124119f8b1293d0c50b1b9a6

SHA1
2b91f6dcbb7897f9b3560d806ce6c6a17a37fcfc

SHA256
fcf333ce3065f755cf0033ee385a7f752132274a8c85da12ba5445f496875aac

SHA512
d5dd9d24518a0acea4d16d79385a1a5743695f8d8bf5a9fce37b90398edba90aab0ac1e18da6f6d8b4bf1b0ce5efda394871914ab620ba0075fb4bdbe950af63

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_fi.dll

Filesize
28KB

MD5
a72def19680fda48d3d526dcf3dee8e7

SHA1
37c9a46fc4483ee0d94ff5b92e4d9f462e5b232c

SHA256
9fabe5d1abb1baa74b18d41ff28913b3eb9c3fa985f4335b36623463c0c7c09f

SHA512
3fb8ff998053e74b9d18b29bb3626c3d10ab577227e1ec93964ad00b293ca23c92238dc5187646a3671b1fcfb4a192f5a031ef9d1796120c9e3020ab6398f196

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_fil.dll

Filesize
29KB

MD5
489692566a15cec4eccce35afffeecb6

SHA1
ca2711d9e70f9d4c41d1d98af33993bebb48e342

SHA256
fda26d0135a07a7512811a8ad206056db70e0ea0fe9236096f2f622305e590c2

SHA512
74e5090e2c7e8af1bdce7e544b3c15edabe54b577bea9c3b152003e361152bafce2a8e0e5c2cc55c6714004bffd33f4b793d51324b12abe9dfa6713d5e1f34d9

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_fr-CA.dll

Filesize
30KB

MD5
c52b6c282e5151fb9537d25275af31b5

SHA1
519ff118d3429cba4096a20191ef2fd0ddeb4099

SHA256
fe20198950089e92c74d42eb0353119165cc64ca4abc98446d73f0afd4757662

SHA512
298f5e6a337e73ab697542fbb8efd33231d48f7845fe6db4f42721588e5d73b12a3fc81cb3e90634b62b6edb1f803807d81eddcef7fe3f0e6491220cb90520f2

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_fr.dll

Filesize
30KB

MD5
a50e40e5fc5b4dc9d60815df15ac15f8

SHA1
410930070643657aec955f5748dd26c84682bd95

SHA256
138e5dc802fdf6072d6420521908a5951b16d62de318819a344e2bf615ba071c

SHA512
e85608d23eff9919c27ddbe957198a38637fb8d8cbe9b17790ffc6e8a5e465b40014e9fbd0a8ba573195eed7d4d050e50f176ff46d3b6f5ae4c18410e9241507

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_ga.dll

Filesize
29KB

MD5
dd73e427fd2b78ae375b2811b16cf354

SHA1
b4cc4230ab5f1d0fedabba69498b85b5e704ed8c

SHA256
e524a448471455deed6635a2163ca334898494c2c8e7dafc8f82fa64b870680e

SHA512
f7f821c3721dda4eb848d3eadf309e31879b9ff37cf0f9185789a855b835ab993dc5ef9a752d8c257b1805ff3aba27d824e3cc9c03bfaed01c47335a0f86daf4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_gd.dll

Filesize
30KB

MD5
91d3b120ef50e80372371cc7971cb517

SHA1
2c57a4cfe6607e6e25af84236635eba74b3d8bfa

SHA256
589178a57e5b434aef8df88f846f4baeeb0e8609452daca455e6978833235000

SHA512
76cd023d9fda7208c0ce8c4d48908ff8a6e210be582ae02fdde1ac2ff1a68801bb420aec52adac4358bdb664b4e0fb510cfc2ef7974553176904b42b37380db8

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_gl.dll

Filesize
29KB

MD5
f018be9cb93ea30d64c32075cbad6896

SHA1
86655e473957526e2906ae91f7d19fa44cb2ee3f

SHA256
64dd61bc661928249ca6de8074458f90ef7043c6687c223d99aaa69b41279ef0

SHA512
501bada423a815073f8a510319204234966ada88726c850c264d5cc5ca039a49f95d7d3d0711d5e7be5fa1bef5ec18f74dfd5dbad67a26070fb36321390ce686

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_gu.dll

Filesize
29KB

MD5
569a09382e5901f6d9aba5f7ee48c7f2

SHA1
ab27c3cd5ed9814f13c94c4370f992bda0298eba

SHA256
cfda4b12f03e0ca8dd1a208a3882b8c51ac1833d8f6b5677c707bb6a21a71f16

SHA512
3dd9a4f7a85509a376d28c47cb4008bb6572b347b4486cbba5e6d7d61d9419a1d49347801068d73ff3f680e0886e6b9d34201b03da5e83c398f483b8d62481bd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_hi.dll

Filesize
29KB

MD5
4b9eb0d35b4cd2f0b15db8df5f711c94

SHA1
74a4d4ea43dfc4f475d36f8d42d29d2c1765f96b

SHA256
f827ea5b8dd6a90eceb72ef944706be65196c61c8c1b611497fe323c3e6addd3

SHA512
1e7113ceb9205f0158fa5be0efc650c6f6249b681414fd2d203dd530960834de54471c430aea1ee8f51cf5d5060cac8359ffb245716889ffa0fa4b807c5a84b4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_hr.dll

Filesize
29KB

MD5
0ec6b4c082d8ade2df7ee3444651f556

SHA1
0519287e215c7a963f9aeefb128ae798cfb62a30

SHA256
0d5168dcc701ab29bc81346a3e9dae92a0dfdf39275d46c9b9484c7654d6c38d

SHA512
02a45510b0b06a9901a9a00b81d4d0b1cb195828b581f3010cf654029c5995f8f6bb1a7631d8235f9c75468796fdf23464c2c71b60f8550fac823e8f7137a96c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EU7CBD.tmp\msedgeupdateres_hu.dll

