rhadamanthys | hxxps://www[.]mediafire[.]com/file/wd7yw95x4qecopy/-boStrap-x86-[.]zip/file

Analysis

max time kernel
281s
max time network
282s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
11-02-2025 14:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/wd7yw95x4qecopy/-boStrap-x86-.zip/file

Score

10^/10

rhadamanthys discovery persistence privilege_escalation stealer

Malware Config

Signatures

Detects Rhadamanthys payload 17 IoCs

resource	yara_rule
behavioral1/memory/1500-233-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/4708-236-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1500-235-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/712-238-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2004-240-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3296-242-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3216-244-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/1764-246-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3852-248-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/560-250-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3252-252-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3460-254-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2484-259-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2096-263-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2284-264-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/3700-261-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/2824-256-0x0000000000400000-0x0000000000481000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 43 IoCs

description	pid	Process	procid_target
PID 1764 created 2936	1764	aspnet_wp.exe	50
PID 3852 created 2936	3852	csc.exe	50
PID 560 created 2936	560	csc.exe	50
PID 3216 created 2936	3216	aspnet_wp.exe	50
PID 1500 created 2936	1500	aspnet_wp.exe	50
PID 2284 created 2936	2284	aspnet_wp.exe	50
PID 3296 created 2936	3296	aspnet_wp.exe	50
PID 4708 created 2936	4708	aspnet_wp.exe	50
PID 712 created 2936	712	aspnet_wp.exe	50
PID 2004 created 2936	2004	csc.exe	50
PID 3252 created 2936	3252	aspnet_wp.exe	50
PID 3460 created 2936	3460	aspnet_wp.exe	50
PID 2824 created 2936	2824	aspnet_wp.exe	50
PID 2484 created 2936	2484	csc.exe	50
PID 3700 created 2936	3700	aspnet_wp.exe	50
PID 4768 created 2936	4768	csc.exe	50
PID 2496 created 2936	2496	aspnet_wp.exe	50
PID 3540 created 2936	3540	aspnet_wp.exe	50
PID 4524 created 2936	4524	aspnet_wp.exe	50
PID 1624 created 2936	1624	aspnet_wp.exe	50
PID 1776 created 2936	1776	csc.exe	50
PID 2904 created 2936	2904	csc.exe	50
PID 1152 created 2936	1152	aspnet_wp.exe	50
PID 3108 created 2936	3108	aspnet_wp.exe	50
PID 2204 created 2936	2204	csc.exe	50
PID 2844 created 2936	2844	aspnet_wp.exe	50
PID 3560 created 2936	3560	aspnet_wp.exe	50
PID 380 created 2936	380	aspnet_wp.exe	50
PID 1428 created 2936	1428	aspnet_wp.exe	50
PID 1500 created 2936	1500	aspnet_wp.exe	50
PID 3252 created 2936	3252	aspnet_wp.exe	50
PID 2932 created 2936	2932	aspnet_wp.exe	50
PID 3488 created 2936	3488	aspnet_wp.exe	50
PID 2764 created 2936	2764	aspnet_wp.exe	50
PID 5764 created 2936	5764	csc.exe	50
PID 5892 created 2936	5892	aspnet_wp.exe	50
PID 5804 created 2936	5804	aspnet_wp.exe	50
PID 5860 created 2936	5860	csc.exe	50
PID 5944 created 2936	5944	aspnet_wp.exe	50
PID 5788 created 2936	5788	csc.exe	50
PID 5876 created 2936	5876	aspnet_wp.exe	50
PID 5836 created 2936	5836	aspnet_wp.exe	50
PID 5820 created 2936	5820	aspnet_wp.exe	50

