49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69

Analysis

max time kernel
0s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2024 20:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69.exe
Size

1.9MB
MD5

48cca537bfc1077877a1227b5d074868
SHA1

6dfab03c599aabc5aff8b3c4e2836cc123b149e4
SHA256

49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69
SHA512

544da6e33c5e0402d754b6bd751f290d0d8106ffbde262eda4c55aed4bef3baf58cac3bd722c0df63d57c4b27f7aa8a8110de942c8dc4246ce730ceda1b26884
SSDEEP

49152:WU5z1o02R2cFNGLoygKtsbEMZV1rvX50VeV4mhQ:NE03yNFRbEMR5cea

Score

7^/10

persistence

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
4680	3jW32Wv.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69.exe

AutoIT Executable 2 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral2/files/0x000d000000023200-6.dat	autoit_exe
behavioral2/files/0x000d000000023200-5.dat	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2160	schtasks.exe
5960	schtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4680	3jW32Wv.exe
4680	3jW32Wv.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
4680	3jW32Wv.exe
4680	3jW32Wv.exe

Suspicious use of WriteProcessMemory 5 IoCs

description	pid	Process	procid_target
PID 1564 wrote to memory of 4680	1564	49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69.exe	27
PID 1564 wrote to memory of 4680	1564	49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69.exe	27
PID 1564 wrote to memory of 4680	1564	49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69.exe	27
PID 4680 wrote to memory of 3744	4680	3jW32Wv.exe	54
PID 4680 wrote to memory of 3744	4680	3jW32Wv.exe	54

C:\Users\Admin\AppData\Local\Temp\49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69.exe
"C:\Users\Admin\AppData\Local\Temp\49e2bff42b7cbe36126efe24979390bb0ed6028d9b42ae8160275dcab150ba69.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jW32Wv.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jW32Wv.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
    3⤵
    PID:3744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
      4⤵
      PID:64
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
      4⤵
      PID:3756
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
      4⤵
      PID:3212
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:972
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
      4⤵
      PID:3400
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdad1746f8,0x7ffdad174708,0x7ffdad174718
      4⤵
      PID:2568
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2888 /prefetch:1
      4⤵
      PID:4068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
      4⤵
      PID:1468
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
      4⤵
      PID:5488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5216 /prefetch:8
      4⤵
      PID:5636
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5888 /prefetch:8
      4⤵
      PID:6132
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
      4⤵
      PID:5504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 /prefetch:8
      4⤵
      PID:1656
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
      4⤵
      PID:1916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
      4⤵
      PID:1476
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
      4⤵
      PID:2408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
      4⤵
      PID:3464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,3934107025538259049,2404839049694572617,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5532 /prefetch:2
      4⤵
      PID:1336
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/
    3⤵
    PID:5112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,13675972666609659881,5185189830458328876,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
      4⤵
      PID:4404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://facebook.com/login
    3⤵
    PID:4704
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Lh2xz6.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Lh2xz6.exe
  2⤵
  PID:5088
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" Get-MpPreference -verbose
    3⤵
    PID:5324
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
    3⤵
    PID:1340
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 HR" /sc HOURLY /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    "cmd.exe" /c schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
    3⤵
    PID:5472
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /f /RU "Admin" /tr "C:\ProgramData\OfficeTrackerNMP131\OfficeTrackerNMP131.exe" /tn "OfficeTrackerNMP131 LG" /sc ONLOGON /rl HIGHEST
      4⤵
      Creates scheduled task(s)
      PID:5960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x140,0x16c,0x7ffdad1746f8,0x7ffdad174708,0x7ffdad174718
1⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x164,0x168,0x16c,0x140,0x170,0x7ffdad1746f8,0x7ffdad174708,0x7ffdad174718
1⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9247922073576934936,3523989822145909253,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
1⤵
PID:4312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5196

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x3a0
1⤵
PID:5600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bcaf436ee5fed204f08c14d7517436eb

SHA1
637817252f1e2ab00275cd5b5a285a22980295ff

SHA256
de776d807ae7f2e809af69746f85ea99e0771bbdaaed78a764a6035dabe7f120

SHA512
7e6cf2fdffdcf444f6ef4a50a6f9ef1dfb853301467e3f4784c9ee905c3bf159dc3ee9145d77dbf72637d5b99242525eb951b91c020e5f4e5cfcfd965443258c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba867085de8c7cd19b321ab0a8349507