Filesize
29KB

MD5
9f47ddd94ecaf45dca0cec89cfa44804

SHA1
55900ef9810fd7a248e13fca8a9f0deb85f81f08

SHA256
89fe1cb0139d4c4901ddafe903a7662fc1d6309d88bf9ea30c88da5ed393a062

SHA512
4d5e07ebe3165d42ad0fb3f8331afbd5d73f369dbd9aca6372143538773c30d5c30a5b07f455066c7c742aebd98ab123b9e1b5a3b37d2784bb4a7fa5127c69db

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
0e28a2545040c99b27fb46483e3306a8

SHA1
92c911a4f8059a221165953438a2d91811e6a6f9

SHA256
94ccd5e12adac9469b7a48d341855c3239c41c724f582d18370e45d18083fce2

SHA512
b21690e896bc96147ecdb5853593af6090d872031aaee748b08ceb9abb8654f68ea0a309f15aaa2912a56afa6ff261761894e7df3d511f177c378cad0738a981

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_1113869912\manifest.json

Filesize
116B

MD5
2188c7ec4e86e29013803d6b85b0d5bb

SHA1
5a9b4a91c63e0013f661dfc472edb01385d0e3ce

SHA256
ac47cc331bb96271da2140941926a8accc6cb7599a6f3c17bd31c78f46709a62

SHA512
37c21eaff24a54c2c7571e480ff4f349267e4404111508f241f54a41542ce06bcde4c830c6e195fc48d1bf831ed1fe78da361d1e43416cfd6c02afa8188af656

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_1291943224\manifest.json

Filesize
134B

MD5
58d3ca1189df439d0538a75912496bcf

SHA1
99af5b6a006a6929cc08744d1b54e3623fec2f36

SHA256
a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

SHA512
afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_1455964688\crs.pb

Filesize
289KB

MD5
24a3775317d74ceea8fba6f0cfbce562

SHA1
fed5009eb51938d0894a9bb7aee8a97873d9b6f3

SHA256
192b206ad6f649f6c8767f6a3b11d9c5354710602bf0aeb4157eea08d7461ef7

SHA512
245951359283bff026aad50f7768a9aa59c1926ca7aa441c8f6a3715be34925332eeef4115a442a7841429400105d59d13937ee3aa9b80e83f1982893aefaa8e

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_1455964688\manifest.json

Filesize
102B

MD5
2c2e90b63e0f7e54ffc271312a3d4490

SHA1
4eb9d97e1efc368420691acb2e6df1c61c75f7e4

SHA256
72dbb7d6b647b664ef64b6a14771c2549c979b9c57712f3f712966edb02d7b2e

SHA512
9ec9e8a34cc56a694ac845a4344600b479d11347ec5279d955ab4cf55590440f3491e0a1b635ddb9db821630885e5fd63c269fc2a5d1abd0a0d0062ae21dea8b

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_1766752304\manifest.json

Filesize
43B

MD5
af3a9104ca46f35bb5f6123d89c25966

SHA1
1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

SHA256
81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

SHA512
6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\hyph-hi.hyb

Filesize
687B

MD5
0807cf29fc4c5d7d87c1689eb2e0baaa

SHA1
d0914fb069469d47a36d339ca70164253fccf022

SHA256
f4df224d459fd111698dd5a13613c5bbf0ed11f04278d60230d028010eac0c42

SHA512
5324fd47c94f5804bfa1aa6df952949915896a3fc77dccaed0eeffeafe995ce087faef035aecea6b4c864a16ad32de00055f55260af974f2c41afff14dce00f3

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\hyph-nb.hyb

Filesize
141KB

MD5
677edd1a17d50f0bd11783f58725d0e7

SHA1
98fedc5862c78f3b03daed1ff9efbe5e31c205ee

SHA256
c2771fbb1bfff7db5e267dc7a4505a9675c6b98cfe7a8f7ae5686d7a5a2b3dd0

SHA512
c368f6687fa8a2ef110fcb2b65df13f6a67feac7106014bd9ea9315f16e4d7f5cbc8b4a67ba2169c6909d49642d88ae2a0a9cd3f1eb889af326f29b379cfd3ff

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_2118705049\manifest.json

Filesize
82B

MD5
2617c38bed67a4190fc499142b6f2867

SHA1
a37f0251cd6be0a6983d9a04193b773f86d31da1

SHA256
d571ef33b0e707571f10bb37b99a607d6f43afe33f53d15b4395b16ef3fda665

SHA512
b08053050692765f172142bad7afbcd038235275c923f3cd089d556251482b1081e53c4ad7367a1fb11ca927f2ad183dc63d31ccfbf85b0160cf76a31343a6d0

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_25235915\manifest.json

Filesize
114B

MD5
e6cd92ad3b3ab9cb3d325f3c4b7559aa

SHA1
0704d57b52cf55674524a5278ed4f7ba1e19ca0c

SHA256
63dfb8d99ce83b3ca282eb697dc76b17b4a48e4065fc7efafb77724739074a9d

SHA512
172d5dc107757bb591b9a8ed7f2b48f22b5184d6537572d375801113e294febfbe39077c408e3a04c44e6072427cbe443c6614d205a5a4aa290101722e18f5e8

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3696_277559319\manifest.json

Filesize
76B

MD5
ba25fcf816a017558d3434583e9746b8

SHA1
be05c87f7adf6b21273a4e94b3592618b6a4a624

SHA256
0d664bc422a696452111b9a48e7da9043c03786c8d5401282cff9d77bcc34b11

SHA512
3763bd77675221e323faa5502023dc677c08911a673db038e4108a2d4d71b1a6c0727a65128898bb5dfab275e399f4b7ed19ca2194a8a286e8f9171b3536546f

