4b93c98774977cfd3db8c5702d7c17f5753c3c42412253b09740505ce0af5a97

Analysis

max time kernel
611s
max time network
618s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/02/2024, 00:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

HTCloud_setup_1.1.5.0205.exe
Size

5.6MB
MD5

767ef30c3113f4136d36f1e71bf20555
SHA1

46866630aa288a2668cb0a8639f750061dd673a9
SHA256

4b93c98774977cfd3db8c5702d7c17f5753c3c42412253b09740505ce0af5a97
SHA512

d673b53e501d7e1054ba1b2df7e6e8b2036c40fddf65478789b475380228832ec17d92a9150e80d3df221b89cf3b7597a350168f2b6895349f73ba864f274745
SSDEEP

98304:AL5TknjzvD3Vf3qjzhP+fKE9m13g/rds9i3tRpygou5X1x7ffI/HmRgNEK75pfYg:AtTknjH3F3qPoKZX9idyYR1x7fQ/Hm+V

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WmgpLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WmgpLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WmgpLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	WmgpLauncher.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 9 IoCs

pid	Process
392	peFlag.exe
4852	WmgpLauncher.exe
4664	WmgpUpdate.exe
4972	WmgpLauncher.exe
5000	WmgpUpdate.exe
2504	WmgpLauncher.exe
1684	WmgpUpdate.exe
3884	WmgpLauncher.exe
452	WmgpUpdate.exe

Loads dropped DLL 4 IoCs

pid	Process
3260	HTCloud_setup_1.1.5.0205.exe
3260	HTCloud_setup_1.1.5.0205.exe
3260	HTCloud_setup_1.1.5.0205.exe
3260	HTCloud_setup_1.1.5.0205.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-557049126-2506969350-2798870634-1000\{0DD51C61-4996-467C-B79D-579E41258AF5}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1328	msedge.exe
1328	msedge.exe
1284	msedge.exe
1284	msedge.exe
4824	msedge.exe
4824	msedge.exe
3752	identity_helper.exe
3752	identity_helper.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3260	HTCloud_setup_1.1.5.0205.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of SendNotifyMessage 42 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4664	WmgpUpdate.exe
1684	WmgpUpdate.exe
452	WmgpUpdate.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3260 wrote to memory of 392	3260	HTCloud_setup_1.1.5.0205.exe	96
PID 3260 wrote to memory of 392	3260	HTCloud_setup_1.1.5.0205.exe	96
PID 3260 wrote to memory of 392	3260	HTCloud_setup_1.1.5.0205.exe	96
PID 3260 wrote to memory of 4852	3260	HTCloud_setup_1.1.5.0205.exe	99
PID 3260 wrote to memory of 4852	3260	HTCloud_setup_1.1.5.0205.exe	99
PID 4852 wrote to memory of 4664	4852	WmgpLauncher.exe	100
PID 4852 wrote to memory of 4664	4852	WmgpLauncher.exe	100
PID 4852 wrote to memory of 4664	4852	WmgpLauncher.exe	100
PID 4972 wrote to memory of 5000	4972	WmgpLauncher.exe	103
PID 4972 wrote to memory of 5000	4972	WmgpLauncher.exe	103
PID 4972 wrote to memory of 5000	4972	WmgpLauncher.exe	103
PID 2504 wrote to memory of 1684	2504	WmgpLauncher.exe	105
PID 2504 wrote to memory of 1684	2504	WmgpLauncher.exe	105
PID 2504 wrote to memory of 1684	2504	WmgpLauncher.exe	105
PID 1284 wrote to memory of 2072	1284	msedge.exe	107
PID 1284 wrote to memory of 2072	1284	msedge.exe	107
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 4620	1284	msedge.exe	108
PID 1284 wrote to memory of 1328	1284	msedge.exe	109
PID 1284 wrote to memory of 1328	1284	msedge.exe	109
PID 1284 wrote to memory of 1180	1284	msedge.exe	110
PID 1284 wrote to memory of 1180	1284	msedge.exe	110
PID 1284 wrote to memory of 1180	1284	msedge.exe	110
PID 1284 wrote to memory of 1180	1284	msedge.exe	110
PID 1284 wrote to memory of 1180	1284	msedge.exe	110
PID 1284 wrote to memory of 1180	1284	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\HTCloud_setup_1.1.5.0205.exe
"C:\Users\Admin\AppData\Local\Temp\HTCloud_setup_1.1.5.0205.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260
- C:\HottaCloud\WmGpLaunch\peFlag.exe
  "C:\HottaCloud\WmGpLaunch\peFlag.exe" "C:\Users\Admin\AppData\Local\Temp\HTCloud_setup_1.1.5.0205.exe" -o
  2⤵
  - Executes dropped EXE
  PID:392
- C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe
  C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4852
- - C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe
    "C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe" /launcher
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:4664