SHA1
e5a0ddcab782c559c39d58f41bf5ad3db3f01118

SHA256
2adaff5e81f0a4a7420d345b06a304aafa84d1afd6bda7aeb6adb95ee07f4e8c

SHA512
b1c02b6e57341143d22336988a15787b7f7590423913fcbc3085c8ae8eb2f673390b0b8e1163878367c8d8d2ee0e7ca8ed1d5a6573f887986f591fcababc2cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a6beaff79147f1eac2214cf330f148e3

SHA1
cbc7bdc4d1f8e1af165236572751e98315187b18

SHA256
bd43df0240e7a54a0c0dbf761ad40c20adf686ebfdb30e1e096fadd851e989ae

SHA512
38de210cdf718aa732f6adba9b34cb8e8fb12a0ce876fababf711f34d82d49c333ba11f05d455271a22c034909fd5d2d86c7b8d54477337db104393dccadad4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
5bd8691e14fe98b78e57b0bb049caf71

SHA1
6b081c7ca8d8a745c428aaa921e684e5b5d6b806

SHA256
a358dc7547c4ebcd2cfa24d4139ebad5ed2f79432de1da2def9372e86f22d80e

SHA512
f3fa22dfba67f0bb2c132e6031928c0d33a1f8f533b042ed145b6d0dffa68b8c8d2f79af0764e1cf4a2c2fd21a539819cea6c57e1c923b9d8bdebd07cc5c1da2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
fafaa16db4b5e093915388c339983632

SHA1
8cd5412f0dadbd89e6d7f91ee6b0a991fcb0c73b

SHA256
71cd00716696885583f10d452bff1e574d70e84f39e4c05420a51207057743f0

SHA512
ab23dcc4f62f7e85f028729723260fa7061c2203efcd7ffd63cd40bae0753a8eb07ef216459abc0b2ca21ea3dd9df60989ebcf2a06234957a493256f4fed3fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b906c472db68588657dde3d4b84a8430

SHA1
cf6df162382f751b37ac4de0110969949c4000ae

SHA256
17cf6a24408c9c7f98b98d4edc263b8693138be5f384edaa9b7f87730265e21c

SHA512
5dcbf3c224cf63430bb8fe213f50d2eb2aa0c1b86d60c5aafc50c1c85db85188eea68f3ed3ffeaea63b191ec8dff3167c9e8bcbb74f7e4d855d9ef8a3963fb09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ce0a1d87c2e900f49a00f8c0e5a732ae

SHA1
471f234ba6c62a594fde9ec0a96d703bb0658e67

SHA256
685e471aae79b1bb875e53fb43cbaa4694ed4fb4b9046e695063a5b92d4163b6

SHA512
acfa6e5ba76a037c04720020e6f1131b2962acb51136993fd1480a81d5b791aca1e1e1d52c4fe379fc40712c84299837c3d2c52e6ca2cd173ba22410cb8349ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00602492827871d2b0538123413033f2

SHA1
0d02c709b05dd9df78496d21dd8a20fe04875345

SHA256
0c0310c29d67cdf550ae8e3d25e96d9f050cc857a21c1a2903e1990204540571

SHA512
e98465544a844c307220e0527e50cf604943807d384ade3eb62ecbb4c058240953adf9efc2c4fbc51083755dc751f812bf108c226dca85acbbfa12d44c1ab416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
2KB

MD5
09230c9f0eb801fc9819bd568cd2a619

SHA1
9e0cc1bc56689579977b7277b09cab131ebf7a30

SHA256
fff9c572a00ffb7808c3e29fe85785c013cbeebf46bb4b41a3f32bcdc9c42a61

SHA512
190124c90fd4b3847a08337cb7fff13e91db1f8738a363e2ac03792990092c50a63ebfda8f1fa36ea2df3620ed76542557631b46041bfb9fa801707ed8208404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f5c5866c-ba37-4e0e-b765-49d7323a890d\index-dir\the-real-index