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
96KB

MD5
d3d9697cefe1f16894d9344813677c98

SHA1
ebb36f4c15488c17df6e484cdf8c5920f145afed

SHA256
9e0f3e9054536510e28d373f1d12080407ac9bfc04c593e48c1e1de81de390fd

SHA512
395a555428700858fbfd38254fcb8d34f385f20a9449c4d81ed4ebed422cfebdc0e0d81207985508f1be459f73d9f40ded0ab1f633ad6da77c79e8e7512dbc5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a7b5a5433fe76697fec05973806a648c

SHA1
786027abe836d4d8ff674c463e5bb02c4a957b70

SHA256
c8d623536ebdf5ffbefb84013d1c8ff5f853b59f1b09c80364c32b8ed5e4a735

SHA512
27be4c82e26468bbb9ce698ef305320f6cac46c953f88c714a0372fa524d098b9af2a87a88b14a134ff0f5f4b3d671902908622d2c7ec48e2c7bc458d7f5cc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8ea156392347ae1e43bf6f4c7b7bc6ec

SHA1
7e1230dd6103043d1c5d9984384f93dab02500a6

SHA256
40b28bf59b3e2026ad3ebe2fecf464a03d7094fd9b26292477ad264d4efc1c75

SHA512
2479b86a9a31aa2f260ff6a1c963691994242ced728a27ffa2ee4e224945446a191bdb49ce399ec5a7d5d362499716133072e97d4253b5b4f09582d58b25144f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
dbba7299f237490e850f6b3bd7822817

SHA1
b981a21c5742eb47d687fb7316c7706657d5758f

SHA256
87c30fc1cebd700130f8c86107f6aa57bda2d42b7d76b42513cac7b61e536101

SHA512
d851e20d78268677ee432664da803d5d60787ce15f4ee8abe2b17cd6d77c3ff7ead3d23a364293bda97d333593c3d49edd351cbb6d70a252b7325b1233698ef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
905B

MD5
780752cefb328dfdc4d72285c83794a5

SHA1
b4230e88d654091b364137553f95c6adffd6de5c

SHA256
e58653ebb73c65714054d87ab2d7031db1682fa60c31942c5fa7017fdbfaa464

SHA512
862024195fc8b5fb49ed438728350802a49ed2687d815d7db1a0dbf65cbe288d2ffa3213078ea18e777537624ab7d9a5d4461dd78dd9c4fd4634a03301d78a7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
baafbcd35d3f47ff38079f3ca0e0716c

SHA1
9c6c626eabc6d369cb8641cf63294cda265d1868

SHA256
3bd405fbe66d19fef2995ae0758af242c6ce27d441fa9284b90f38fbcc43eee6

SHA512
dad86b2720d9a372f52ba826ad06889c007c6a681c8e80e711f48a3e1196349fc48cc212fe64d2cf70b5deb66bf9dae94c26d839bd6466904549b3f09ac5d06e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\bb9df1c8-927c-4bef-bbd1-5c19a140bed0.tmp

Filesize
6KB

MD5
d1efc7037119dfd887c8c7daa8db15fa

SHA1
0545237aafe90a6727e854e19c7fecf15acdae36

SHA256
9a736808bb466b43f273df846a822a5aa58a1c78516bc63b48182fbc3d1b5025

SHA512
267ac0942356d02f3218146b45c85ed54d12ff767f3c023210c47b1f0e43362255bcaa3065cf0d81c41af814abfd9732ff068c27142f44b8afdc619431e6cef8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f95de50b-eb37-4234-a4ef-fbbe0b420ee2.tmp

Filesize
6KB

MD5
456ab2f86f10f852809c36f2a8aa4f4f

SHA1
d2952bed4c404a104cf5eb088ecccee14e19df15

SHA256
18a08c12573b1d744673c473e53de2e40004b1f554dee2dfdccc11edf660ccec

SHA512
a09c4e25a969317031a2676c9ff5662b66ad55cd0e4c8852911f64f4c183bc284b2d8bac2caf200dcf0937c46a981e06876d96714b6a0a5cfa049ef5ee0a996b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ac4b6888343394df3f0791f89373d9e

SHA1
6f983268e22beb297b172e0d3f6e93ae40f09d96

SHA256
1fdc631f66bfb728f430bd478c56916ebc1fce6b477620f3960628dee9b9cb44

SHA512
ab4b8e80be3a54bd0561135b9e5d7654f101e3b0093106773cf57cbd42110e06c539a32c261a5ac64eb454362b53e0c5a61eb4cdd4f4a8cced5cd6069dee52f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9cb172d944d97e36deb1e1a950429388

SHA1
9efd5ade3355f9d7a987526479b55cfe599a7e83

SHA256
71c07bd0b21b5b9c53e432c37e26aa41d065650b47932466757fa025645b814c

SHA512
fac305e9ed959168b52adf5ad21aed1b20486cd5910ce0e7f544191c93a409561a86c99ce3f44f16c0dd332cebed03739939bca88c5a25f0e751e5d05d754244

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qgxmgbOvGgEFxScQKMjc.dat

Filesize
256KB

MD5
48800ee48acc8903356cea33130ea58a

SHA1
94470b55ed16c4eade14ac9fc6fb82c9db54c647

SHA256
9c54a4d5f11a0bf22c82f3ef22ee5070de4661ae73c521bdbec86cd14d92f6d7

SHA512
bbb977fdb3bf77984118efdfefff70edbc9c7d7886fc533ae312d4803e575c836bb39b60ed331bb42e9b31903f21a7e945459ddab3e716dc2248f7f8e39afa1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5qgxmgbOvGgEFxScQKMjc.dat

