319294dd7b3973d1725020861ce5b7330496f81af4aec213f4a0b4800c62595e

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69.exe
Size

2.5MB
MD5

d446b22322adb2ee4d2f4b69fdc71dcd
SHA1

ac5129d56c1610b3ec337eb83e0ad3757753ade9
SHA256

460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69
SHA512

05489a6c87b3e6a4cdacf530143d9865243f63a3a2dc0c0bfd1ab4c6b12b183e8cdf4280d04ac27e29695e14af2663aa0584e24ace36a5bb6858e5e241fd3bf0
SSDEEP

49152:6z/PMA7iR4Hdl2c2sBKnglGbJtkDM4V39Ikn8qudLGPmin5jZFfNbO:WPp7GklmSKnglGdtoN1JWqn5jZ9w

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

Modifies Windows Defender Real-time Protection settings 3 TTPs 7 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	5Yz8NW2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	5Yz8NW2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	5Yz8NW2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	5Yz8NW2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	5Yz8NW2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection	5Yz8NW2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	5Yz8NW2.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FANBooster131.lnk	5Yz8NW2.exe

Executes dropped EXE 4 IoCs

pid	Process
640	Au8cc04.exe
4744	iO5NC20.exe
3188	2uw0433.exe
1780	5Yz8NW2.exe

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features	5Yz8NW2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Features\TamperProtection = "0"	5Yz8NW2.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	Au8cc04.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	iO5NC20.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MaxLoonaFest131 = "C:\\Users\\Admin\\AppData\\Local\\MaxLoonaFest131\\MaxLoonaFest131.exe"	5Yz8NW2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69.exe

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000700000002322f-20.dat	autoit_exe

Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs

pid	Process
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe
1780	5Yz8NW2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3632	schtasks.exe
3688	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
556	msedge.exe
556	msedge.exe
4852	msedge.exe
4852	msedge.exe
464	msedge.exe
464	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
6108	identity_helper.exe
6108	identity_helper.exe
3464	powershell.exe
3464	powershell.exe
3464	powershell.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe
5996	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1780	5Yz8NW2.exe
Token: SeDebugPrivilege	3464	powershell.exe

Suspicious use of FindShellTrayWindow 29 IoCs

pid	Process
3188	2uw0433.exe
3188	2uw0433.exe
3188	2uw0433.exe
3188	2uw0433.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
3188	2uw0433.exe
3188	2uw0433.exe
3188	2uw0433.exe
3188	2uw0433.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe
4784	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1780	5Yz8NW2.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4972 wrote to memory of 640	4972	460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69.exe	30
PID 4972 wrote to memory of 640	4972	460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69.exe	30
PID 4972 wrote to memory of 640	4972	460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69.exe	30
PID 640 wrote to memory of 4744	640	Au8cc04.exe	33
PID 640 wrote to memory of 4744	640	Au8cc04.exe	33
PID 640 wrote to memory of 4744	640	Au8cc04.exe	33
PID 4744 wrote to memory of 3188	4744	iO5NC20.exe	37
PID 4744 wrote to memory of 3188	4744	iO5NC20.exe	37
PID 4744 wrote to memory of 3188	4744	iO5NC20.exe	37
PID 3188 wrote to memory of 3720	3188	2uw0433.exe	51
PID 3188 wrote to memory of 3720	3188	2uw0433.exe	51
PID 3188 wrote to memory of 4784	3188	2uw0433.exe	64
PID 3188 wrote to memory of 4784	3188	2uw0433.exe	64
PID 3720 wrote to memory of 972	3720	msedge.exe	63
PID 3720 wrote to memory of 972	3720	msedge.exe	63
PID 4784 wrote to memory of 2128	4784	msedge.exe	60
PID 4784 wrote to memory of 2128	4784	msedge.exe	60
PID 3188 wrote to memory of 2332	3188	2uw0433.exe	61
PID 3188 wrote to memory of 2332	3188	2uw0433.exe	61
PID 2332 wrote to memory of 2972	2332	msedge.exe	62
PID 2332 wrote to memory of 2972	2332	msedge.exe	62
PID 4744 wrote to memory of 1780	4744	iO5NC20.exe	68
PID 4744 wrote to memory of 1780	4744	iO5NC20.exe	68
PID 4744 wrote to memory of 1780	4744	iO5NC20.exe	68
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128
PID 3720 wrote to memory of 3192	3720	msedge.exe	128