Filesize
2KB

MD5
4f4a906b855c7b22fd46a32d15114fd3

SHA1
9d361ef044a5e0f566666538f3e7ae19d8cfd0a4

SHA256
b1b2da0723eca8f6ef3dc8e2cad28dfe541e62d73e2d435089de2717cbf470b9

SHA512
5be51be8c399fbf1bdf2c529c62b59ef464f615021f2b1598a7f01e42a7e2fedac829f88475d387060b6cfb420c9965c4cafb00498acbb877366f0512353734e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\f5c5866c-ba37-4e0e-b765-49d7323a890d\index-dir\the-real-index~RFe57ad66.TMP

Filesize
48B

MD5
8060404ee0772f63d0a41269c6c21a2e

SHA1
f982d51808499bae4cc9418d6cee57c09eaaa424

SHA256
dceb7f4b8bb938e6b965f69adf68df74568f7dcfafea8b020328be05e841d197

SHA512
4186c72279cbee3e6719245ebf100f63b9cf42525e141ac9d13eee51274bb86d53423b2b53c74e47339702be2346e243915f99822f2e1c314174c06ac84aef71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
04cfdf0ec19848f96a2811110f632d6b

SHA1
66138b15cf887fb718f18007e05787d1099a5bbe

SHA256
d5d820e20c7d5ea05fc0b4e741e6bfb9defaf9850a7d7ed60bf9d93623a99b88

SHA512
4184d09f817ed5552c57ff15f0484b397e5b62d353e281b0d39bbbc3d422e7e2daebd9adea10147226da62aeb37830cf147df6dc592e1fb7a2a15a54957f265a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
5ad9925f53dc3d6dc4cdd076fb694ed9

SHA1
36f7559d7db499553eff7f6aaa480416a4177689

SHA256
ddb006aa73ed187bd84a9423867fb710f486cc806148013218c104ace0edd354

SHA512
0a16ade543c3a954db6e6cf628aed7870f4b5793eb0925d927c92676be0885fe8a6d9d9eb3e47795a36068d4e4d4facbae8e91aa43fef5dcf96a71f68872beeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
fb294b31a266094294a29b4c8d0f84dc

SHA1
0124c7bdf806dac64f54e4634ca5a408bbafe39f

SHA256
50e40bc58a2005f57bc982423f548a05a7d2a94fe93e6d6faa869769f37e93e1

SHA512
21cd613a0d7ad7fca37730234c11559a43e79fdc6fe160a10192b2d38abe43c8397d0e12bcea57f5819179c6be54b53fb2ebe92883f4a2fbca250b9470dccb8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
1c3f7088db2a32e2add0ac8996989d34

SHA1
b63fe6b65c8620f28b59829c927d59df5a96ffed

SHA256
25c028c44d6911c836bc37e26fb0bdcb0f0f69d8fcdb80fc4ae778cbad1c88cc

SHA512
04331220e237cc898b233f2e978c003c858ecebec372f7a2c1781f38a990428696c8605fec9b6deae4973751684aaaf3f0796f4b71ca90c8fab8fdec763aca5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
c03b644d8ce57898b3c86e152b351374

SHA1
e4cf64ef526a8b57aa0efec62ef8cb6d1221c713

SHA256
3aad791f0365165a9eeade2f30317cf490c2d1feed07661f4c304a3499512b67

SHA512
c7866608aa95ff705b311dd65145db4e822647a0794ff18f54ab956305e90f7247b5e6d3c0210b479018127b4dbc0bcd39673262872ecdd87506b55b0124e99d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57a7aa.TMP

Filesize
48B

MD5
72d5a56199c70f08cec9e8bd9581d068

SHA1
1c9519cc64e10b9a05961c148cccea7ecf9f3f7e

SHA256
1262069a86264a0373b27e11a0d951e266163a045e0049e1b92131d640fa61c5

SHA512
3527befefff101021a943b11be6530f5ad453ef687163a5b6983853a9b7e141cd1bb96bddff4541f2397558dbe9cc762a1dc706b9c201b5624517750523fbeb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3d5dfe55e19ccffcf7fa137646340d83

SHA1
6d712969cdde96f0d86ceef8b72347d4759d03ed

SHA256
19fb848d34917c8cda24d267bf995b7e2d5848aba34852503793d5b01ac03e30

SHA512
a4e59fe5d100d9cffc8769b7490500f534041991e8c1c41d0b66ddb1c21c7f6395831378c21ecf90e30e3b51c68732ccc7b00b09ad9587f9e314d475b7d2b8a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a21533d2ccfa0b84cc6e59a61509b0af