Filesize
1023KB

MD5
38b4da53f89b9201a0f6269cddc0266d

SHA1
7d9e99f78fe7bcbf76e59f7c72ba7c48aaf60d59

SHA256
6183dc9f0a985b36440b085cee8cfb56fa8a11483461c85350cde86a2e0bef90

SHA512
144ae2cf8a9a31aa7b7255af9c39bf892f02f0a59e700d0848a1dd9dcc37b029752b7f57321aa688dc217ea9aac3765c7be85e0f1d6935e886c54a1b82b66884

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bN7RZt0QNtKhqGJ7gTI.dat

Filesize
64KB

MD5
c5c21766e5ddeb058c22a0fa2ee1bf63

SHA1
6f125dd2142699054ab46d20fe26f66aaef40e7e

SHA256
a5aeded238934ae35a29cb36b46716418fc8eee934b7d1121f47a2f79d958b9b

SHA512
b63ab69005d2cb027f4f520708e47251a93c917c9955bda3a09a4171c10315161448146461a6271b9b4069e0c33a04a65efe674719411927f89ad35813ee9cfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bN7RZt0QNtKhqGJ7gTI.dat

Filesize
512KB

MD5
b93637fda8fa32394e0a59b094f18701

SHA1
b6a0764d6ca9cfecef9a4bd33fbc45abf7a33570

SHA256
9bd9115f3f6b619ef159f242cad6bbba00028f80317095a28c0cdb28415c30c8

SHA512
12de2e82eeb06d6e86f85b8af045a65cd9bbc6b751b9aa3f6466c9a5f9baf5205b3d5129c35fe4a569caf4f8b7120f7a677d2a435a3cdd60432b8924ec1c08da

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bN7RZt0QNtKhqGJ7gTI.dat

Filesize
192KB

MD5
b303fb83d373d4e1ec7a5816e406c91a

SHA1
35f4571d6f9acd13c407b96eb0cee40d021bcf18

SHA256
920a0fad9cbb096bd1fb50758e64d86a7110de68a054f24af4354b829bbe1069

SHA512
9924df6d7ef498f070f34caa2e050de7124b0ba2efcfb5395bff2297c2dcdd714ccdc1cd8b8d44a94d0e6d67c4ea6bb74f37d5c677b5e9f1a7a3a4bd02ad9dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bN7RZt0QNtKhqGJ7gTI.dat

Filesize
128KB

MD5
2ebcde2f22ba7b83cd668a6a0b3d799a

SHA1
267b67c1e2ba4db152772bcec83542089ab6a685

SHA256
f88758cd389431ecee912687c269d9202a79692fc4a38525e206de6735628979

SHA512
b95dde68037c5ff16325e7af0e9b8bccd49fcc0c0eea17085c470767692fabcb94cc8b89d26bca0ee0a77c013e2eefc7d94b55f7044db35cda8ee56a8d1bf48e

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bN7RZt0QNtKhqGJ7gTI.dat

Filesize
256KB

MD5
e64796f0ca0e09261b2e0ea8903decc1

SHA1
580c38825b318f885ea437172e288fc32902c893

SHA256
1e131c47d28c86d2b7377ff93154c4bdeb4baa2d4f15a1c2fc8d6602470542bd

SHA512
b303ca58b7221c8c0fd60ee2566596106459bcfa0d05a85f847dd7c05f16555cc98cdd0def0bd9fe5cfe4c3ddee8beb6b79703619eb4c43de89b4ddb2bb6eda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bN7RZt0QNtKhqGJ7gTI.dat

Filesize
768KB

MD5
574ecff3baad508e24398649d64ca86d

SHA1
60a9d1fb8a910ee7dd9816ed7584e4cdebb0c767

SHA256
027021fec8ccf3c2d15689067ae8b4d85604a89ef1711efabf1d4b24931534ca

SHA512
119f8cd9b1f87be962c7a972d23f220ccfba88931f5990bd26bc3738178bb1655db6e32f0f1397c2f835c9f8c2ad8fcd8f5acfb2b4489d25bd00b52f92455118

Download Submit
C:\Users\Admin\AppData\Local\Temp\69bN7RZt0QNtKhqGJ7gTI.dat

Filesize
1023KB

MD5
afe0094a6e267ef6edb1c5ca32dad23b

SHA1
69e09588827e2ed611ce4d0b60ccdc02e32f25fa

SHA256
60a8d1d517e5813f6f570b7e2d5b34d7f71ccad58e4cff577be9573ec47604d4

SHA512
d401c44aff9f47c00a64d63d3002b788738e30f1a9a25e3822d7a25bf760d0b45499213c0a103994996d0b040439f78859edcf1ea05daed9620c1c9b7f2b415c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Z5oDJ1zwefdUutb10DAz.dat

Filesize
1023KB

MD5
53ad0ff038e0385941037953250b6ad5

SHA1
713cbaa4e9d37e35dba465b473448c3dd4897c96

SHA256
6754723dca3fd8af2dd9dd1aa96313ac32f82385ec2ae30776e1d61834b87bea

SHA512
119b9f9d755be936dd70016f0974d19c4e187f9db7359cfa38d788b26427517219fe2b362e3e8e848b8ef094f6007cbf3f8caad840aad9de4f0564f786ffae2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Z5oDJ1zwefdUutb10DAz.dat