Suspicious use of SetThreadContext 52 IoCs

description	pid	Process	procid_target
PID 536 set thread context of 1500	536	bootstrapper.exe	113
PID 536 set thread context of 4708	536	bootstrapper.exe	114
PID 536 set thread context of 712	536	bootstrapper.exe	115
PID 536 set thread context of 2004	536	bootstrapper.exe	117
PID 536 set thread context of 3296	536	bootstrapper.exe	118
PID 536 set thread context of 3216	536	bootstrapper.exe	119
PID 536 set thread context of 1764	536	bootstrapper.exe	120
PID 536 set thread context of 3852	536	bootstrapper.exe	122
PID 536 set thread context of 560	536	bootstrapper.exe	124
PID 536 set thread context of 3252	536	bootstrapper.exe	125
PID 536 set thread context of 3460	536	bootstrapper.exe	126
PID 536 set thread context of 2824	536	bootstrapper.exe	127
PID 536 set thread context of 3700	536	bootstrapper.exe	128
PID 536 set thread context of 2484	536	bootstrapper.exe	130
PID 536 set thread context of 2284	536	bootstrapper.exe	131
PID 536 set thread context of 2096	536	bootstrapper.exe	132
PID 536 set thread context of 4768	536	bootstrapper.exe	171
PID 536 set thread context of 3888	536	bootstrapper.exe	172
PID 536 set thread context of 1776	536	bootstrapper.exe	174
PID 536 set thread context of 1624	536	bootstrapper.exe	175
PID 536 set thread context of 2904	536	bootstrapper.exe	177
PID 536 set thread context of 4524	536	bootstrapper.exe	178
PID 536 set thread context of 2496	536	bootstrapper.exe	179
PID 536 set thread context of 3540	536	bootstrapper.exe	180
PID 536 set thread context of 4652	536	bootstrapper.exe	181
PID 536 set thread context of 1152	536	bootstrapper.exe	182
PID 2788 set thread context of 2636	2788	bootstrapper.exe	207
PID 2788 set thread context of 908	2788	bootstrapper.exe	208
PID 2788 set thread context of 3560	2788	bootstrapper.exe	209
PID 2788 set thread context of 2284	2788	bootstrapper.exe	210
PID 2788 set thread context of 1580	2788	bootstrapper.exe	213
PID 2788 set thread context of 380	2788	bootstrapper.exe	215
PID 2788 set thread context of 3108	2788	bootstrapper.exe	216
PID 2788 set thread context of 2844	2788	bootstrapper.exe	217
PID 2788 set thread context of 2204	2788	bootstrapper.exe	219
PID 2788 set thread context of 2764	2788	bootstrapper.exe	220
PID 2788 set thread context of 2932	2788	bootstrapper.exe	221
PID 2788 set thread context of 3156	2788	bootstrapper.exe	224
PID 2788 set thread context of 1500	2788	bootstrapper.exe	225
PID 2788 set thread context of 3488	2788	bootstrapper.exe	226
PID 2788 set thread context of 1428	2788	bootstrapper.exe	228
PID 2788 set thread context of 3252	2788	bootstrapper.exe	229
PID 2788 set thread context of 5764	2788	bootstrapper.exe	262
PID 2788 set thread context of 5788	2788	bootstrapper.exe	264
PID 2788 set thread context of 5804	2788	bootstrapper.exe	265
PID 2788 set thread context of 5820	2788	bootstrapper.exe	266
PID 2788 set thread context of 5836	2788	bootstrapper.exe	267
PID 2788 set thread context of 5860	2788	bootstrapper.exe	269
PID 2788 set thread context of 5876	2788	bootstrapper.exe	270
PID 2788 set thread context of 5892	2788	bootstrapper.exe	271
PID 2788 set thread context of 5924	2788	bootstrapper.exe	274
PID 2788 set thread context of 5944	2788	bootstrapper.exe	276

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 18 IoCs

pid	pid_target	Process	procid_target
1152	2484	WerFault.exe	130
2800	2096	WerFault.exe	132
3156	3460	WerFault.exe	126
1068	2824	WerFault.exe	127
4644	3888	WerFault.exe	172
220	4768	WerFault.exe	171
1164	2496	WerFault.exe	179
712	4524	WerFault.exe	178
3996	4652	WerFault.exe	181
1596	1580	WerFault.exe	213
1152	3156	WerFault.exe	224
5588	908	WerFault.exe	208
5580	2284	WerFault.exe	210
5716	2764	WerFault.exe	220
5972	5924	WerFault.exe	274
5544	5892	WerFault.exe	271
5512	5876	WerFault.exe	270
5556	5804	WerFault.exe	265

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dllhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe10000000ea1f257d6c7cdb013b2f346e747cdb01ba1a5f08937cdb0114000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\6\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\0\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2855353826-2127742941-242596738-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3708	msedge.exe
3708	msedge.exe
3080	msedge.exe
3080	msedge.exe
2380	MicrosoftEdgeUpdate.exe
2380	MicrosoftEdgeUpdate.exe
2380	MicrosoftEdgeUpdate.exe
2380	MicrosoftEdgeUpdate.exe
440	identity_helper.exe
440	identity_helper.exe
952	msedge.exe
952	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
712	aspnet_wp.exe
712	aspnet_wp.exe
1500	aspnet_wp.exe
1500	aspnet_wp.exe
1764	aspnet_wp.exe
1764	aspnet_wp.exe
4708	aspnet_wp.exe
4708	aspnet_wp.exe
3296	aspnet_wp.exe
3296	aspnet_wp.exe
2004	csc.exe
2004	csc.exe
3216	aspnet_wp.exe
3216	aspnet_wp.exe
3852	csc.exe
3852	csc.exe
3252	aspnet_wp.exe
3252	aspnet_wp.exe
2284	aspnet_wp.exe
2284	aspnet_wp.exe
3460	aspnet_wp.exe
3460	aspnet_wp.exe
560	csc.exe
560	csc.exe
1764	aspnet_wp.exe
1764	aspnet_wp.exe
3852	csc.exe
3852	csc.exe
560	csc.exe
560	csc.exe
3216	aspnet_wp.exe
3216	aspnet_wp.exe
1500	aspnet_wp.exe
1500	aspnet_wp.exe
2284	aspnet_wp.exe
2284	aspnet_wp.exe
3296	aspnet_wp.exe
3296	aspnet_wp.exe
4708	aspnet_wp.exe
4708	aspnet_wp.exe
712	aspnet_wp.exe
712	aspnet_wp.exe
2004	csc.exe
2004	csc.exe
2824	aspnet_wp.exe
2824	aspnet_wp.exe
2484	csc.exe
2484	csc.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
936	msedge.exe
2840	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	2840	taskmgr.exe
Token: SeSystemProfilePrivilege	2840	taskmgr.exe
Token: SeCreateGlobalPrivilege	2840	taskmgr.exe
Token: 33	5576	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5576	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
3080	msedge.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe
2840	taskmgr.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
936	msedge.exe
3180	msedge.exe
5748	msedge.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe
5672	osk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 3952	3080	msedge.exe	81
PID 3080 wrote to memory of 3952	3080	msedge.exe	81
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 1668	3080	msedge.exe	82
PID 3080 wrote to memory of 3708	3080	msedge.exe	83
PID 3080 wrote to memory of 3708	3080	msedge.exe	83
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84
PID 3080 wrote to memory of 5076	3080	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2936
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2384
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  PID:1832
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4404
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2800
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4876
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3156
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2180
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2904
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:908
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2172
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1796
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4232
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:380
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2172
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3028
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:908
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3432
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2828
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1764
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1736
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1864
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5136
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5152
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5172
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5196
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:5228
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5252
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5312
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5368
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5472
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:572
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:60
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5236
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4948
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2448
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5184
- C:\Windows\SysWOW64\dllhost.exe
  "C:\Windows\System32\dllhost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5220
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/wd7yw95x4qecopy/-boStrap-x86-.zip/file
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffbdff346f8,0x7ffbdff34708,0x7ffbdff34718
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5748 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:5724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6992 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7024 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3504 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:5748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,15471771384471672519,681565171177228962,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3964

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\-boStrap-x86-\README.txt
1⤵
PID:2176

C:\Users\Admin\Downloads\-boStrap-x86-\bootstrp\bootstrp\bootstrapper.exe
"C:\Users\Admin\Downloads\-boStrap-x86-\bootstrp\bootstrp\bootstrapper.exe"
1⤵
- Suspicious use of SetThreadContext
PID:536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 388
    3⤵
    - Program crash
    PID:3156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2824
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2824 -s 392
    3⤵
    - Program crash
    PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2484
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 388
    3⤵
    - Program crash
    PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2096
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 368
    3⤵
    - Program crash
    PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:4768
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4768 -s 388
    3⤵
    - Program crash
    PID:220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3888
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3888 -s 368
    3⤵
    - Program crash
    PID:4644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:1624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:4524
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4524 -s 424
    3⤵
    - Program crash
    PID:712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:2496
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 392
    3⤵
    - Program crash
    PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 368
    3⤵
    - Program crash
    PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1764 -ip 1764
1⤵
PID:4316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 2096 -ip 2096
1⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2484 -ip 2484
1⤵
PID:1724

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 2824 -ip 2824
1⤵
PID:2388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 3852 -ip 3852
1⤵
PID:2780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 3460 -ip 3460
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 3252 -ip 3252
1⤵
PID:2360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 724 -p 2004 -ip 2004
1⤵
PID:2884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 712 -ip 712
1⤵
PID:3048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 4708 -ip 4708
1⤵
PID:3064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3296 -ip 3296
1⤵
PID:1964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 2284 -ip 2284
1⤵
PID:220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 1500 -ip 1500
1⤵
PID:3888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 3216 -ip 3216
1⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 560 -ip 560
1⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 3700 -ip 3700
1⤵
PID:3356

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:2840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 768 -p 3888 -ip 3888
1⤵
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 4768 -ip 4768
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 2496 -ip 2496
1⤵
PID:2844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3540 -ip 3540
1⤵
PID:572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 4524 -ip 4524
1⤵
PID:2204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1624 -ip 1624
1⤵
PID:3264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1776 -ip 1776
1⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 2904 -ip 2904
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 652 -p 4652 -ip 4652
1⤵
PID:3308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 1152 -ip 1152
1⤵
PID:1428

C:\Users\Admin\Downloads\-boStrap-x86-\bootstrp\bootstrp\bootstrapper.exe
"C:\Users\Admin\Downloads\-boStrap-x86-\bootstrp\bootstrp\bootstrapper.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- - C:\Windows\SysWOW64\svchost.exe
    "C:\Windows\System32\svchost.exe"
    3⤵
    PID:5208
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:908
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 344
    3⤵
    - Program crash
    PID:5588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2284
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 340
    3⤵
    - Program crash
    PID:5580
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1580
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 12
    3⤵
    - Program crash
    PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:2204
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:2764
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 392
    3⤵
    - Program crash
    PID:5716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:2932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3156
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3156 -s 12
    3⤵
    - Program crash
    PID:1152
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:3488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:1428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:5764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:5788
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:5804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 392
    3⤵
    - Program crash
    PID:5556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:5820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:5836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:5860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:5876
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5876 -s 360
    3⤵
    - Program crash
    PID:5512
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - System Location Discovery: System Language Discovery
  PID:5892
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5892 -s 360
    3⤵
    - Program crash
    PID:5544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:5916
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:5924
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5924 -s 12
    3⤵
    - Program crash
    PID:5972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  PID:5944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 1580 -ip 1580
1⤵
PID:3788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 3156 -ip 3156
1⤵
PID:1796

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 908 -ip 908
1⤵
PID:1236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2284 -ip 2284
1⤵
PID:4708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 3108 -ip 3108
1⤵
PID:5280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 672 -p 2204 -ip 2204
1⤵
PID:5408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 2844 -ip 2844
1⤵
PID:5464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3560 -ip 3560
1⤵
PID:5528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 380 -ip 380
1⤵
PID:5568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 1428 -ip 1428
1⤵
PID:5596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 2636 -ip 2636
1⤵
PID:5608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 1500 -ip 1500
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 804 -p 3252 -ip 3252
1⤵
PID:5640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 2932 -ip 2932
1⤵
PID:5660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 3488 -ip 3488
1⤵
PID:5684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 2764 -ip 2764
1⤵
PID:5696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5924 -ip 5924
1⤵
PID:5936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5892 -ip 5892
1⤵
PID:2344

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 5804 -ip 5804
1⤵
PID:5216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 5860 -ip 5860
1⤵
PID:5420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 5944 -ip 5944
1⤵
PID:5152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 5788 -ip 5788
1⤵
PID:5496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 5876 -ip 5876
1⤵
PID:5500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 884 -p 5836 -ip 5836
1⤵
PID:5444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 748 -p 5764 -ip 5764
1⤵
PID:5392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 736 -p 5820 -ip 5820
1⤵
PID:5284

C:\Windows\system32\osk.exe
"C:\Windows\system32\osk.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:5672

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2f8 0x484
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b0ef518aae5676440f31d290976c2e8b

SHA1
eeca8337b269b5f596518dd3eb761866b04f3e6d

SHA256
7fdad3deaaa02633eb8ced58764519bb878a16318f9ea423e096a5c13c8f7a46

SHA512
6cae791d1e51b0f065149779b554289b395c235f96f9d4de436a73ea25aa580e1c53e545d5c20b3c9754010b816eb05e163b538d67cd3b2dbe7ada4561d3987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8c7d3492-6aa7-4969-b261-669557e36837.tmp

Filesize
538B

MD5
abf8d14e523aa4e4030f8dab8c7cb770

SHA1
6442df01bec7ecd03bdd0958c1408b24937c91c8

SHA256
1a943acbbd48ac2eab8a1b303d5e04aa9e3c5a5d9272a33538f92670b2ef1a86

SHA512
775aa5f0610f477be66ece443e59a7764878564e6c9c8077d6e6096e8e52a72fe96bc28ba85d42c832e277ae5227cfc107058980f6daa22f5ef7ece269f648f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
9db8bbe36ef7f4cfa112f19a5a4beeba

SHA1
29e7b5c11462e00820f39cc087d945eaebac0328

SHA256
54c150d74432bc3461e69bad483163b44562b9552527711465c8a5f85443262b

SHA512
2236b10dbfb425690bfa7fa7054f9906a2e1969f2db511d167278ad36b418b5fdfc9b7ffae24aee93f87f7ef238145df2db74dfbb94ad4c968ad4b1f22d9347b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
c91be2e02e1d518cf9e44f3456cecff2

SHA1
1dca41c7aaf2434af0907d51b21691b4603b94e5

SHA256
8d52b289b122d517b609cc3a0f55a0f01e0e279ba90eba8c031c1baac64b3a00

SHA512
da54bd6e31ef42494b660bb9c96767da2e9875fd9d8faf04516135b089420b64c7090002d725d9db2ff0de573b43a020d7540553155de408651b8f6bd1feb9a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
5a9d4ea5e942204be4a3e6e63ccffc62

SHA1
2c1d6114e51f092c00cf095a18e60e997c5838b2

SHA256
98df23253395ddc6711668be9e65a952edfa7f11223e74cc9b807a33ddc8559d

SHA512
632ee4e5bbaf184c3e57e969c172f15d025efe0c5b9993d241b4c6460e87af5435f601a574c16148744ce30a6854a56df31a7777e2e56de918e686cc3f56c1f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
265621f1acd69e2445ce223b697994ec

SHA1
bfaed5645e66a9f946f2384724daf3c678113b58

SHA256
81cf6035d58daf43f2acc108635486ed80c4048ef3c1f1dd3fc237901d90eed5

SHA512
a7a6198b42bd51b3d228a38c6e0e25cf6eaf274682cb14cd9292a89dad4037c6c43a9708ca67c21d5771262c19ef7b0864137f5d1d284dbc972f4492f5fa3402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1670c90ad9327c6a061149c803012778

SHA1
86ff04124b170dfe75930df1edeae86c4facd88a

SHA256
0775ddfa2e959e455073d8a957de10c897ad7b2385a2ed79efd56156f5de3268

SHA512
e636c32c7eb0c74a8c1a255aeca451ab421bcebb8647aae3e60f085cfca94a050ba4d542c4b492e5f2e788571ba16d23a154597d5aaf3878b15a9453d1c23033

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c84347294223ab5cc993e4e70cf26a9

SHA1
cf981f4788847206d8c9f64699725c1b56824b2a

SHA256
9a433569e1723b174beca4d598e99c7063ff0cc508a83089923ae6854218f548

SHA512
6de6ac5794673afbf485234c62083547d1a58784b2c588f7807c9360a61c2ab6a87238992fdfc04f84c79498e8a1ac8d16dd62f51cadc857f536cc13f147d629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4bc2e807237af4940145929e6f96dccb

SHA1
be5ec2e29148b9eff3cc3140fb9893c2763d00cf

SHA256
bc3cb2620a9f84e3abee7aa36c008d6f569efd140d3c1b51afa707aea0c2e154

SHA512
67d66a0ba76e9e652bea4277de92f2c41b17ae140a023868b01061f8a889505992a4d77f714be12a9a263f40d9d70517f32b49220e4ecbf88949911bb03dd08f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c42f1b72d2a7f69c8e9d2ed00303f01c

SHA1
d57fbad41fdac008257fa4538986cabc1d5e5849

SHA256
f0a21f5870f729ccd2528ec1e4cb4ebacf51faaa8fd5de09f63cd6bd31d600ac

SHA512
00c6c92b23a3fc07b54d8cf9a939cded441a301e53cfcff2734dabc89beb265ecddfbbeac71b44e18281f2053c6390ec35024ea9c5ab24278335b20ae4554027

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc93ef7625f37de22e73d92040f19126

SHA1
049cf4743e67dcc3d7631203942f481801484f99

SHA256
a65b972c13104e06b9f63ed1e576629a4e8792daa43c99a4c9ad588e31fd615d

SHA512
6612e892d00dbdfada2f8fead5e42f77403e63ea7be5526190dcd70e8a5bbb658a13cafe2f365c38d08cfb60efd7d3eee40180741aa9a9f682691a9931c58b1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c36c00daf543631201e7dc189ab2008d

SHA1
5cd7ad67fe6f6a88a7a746422132bbde9a5a91c8

SHA256
b578f9a662c1a96942d5d4cb5b1f35846eceaccaa3e3517477749508ed4a0081

SHA512
ae9ebc42e7a987b32451cc3dfbdac27c191d20b14b4bdb46c8a1c432d5ecb9df61577b3683a5847a538b921f9cb6883eadf23e2037ece3ac5107cbc7a35b8a8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42398289dc3ba88c160d99c8c715e2f7

SHA1
de53da10333387388f47c16aa06d65eb5c05bdf9

SHA256
ce0e2dbca6eb7ce09e2e708d20f4364e616ca9ee5a33a6e607ab1d1d845c48c3

SHA512
1350252d0a1c19f35d162fdca757928dc1de1d3b41fd84b0ea32ffacbbb087cd07326955dd8c664bc8381b0f46f595d2f7a14ed7165c283ce240420461ee2382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5f3bb859666765cec8440f638e33c942

SHA1
7b7cf2dd9adaace78181ed05b071701061ba35d6

SHA256
6a3ec09088349a397259479bffa928351c6e91d007a09f8b09446e8a7fe014ae

SHA512
008deaec783afef319cceca7afce4b71a91db363242b549b2fae8c7a09cb201ea3cb3181e712838083b391e594cb9e74420a6209d088c4ecf131926acf119e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
72fe5988c04cbed4c2f6a0240bc885b9

SHA1
329205c018f013dac51e2006104bdf6fc1358d36

SHA256
ee2cef208cc0c0c0109f15c87d75ccdb2302bc9af1d3bfa38ddc92a77630c76c

SHA512
053db5b430efad17fdeaec126257c5f873b3703ec6ec697da2ad07509e8c3fd937eda10fc7d00ddf74c79523f0d1b0ce293b876326ca0c58029d09fe5a79c910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
34816eae8336400d114582efcdd31038

SHA1
f525b70f6279330d70e7dab4a512c244239ccc43

SHA256
61bdb9f33eb1839c5eafa0527ceb81b43626d68bd3a5388070f64d9da6e6e46f

SHA512
7a6b854d1a15b9d788ab79a84beebb82a185ca6328bf2704c5b089f6faf72618099b3975d5fb2e7e6f915a3335f10539c490fb0357b99f174098f50cb303e16e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7fbff3e3e69939488d1524adc2bc76c8

SHA1
e24b696774c90aec8933acee608f2b2940c049f9

SHA256
f481213621dddd9245ca17bd619d707bcc8afbe7020ce70ae240fa443119b4e3

SHA512
021a687a26dcafb3cb9e10be520e75864bf0754121f92e080c1098000bbab4ed287de1b3e436e58553e9ec102fedbce84f772afe4347c8b61aa00f9598d59539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57bc70cd1fcae434baa35474cf405508

SHA1
d706df196a045b7307ea6f515657943f07fbfecb

SHA256
5473a016fc69584ab40302d749325a29369a53d726c13c675a4d7fde0f1afe37

SHA512
fcdcea5f18d9753b2c7e860b76ffdb33bcabdf98ccb6514017083358071ce7fe4efd92fbc669c9c8d0faa196d4b4260502b844bb4658e97603f823c2b551c86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
006bb3d5a8a9e54917fc0c722e973897

SHA1
f715e0dd5e2c69270675fcf87574d51ae77e9d13

SHA256
113d282262e7120122d04ccd0a1143a12d7cf6213acd6dee1f4f8c743e8c8e22

SHA512
45b3c4703176d43308036af9329595dd33d523622fd0d40c334ae661ebcd800379aea19bab0e0e50b932946899d79d26e6bc8c7992e25563bde24259560c79e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d94c5b36c708c813fc2831d15c73902

SHA1
e789dec816daf0a8fdf99f46a2f8d34aed717fa4

SHA256
4b453c81464c61827c902879b310c4330e99a6cee6eba6300fd67a9fe57d68d4

SHA512
1660545ed20306f3b6cb5f9a7ed40195a46a3c35635ad43721bb26991bac4c8b988e692d45819aa6f4b5aefdf269c25fe0adbeda0453c118d082830e6c43108c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c4eeaf81f3a177996553b34a83d1362f

SHA1
99d681dd339bd0457acf75696919549d40682552

SHA256
cefb532684f5d8e0bc6f8b090452c22eb4c91cefec150cbd6fe9838a9222871d

SHA512
ae5a2b60990ca912dcfffa1ff5d7f79ee8f6517013944b40a25da45118b367bc006f646262c0a5a1d98daffc55c90ab3dd61a727a82ae323f6213ac38437f326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
96e56ed3e9dc729e8648feb2306eb220

SHA1
0417f5168b628050280b7e8ed71a68c16b21bddd

SHA256
45f443f3550d7962d5aed9d08fda8ad94893ecc899f5b8014317953d24d975ab

SHA512
d9b3c092acdf3e0d57abc5aeb672b8410edbff3ef09f76bea8a2e71c28c88a7f235072eed1c2245b6189b65741d118c425c6ca9fbfb5d8a1dc847b77e9ed9d13

Download Submit
memory/560-250-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/712-265-0x0000000000C70000-0x0000000001070000-memory.dmp

Filesize
4.0MB

Download
memory/712-238-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/712-268-0x0000000000C70000-0x0000000001070000-memory.dmp

Filesize
4.0MB

Download
memory/1500-235-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1500-282-0x00007FFBEECB0000-0x00007FFBEEEA8000-memory.dmp

Filesize
2.0MB

Download
memory/1500-233-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1500-270-0x0000000000F50000-0x0000000001350000-memory.dmp

Filesize
4.0MB

Download
memory/1764-246-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1764-275-0x0000000000AF0000-0x0000000000EF0000-memory.dmp

Filesize
4.0MB

Download
memory/1764-290-0x00007FFBEECB0000-0x00007FFBEEEA8000-memory.dmp

Filesize
2.0MB

Download
memory/2004-240-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2004-283-0x0000000001130000-0x0000000001530000-memory.dmp

Filesize
4.0MB

Download
memory/2096-263-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2284-264-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2284-297-0x00000000011B0000-0x00000000015B0000-memory.dmp

Filesize
4.0MB

Download
memory/2484-259-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2824-256-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3216-287-0x00007FFBEECB0000-0x00007FFBEEEA8000-memory.dmp

Filesize
2.0MB

Download
memory/3216-286-0x0000000000CF0000-0x00000000010F0000-memory.dmp

Filesize
4.0MB

Download
memory/3216-244-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3252-294-0x0000000000ED0000-0x00000000012D0000-memory.dmp

Filesize
4.0MB

Download
memory/3252-252-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3296-285-0x00007FFBEECB0000-0x00007FFBEEEA8000-memory.dmp

Filesize
2.0MB

Download
memory/3296-242-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3296-284-0x00000000010E0000-0x00000000014E0000-memory.dmp

Filesize
4.0MB

Download
memory/3460-254-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3700-261-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/3852-276-0x0000000000F80000-0x0000000001380000-memory.dmp

Filesize
4.0MB

Download
memory/3852-289-0x00007FFBEECB0000-0x00007FFBEEEA8000-memory.dmp

Filesize
2.0MB

Download
memory/3852-248-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/4708-280-0x0000000000FB0000-0x00000000013B0000-memory.dmp

Filesize
4.0MB

Download
memory/4708-281-0x00007FFBEECB0000-0x00007FFBEEEA8000-memory.dmp

Filesize
2.0MB

Download
memory/4708-236-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download