SHA1
d7c7a244550b8308afb90e0dbb73e5b0e4c2d93d

SHA256
206f4b4731ac8d1e8138e32d4749af46cce79f624f1bed6ba4ccf48b2bcb4027

SHA512
c7fbbf2c7cab699a9747e3d310584b0c4784dba06a0a2339e57f0b4ecc5b70d3321acbfc9534ede1c1a6f3859873e7608b284f5d93775e601b87d900ff212a62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe579dd6.TMP

Filesize
1KB

MD5
2c0eb16ed1f1740948a59181f3209e5a

SHA1
798b46e668b2b11c50154a0d752715ba84cf8436

SHA256
4469b99b1ffbef4c6f23f8612208c14dd2a940faf321bc4a6e46b1927a65e04b

SHA512
742dea771331edaa6f11673711e9a744e7b0ecbf762c141c6d8906cadaab50010d47f2033fddedbe243cd7fe33e4c31e5bc4e57fcf9e1021d25b17c42cb6700d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
7e45899d8c429cd152753685ad3234ed

SHA1
ca68f83c3b3d2cbec8c697fa88755f5c8f3aa4ab

SHA256
f863089dcf53cf3f8f93e082367f29ddd5f88dc41438bac7d22426aa9ac50cc8

SHA512
ecfdc8744f6f7a43995070df317d1548f2000d51d4acd0dc31b3b1a02b647f23cad8aa607f0fc9657344123d05c1a08c36af43df3282132b344636572af17137

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
57b1b752544b0da1073f89cca2c9669e

SHA1
90216c57803537d1d5d8c68588f7ddec5d39c59e

SHA256
3dca3d47c24847cec771cf7b8b0af589c0b6ebe51826178a64a60e0f378e1da8

SHA512
cd521bfed1b91055a18978710372545ec1c207f841f5044b7ea40dffc02fd5e018dc63dc5d10b71acc078c0ebe1ca9b251445ff13ec49a08b80089d75ed04b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
2KB

MD5
1685bcceee90a48701709f89da0c07e3

SHA1
8d62c1adaab4e913f4285c3a9a838723afe35d26

SHA256
153a57c507eb408ee0baeea07f5a23778a4bca5646747ad9ed344f676a18d28c

SHA512
608e4e23210ae59d1d1f49423ff39ff3edd4e069688776aee470d443ceb24774bd1b11a4bcde090d73e67a2e2c9b76c454eb890fb899c568ebc736b33d6ecf07

Download Submit
C:\Users\Admin\AppData\Local\Temp\FANBooster131\FANBooster131.exe

Filesize
318KB

MD5
4059eec723d08dce6805ac2e28a0ef2f

SHA1
3fcbbf6a7d62276a31d96f66b114d1ae192c11d0

SHA256
0041c4f9d67486e998e2f681400ffd32962cb41fa12fe96ac157731bc408ee1a

SHA512
7d97819b08e085f2414765e0c3a11de9118db6586c0c8013435fe86defb7d6a6c4d6303932c1684faa1c170687e10b78dbd938721c7c780025dc940854c98b05

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jW32Wv.exe

Filesize
82KB

MD5
6c9067f13598dd14994c334bfccdd49f

SHA1
410f769ea5cda77f33f19ce432c34d46476f2daa

SHA256
270bed5b59e70ced9a4b3fcec2209fd4eeda6b3f46add684d0551c44fb7315ee

SHA512
62d8c99fafbb8ff2dc179d1477b51ecfc3b6a2267d20c2e810c9751723dc78aedfc2734049f1f8ce5b309f65824e21707f8255b3c69ff66902fd43dca99e23ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\3jW32Wv.exe

Filesize
166KB

MD5
ef0f6a08bbff0252319623dc5c789746

SHA1
3f720882d99b1ca3704132940e6b6182f75cb973

SHA256
7fae7bfba1661cf3d98e4e84bda3c6eeffdc48c60549fafedf3dce85ef9b1d39

SHA512
80fb7c80f946d6bf7e61b265fc5834d9007c7a19fab883ccd853e2c8f3f39be24cbaa2e731e55d47c09b0838268e70ee2009f76d8966814000dcd61ec28a1281