Filesize
1023KB

MD5
558d24cb6d945c4d5357b463abf4fb2f

SHA1
55bdce7d7be97a733ae12415829ac2ed9cb16e74

SHA256
25917720bed68ddb1cd0acedc18807a96ba9f10eb3c4f539dc1823862aa002be

SHA512
14116b624ae0d370ea53f734ab09b8e0f133bcc874bc0887a9d635ea50615759af42ba98c005c1aaa6443d11672962aee866ec228ede689d2bbef1232dc3ae88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bt2AwgrEXssDxxdExdZHG.dat

Filesize
1023KB

MD5
b8610a4bb8c065cac09430dfc176495a

SHA1
aaeef87fb531a4d30b9c49ae4547df6cf9558b44

SHA256
87332a46f6c990b080d93a2f26881dece79519ab231112ec39b15d44f01a63dc

SHA512
a97338c32516b44aad1d6177974951ee310428632b2dd015817161bf5e7507ee9145d82f064f67d6afc42eba0a00709eecd813d25446343b1aa95b537817eab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bt2AwgrEXssDxxdExdZHG.dat

Filesize
192KB

MD5
52ce62b97a7ce92d0a90370e0760f340

SHA1
69a9a2ef167389cffc97bde211ada8cfa417a5e7

SHA256
1f4841939862fd5a4fa2776eae4245519df67407f0baa8e232d01997aa27233f

SHA512
75629a786d8a520a70c292fec55bcdbcd8677dfa84b557c488101ccb41214ac7e9a3990cfb8f4fbaee1eed7f6500364657c3b7be4aaf4952673eec88692f83b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEfZXtMIF12VOHlXPRhv5.dat

Filesize
1023KB

MD5
defc929b6da42c8aa21d20dcbafaca7b

SHA1
fde406dd5e359ec1733f9195aba6d10faee15450

SHA256
f144a307e98080124777c72720c109f19d295319764649684a7a28012ea1c586

SHA512
1d6efc5fac2e99fff61ee384c3885b6300b2b639eab1e2ac07181cdc0012e5ea397c11edff6c9b3f951977c4f717b6cd48fe24a8038efb18cee2355743687c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\OaaXYim5zhMWH27pvKqBJ.dat

Filesize
1023KB

MD5
dd8b918f5be5e0742fea6a41ffd833c2

SHA1
dcdf05fdc15914fb6a8f05fbdcab6bc54935f069

SHA256
2554b7d1e579d98d90821057290147cbbcc91869dba9ed5080c9202edae252a4

SHA512
4e3bdba0a29e5ce0e2af18821dafe61057e030c2a8182ec439e391a9e3a3d4221fd0af4e3816190d3afbaa8356321c05f99b6e73fc30315de2de69a1d87a6dea

Download Submit
C:\Users\Admin\AppData\Local\Temp\QZ83f6dFljC7fhZa55KHM.dat

Filesize
128KB

MD5
8d68cd34edae15623e73f10bdd465114

SHA1
e6bdf504d5b4acdcdbd32304a307b36825b2b468

SHA256
7980195e1f0391864771ee184fe4f7613c048b2e701769c0f7472c4fc46236c5

SHA512
446202367e80fe516057248f9acc63a4c5b50397374245dc8dba9b8a3935f5f228f6a77ba2f7e9cb1ea321aefd1bd0419081591b6bfd3f5a688173dcc1e21abc

Download Submit
C:\Users\Admin\AppData\Local\Temp\QZ83f6dFljC7fhZa55KHM.dat

Filesize
1023KB

MD5
e258d40d27ae14a10f0761b59c22ce45

SHA1
67add5e50ca2b780b7d828661a6001107d07d52b

SHA256
583aa797dec8bb5607149e1a191cc71113bc4dddec33f43355abe9bccc148765

SHA512
4dc75d4e084a426251e92e52d8ae1fb1e64e7b63ff41365fbad063491537a20d6b2ba0a87307b77d57db8d07a5a266bd9690ec733e2e342dcb7864260b7dbedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddEspX1UUL1ABwVswQDxh.dat

Filesize
1023KB

MD5
691951ceacdaa217bb3ac6011bcf5fca

SHA1
7d88af370d9113c49f1020969df718d7c4d465f8

SHA256
e72160910e33a6aac8f122868731a4bc250a058ca03aa54e532eb1dc41992f09

SHA512
e2879513b87a0036feab634a4e7f5c96d516e14d4b03ba81354efd36fb9cfb4f92460f8fdbfede20dc79c77fe53a5b69b6fc27e8b1437b4c8f3de496b9090023

Download Submit
C:\Users\Admin\AppData\Local\Temp\divZJS7JuDO0IyqNDg782.dat

Filesize
128KB

MD5
785ba59eb0ee93d793d3325abeb00ab3

SHA1
19b3396c0dceff0fdee832613467b342b5287ab9

SHA256
da41dc2bd9a4b2040b001e55f12ced916f654e2fc97871599470cde472baf01c

SHA512
94383bce787a20d0938c05c12426bef9017f2fc40d140ab0e651855f4a84787393b24e43a0b3b79b1b9c68fdb7622d55ead737af71778a648fc91e635c34ca41

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3HQ15.tmp\_isetup\_isdecmp.dll

Filesize
19KB

MD5
3adaa386b671c2df3bae5b39dc093008

SHA1
067cf95fbdb922d81db58432c46930f86d23dded

SHA256
71cd2f5bc6e13b8349a7c98697c6d2e3fcdeea92699cedd591875bea869fae38

SHA512
bbe4187758d1a69f75a8cca6b3184e0c20cf8701b16531b55ed4987497934b3c9ef66ecd5e6b83c7357f69734f1c8301b9f82f0a024bb693b732a2d5760fd303

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-3HQ15.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2335.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2335.tmp\modern-wizard.bmp

Filesize
25KB

MD5
cbe40fd2b1ec96daedc65da172d90022

SHA1
366c216220aa4329dff6c485fd0e9b0f4f0a7944

SHA256
3ad2dc318056d0a2024af1804ea741146cfc18cc404649a44610cbf8b2056cf2

SHA512
62990cb16e37b6b4eff6ab03571c3a82dcaa21a1d393c3cb01d81f62287777fb0b4b27f8852b5fa71bc975feab5baa486d33f2c58660210e115de7e2bd34ea63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2335.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh2335.tmp\nsis_tauri_utils.dll

Filesize
29KB

MD5
c5bd51b72a0de24a183585da36a160c7

SHA1
f99a50209a345185a84d34d0e5f66d04c75ff52f

SHA256
5ef1f010f9a8be4ffe0913616f6c54acf403ee0b83d994821ae4b6716ec1d266

SHA512
1349027b08c7f82e17f572e035f224a46f33f0a410526cf471b22a74b7904b54d1befb5ea7f23c90079605d4663f1207b8c81a45e218801533d48b6602a93dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\pmByBbYmGTsXgKaZYR6qt.dat

Filesize
1023KB

MD5
d1f536cbba77928f6e8aa949669a8dac

SHA1
2c6cafc5c2e00a84c516f909838cfd0f5e9288d8

SHA256
a8ca1363e3011bddb8bbe10a7e5f146fe34ada12609991a0f3f61de024cf77d6

SHA512
365ba4edd6bfcc6f5cf22a519bf93d5bcab23946654998bee90f5810e96d29c1100ed4a8bf34d97847d84c2ee48287ab334abf8a1118a110f05caaf284ca0923

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEbmRJ0jwYOxWYaQgoMeW.dat

Filesize
192KB

MD5
0f15d0e366ef6bcb5e953209c4aad3cd

SHA1
2699f794a2cb80cb1778db0194f2042803040b2d

SHA256
334328196235918e7101072618c66120e43eaa53553c769988e5a189cbaa6918

SHA512
88c68efdfbd4088f247a493bd51ff40accf125f36a28f62b63f70a6aa55a77038504ad70626224261f20bcd9fec7cca69e6a797b5d16764a1e76ec4222ef4ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEbmRJ0jwYOxWYaQgoMeW.dat

Filesize
960KB

MD5
cace1c31808425a0247c636e3e520baf

SHA1
3c912cc088f6d47bac7a5c47f0aa69d32de14a92

SHA256
a5d7730adb455d166b162abea7422ae37d750e67b6152ea4918e201fd18ef197

SHA512
75f6aa3b6fb9d649469d0de3fcf46dadf682fbca57dbdf8c28997983cbf1198b5f69b280ee201f99a8e2ce1605bfdae88cf2c3d7200fa964f3dedd17a75ef8d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEbmRJ0jwYOxWYaQgoMeW.dat

Filesize
192KB

MD5
8f469847d611095ccc9fb255756d1c94

SHA1
f1974482a113dca48568a2ac03fef4e745c5dc63

SHA256
b34a89023693138cbfab41b0ef67656f4f90849d90103a172ffca0fcb8220150

SHA512
10dd6d785a0d67d695042242071ebac8d206de90040fdf8d0ac800b01cee1141817ccc41855cf941c2861c7572a37c27143fff9e3bd0d2bf001c5ad576b7a5d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEbmRJ0jwYOxWYaQgoMeW.dat

Filesize
64KB

MD5
529bafb0dd23f56698743af229cd31ad

SHA1
cad49a16f851974b9e9ce7b98249eac7ac967a07

SHA256
882206b3c92b368fe8475f6f6c538bc6f9f8be73b4132fe1e7b9eb94b3efe503

SHA512
71d293b8636e1a881cd0c0caaa7f24f650fd69735478ee6bb15bc227bc50db9247395e6dd8c0f84db1eca6233c6e50f8ae6a0b87e5347e4a18113b2de16ec4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tEbmRJ0jwYOxWYaQgoMeW.dat

Filesize
1023KB

MD5
f5eead7c7ae0d0aab9c21bbed24ff15b

SHA1
fbde69999558c12092f5d1a5ace9fe3474667a47

SHA256
56924b62f5edd95dd8d256a4b8b1d7a5d0d8327d3f0eaa20029f8cc68196b75d

SHA512
f2ab392dd3259734b62988b167a6e6199190d7ff55a54b93253753a1c8e157ec8eab6fcfa3a97972502dddeb3103ecc5b4aa7671dfccfde588ca36e9f820ecc4

Download Submit
C:\Users\Admin\AppData\Local\WeChateams\teams-wechat.exe

Filesize
21.1MB

MD5
a4aee7485c22b2f92d34fbdef0fdd3a8

SHA1
f1febbc51f4bfdc728a62a9d56417c226eccc3bc

SHA256
d095e952457921d4c92b69f3c92256bbd9c4bb02f7215bc9f8839a9d712e5c65

SHA512
39f6f51732c4fae42955195a441669e05d007e79c87c21fe918c0015dd44799fde2575e19c4dbf9cd0bacd33c235063404cf8254ed565b166f517ede0a50e92a

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json

Filesize
3KB

MD5
6bbb18bb210b0af189f5d76a65f7ad80

SHA1
87b804075e78af64293611a637504273fadfe718

SHA256
01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

SHA512
4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\CertificateRevocation\6498.2024.12.2\crl-set

Filesize
21KB

MD5
846feb52bd6829102a780ec0da74ab04

SHA1
dd98409b49f0cd1f9d0028962d7276860579fb54

SHA256
124b7eeba31f0e3d9b842a62f3441204beb13fade81da38b854aecba0e03a5b4

SHA512
c8759e675506ccc6aa9807798252c7e7c48a0ab31674609738617dc105cee38bce69d4d41d6b95e16731466880b386d35483cbeea6275773f7041ba6e305fae9

