Overview

overview

10

Static

static

10

21f28d08dc...4a.exe

windows7-x64

10

21f28d08dc...4a.exe

windows10-2004-x64

10

21f66f607b...31.exe

windows7-x64

10

21f66f607b...31.exe

windows10-2004-x64

10

2225aa5547...66.exe

windows7-x64

10

2225aa5547...66.exe

windows10-2004-x64

10

229543f6c7...72.exe

windows7-x64

10

229543f6c7...72.exe

windows10-2004-x64

10

229ce4ad22...42.exe

windows7-x64

10

229ce4ad22...42.exe

windows10-2004-x64

10

22ce8222d2...5b.exe

windows7-x64

10

22ce8222d2...5b.exe

windows10-2004-x64

10

22e982850d...20.exe

windows7-x64

10

22e982850d...20.exe

windows10-2004-x64

10

22f097b0a0...91.exe

windows7-x64

1

22f097b0a0...91.exe

windows10-2004-x64

1

22f1f6e81e...ff.exe

windows7-x64

10

22f1f6e81e...ff.exe

windows10-2004-x64

10

231f156f9f...36.exe

windows7-x64

10

231f156f9f...36.exe

windows10-2004-x64

10

23f2f3a3cd...99.exe

windows7-x64

10

23f2f3a3cd...99.exe

windows10-2004-x64

10

23f9b03d2d...b9.exe

windows7-x64

10

23f9b03d2d...b9.exe

windows10-2004-x64

10

23ff6ba14d...91.exe

windows7-x64

10

23ff6ba14d...91.exe

windows10-2004-x64

10

241c1d05ad...47.exe

windows7-x64

10

241c1d05ad...47.exe

windows10-2004-x64

10

243242e581...fc.exe

windows7-x64

1

243242e581...fc.exe

windows10-2004-x64

1

24333d13e7...f5.exe

windows7-x64

10

24333d13e7...f5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/03/2025, 06:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    231f156f9f4b328156bcb91a17f2a636.exe

  • Size

    3.0MB

  • MD5

    231f156f9f4b328156bcb91a17f2a636

  • SHA1

    4a152cf18df6e69aae5dc7188dc29cae5d58c062

  • SHA256

    703c6e6e766b8454ab69233c17b178c5e8cf75367a99195b00f969f0896ed15f

  • SHA512

    bbd3e640ad27a495b3c967c6d69951f061b70da3205416a547da735c003ada40e7ea64de0cf3652756f7cb07d957dfb00ee1e71d70ddddabd5a9e19546301136

  • SSDEEP

    49152:q/3iuoi0xrLIy5sx+3K0n+B87/2bHJC3H0oJK7rohky64a65KKRD:4SuMxAxKp+SDqHJq+zy86A

Score
10/10
dcratdefense_evasiondiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Modifies WinLogon for persistence 2 TTPs 10 IoCs
    persistence
  • Process spawned unexpected child process 30 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • UAC bypass 3 TTPs 6 IoCs
    defense_evasiontrojan
  • DCRat payload 5 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 20 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 4 IoCs
    defense_evasiontrojan
  • Drops file in Program Files directory 37 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 6 IoCs
    defense_evasion
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\231f156f9f4b328156bcb91a17f2a636.exe
    "C:\Users\Admin\AppData\Local\Temp\231f156f9f4b328156bcb91a17f2a636.exe"
    1⤵
    • Modifies WinLogon for persistence
    • UAC bypass
    • Checks computer location settings
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3300
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\231f156f9f4b328156bcb91a17f2a636.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3876
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4356
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\smss.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4480
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3940
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\explorer.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4448
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4040
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\dwm.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4700
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of AdjustPrivilegeToken
      PID:676
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\OfficeClickToRun.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\sihost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1156
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" -Command Add-MpPreference -ExclusionPath 'C:\0154351536fc379faee1\RuntimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\0154351536fc379faee1\fontdrvhost.exe
      "C:\0154351536fc379faee1\fontdrvhost.exe"
      2⤵
      • UAC bypass
      • Checks computer location settings
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:432
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\4e8ff018-609d-46e7-8c26-f4d708fbbd9b.vbs"
        3⤵
          PID:4716
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\94b8bf3b-8985-4cfa-94df-14b7837345fa.vbs"
          3⤵
            PID:3596
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://localhost:12680/
            3⤵
            • Drops file in Program Files directory
            • Checks processor information in registry
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Modifies registry class
            • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of WriteProcessMemory
            PID:4440
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x2c8,0x2cc,0x2d0,0x2c4,0x2d8,0x7fff3c78f208,0x7fff3c78f214,0x7fff3c78f220
              4⤵
                PID:4492
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1916,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=2288 /prefetch:3
                4⤵
                  PID:2376
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2260,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=2256 /prefetch:2
                  4⤵
                    PID:748
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2564,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=2584 /prefetch:8
                    4⤵
                      PID:544
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3532,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3544 /prefetch:1
                      4⤵
                        PID:876
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3564,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3576 /prefetch:1
                        4⤵
                          PID:468
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=2592,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4596 /prefetch:1
                          4⤵
                            PID:2184
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4152,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4628 /prefetch:2
                            4⤵
                              PID:288
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3772,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3584 /prefetch:8
                              4⤵
                                PID:5344
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3620,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5228 /prefetch:8
                                4⤵
                                  PID:5492
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4688,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5300 /prefetch:8
                                  4⤵
                                    PID:5840
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4928,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5296 /prefetch:8
                                    4⤵
                                      PID:5848
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=5680,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:1
                                      4⤵
                                        PID:6008
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5884,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
                                        4⤵
                                          PID:6024
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5884,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
                                          4⤵
                                            PID:6048
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6196,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=6212 /prefetch:8
                                            4⤵
                                              PID:5596
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3504,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3624 /prefetch:8
                                              4⤵
                                                PID:3588
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6272,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:8
                                                4⤵
                                                  PID:4500
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3624,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:8
                                                  4⤵
                                                    PID:5480
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=3616,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3748 /prefetch:1
                                                    4⤵
                                                      PID:5400
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5696,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=6616 /prefetch:8
                                                      4⤵
                                                        PID:5968
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6552,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3512 /prefetch:8
                                                        4⤵
                                                          PID:4352
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3692,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3752 /prefetch:8
                                                          4⤵
                                                            PID:968
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6496,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=6288 /prefetch:8
                                                            4⤵
                                                              PID:1240
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=3592,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4692 /prefetch:1
                                                              4⤵
                                                                PID:8
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6008,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4156 /prefetch:8
                                                                4⤵
                                                                  PID:1640
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5980,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3780 /prefetch:8
                                                                  4⤵
                                                                    PID:348
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6532,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
                                                                    4⤵
                                                                      PID:5044
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=5304,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5316 /prefetch:1
                                                                      4⤵
                                                                        PID:4620
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4636,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4860 /prefetch:8
                                                                        4⤵
                                                                          PID:5932
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6220,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:8
                                                                          4⤵
                                                                            PID:1820
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5472,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4840 /prefetch:8
                                                                            4⤵
                                                                              PID:812
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3684,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=868 /prefetch:8
                                                                              4⤵
                                                                                PID:2136
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6184,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:1
                                                                                4⤵
                                                                                  PID:3008
                                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5788,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=4940 /prefetch:8
                                                                                  4⤵
                                                                                    PID:1432
                                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5416,i,359455068345979612,7835101270243134671,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
                                                                                    4⤵
                                                                                      PID:5728
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 5 /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2052
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3220
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:748
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\0154351536fc379faee1\smss.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4284
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\0154351536fc379faee1\smss.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4464
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\0154351536fc379faee1\smss.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4896
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2368
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:816
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2464
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\explorer.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3172
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\explorer.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:908
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\explorer.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4000
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:980
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1364
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3100
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\0154351536fc379faee1\dwm.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:836
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\0154351536fc379faee1\dwm.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1900
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\0154351536fc379faee1\dwm.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1508
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:556
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:2184
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\3ac54ddf2ad44faa6035cf\fontdrvhost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:920
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\es-ES\OfficeClickToRun.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1272
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4432
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\es-ES\OfficeClickToRun.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:884
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sihost.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:3540
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:4288
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\sihost.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:5036
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:760
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:1224
                                                                              • C:\Windows\system32\schtasks.exe
                                                                                schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\0154351536fc379faee1\RuntimeBroker.exe'" /rl HIGHEST /f
                                                                                1⤵
                                                                                • Process spawned unexpected child process
                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                PID:464
                                                                              • C:\Windows\system32\vssvc.exe
                                                                                C:\Windows\system32\vssvc.exe
                                                                                1⤵
                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                PID:3432
                                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                                                                1⤵
                                                                                  PID:3300
                                                                                • C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                  C:\Windows\system32\wbem\WmiApSrv.exe
                                                                                  1⤵
                                                                                    PID:5760

                                                                                  Network

                                                                                  MITRE ATT&CK Enterprise v15

                                                                                  Reconnaissance

                                                                                  Resource Development

                                                                                  Initial Access

                                                                                  Execution

                                                                                  Command and Scripting Interpreter

                                                                                  1
                                                                                  T1059

                                                                                  PowerShell

                                                                                  1
                                                                                  T1059.001

                                                                                  Scheduled Task/Job

                                                                                  1
                                                                                  T1053

                                                                                  Scheduled Task

                                                                                  1
                                                                                  T1053.005

                                                                                  Persistence

                                                                                  Boot or Logon Autostart Execution

                                                                                  2
                                                                                  T1547

                                                                                  Registry Run Keys / Startup Folder

                                                                                  1
                                                                                  T1547.001

                                                                                  Winlogon Helper DLL

                                                                                  1
                                                                                  T1547.004

                                                                                  Scheduled Task/Job

                                                                                  1
                                                                                  T1053

                                                                                  Scheduled Task

                                                                                  1
                                                                                  T1053.005

                                                                                  Privilege Escalation

                                                                                  Abuse Elevation Control Mechanism

                                                                                  1
                                                                                  T1548

                                                                                  Bypass User Account Control

                                                                                  1
                                                                                  T1548.002

                                                                                  Boot or Logon Autostart Execution

                                                                                  2
                                                                                  T1547

                                                                                  Registry Run Keys / Startup Folder

                                                                                  1
                                                                                  T1547.001

                                                                                  Winlogon Helper DLL

                                                                                  1
                                                                                  T1547.004

                                                                                  Scheduled Task/Job

                                                                                  1
                                                                                  T1053

                                                                                  Scheduled Task

                                                                                  1
                                                                                  T1053.005

                                                                                  Defense Evasion

                                                                                  Abuse Elevation Control Mechanism

                                                                                  1
                                                                                  T1548

                                                                                  Bypass User Account Control

                                                                                  1
                                                                                  T1548.002

                                                                                  Impair Defenses

                                                                                  1
                                                                                  T1562

                                                                                  Disable or Modify Tools

                                                                                  1
                                                                                  T1562.001

                                                                                  Modify Registry

                                                                                  4
                                                                                  T1112

                                                                                  Credential Access

                                                                                  Credentials from Password Stores

                                                                                  1
                                                                                  T1555

                                                                                  Credentials from Web Browsers

                                                                                  1
                                                                                  T1555.003

                                                                                  Unsecured Credentials

                                                                                  2
                                                                                  T1552

                                                                                  Credentials In Files

                                                                                  2
                                                                                  T1552.001

                                                                                  Discovery

                                                                                  Browser Information Discovery

                                                                                  1
                                                                                  T1217

                                                                                  Query Registry

                                                                                  5
                                                                                  T1012

                                                                                  System Information Discovery

                                                                                  5
                                                                                  T1082

                                                                                  Lateral Movement

                                                                                  Collection

                                                                                  Data from Local System

                                                                                  2
                                                                                  T1005

                                                                                  Command and Control

                                                                                  Exfiltration

                                                                                  Impact

                                                                                  Replay Monitor

                                                                                  Loading Replay Monitor...

                                                                                  Downloads

                                                                                  • C:\0154351536fc379faee1\smss.exe
                                                                                    Filesize

                                                                                    3.0MB

                                                                                    MD5

                                                                                    40ccc2b1dc17e6e7228f8fe5b2627c83

                                                                                    SHA1

                                                                                    58b34b00ed56c84e9872b1a8f6e5b79d7bf9e309

                                                                                    SHA256

                                                                                    198291f9126fe3bf09d579acd1f2b2f884820aa0665d285265583b90a6a21520

                                                                                    SHA512

                                                                                    356e065185516d2b8e8942ccc738dfd8549bdacf1f873c0d78ea50b8d353475b4be15fef8609263a6b0a7d304d2bde6f1e18378d5d7c2ff5bd3230d19ab0b605

                                                                                    Download Submit

                                                                                  • C:\Program Files (x86)\Reference Assemblies\Microsoft\sihost.exe
                                                                                    Filesize

                                                                                    3.0MB

                                                                                    MD5

                                                                                    231f156f9f4b328156bcb91a17f2a636

                                                                                    SHA1

                                                                                    4a152cf18df6e69aae5dc7188dc29cae5d58c062

                                                                                    SHA256

                                                                                    703c6e6e766b8454ab69233c17b178c5e8cf75367a99195b00f969f0896ed15f

                                                                                    SHA512

                                                                                    bbd3e640ad27a495b3c967c6d69951f061b70da3205416a547da735c003ada40e7ea64de0cf3652756f7cb07d957dfb00ee1e71d70ddddabd5a9e19546301136

                                                                                    Download Submit

                                                                                  • C:\Program Files (x86)\Windows Media Player\Media Renderer\explorer.exe
                                                                                    Filesize

                                                                                    3.0MB

                                                                                    MD5

                                                                                    fff388c8c20018581bf9a6cbbf8f58b5

                                                                                    SHA1

                                                                                    13208262a458c81ea14ef254a57e234db6332d03

                                                                                    SHA256

                                                                                    265295417b486f2051c3f10d2ca1cbae636227835c8ebbed46794dce1cdca9e3

                                                                                    SHA512

                                                                                    9181e81f60b32728a910231db5849fbb467cf2de0fbb9c808fabbc5f8d189880b64e433bced8d7b3d5c26415846d1e5180e963acace219a4c32dfecc7f58d87e

                                                                                    Download Submit

                                                                                  • C:\Program Files\Windows Media Player\es-ES\RCXB325.tmp
                                                                                    Filesize

                                                                                    3.0MB

                                                                                    MD5

                                                                                    3de5e00123842e1d167abd1fbf08ddcc

                                                                                    SHA1

                                                                                    37c7a3921b6a782fe4864605c667ff5ab64d2073

                                                                                    SHA256

                                                                                    4ad5f549b106aa81a1dc1bcd35d1569020d447898c37df3550eae9dc21c1454c

                                                                                    SHA512

                                                                                    b8f7af236b910bd1218ea7198ad0127f6324bc48d1bb5b6b6ba07b658333e4a7c08c130561b8e5cba3a146b9994375f3116de79b2c6658a08a0bbc1117c8e425

                                                                                    Download Submit

                                                                                  • C:\Program Files\chrome_Unpacker_BeginUnzipping4440_102802763\manifest.json
                                                                                    Filesize

                                                                                    160B

                                                                                    MD5

                                                                                    a24a1941bbb8d90784f5ef76712002f5

                                                                                    SHA1

                                                                                    5c2b6323c7ed8913b5d0d65a4d21062c96df24eb

                                                                                    SHA256

                                                                                    2a7fe18a087d8e8be847d9569420b6e8907917ff6ca0fa42be15d4e3653c8747

                                                                                    SHA512

                                                                                    fd7dfec3d46b2af0bddb5aaeae79467507e0c29bab814007a39ea61231e76123659f18a453ed3feb25f16652a0c63c33545e2a0d419fafea89f563fca6a07ce2

                                                                                    Download Submit

                                                                                  • C:\Program Files\chrome_Unpacker_BeginUnzipping4440_1369421381\manifest.json
                                                                                    Filesize

                                                                                    134B

                                                                                    MD5

                                                                                    58d3ca1189df439d0538a75912496bcf

                                                                                    SHA1

                                                                                    99af5b6a006a6929cc08744d1b54e3623fec2f36

                                                                                    SHA256

                                                                                    a946db31a6a985bdb64ea9f403294b479571ca3c22215742bdc26ea1cf123437

                                                                                    SHA512

                                                                                    afd7f140e89472d4827156ec1c48da488b0d06daaa737351c7bec6bc12edfc4443460c4ac169287350934ca66fb2f883347ed8084c62caf9f883a736243194a2

                                                                                    Download Submit

                                                                                  • C:\Program Files\chrome_Unpacker_BeginUnzipping4440_1768757503\manifest.json
                                                                                    Filesize

                                                                                    160B

                                                                                    MD5

                                                                                    c3911ceb35539db42e5654bdd60ac956

                                                                                    SHA1

                                                                                    71be0751e5fc583b119730dbceb2c723f2389f6c

                                                                                    SHA256

                                                                                    31952875f8bb2e71f49231c95349945ffc0c1dd975f06309a0d138f002cfd23d

                                                                                    SHA512

                                                                                    d8b2c7c5b7105a6f0c4bc9c79c05b1202bc8deb90e60a037fec59429c04fc688a745ee1a0d06a8311466b4d14e2921dfb4476104432178c01df1e99deb48b331

                                                                                    Download Submit

                                                                                  • C:\Program Files\chrome_Unpacker_BeginUnzipping4440_207141104\manifest.json
                                                                                    Filesize

                                                                                    43B

                                                                                    MD5

                                                                                    af3a9104ca46f35bb5f6123d89c25966

                                                                                    SHA1

                                                                                    1ffb1b0aa9f44bdbc57bdf4b98d26d3be0207ee8

                                                                                    SHA256

                                                                                    81bd82ac27612a58be30a72dd8956b13f883e32ffb54a58076bd6a42b8afaeea

                                                                                    SHA512

                                                                                    6a7a543fa2d1ead3574b4897d2fc714bb218c60a04a70a7e92ecfd2ea59d67028f91b6a2094313f606560087336c619093f1d38d66a3c63a1d1d235ca03d36d1

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                    Filesize

                                                                                    2KB

                                                                                    MD5

                                                                                    d85ba6ff808d9e5444a4b369f5bc2730

                                                                                    SHA1

                                                                                    31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                    SHA256

                                                                                    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                    SHA512

                                                                                    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\665166f3-da70-42f8-b2a4-6e5891083351.tmp
                                                                                    Filesize

                                                                                    34KB

                                                                                    MD5

                                                                                    25ac2e378536d5a6f98d70a19f4e9f69

                                                                                    SHA1

                                                                                    5b26883fca8c977795b661b1349cf6f5ed49e7b1

                                                                                    SHA256

                                                                                    961e4aeb20dd37f51b28db58709843aed162d5a84b855d35363893971d4019f8

                                                                                    SHA512

                                                                                    77d1536d8fc155f9c5955fad55c4ff087b5ffa0485715be6ed13b2e60fa8bc1269d8b38b9e9c82d148d60ce54ef3622420c653d6704102eb609c0522eb5e2af9

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.8\protocols.json
                                                                                    Filesize

                                                                                    3KB

                                                                                    MD5

                                                                                    6bbb18bb210b0af189f5d76a65f7ad80

                                                                                    SHA1

                                                                                    87b804075e78af64293611a637504273fadfe718

                                                                                    SHA256

                                                                                    01594d510a1bbc016897ec89402553eca423dfdc8b82bafbc5653bf0c976f57c

                                                                                    SHA512

                                                                                    4788edcfa3911c3bb2be8fc447166c330e8ac389f74e8c44e13238ead2fa45c8538aee325bd0d1cc40d91ad47dea1aa94a92148a62983144fdecff2130ee120d

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                    Filesize

                                                                                    280B

                                                                                    MD5

                                                                                    fed4ab68611c6ce720965bcb5dfbf546

                                                                                    SHA1

                                                                                    af33fc71721625645993be6fcba5c5852e210864

                                                                                    SHA256

                                                                                    c41acdf5d0a01d5e9720ef9f6d503099950791b6f975ba698ccd013c4defa8c4

                                                                                    SHA512

                                                                                    f9ab23b3b4052f7fda6c9a3e8cd68056f21da5d0fcf28061331900cac6f31ef081705804d9a9d4103ee7d9c9bdb6aa4237987b7e821d2d96cd52da24219e55ee

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                    Filesize

                                                                                    280B

                                                                                    MD5

                                                                                    4013ebc7b496bf70ecf9f6824832d4ae

                                                                                    SHA1

                                                                                    cfdcdac5d8c939976c11525cf5e79c6a491c272a

                                                                                    SHA256

                                                                                    fb1a67bdc2761f1f9e72bbc41b6fc0bf89c068205ffd0689e4f7e2c34264b22a

                                                                                    SHA512

                                                                                    96822252f121fb358aa43d490bb5f5ce3a81c65c8de773c170f1d0e91da1e6beb83cb1fb9d4d656230344cd31c3dca51a6c421fda8e55598c364092232e0ad22

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\777fd329-f693-4e01-83b7-138137282acb.tmp
                                                                                    Filesize

                                                                                    36KB

                                                                                    MD5

                                                                                    602a679477295d59ead7f05992cac90f

                                                                                    SHA1

                                                                                    8351305619f14ecca55b51fdc1ef3b318407aea8

                                                                                    SHA256

                                                                                    f5278e3ef7e319acecfa052d585d9e9f504b4b4d62d519a0daa13be1c8a3757a

                                                                                    SHA512

                                                                                    8550792860ef1b6b377939685c227aeeae48ad9c4687847185d548176d5dcc0d99f8d9a2d0608c4b9f09207c2656e8474a46ec1c06056a897685169ace596216

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                    Filesize

                                                                                    3KB

                                                                                    MD5

                                                                                    125b9629223b90b506d26a715c92fcd6

                                                                                    SHA1

                                                                                    96365042b299738a100f0d6e5900733c54fce077

                                                                                    SHA256

                                                                                    746412275a07459c11fd10decc64aa1420155c8caee0dc82866df63c577a1c91

                                                                                    SHA512

                                                                                    f7d30365ad788da386550d695500fac823b17fdb727dfaab8cb0febf9fd65a25bf3e63ef445a3fbf76f0a875cc8703a4e1dd6c1b69888facba93092255f4d529

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe583bfa.TMP
                                                                                    Filesize

                                                                                    3KB

                                                                                    MD5

                                                                                    a71078ab36b55c1a1e11ed07c4bce98e

                                                                                    SHA1

                                                                                    41c6e4349cd190a87a6f6513c8a5310ea47f8f11

                                                                                    SHA256

                                                                                    3d7b175f2d8d547955471903f0772726186d32dad586183222abcbbedb395944

                                                                                    SHA512

                                                                                    aa53f6fdb03786a8fbd0221242f64df7691dc0151348d1b36a65c8e0cb673d16e6dd4cb0b1c2fd3032314aa71ac3a47e1bcd253d6c9945db618e9308d34fe93b

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json
                                                                                    Filesize

                                                                                    2B

                                                                                    MD5

                                                                                    99914b932bd37a50b983c5e7c90ae93b

                                                                                    SHA1

                                                                                    bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                                                                    SHA256

                                                                                    44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                                                                    SHA512

                                                                                    27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
                                                                                    Filesize

                                                                                    69KB

                                                                                    MD5

                                                                                    164a788f50529fc93a6077e50675c617

                                                                                    SHA1

                                                                                    c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

                                                                                    SHA256

                                                                                    b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

                                                                                    SHA512

                                                                                    ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js
                                                                                    Filesize

                                                                                    9KB

                                                                                    MD5

                                                                                    3d20584f7f6c8eac79e17cca4207fb79

                                                                                    SHA1

                                                                                    3c16dcc27ae52431c8cdd92fbaab0341524d3092

                                                                                    SHA256

                                                                                    0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

                                                                                    SHA512

                                                                                    315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps
                                                                                    Filesize

                                                                                    107KB

                                                                                    MD5

                                                                                    40e2018187b61af5be8caf035fb72882

                                                                                    SHA1

                                                                                    72a0b7bcb454b6b727bf90da35879b3e9a70621e

                                                                                    SHA256

                                                                                    b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

                                                                                    SHA512

                                                                                    a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
                                                                                    Filesize

                                                                                    111B

                                                                                    MD5

                                                                                    285252a2f6327d41eab203dc2f402c67

                                                                                    SHA1

                                                                                    acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                    SHA256

                                                                                    5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                    SHA512

                                                                                    11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State
                                                                                    Filesize

                                                                                    1KB

                                                                                    MD5

                                                                                    db27e560f0043b1e9504fbc7451332c9

                                                                                    SHA1

                                                                                    58bb47b34d97a8bbf873ef83c8c8525ab95b3a4c

                                                                                    SHA256

                                                                                    6a73b24aa610a2be07dbfc988caa995020f8b03f8f2f82cdbf2649ce976ccfb8

                                                                                    SHA512

                                                                                    c17d14d5d85fdbd19a2a8e2fd26ff7f2f42590af3960c65b01820769518ac2e0a71addcbe7304d754091eeff45437ecc92ad55fd7bebc6f9a3cb6e6fc28bbe7b

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports
                                                                                    Filesize

                                                                                    2B

                                                                                    MD5

                                                                                    d751713988987e9331980363e24189ce

                                                                                    SHA1

                                                                                    97d170e1550eee4afc0af065b78cda302a97674c

                                                                                    SHA256

                                                                                    4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                                                                    SHA512

                                                                                    b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                    Filesize

                                                                                    13KB

                                                                                    MD5

                                                                                    0b254e0655a6e0aa1587f7d2dd32d5f0

                                                                                    SHA1

                                                                                    1d437d75eb07936c6c5443c29e6e857c43e5bec6

                                                                                    SHA256

                                                                                    b036cf317a66e654640b3a8f7bac500fd12be6773bab92f88dc04ba6b03b3488

                                                                                    SHA512

                                                                                    dbe5993a819d47997647c05e84d2de88f7b9df170fbac1bcedf8cd84dc0adba53e38b51ad77b2838f6a0267ffbd06899873aeb15e36818406cef9f3360245344

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log
                                                                                    Filesize

                                                                                    4KB

                                                                                    MD5

                                                                                    4dd187d461b2992f30c0074359e9ae81

                                                                                    SHA1

                                                                                    8b4aef9de25d49680839ce5c2fa35556028adc83

                                                                                    SHA256

                                                                                    0e0f977787c70ede71f7577e60cbbd7b118c44407b0262103db31a780521c40b

                                                                                    SHA512

                                                                                    d324ec95cc7945ac2cdae0e77818e4bf05cefb6c4fb6c910a2c7329e785ee5899f2e693cbf2970ba21b695d4b0f2e25625430a09b9e725f72b25ee75200338e4

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
                                                                                    Filesize

                                                                                    872B

                                                                                    MD5

                                                                                    5129d83295371687842d346111a8561c

                                                                                    SHA1

                                                                                    310664916b5ccf43e4a1760a3b361b8855538507

                                                                                    SHA256

                                                                                    30fa1af6bd8a7d532c13806898265a566255244781dd71118c80bed37285d860

                                                                                    SHA512

                                                                                    645fb801a9a552a58b2018a24af11915d3e02d1e764cd7c10ed303875caf57fdf136507a25824255f44b042d02c64a31df6143f1ba73cd22c53eab50dc52858d

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog
                                                                                    Filesize

                                                                                    22KB

                                                                                    MD5

                                                                                    9279abd17448f1119c4262497afbfb46

                                                                                    SHA1

                                                                                    d4208c0fe243307999fc338d98eeb60d835ac34b

                                                                                    SHA256

                                                                                    27fbf5faba28b24b442b94c9dce11a78e93471228d09e2622cac999c2bf91b30

                                                                                    SHA512

                                                                                    bb6a0b10da6866d9465ca4d28460a8bfa9166ba6309fbfad669c4416a2ca848b1c33ae10520509a50a7d66be2a8f7ef43a11cf2c9f8336686d777559f234180c

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog~RFe58efe9.TMP
                                                                                    Filesize

                                                                                    465B

                                                                                    MD5

                                                                                    e3b428e362e92743d2edcb191f53c9f4

                                                                                    SHA1

                                                                                    b3f8a97c5e3151f0f9eb07dbe30d15da0deecf22

                                                                                    SHA256

                                                                                    d26058bbc55447f156463c7c6d6519dde18cd5435caab75505518639bb28f8b7

                                                                                    SHA512

                                                                                    b3cd446b3309c32c9f9d566cde7cfc9055fde717e79809f1c7eb93a7dc01b168e74d6aee2c4ef538b55011b7333fb16e8243fce66c99c8c2c3a01d6bf2de638f

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\c4c567eb-6ac5-447e-a454-cab25d622e45.tmp
                                                                                    Filesize

                                                                                    21KB

                                                                                    MD5

                                                                                    e4dfd0504387a1ebcc4a48846e44a23e

                                                                                    SHA1

                                                                                    a5a91da421e3d8728ae857694dbeb24ea72b7866

                                                                                    SHA256

                                                                                    d3c39babd9652bcdb02ae17f895437ed85f617cb04f7ba4bbaf7ad7e8ab78cb6

                                                                                    SHA512

                                                                                    94a1d4ab7b18763b55c9246d73feb0ed64a7e506572884a2940696b12910d6ff2a03a0b1aca3e4035a81548633acd437e762e758952ba72dafc97f191e46d419

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Data Protection Lists\2.0.0.0\office_endpoints_list.json
                                                                                    Filesize

                                                                                    3KB

                                                                                    MD5

                                                                                    94406cdd51b55c0f006cfea05745effb

                                                                                    SHA1

                                                                                    a15dc50ca0fd54d6f54fbc6e0788f6dcfc876cc9

                                                                                    SHA256

                                                                                    8480f3d58faa017896ba8239f3395e3551325d7a6466497a9a69bf182647b25e

                                                                                    SHA512

                                                                                    d4e621f57454fea7049cffc9cc3adfb0d8016360912e6a580f6fe16677e7dd7aa2ee0671cb3c5092a9435708a817f497c3b2cc7aba237d32dbdaae82f10591c3

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                    Filesize

                                                                                    7KB

                                                                                    MD5

                                                                                    c0689a59cc31e5ae72d2e06898dc79c5

                                                                                    SHA1

                                                                                    5a785cd228628a91f7ebdd44aee6dabf547aeef1

                                                                                    SHA256

                                                                                    4c55e7ab46a634e5e7253e78e1b5f243933c2d3f6662af550af348d957f940db

                                                                                    SHA512

                                                                                    3f69841f716c124229ea013d12bc1bb64f590e762cdd872d8ad87c784c9640fc77d83cc0337d7c5e9c029f9f40c20ec6ae8376647fe0b8fe038cda1a46e743de

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                    Filesize

                                                                                    6KB

                                                                                    MD5

                                                                                    bd233e47fcaf74cb1de56621c105a4f3

                                                                                    SHA1

                                                                                    bdce6c2e989028f4e5f72cab3d8aa9f2a825de7a

                                                                                    SHA256

                                                                                    c36b68d1d6a6b401a7c1b6c4478aa13af7ac3d111a3528f9b86c652b102d4f2b

                                                                                    SHA512

                                                                                    7aaac60ecf7bb1e051d703c22641da3f745550d8355eb45a7791b255fa0e7b15e21ebabe172349a0af93b1b7f1ed6ab8ab3da7c67bd793eb1401d9066773ace4

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                    Filesize

                                                                                    30KB

                                                                                    MD5

                                                                                    1c3f848205635f2a680e6f711f1c1542

                                                                                    SHA1

                                                                                    7f93cf5d0f2334390ed8c37f58b1fb87e977b4a8

                                                                                    SHA256

                                                                                    003751c21bf783684c2f7017e252dac891912f11e10e6680540304d94289c4cb

                                                                                    SHA512

                                                                                    74bee67cf63d2e994d7fb0e34fe4dc9b216a7a5c4db561a5f31c6ab915afe1a7e198d08f38f1ebcd7b90bf53bf4129cf3fec008b478470ddcd1cea06416e2c77

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\WorkspacesNavigationComponent\1.0.0.5\nav_config.json
                                                                                    Filesize

                                                                                    2KB

                                                                                    MD5

                                                                                    499d9e568b96e759959dc69635470211

                                                                                    SHA1

                                                                                    2462a315342e0c09fd6c5fbd7f1e7ff6914c17e6

                                                                                    SHA256

                                                                                    98252dc9f9e81167e893f2c32f08ee60e9a6c43fadb454400ed3bff3a68fbf0d

                                                                                    SHA512

                                                                                    3a5922697b5356fd29ccf8dcc2e5e0e8c1fd955046a5bacf11b8ac5b7c147625d31ade6ff17be86e79c2c613104b2d2aebb11557399084d422e304f287d8b905

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres
                                                                                    Filesize

                                                                                    2KB

                                                                                    MD5

                                                                                    71d146861eb8aadc91fc351fbc1a5352

                                                                                    SHA1

                                                                                    de03101c9816af881f8dd1a1adb0643eea100390

                                                                                    SHA256

                                                                                    034340c9b88cfe64dbb9aea4206f132e3c836ead610a754861f55b0a7f0d41fe

                                                                                    SHA512

                                                                                    ea215eddfdda7699c1d9ee145618dab31659ab1bda6557fc5da92cdf97a78a18b032b745c09e80e7705a609cee46acd77e41d8c6bfb57159aaee1fc5cd50e3c1

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    eacd6f21bd79c66ba1cac51b32c2b6ee

                                                                                    SHA1

                                                                                    bb7cb9c7f52a7684be8d6f542ff0ac82efe7ca90

                                                                                    SHA256

                                                                                    cbcee0ee9ea9cc8a4890866756ce5156648ea08b753b7e63862115976a33a08d

                                                                                    SHA512

                                                                                    2de49f28a9c78cce7b963e347048202595359958816a1f9b54cc6b1dde93b92f8bfa6e9c234712f624cc8d34b5178e69206e7c3758497f7530708cf4729f5c97

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    c28c89b905a6babc25b3137b8561fa1b

                                                                                    SHA1

                                                                                    c1c98e515e028ed34c4137a9474e0b13feb72bcc

                                                                                    SHA256

                                                                                    699a3f7a6c6f48c5cc2d8f62331db88e8d03aa0ee1e740ed2ebf4b9a83678848

                                                                                    SHA512

                                                                                    b531e5b1391324e4671789833f77b663448a25fd29284e1987a78a8976959cc8ebfd2fbf075caf02cb750a6dad2ab6da26a2d81f2e837369772f0182ba550ecb

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    fca4b7e7b015afa14b14096953385809

                                                                                    SHA1

                                                                                    c4bb12c79cc281956c6241fed6f5f52e2bcbd580

                                                                                    SHA256

                                                                                    9bfd435d2956557a1819ffc9614c3d6d2ab87c84ce84cd872ac0088abec4e600

                                                                                    SHA512

                                                                                    13461500116c25f37f10e1ff415e48bda8655825c22fb821e2b248b87a162be796e1c405b4616b1bd3e78565c1d773ece3775e1b6dee9ada211f5f1afc6239fc

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    9ea4fdbf8bad883929456091a1e50194

                                                                                    SHA1

                                                                                    fc3b6026729ad36729c2cc4349b8e7a94255ad71

                                                                                    SHA256

                                                                                    ca2f5b4e41b386c2f09fb10d2cf78cd395b614ea6c7c11ec155b415550262e2e

                                                                                    SHA512

                                                                                    27bdd15bf73b9fe22005834e083c1e05919532a4f3eb4c4c41727f8175f35ab2119625ee7d8cc0ab86e00631393c8c839f05dcd3cdcd6644b83de41649472211

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    5e4343881dc5fcb6305d29ef34a5ce28

                                                                                    SHA1

                                                                                    823b588ad6905d682cc3b7ac7bf7184d71da3d45

                                                                                    SHA256

                                                                                    27e82cc6e13b0db3a8b74798dffe21837cd4ef1f519519227bbd41ef05f428ac

                                                                                    SHA512

                                                                                    7a8c265e8dc6b4ad85132c4182270322023b4d59c97b466b5cce24402426c32fe14500343938c069cb17f985c73ef00f06187669d5b0c2050839a4cf6eb91762

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                    Filesize

                                                                                    944B

                                                                                    MD5

                                                                                    c2e67766ebbf9a065d2d6698d1e76a22

                                                                                    SHA1

                                                                                    880bd6eb37a65027fd6b100beb69326469e62786

                                                                                    SHA256

                                                                                    2123e4031ccd3bb8f144c209b0d0b1fc37623a472caa18fa31b6ccf787001120

                                                                                    SHA512

                                                                                    d39497ddd1abb45733a35e4fa7a9958cc736addbd37e18820cc3149b704814e9db4d8146e6737fcb2e3c93c0e945d567d0995c7657e982c574886b29dfdd8a73

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\4e8ff018-609d-46e7-8c26-f4d708fbbd9b.vbs
                                                                                    Filesize

                                                                                    714B

                                                                                    MD5

                                                                                    604fff46d6b59fe0cb9570c6d762921c

                                                                                    SHA1

                                                                                    cce6e036a76661d486d22ef381daf43a8905f405

                                                                                    SHA256

                                                                                    77952f1ad882939e499df117e8f5fc46242069de9a7ee6b57792f3d7a92d0eae

                                                                                    SHA512

                                                                                    f61dd08cfee9af44a7f07e5db0f2e8d36db20b95cd2b9a7d5982a44b579eddd08913af14c51aaad393659cd038191a45ee71bbe37a6ba6c3be05fa404effeefd

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\5500faee-bdd4-44e5-bd85-fe38ad3059cd.tmp
                                                                                    Filesize

                                                                                    10KB

                                                                                    MD5

                                                                                    78e47dda17341bed7be45dccfd89ac87

                                                                                    SHA1

                                                                                    1afde30e46997452d11e4a2adbbf35cce7a1404f

                                                                                    SHA256

                                                                                    67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

                                                                                    SHA512

                                                                                    9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\94b8bf3b-8985-4cfa-94df-14b7837345fa.vbs
                                                                                    Filesize

                                                                                    491B

                                                                                    MD5

                                                                                    adeed78fdcef8b1f3d092c98ff2c1d32

                                                                                    SHA1

                                                                                    e53ce909561a57ad24e1fd3b0cf356986f4c5f30

                                                                                    SHA256

                                                                                    476f200c9754db584cd5d70917f3d9869988b485f86f97223816c8a5f47f01a3

                                                                                    SHA512

                                                                                    68fce76dc7ff97cc1913c96772162de90bb227b4e7b8ad75596a0eed7db3970c5c8be039c6d27906f30aab1ae7cc29e56f44427400c352b07d7d345f8f979213

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0pku5ra.kla.ps1
                                                                                    Filesize

                                                                                    60B

                                                                                    MD5

                                                                                    d17fe0a3f47be24a6453e9ef58c94641

                                                                                    SHA1

                                                                                    6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                    SHA256

                                                                                    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                    SHA512

                                                                                    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\c68b2b0c-861b-4d1c-b0be-c2ea28e75e00.tmp
                                                                                    Filesize

                                                                                    1B

                                                                                    MD5

                                                                                    5058f1af8388633f609cadb75a75dc9d

                                                                                    SHA1

                                                                                    3a52ce780950d4d969792a2559cd519d7ee8c727

                                                                                    SHA256

                                                                                    cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

                                                                                    SHA512

                                                                                    0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

                                                                                    Download Submit

                                                                                  • C:\Users\Admin\AppData\Local\Temp\scoped_dir4440_1533000079\d0d0e3f7-67ca-4f99-a7db-0ecbc2f3ee5d.tmp
                                                                                    Filesize

                                                                                    152KB

                                                                                    MD5

                                                                                    dd9bf8448d3ddcfd067967f01e8bf6d7

                                                                                    SHA1

                                                                                    d7829475b2bd6a3baa8fabfaf39af57c6439b35e

                                                                                    SHA256

                                                                                    fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

                                                                                    SHA512

                                                                                    65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

                                                                                    Download Submit

                                                                                  • memory/432-338-0x000000001B0A0000-0x000000001B0F6000-memory.dmp

                                                                                    Filesize

                                                                                    344KB

                                                                                    Download

                                                                                  • memory/3300-20-0x000000001AEF0000-0x000000001AEFC000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-19-0x000000001BCA0000-0x000000001C1C8000-memory.dmp

                                                                                    Filesize

                                                                                    5.2MB

                                                                                    Download

                                                                                  • memory/3300-335-0x00007FFF45050000-0x00007FFF45B11000-memory.dmp

                                                                                    Filesize

                                                                                    10.8MB

                                                                                    Download

                                                                                  • memory/3300-1-0x00000000000B0000-0x00000000003BE000-memory.dmp

                                                                                    Filesize

                                                                                    3.1MB

                                                                                    Download

                                                                                  • memory/3300-176-0x00007FFF45053000-0x00007FFF45055000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                    Download

                                                                                  • memory/3300-33-0x000000001BA20000-0x000000001BA2C000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-25-0x000000001B9A0000-0x000000001B9A8000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-31-0x000000001BA00000-0x000000001BA08000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-32-0x000000001BA10000-0x000000001BA1A000-memory.dmp

                                                                                    Filesize

                                                                                    40KB

                                                                                    Download

                                                                                  • memory/3300-27-0x000000001B9C0000-0x000000001B9CE000-memory.dmp

                                                                                    Filesize

                                                                                    56KB

                                                                                    Download

                                                                                  • memory/3300-29-0x000000001B9E0000-0x000000001B9E8000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-30-0x000000001B9F0000-0x000000001B9FC000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-28-0x000000001B9D0000-0x000000001B9D8000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-26-0x000000001B9B0000-0x000000001B9BA000-memory.dmp

                                                                                    Filesize

                                                                                    40KB

                                                                                    Download

                                                                                  • memory/3300-22-0x000000001B770000-0x000000001B778000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-24-0x000000001B790000-0x000000001B79C000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-23-0x000000001B780000-0x000000001B78C000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-0-0x00007FFF45053000-0x00007FFF45055000-memory.dmp

                                                                                    Filesize

                                                                                    8KB

                                                                                    Download

                                                                                  • memory/3300-21-0x000000001AF00000-0x000000001AF0C000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-337-0x00007FFF45050000-0x00007FFF45B11000-memory.dmp

                                                                                    Filesize

                                                                                    10.8MB

                                                                                    Download

                                                                                  • memory/3300-18-0x000000001B760000-0x000000001B772000-memory.dmp

                                                                                    Filesize

                                                                                    72KB

                                                                                    Download

                                                                                  • memory/3300-17-0x000000001B750000-0x000000001B758000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-16-0x000000001B740000-0x000000001B74C000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-15-0x000000001B730000-0x000000001B738000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-14-0x000000001B720000-0x000000001B72C000-memory.dmp

                                                                                    Filesize

                                                                                    48KB

                                                                                    Download

                                                                                  • memory/3300-13-0x000000001B6D0000-0x000000001B726000-memory.dmp

                                                                                    Filesize

                                                                                    344KB

                                                                                    Download

                                                                                  • memory/3300-12-0x000000001AFB0000-0x000000001AFBA000-memory.dmp

                                                                                    Filesize

                                                                                    40KB

                                                                                    Download

                                                                                  • memory/3300-8-0x000000001AF10000-0x000000001AF26000-memory.dmp

                                                                                    Filesize

                                                                                    88KB

                                                                                    Download

                                                                                  • memory/3300-9-0x000000001AF30000-0x000000001AF38000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-11-0x000000001AF50000-0x000000001AF60000-memory.dmp

                                                                                    Filesize

                                                                                    64KB

                                                                                    Download

                                                                                  • memory/3300-10-0x000000001AF40000-0x000000001AF48000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-6-0x00000000024B0000-0x00000000024B8000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-7-0x00000000024D0000-0x00000000024E0000-memory.dmp

                                                                                    Filesize

                                                                                    64KB

                                                                                    Download

                                                                                  • memory/3300-5-0x000000001AF60000-0x000000001AFB0000-memory.dmp

                                                                                    Filesize

                                                                                    320KB

                                                                                    Download

                                                                                  • memory/3300-4-0x0000000002490000-0x00000000024AC000-memory.dmp

                                                                                    Filesize

                                                                                    112KB

                                                                                    Download

                                                                                  • memory/3300-3-0x0000000000B80000-0x0000000000B88000-memory.dmp

                                                                                    Filesize

                                                                                    32KB

                                                                                    Download

                                                                                  • memory/3300-2-0x00007FFF45050000-0x00007FFF45B11000-memory.dmp

                                                                                    Filesize

                                                                                    10.8MB

                                                                                    Download

                                                                                  • memory/3876-234-0x000002984F050000-0x000002984F072000-memory.dmp

                                                                                    Filesize

                                                                                    136KB

                                                                                    Download