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Lh2xz6.exe

Filesize
220KB

MD5
273b51055d11ef30af7437b72f07c173

SHA1
1d06a6c637bc79d0a79fbb818b06c6f1ad9ec0ee

SHA256
bd8b0d688b56c67ee264cc6a4284d64cd4f6c0bb3bddf9e8abf13c5c1e7d0952

SHA512
5ffa01685f6e80bb88587e66d4bc988f5c353924f24d07a5dd862d069b2f7cb3e78cac862f10b3fed987b161d9071c9aface87fefb8a4e75098ad11e8d5adc8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\5Lh2xz6.exe

Filesize
282KB

MD5
4d5ba8c806ffb0556f7431e9963850a1

SHA1
36b050d9dc2c7781f79643bcee1e4303dd472b42

SHA256
d3017e2660696c73a5838fbe799082471299316948bef3f67b171484aeb4664e

SHA512
aa2d2d1c9a6e8e1ec02083172b2440559d53fa58c4cd40c0cfe3167d0bab0aa59f15f3796e18d2c964c1f0428fa1bb4f01f50bab103177c72224f193d8edd94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j51hf0zz.1pe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/5088-560-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-515-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-40-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-516-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-25-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-535-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-541-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-589-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-482-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-59-0x0000000008780000-0x00000000087F6000-memory.dmp

Filesize
472KB

Download
memory/5088-576-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-461-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-577-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-454-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-570-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-571-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-572-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5088-573-0x0000000000570000-0x00000000009CE000-memory.dmp

Filesize
4.4MB

Download
memory/5324-82-0x0000000005AF0000-0x0000000006118000-memory.dmp

Filesize
6.2MB

Download
memory/5324-332-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/5324-321-0x0000000008000000-0x0000000008008000-memory.dmp

Filesize
32KB

Download
memory/5324-320-0x0000000008020000-0x000000000803A000-memory.dmp

Filesize
104KB

Download
memory/5324-300-0x0000000007F20000-0x0000000007F34000-memory.dmp

Filesize
80KB

Download
memory/5324-253-0x0000000007F10000-0x0000000007F1E000-memory.dmp

Filesize
56KB

Download
memory/5324-200-0x0000000007EE0000-0x0000000007EF1000-memory.dmp

Filesize
68KB

Download
memory/5324-132-0x0000000007980000-0x00000000079B2000-memory.dmp

Filesize
200KB

Download
memory/5324-194-0x0000000007F60000-0x0000000007FF6000-memory.dmp

Filesize
600KB

Download
memory/5324-185-0x0000000007D50000-0x0000000007D5A000-memory.dmp

Filesize
40KB

Download
memory/5324-163-0x0000000007CE0000-0x0000000007CFA000-memory.dmp

Filesize
104KB

Download
memory/5324-162-0x0000000008330000-0x00000000089AA000-memory.dmp

Filesize
6.5MB

Download
memory/5324-151-0x0000000006F80000-0x0000000006F9E000-memory.dmp

Filesize
120KB

Download
memory/5324-157-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/5324-159-0x0000000007BC0000-0x0000000007C63000-memory.dmp

Filesize
652KB

Download
memory/5324-158-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/5324-133-0x000000007EF10000-0x000000007EF20000-memory.dmp

Filesize
64KB

Download
memory/5324-134-0x00000000704D0000-0x000000007051C000-memory.dmp

Filesize
304KB

Download
memory/5324-101-0x0000000006A00000-0x0000000006A4C000-memory.dmp

Filesize
304KB

Download
memory/5324-100-0x00000000069B0000-0x00000000069CE000-memory.dmp

Filesize
120KB

Download
memory/5324-81-0x0000000073E40000-0x00000000745F0000-memory.dmp

Filesize
7.7MB

Download
memory/5324-85-0x0000000006150000-0x0000000006172000-memory.dmp

Filesize
136KB

Download
memory/5324-97-0x00000000065E0000-0x0000000006934000-memory.dmp

Filesize
3.3MB

Download
memory/5324-87-0x0000000006360000-0x00000000063C6000-memory.dmp

Filesize
408KB

Download
memory/5324-86-0x00000000062F0000-0x0000000006356000-memory.dmp

Filesize
408KB

Download
memory/5324-83-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/5324-84-0x0000000003080000-0x0000000003090000-memory.dmp

Filesize
64KB

Download
memory/5324-80-0x00000000030D0000-0x0000000003106000-memory.dmp

Filesize
216KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads