Analysis

  • max time kernel
    27s
  • max time network
    30s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 01:50

Errors

Reason
Machine shutdown

General

  • Target

    https://github.com/Zusyaku/Malware-Collection-Part-2

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 3 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Blocks application from running via registry modification 3 IoCs

    Adds application to list of disallowed applications.

  • Disables RegEdit via registry modification 2 IoCs
  • Disables Task Manager via registry modification
  • Disables use of System Restore points 1 TTPs
  • Downloads MZ/PE file 1 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 12 IoCs
  • Executes dropped EXE 1 IoCs
  • Modifies system executable filetype association 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs
  • Modifies WinLogon 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Control Panel 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 17 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 13 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Zusyaku/Malware-Collection-Part-2
    1⤵
    • Drops file in Program Files directory
    • Checks processor information in registry
    • Enumerates system info in registry
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffac977f208,0x7ffac977f214,0x7ffac977f220
      2⤵
        PID:4320
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1832,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=2632 /prefetch:3
        2⤵
        • Downloads MZ/PE file
        PID:1772
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2184,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=2640 /prefetch:8
        2⤵
          PID:5052
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2604,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=2600 /prefetch:2
          2⤵
            PID:4400
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3480,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:1
            2⤵
              PID:4676
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3496,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
              2⤵
                PID:4664
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5200,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
                2⤵
                  PID:2892
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5208,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:8
                  2⤵
                    PID:5200
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5580,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8
                    2⤵
                      PID:4412
                    • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5628,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
                      2⤵
                        PID:1988
                      • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5628,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6052 /prefetch:8
                        2⤵
                          PID:4872
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5108,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:8
                          2⤵
                            PID:216
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5136,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=5072 /prefetch:8
                            2⤵
                              PID:2980
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3448,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6248 /prefetch:8
                              2⤵
                                PID:2752
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=5728,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:1
                                2⤵
                                  PID:5100
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6732,i,17444921794816992252,13729094362427816794,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:8
                                  2⤵
                                    PID:5084
                                  • C:\Users\Admin\Downloads\666.exe
                                    "C:\Users\Admin\Downloads\666.exe"
                                    2⤵
                                    • Modifies WinLogon for persistence
                                    • UAC bypass
                                    • Blocks application from running via registry modification
                                    • Disables RegEdit via registry modification
                                    • Event Triggered Execution: Image File Execution Options Injection
                                    • Executes dropped EXE
                                    • Modifies system executable filetype association
                                    • Checks whether UAC is enabled
                                    • Modifies WinLogon
                                    • Sets desktop wallpaper using registry
                                    • Drops file in Windows directory
                                    • System Location Discovery: System Language Discovery
                                    • Modifies Control Panel
                                    • Modifies registry class
                                    • Suspicious behavior: EnumeratesProcesses
                                    • Suspicious use of AdjustPrivilegeToken
                                    • Suspicious use of SetWindowsHookEx
                                    • System policy modification
                                    PID:5892
                                • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                                  1⤵
                                    PID:4644
                                  • C:\Windows\system32\cmd.exe
                                    C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                    1⤵
                                      PID:5952
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
                                        2⤵
                                          PID:5356
                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                        1⤵
                                        • Modifies registry class
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2984
                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                        1⤵
                                        • Modifies Internet Explorer settings
                                        • Modifies registry class
                                        • Suspicious use of SetWindowsHookEx
                                        PID:4436
                                      • C:\Windows\system32\LogonUI.exe
                                        "LogonUI.exe" /flags:0x4 /state0:0xa397c855 /state1:0x41c64e6d
                                        1⤵
                                        • Modifies data under HKEY_USERS
                                        • Suspicious use of SetWindowsHookEx
                                        PID:736

                                      Network

                                      MITRE ATT&CK Enterprise v15

                                      Replay Monitor

                                      Loading Replay Monitor...

                                      Downloads

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                        Filesize

                                        280B

                                        MD5

                                        df2d1721cd4e4eff7049314710dc7c11

                                        SHA1

                                        f5aed0158b2c0a00302f743841188881d811637a

                                        SHA256

                                        ba336ffd1b01965d7ab0e5fac5415e43cb594139c76b19e4c0d9b5b3b67c1e93

                                        SHA512

                                        11fd520176193f284563c7d050e6a7ab4e9895bac49fdc05759bab2c8a69f224858ccc784b351fc1d3ee5d39345430f9234623c9390978d7daf6a08ff5576ef4

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

                                        Filesize

                                        2B

                                        MD5

                                        99914b932bd37a50b983c5e7c90ae93b

                                        SHA1

                                        bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

                                        SHA256

                                        44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

                                        SHA512

                                        27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

                                        Filesize

                                        107KB

                                        MD5

                                        2b66d93c82a06797cdfd9df96a09e74a

                                        SHA1

                                        5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

                                        SHA256

                                        d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

                                        SHA512

                                        95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

                                        Filesize

                                        2B

                                        MD5

                                        d751713988987e9331980363e24189ce

                                        SHA1

                                        97d170e1550eee4afc0af065b78cda302a97674c

                                        SHA256

                                        4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                                        SHA512

                                        b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

                                        Filesize

                                        40B

                                        MD5

                                        20d4b8fa017a12a108c87f540836e250

                                        SHA1

                                        1ac617fac131262b6d3ce1f52f5907e31d5f6f00

                                        SHA256

                                        6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

                                        SHA512

                                        507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                        Filesize

                                        16KB

                                        MD5

                                        5c83e107d31aa5cb971356cfd32b931e

                                        SHA1

                                        dbd69ae500064da7068693f9d63fb87ccbba0fe2

                                        SHA256

                                        5c0138218ff3e1b2c4bfe7cbb5e53781dd744ae99d5755f7db818c0619e498d3

                                        SHA512

                                        f79640e09c54ddd9a34f15b5d83d260c28391b77995a4ae5e3f6640ca8840ffe6e37830b9a7cd64fc60ebfa14dd09c50de29419508dddef859c442000b6231a9

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                                        Filesize

                                        36KB

                                        MD5

                                        d673ddf81b82ad3bfdd207f046cccb6a

                                        SHA1

                                        eb20483237fb10caa785090dac086e19d1430925

                                        SHA256

                                        3e744697dd06351c93d7e96197234822b6e17a216199359edcfa9299f3b51242

                                        SHA512

                                        fa0b8fa734c033ab9800dd708e6c9dab681338f8c0fb736cc348b2111700e68f960f0c4425651c7b711bf8a3bb47adbd5496ff90fc7b4c0975ee41f1440883d2

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

                                        Filesize

                                        21KB

                                        MD5

                                        ec136f9a5175bf1eb52d396d73460233

                                        SHA1

                                        b97e0b16facab3b17d6db7cae9628df1b74bf176

                                        SHA256

                                        81688aa8ca09253d2007f2a078bba68b98d3ceaee49d41e97ef910b471b96df2

                                        SHA512

                                        1a07cc9f7cfdcbc619443067e73365d13e9db9d82a8808f2356a82cb0ff3c252504402321a57edd1546c66a9ded32f563c14ebc69ac397557215f62394741898

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        40KB

                                        MD5

                                        3751368ac66ab9f9d890f0a2ee64c436

                                        SHA1

                                        fb1ec5f4959d07be0eb68b817e5e69d6e0e8deed

                                        SHA256

                                        b5c504535097e9354c12e3999722b9d8b591a3f1dc38b07c1dee54f239be0076

                                        SHA512

                                        acdf6b8ab0c9f85592101ad9bbf17e91da8670ac2c52cf6abc7b1db9029f8921ba23df2a61879503731a29d71fb1eacf841da9af2563c9da2a448121145e5588

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        40KB

                                        MD5

                                        a9beb6977a18f364f29caae4776bec12

                                        SHA1

                                        1a67c54333078b07041f5bea778c70568a76284a

                                        SHA256

                                        367c56b2c6644109736e966f7d24641e596b96be6b48db4ba9a2cf698d2ecd00

                                        SHA512

                                        d10a57cc65bcd78a81ac7a3325e8e5674bfdeaae88adf665f570ad3d9c7d71a917c32ac369ac9734be6cf3c905b27f4408bbdb8c7979c45fa3f1424daef9c2d5

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                        Filesize

                                        49KB

                                        MD5

                                        8d536ba5dae7d8819039906231fd701c

                                        SHA1

                                        ca2e277a608dfb5db4cf885c7bc9a098c5f71eca

                                        SHA256

                                        e7dfa0f015f4cbb729103f28b58f5c9b1c5f0548b390f730456e62e447d8fe11

                                        SHA512

                                        8d35ecfbf1ea2b55f644e990b2b9ac13f3d86745d025d667287f7a63f99f899a72896909c72841cf6be9497d38a933b6cb19a6c8a65f07f27b3d27820d34b845

                                      • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

                                        Filesize

                                        152KB

                                        MD5

                                        dd9bf8448d3ddcfd067967f01e8bf6d7

                                        SHA1

                                        d7829475b2bd6a3baa8fabfaf39af57c6439b35e

                                        SHA256

                                        fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

                                        SHA512

                                        65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

                                      • C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

                                        Filesize

                                        2KB

                                        MD5

                                        892d44f4bc2ac71aa95a431846ba0b9e

                                        SHA1

                                        dadc9a7f3e19addfdf7b8725d3144ca0335d109e

                                        SHA256

                                        8eb9ea94df80ced7fe3de33be62d6e66078edf380a805890c1ce0feefc6364b5

                                        SHA512

                                        36cf55409ed8fc6e9b10c8cf58ceb248867306ae8ca8fd3ff03e020f36f10912773a7c6f5caac0b91c24aeb4710ee8e53efc6bd0811ec79647df2e4ce3a74ad2

                                      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133882050755172422.txt

                                        Filesize

                                        85KB

                                        MD5

                                        b6cc1b03395e59dfb431bf8590770495

                                        SHA1

                                        23ccc50ed8cfe65a61ea20fb1571232175a673c2

                                        SHA256

                                        645a99b8dbb436cf436819b794c4855319e33812e8aed0110dd303be4d718023

                                        SHA512

                                        108a191f20e2a5d67d5f6f0b1a3d995dc4d0c6e135ab7fae67fb5477fa2d23ec31680c849f9e1f26177a27d5c1708ad6ad403395cf2b9765ce20089726880fac

                                      • C:\Users\Admin\Downloads\666.exe.crdownload

                                        Filesize

                                        4.0MB

                                        MD5

                                        fb06afbe05e9006fb0974b34db9b3e47

                                        SHA1

                                        798adfdf387a81d4e4784508b1c7a45c2574e5fb

                                        SHA256

                                        4958c554787a589449e918fc5e3acc61b0ca61fdbf7ce0b658d4f60e2052f48e

                                        SHA512

                                        5a7d0ae0e43cce249f4a8bd1239697a36b6f903336b23dd0b9c7aec415e0209dd24385e4f90d14a911208214415625f4a90ac490c1439f48be34cabde1c89080

                                      • memory/4436-776-0x000001CE05500000-0x000001CE05600000-memory.dmp

                                        Filesize

                                        1024KB

                                      • memory/4436-781-0x000001CE06410000-0x000001CE06430000-memory.dmp

                                        Filesize

                                        128KB

                                      • memory/4436-792-0x000001CE063D0000-0x000001CE063F0000-memory.dmp

                                        Filesize

                                        128KB

                                      • memory/4436-803-0x000001CE067E0000-0x000001CE06800000-memory.dmp

                                        Filesize

                                        128KB