C:\Users\Admin\AppData\Local\Temp\460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69.exe
"C:\Users\Admin\AppData\Local\Temp\460be9287a7336de0f0996ef9f6bcedcfb72b693d5d7e8ad38057e64a8ae4f69.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Au8cc04.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Au8cc04.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iO5NC20.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iO5NC20.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2uw0433.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2uw0433.exe
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3720
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x16c,0x170,0x174,0x148,0x178,0x7ff8063546f8,0x7ff806354708,0x7ff806354718
        6⤵
        
        PID:972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,10296397082831064422,11585065076186685039,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,10296397082831064422,11585065076186685039,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2004 /prefetch:2
        6⤵
        
        PID:3192
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8063546f8,0x7ff806354708,0x7ff806354718
        6⤵
        
        PID:2972
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,111381628627029759,10967335654027256992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:464
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,111381628627029759,10967335654027256992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
        6⤵
        
        PID:3400
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
        5⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:4784
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
        6⤵
        
        PID:4152
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2564 /prefetch:8
        6⤵
        
        PID:392
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        6⤵
        
        PID:3132
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        6⤵
        
        PID:3556
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4852
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4040 /prefetch:1
        6⤵
        
        PID:5544
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
        6⤵
        
        PID:5624
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
        6⤵
        
        PID:6036
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
        6⤵
        
        PID:5340
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
        6⤵
        
        PID:2532
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
        6⤵
        
        PID:5948
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
        6⤵
        
        PID:5920
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
        6⤵
        
        PID:6072
      - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6108
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=7116 /prefetch:8
        6⤵
        
        PID:6020
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,14546924987316499739,17777813000976897868,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6200 /prefetch:2
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5996
  - - C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Yz8NW2.exe
      C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Yz8NW2.exe
      4⤵
      Modifies Windows Defender Real-time Protection settings
      Drops startup file
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1780
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        5⤵
        
        PID:5960
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        5⤵
        
        PID:4864
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
        6⤵
        Creates scheduled task(s)
        
        PID:3688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ff8063546f8,0x7ff806354708,0x7ff806354718
1⤵
PID:2128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5600

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
66b31399a75bcff66ebf4a8e04616867

SHA1
9a0ada46a4b25f421ef71dc732431934325be355

SHA256
d454afb2387549913368a8136a5ee6bad7942b2ad8ac614a0cfaedadf0500477

SHA512
5adaead4ebe728a592701bc22b562d3f4177a69a06e622da5759b543e8dd3e923972a32586ca2612e9b6139308c000ad95919df1c2a055ffd784333c14cb782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84381d71cf667d9a138ea03b3283aea5

SHA1
33dfc8a32806beaaafaec25850b217c856ce6c7b

SHA256
32dd52cc3142b6e758bd60adead81925515b31581437472d1f61bdeda24d5424

SHA512
469bfac06152c8b0a82de28e01f7ed36dc27427205830100b1416b7cd8d481f5c4369e2ba89ef1fdd932aaf17289a8e4ede303393feab25afc1158cb931d23a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
efd126b628044652a60b3d1a3ffad75a

SHA1
c7f0bff544b95f698b5cfa8bbf7d7c02f1e85497

SHA256
9b0e03d9a2c72cb07a0b4861ca4bb7670aae658f170fcd4242c16db5b5003b60

SHA512
b47501690dbf5a4af2f4523548dd4092163b532b71e49a7ea3e17f91865170fc37c2a1369392581c372dc97e59e3a921783e64cdd3f0026d247f0c66524981d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
5c7c7e6b107e28ceec522c8c780e2933

SHA1
383a550383b6ee6172937f227f7a0ccf2b0121de

SHA256
130f38ac30bde56fa456b30353afd43121133f2f442ad731dfc82b8d53c3c45a

SHA512
ccb90bc158c6a2523e78fffede26d14212de5d1bcad54172608fb503f4162751c5ac893381dc86219a92c295070104f9a68855561bea446c9303096645de0013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c47d023d4dc08ddcf1c9418fb36d094f

SHA1
af5605ff2ccbfff4a61e768dfca764e20a7c5330

SHA256
c01e4324530288c650cfd30341c4028b005da0f0ff013e4c877236a2100b835f

SHA512
f32ab1f59f6d4e1192a00ae07ac66e7fdbd1360d54b2184d7e5932102749395e08d74533343698bf68b14ce1a8864f5552aa66e069a6319cdde9e82347fffc98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7079f21755f8c233180a292636cad281

SHA1
509fe54ed98e717f78a82b512c356504f4213a28

SHA256
61859679933f8507abe7356f4d491b4f6fac044afb9c6f79b7fc9ee261808f2f

SHA512
40b15435d9f180ed4b6826e45442e3ad74bea4aa57191db886ee40970ce0a146e4b3f3e02765beddd44f6687d18b3d303df0d05a9ee871514c433e3689c6dc9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38563385375fd1d5c73ac6b13382553c

SHA1
ceb8ab845e11978be511d71d25226e8b1f48544f

SHA256
74ccc15739374329708ea76829fb324eca678f72279bdddd75bc55788affcfbf

SHA512
4d0061a32849b21a1c3641619b80bed3a6e9b91edad250292674416508f8fa612408e7863551e826242186abbc8ea457a28b2521ebe7c8bf9b0204fb66a90273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
886e57b32ac7f436338035676f283451

SHA1
18ca2c9b87cc03d0871e8c6964f30f090fb2eeca

SHA256
4acfec50bf7287e6019224ede46886fbe73111cfb04bd001ebf35a05229b4edf

SHA512
9612bed802e79799c3f0cf97e6a19ba415fab0207852b6a1b698039686e6cb581d4411e572be1ba3244e5c47a909fa652adab5296a8732d54f59c56c6d62793d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
32c88ced6b34593bc1627edef6fc6687

SHA1
8c2aa05504a89ec290442bb8af628227bcbd7f57

SHA256
f0c80dec65ba9f466c28e43dbf42fbd22650f77d22b5581a6b77f93356a4c174

SHA512
3a91ad6e1af5de33b734b1d9051f37ea39b15c4434ab749064cddf4251a143c56580c4b5dc7764da020ce0c0e9c8fb1fbdd8b7154c56d7314f6772c8b153d849

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fae8d755ad3e5379547d84527a45fd79

SHA1
ffdc7ac52286020c3d2357922bb80a2a349d785b

SHA256
79fa097c2d798b353cd95bc3f2b81517e7d0ad57dfd43300e4d371856e1afce2

SHA512
674266c22b6032298689072ec25ac0896820ef6a9db74231c660c0bfbe91797f88b6d33f144b77a1070646eed2bfb5a466f8c3575ca0a97ce8465125454fe9e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ae01eec15b51e6e860c72c9e4b3efa0f

SHA1
51ee7f4da972961c66afac087c815d0827995ab2

SHA256
4e903c108237f954ead383509f01a8285b8fac4a3311eff2ee470363385e678b

SHA512
e7bf98cc6b04227cbb84ac353503a1edea881bf85d94cd67ebffb72d4d30e5ab137e97403cd57c5ceeb23c5ced72c7e8f4153c4918f135e2e6f6a1157b3b59b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
44491274d260a01975e2d99f65a9ad33

SHA1
3d235c95a7d3472d5b25ce6c51802c2e5ca10b49

SHA256
f7cffc7be296bfedf41151fc4cfff0b55859182168c69f59b3ee85238c6ca916

SHA512
945f17e065df26137fe702b5fb3beb3f826bee88146eb1b693601c03ae3ee21c64fce5af6f291358e83a880b8c798d66250f8c154170aa03ef22b1e2c7a2841c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5881fc.TMP

Filesize
48B

MD5
957350a5a3fb28d1596f58c13fb8d6c1

SHA1
cab41585c657eb172c6302e074b88dd4b14a9b53

SHA256
3451a50f594afdf670a616d1cf846167c18a9b20c03ad2efbb3b1943d44585ea

SHA512
b097b4713353482380c7818c9eca99009226dd62da2f9396fb253b1b8a1571458b7f15a3e06d5103c01f2d410aa4faac9d75c811742ae3689773b6b3d5a33819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
47b4fb287224e81ec4ad7ee2ee8a9df3

SHA1
59ec3c32ec8eae95e8a83e07e3dd77c2c38d20fb

SHA256
a5ec98b1842f4c86a48afaf318c3835609077bd1654e7e6bd180cfae4c5fb8ee

SHA512
e0daf35ecd7ff43ec4bcf5212dd800b7717407fa190779f1b06c548ec1c2d55a3de6d223ca65fa2f67a22e563a00e234ff7ac1f8d59236f10edf0e2e75099275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d792a7d64351a9c17cbb37d18c03a8a

SHA1
a8fbf651f370c30ca8de5a15b6848427117c4ef8

SHA256
93d8b884fa436b182412fd09d1be26a11549c8516ed124b218f61e07cf728b97

SHA512
4f09ee48930b32ade26f0db5728d0145e2c058fe1ca0984ad441d2fc656426cec17cba3b801163c62f5876f1037cf3da7aa9b7c72c6eee30c2f02b58f8067f2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
18c065356a6e7dd4e563cc4a0efe4c11

SHA1
2ed4182819853389a54cb07fc454eba8f56a59d9

SHA256
0701247fa21ba60992a1876545c0eb62a7d17c0859105998a5b0f6aa07ca20ab

SHA512
bb3664fa39502f64c7742e79e9eae9ff84182f9f86f5a4c25d5486c0aeb691f930d7b4b9881d59ab69b7989a1b8da803cedd786d82f6c54a5c9f7b498e5072e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8872bf44ed24e7c8307110f82d204a62

SHA1
9913de2749c7b3dd92cd4be81ab46fa0f1599698

SHA256
2606de683e9eb5f08fcb6055e39495ae0e6e2fb925aaf6d1ae06afd989ccd447

SHA512
28c2fd7521b382b22a263cacd350183612c6d5ac2aa64a9cbeece379a630c7559615cab4e5009a19cff304f0d50127213203c9f4254e553eacc3f4ca563fd3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580d97.TMP

Filesize
538B

MD5
b944e9bc65a0276a7d3bb463e8148b58

SHA1
18785f1bc1bbaca6c56f929e8bd2960810e0d04b

SHA256
43b70dbbe7207a86d916fe253ea71372d506d6f3cc6ce924715d27206827de39

SHA512
979a619f17b1d9a1371d26523cff5687d8640ffb6be9056767993011e48e64f342a25efbab91595343ddf47543adf156655d4e16a0b93dd1779816f69beb6a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
4e8d7992d26a86b013933bf32bc8f8e7

SHA1
3a9c1a91f453f8772a2b2ba8ff288a49f51d3292

SHA256
51c48e5b995c60b3e94c6870727b859e13739254e09ff685490b82c0b83e5b91

SHA512
99b9c3f24d1514b22f4aaf91fa01d35ba101989b8e2088e0b72cd0d62ca6a10c1e9ef69d694e1e3b7576a9fc80e3f7b5b4bb1a740ea0dfd25e56a352e62aac57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
398403357ed458cfa9068a618601f6cc

SHA1
c00ab4166eed9b0ace74f862ff87822927f2f0d7

SHA256
e3e53e3748c7ec2845aec87927bdcc5a6bf7cde43ebb5f273a904558cd1314c6

SHA512
a1b685154d35f71c8f65d7af7faea99285b0a530763f5092781a1f2bfb4ec776c9e0bac5ff1c30c432f02fd602927d915e6f0c33263e4c161ad443bfd7f7e2f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
49e8485186a8a375bf6a59d8a981f2bd

SHA1
4ed5ef378cb9ded404d81d089d329572e3cf588a

SHA256
908cbf4e244a1cb941f09eef2fb431ace219f75f4bac8f5cde84d256ddc8959f

SHA512
cc9350a976b22522d33150a1a2075b41ec60a34208b1d7c79c1c6f88964166bbc030141431f6845d2782d850f1fcabf2f0c7fcd8f09e7d3b2d8ae9cf586648e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
89c0133f4bda71e21c69327fd78934a6

SHA1
851aa0e4610e7ae8b4f539a690d98fada68314c6

SHA256
3add1ff68d735e8a6620056cfe2034f671048a4ea33c35f9aa2b414a4113151c

SHA512
bf3241ffa313c6afab84e6a45d9be92b91f26a41ca4e851d8790cf750b3886a716219e762c4d113cf7a43d8aab07e6e100069bcaa95d040c8822560060eda8e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
92KB

MD5
b529f88671b143d21eb3b707dcf869ea

SHA1
a0268a3de143d06b97f98d85ebee83c17242f964

SHA256
7c2616cf6dbcd8c9235807af3cb3dc13cc5d3d7da708bd99c66f9e4b6e0d21a2

SHA512
63150915306d5f1412a3f0ba0b37f81dd012652465e382c1248c85720cb2d143e52cc9c147df7ac0fd9d57a88bc5f5f2c8524f12cb45501d113080e0f12bc508

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Au8cc04.exe

Filesize
3KB

MD5
14980af0dfc8ed32d53a99c65a194f2b

SHA1
c2e5efb8875b4ae752b189d9432949288d7e8ee9

SHA256
3f0df1404ee3e2f98f3bda4df34315099afbc124cdc9685ca07e854dbfdda2e4

SHA512
178359c56001bc129689d05ddfa1dc2cedd27303c6cc587d3eba5129467ba7b02747edc68ccef57ba34c1fc27f48d71514bdae79ddde0fa2c77d6388a129688f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iO5NC20.exe

Filesize
28KB

MD5
59ec5346a7578286a6dd4a5f46ef2c90

SHA1
94878da1828f38808f82892827d7b27c0900ec07

SHA256
af20a2068a04a444d278c67d1f2d7d5190c5e3a3bb9ec986d28d1512648bff27

SHA512
070812a0ddb910e5e31beb4a36e10ccb2c445263e0afc05ac3332373300294e0afcb6f06020a8820e85d1fc14c69e881a6fb585c1739a8f5e195b71b0b66940a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\iO5NC20.exe

Filesize
7KB

MD5
bc044c48bd49d605befde7c362d5e0b4

SHA1
80c0c89de1c768b1ebc04347622db5594e2b243b

SHA256
165dce406f5518e987c2c46d3741fd72e2e88034e71033593fa46985662b0ac4

SHA512
4367077c856846f6e9419028b5aff500abe11912c826ea5d69ecf5e50e3dc87a46726855ad370c3f63032c04cf97c164d8836a1ecd10c44e2047b2c2ab4554f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\2uw0433.exe

Filesize
31KB

MD5
c2021b0471176c82e6fb9ebabec3c602

SHA1
12eef87e394d1924ec83b395a61a29e6b3e97e2a

SHA256
03d4150037ff42c1b565bdcc717de8a5a635a6a4a216ea14d7122952cfd9aa6d

SHA512
7c663de828b1e0643b345a37e348d612ddfd747aaadd47e9e320232a310ebcc702d365c2e3cd11fae2637d72a9d9b07e5cb097865dcfae56577cab292cac40b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\5Yz8NW2.exe

Filesize
31KB

MD5
132bae3edfb3b049db1851b4816969d1

SHA1
d72c7662e92794d8e764dd0ec659cee5c9c9adac

SHA256
fc8acbb7ccf413f34ee7080eb5e43dcbdc4b35a3ba8f9ceae0bc047f51cfc310

SHA512
1115c0be2873d60feb1a74c923969cf2238be746f59f3f2d8c3701e29d624b4b5a41efc337497b7e0f4c2e3a069bd5e2746d16586ce9420fac690e91b32de331

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hoqdccnh.abt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1780-162-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-425-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-564-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-44-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-69-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-545-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-544-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-529-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-71-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-510-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-508-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-507-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-102-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-159-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-163-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-465-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-219-0x0000000008810000-0x0000000008886000-memory.dmp

Filesize
472KB

Download
memory/1780-452-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/1780-244-0x0000000000A00000-0x0000000000E5E000-memory.dmp

Filesize
4.4MB

Download
memory/3464-323-0x000000006FB40000-0x000000006FB8C000-memory.dmp

Filesize
304KB

Download
memory/3464-339-0x00000000076F0000-0x0000000007D6A000-memory.dmp

Filesize
6.5MB

Download
memory/3464-369-0x00000000073F0000-0x000000000740A000-memory.dmp

Filesize
104KB

Download
memory/3464-372-0x00000000073D0000-0x00000000073D8000-memory.dmp

Filesize
32KB

Download
memory/3464-377-0x00000000734B0000-0x0000000073C60000-memory.dmp

Filesize
7.7MB

Download
memory/3464-245-0x0000000004F70000-0x0000000005598000-memory.dmp

Filesize
6.2MB

Download
memory/3464-246-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/3464-367-0x00000000072E0000-0x00000000072EE000-memory.dmp

Filesize
56KB

Download
memory/3464-247-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/3464-345-0x00000000072B0000-0x00000000072C1000-memory.dmp

Filesize
68KB

Download
memory/3464-344-0x0000000007330000-0x00000000073C6000-memory.dmp

Filesize
600KB

Download
memory/3464-240-0x0000000002460000-0x0000000002496000-memory.dmp

Filesize
216KB

Download
memory/3464-341-0x0000000007120000-0x000000000712A000-memory.dmp

Filesize
40KB

Download
memory/3464-368-0x00000000072F0000-0x0000000007304000-memory.dmp

Filesize
80KB

Download
memory/3464-340-0x00000000070B0000-0x00000000070CA000-memory.dmp

Filesize
104KB

Download
memory/3464-321-0x000000007FCA0000-0x000000007FCB0000-memory.dmp

Filesize
64KB

Download
memory/3464-253-0x0000000005610000-0x0000000005676000-memory.dmp

Filesize
408KB

Download
memory/3464-334-0x0000000006F80000-0x0000000007023000-memory.dmp

Filesize
652KB

Download
memory/3464-333-0x0000000006360000-0x000000000637E000-memory.dmp

Filesize
120KB

Download
memory/3464-322-0x0000000006380000-0x00000000063B2000-memory.dmp

Filesize
200KB

Download
memory/3464-299-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/3464-288-0x0000000005DA0000-0x0000000005DBE000-memory.dmp

Filesize
120KB

Download
memory/3464-289-0x0000000005DD0000-0x0000000005E1C000-memory.dmp

Filesize
304KB

Download
memory/3464-284-0x0000000005730000-0x0000000005A84000-memory.dmp

Filesize
3.3MB

Download
memory/3464-243-0x00000000734B0000-0x0000000073C60000-memory.dmp

Filesize
7.7MB

Download
memory/3464-268-0x0000000005680000-0x00000000056E6000-memory.dmp

Filesize
408KB

Download
memory/3464-252-0x0000000004EE0000-0x0000000004F02000-memory.dmp

Filesize
136KB

Download