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
078ea331c629009883cbf93d85ad87dd

SHA1
a52f28cfe88053dd63baf8c18e0c2a54bea87303

SHA256
c545e4a61bd1479c4c8cb63c9aa3bc43e1a34f58b2d878d3d208c5cb80667315

SHA512
4b39af6320e6f521016e283c44e5d2ffed5a3d8f316fdb93561befbc32689a0d6d1121e3dbba3ec680f93d3cebdcdd1841a0501193181ce3d76da344474c206c

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
ce8b2370d30bb0beac0ce99246f9761c

SHA1
7dfbfbc50626aa0af0e22f943d8e54de9e0abd21

SHA256
638043d0be2a7318c8234a4fcdeda98b75bab6028d7d34abebbe86674cfeab67

SHA512
853ac7685ab6253496bb3515824a0995fd9b6e9c73347d390af2494b4d5111e4bd609580ee56ebf8ab6c36347c10d2806779c8f1a7c77f7fbf51bdcb9390b7fa

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Code Cache\js\index-dir\the-real-index~RFe5a836a.TMP

Filesize
48B

MD5
f1644a60ea1a7ec475c1c24bc97e9943

SHA1
6fb5d5d404ea78f804369616ce98972eeab064a3

SHA256
be58dc2ee5bf3a3a3a292e71816e5b6bca3ef232dd527bd127e104cfc9668166

SHA512
ccfe8be46061b7db0431ae8ecd1fbd7f77272ac448cc24a910c9b841356a3da30bf3ac65f8ddb236e77baeeac4bd2472919d2af44dfd3a9fbbd660618b8d606e

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Network\Network Persistent State~RFe5b24f9.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Preferences

Filesize
6KB

MD5
803be190b6571ade2a6b5a0bcf9f8e99

SHA1
67b93ea92ad928cc0dfe15cf659bc29a6a91af98

SHA256
2dd2de7c9e96749ffd06beb7d698e9c98d06360ffb4f6eb391f8102b75f0b732

SHA512
dedc5c73562f36725087bb0b4bb9371b8feea60cdcbc61b1355c63da82a0e631b638283270e50a48febc00ca66a2840f6b97473371538cfc9bcba2cbf2b42c1a

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Preferences~RFe5a5b21.TMP

Filesize
6KB

MD5
16c77a7c60a9a7694aad6dc2a2d20bdb

SHA1
65c7484f2619afc874ba777699f18b7cc3b52e0c

SHA256
4ac71a2a8810edc8180908d24c91e7a100d6195b22716f81f47e1403d7cb08dd

SHA512
cb4bf0101279ac25601b7714d6f123bee08f63012671c32b32c8e8723cb6e1045050066039499a38ffc9a045b36374d1f4f3c269c56522ff10b6c95128548767

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Site Characteristics Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\GrShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\GrShaderCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\GrShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\GrShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Local State

Filesize
1KB

MD5
eb7963ecda2eb6605e84ff0c9f79c8f3

SHA1
2b22206ab54de70e7d56917a34a0b7ace4b351c2

SHA256
4ec19ecda90f3eeb299c6eacd678255fe7585947fa633e6b6fb122286a23e3a4

SHA512
16eaed653582eb5def3bccc8ee9bf3ecf4395868a83cfcbf4e1b8a27f7ae96e7b5e385d2fbed05ff4aab2edcd43f53f307f905f242e881807996169790af424b

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Local State

Filesize
2KB

MD5
c37d18cd4f571ee831ef210db683ec94

SHA1
8606949c6d5f8392dcdced161bc90e66cdb389f4

SHA256
ef6ee6d70dfb385ecf3cae81520411a71922ffefe4ea88c80717bec2c6458d8d

SHA512
8504aef025c1d08f1cd8c05a05d1604380aa9d85d36dec4005dd4b27ecc752c3a3bb484120fe78abaac4baac96bdac12cc12b60de5cd1281fd6bb31303cc43fb

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Local State

Filesize
3KB

MD5
ae0ad3ebd38a7d9cbb85983520675152

SHA1
fb6f06f77edba46dfadb9940df842ecbe46af3d2

SHA256
279123ea3d523bb9b1552e93272f4d1af8f43de6feaa8f3624b10eabce4cd3a9

SHA512
ea7a7330c9e47c460cb655bec7403bac07d35d6cc4f954e5fe5102161abb5711ca629ce96c11be093d0e55efb438d81bdae29e07e7370b9429f25b48e82df601

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Local State

Filesize
16KB

MD5
afd49f9485094c6436a2448c60928078

SHA1
52c498db912c5f54a878ad989253d75b767910b9

SHA256
8654abe3046527b623863e0b74afaa37100910524322b77014b657431c6b41c0

SHA512
7e34d9d8bfa5eddd4532aaf8c66e4d8d403479019e70f8c0dd2b3a8a364e6a416f85f4cd9570ddfb573fcf557f65e58cb70d34706e28ffd32727218041fa90ad

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Local State

Filesize
17KB

MD5
49374d423a7eb86071938e68429dc328

SHA1
4a314fb2df870f08e9b9918e49d0784b5d4b9921

SHA256
719ace4b38c73ae877a86f09a8239ec80cda1f34e0a13b2b7591900faaac92b7

SHA512
7d044cb3704a6a1a768e342c82cd44a2705a4cef7fddea369996109276ea9c229988b8a56bf82a3f3d5f406ecb4ef4216b3ddc4c67643016914e56dc59e16773

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Local State

Filesize
18KB

MD5
098c5102c31fd6df6e6514ebe792df55

SHA1
404710481f018c4bf7d9d082c4fe6af9bb063f30

SHA256
71b8f37b26ac284f72d1e474480c9ef8f3d8c65fe4ab2793462c156384557331

SHA512
ab4cb68d248591e7884125efcad4fbfc1c2d7053e78e22932fd0b60f93ee1046a462a131080352c17c85408d327b18e469c7cd8e17365b2a1de0b97895b4e2c6

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Local State~RFe59fe4c.TMP

Filesize
1KB

MD5
b9a66f5c6c344d30407fa0213079c27c

SHA1
26767046d7abb960ff57742e94349c4dc9068a66

SHA256
75debc1e750084fc985f9c6d9f31bfed693f4d01e3f398289c8c09c8dfd9e4d7

SHA512
18b5a78423f15e9d2a22b1090145f94d00b73a5c1b6f6e62b132a261bb1a561143112afc4967ae2fc31dd495ac02d9644b79982fc5c456d185e848c2b93d80f1

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\PKIMetadata\21.0.0.0\ct_config.pb

Filesize
10KB

MD5
09b6469de61db3473bdfe04951f08529

SHA1
d64b455ae9c65d8d8629a128a9f3505ef3df3555

SHA256
1c435f4448dcf1784637fa9470546d12d7db2420a11cf8b5d6343439dd401c60

SHA512
049d3c0e05aa3ab1d4d51cc5bd72603f47aa33141bf771cb86baedc19b8973911445ce74256ff1118483175cf4a104262a22ae9431a6366cbd1f7d28553fcbb0

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\PKIMetadata\21.0.0.0\kp_pinslist.pb

Filesize
11KB

MD5
2d8bcb7c4b2dc669429bd40f7048f62a

SHA1
43a332c99105dcfb67893ea167879c3ce6bac8db

SHA256
7a0866cdd7bd21b8b08d166edb3f6adf8c859b47988b9b3ba3f0eaafabe10ff2

SHA512
15d3c7c6df2c3c75daf7ea9165687c5a6f8acac3dfe83573e20aa1bd425dde8fc659fc2c1b050b3e8ddb28358a96b9e0c083e61fa5d63ae34fa4b0bb63db8a76

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.57\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\Subresource Filter\Unindexed Rules\10.34.0.57\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\team.io.teamchatwe\EBWebView\hyphen-data\120.0.6050.0\hyph-as.hyb

Filesize
703B

MD5
8961fdd3db036dd43002659a4e4a7365

SHA1
7b2fa321d50d5417e6c8d48145e86d15b7ff8321

SHA256
c2784e33158a807135850f7125a7eaabe472b3cfc7afb82c74f02da69ea250fe

SHA512
531ecec11d296a1ab3faeb2c7ac619da9d80c1054a2ccee8a5a0cd996346fea2a2fee159ac5a8d79b46a764a2aa8e542d6a79d86b3d7dda461e41b19c9bebe92

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2a2e0412b8ad04a2.customDestinations-ms

Filesize
4KB

MD5
e67a9c014c9f09c2db5ce434b2b1670b

SHA1
7d3abcef645fd5e0203db930a06b1e788206d385

SHA256
e2f6b322641df220587662a534ee7c58b93cc52718bf0261c6451ccd7898aa38

SHA512
8614031900c99996f150cd9019364fa6f691f7def266c05fc33d8d176f875020302ffae92b7be6ad13c07e127299c8e9aa83fcee5bed546ffb2dafcc655666b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2a2e0412b8ad04a2.customDestinations-ms

Filesize
4KB

MD5
0912e7ecce0c4422bd32e3db388965f3

SHA1
cb551d3ec9e3f167c5b8a40bd451e8b89ab4e978

SHA256
1246f485f7beaae83e81e202cdb5162bbe42898f362de362da5b3ae3e30ba1f2

SHA512
6de03dd551c3b13ca3bb76e22e5653a7e18695025c1d4595b291ed20bbed4b97583f0fb2f82edbbc054525e03614f39c0f2c67dddb94e440d2ec355bf5c642cd

Download Submit
memory/1500-479-0x00007FFFBD060000-0x00007FFFBD061000-memory.dmp

Filesize
4KB

Download
memory/2464-410-0x00000000005C0000-0x00000000005F5000-memory.dmp

Filesize
212KB

Download
memory/2464-374-0x00000000005C0000-0x00000000005F5000-memory.dmp

Filesize
212KB

Download
memory/2464-375-0x0000000073920000-0x0000000073B46000-memory.dmp

Filesize
2.1MB

Download
memory/2464-397-0x0000000073920000-0x0000000073B46000-memory.dmp

Filesize
2.1MB

Download
memory/4460-552-0x00007FFFBD060000-0x00007FFFBD061000-memory.dmp

Filesize
4KB

Download
memory/4840-560-0x00007FFFBD060000-0x00007FFFBD061000-memory.dmp

Filesize
4KB

Download
memory/4840-561-0x00007FFFBE0D0000-0x00007FFFBE0D1000-memory.dmp

Filesize
4KB

Download
memory/5292-2638-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/5336-2640-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5336-2620-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5400-3473-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/5400-4703-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/5400-4698-0x0000000000400000-0x000000000052C000-memory.dmp

Filesize
1.2MB

Download
memory/5508-9564-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9561-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9531-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9565-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9529-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9563-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9562-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9530-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9560-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5508-9559-0x0000020697750000-0x0000020697751000-memory.dmp

Filesize
4KB

Download
memory/5624-2635-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5624-3472-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5624-4704-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/5940-5512-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download
memory/5940-5106-0x0000000002580000-0x00000000025DB000-memory.dmp

Filesize
364KB

Download
memory/5940-4696-0x0000000000400000-0x000000000080C000-memory.dmp

Filesize
4.0MB

Download