C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe
"C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4972
- C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe
  "C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe" /launcher
  2⤵
  - Executes dropped EXE
  PID:5000

C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe
"C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2504
- C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe
  "C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe" /launcher
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa530546f8,0x7ffa53054708,0x7ffa53054718
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1296 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1481676478955419705,12816692949227449454,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6156 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4908

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4940

C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe
"C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3884
- C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe
  "C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe" /launcher
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\HottaCloud\WmGpLaunch\Config\Config.ini

Filesize
670B

MD5
b7052b8af36bfcaa0300b709eb19eacf

SHA1
4b0e36d3d5cd430018353460ddc2072a5a127f02

SHA256
aed4ae5ee6121c3b28985ff28c5e58a739736fb5fd030c220c21e8f26b010399

SHA512
cd84ea3840edb6933bdd6d11de3e2d71ac114fc1bd68ced835f3e12f68e380425fd33b61baf359c03759a91b12545037bfce0b95f409ebafb2fbf16264c26db9

Download Submit
C:\HottaCloud\WmGpLaunch\UserData\Log\WmgpUpdate.log

Filesize
18KB

MD5
8029d035413d65c90c294480c7094aaa

SHA1
1084a49c751f923eb5d16936d2522b2392c528bc

SHA256
0f374cf8ee8f9a0546f9bac015f89a63a123f46de71b233cf8c1161d689b2c64

SHA512
72967542de7260c9157d69551b88b2a4d1b5e07cf8af47293f04db76d2c53d16a34ff97d92b8373ed77c60c0ff6f7238bfe7d9fe5c76952abd6121ec5a7d45a9

Download Submit
C:\HottaCloud\WmGpLaunch\UserData\Log\WmgpUpdate.log

Filesize
39KB

MD5
78b9f6b4cf4464d0c5e9a01bed242e93

SHA1
2c3ede385a8d9f083a9b04cce0abdfde0a69b423

SHA256
5cbc5e721d0b379e524349c9135e4b812498cffdc411c0e772b110a0430d0174

SHA512
5d3bbfcfe10cdd306fde75b3c36b74433ffe9d316043d551a5ed8ec569a612ab60a9c000ba2c2c79e06dd7803c10a8ff0cec7dcb865e0858cdaa5828cc8f7078

Download Submit
C:\HottaCloud\WmGpLaunch\UserData\Log\WmgpUpdate.log

Filesize
19KB

MD5
c08631ea9db8d23b32c65c7e073e81b4

SHA1
0c17cadf4c1ce2416744434cd11a61b18356f386

SHA256
001b21f98c91414542e84d4ca3b89675d43f72664f547fdaf2a1b318ed76072e

SHA512
7dda6818b56b22e8a571aeed769c279b109753eac0e8884e0687156889efdd0d0190cdababc17a4b3d9c9a1fb8397bceacc2a557713977c2570f528a49667338

Download Submit
C:\HottaCloud\WmGpLaunch\UserData\Log\WmgpUpdate.log

Filesize
20KB

MD5
563abda1b4a51d1a1fcb2416b340118c

SHA1
4734b16b4e93ca553fa042158095e5e9d7487235

SHA256
9de74f4edb9adcd90dc5dd66c3cdcd2af94e6bb0742391a3e50548ed36bd2ddb

SHA512
99ed5ab4482963150404cc5a7a234289b5417ca1ad7bc280b81773bf52cf57b72605a6d227e4af76c1617c661250b91204832864cb3a4dadb3e7fa3672341f5f

Download Submit
C:\HottaCloud\WmGpLaunch\UserData\Log\WmgpUpdate.log.bak1

Filesize
18KB

MD5
3b59f69b037cb663ae130abaa7eae4ec

SHA1
3a8169e0da83636075f45445b851785fc5c293ec

SHA256
2773e9d532673c21ab427a7f3c375807cb6385708ec160f2a9088a6d35afbb94

SHA512
4277ca199a08be3dcf14332a871c198bb3a8e9e63ab86996ac69498ad00dc9912c981719dff0683da648333df87b6d392191425b53a8ff11ec5d5b7a9368d43c

Download Submit
C:\HottaCloud\WmGpLaunch\UserData\cache\vlCache.ini

Filesize
81B

MD5
d3b639cb2446076cee4277fc93eb4be3

SHA1
c6227f05c7763240836f9d44efda2e404482de5a

SHA256
8db1c918cd1a9bb204dac68da04fdeb375288ca71c34c5653b9ee5159d1fce4f

SHA512
78f3ac8014a6eff07b3403a4188575c0fb83751b4671552290df8af05fb11fdebf56c2f5a028b809a591a0c72c9d0246e321a4555efc01a169a16daa5744cbcf

Download Submit
C:\HottaCloud\WmGpLaunch\WmgpLauncher.exe

Filesize
575KB

MD5
093578e5a3c0116cbc4d7238266079a4

SHA1
2743ade8f7277aade1231ea0c72fbe894ffc6528

SHA256
6cdafc9b6debeb58b2232fe2dd21043c02a6c10c4b03ed6b0f65b8498e8cf571

SHA512
eaf15fe69ccfe4ffd1bcaa8ceddbf2cc3fab85dd4dd9287896c7c55094164b2e81d9d10375f1721a3067f5bf83d88c2e8b99530fc47e6061edc30ad642c6c077

Download Submit
C:\HottaCloud\WmGpLaunch\WmgpUpdate.exe

Filesize
1.6MB

MD5
1fd00078eb8e7d96a249aa7686b0e5b8

SHA1
2be355f2b76da7ada68b6680dc0ff1b6e65ceb03

SHA256
7320dbb0e7a1ce2fc59f8ed8e38684a5ba26355921d690353e204ddb1fa2404c

SHA512
47803a470b956657658f7430b8b7fab04ea0aede777641e2ede8c0c2429d976f6e40e8918d14ba45199b2730504876f8bf342d0b8d2a4397da865429f682b01d

Download Submit
C:\HottaCloud\WmGpLaunch\media.txt

Filesize
46B

MD5
05613dc3eb76b2e62943d739c938a0aa

SHA1
7cdda81829206a446aed7f32e76e07d395240e89

SHA256
b847c53feddd98ce40006ef2013f573cd84e971608ad0b602bf51ad1d714841c

SHA512
9959b4f1e18a53bd1ca9ce97881aef73f7674ed0746c1b01f338ffa82b6e03dc9a2070f89f6acbad45d4a36d9453a19f2df010237001a9f614c715929ddf858a

Download Submit
C:\HottaCloud\WmGpLaunch\peFlag.exe

Filesize
149KB

MD5
89a1817246eece6d084faec432e51131

SHA1
fa671db46927eea00e216a93cba7a0f4a36615a9

SHA256
fae9ba71444b966d76df871249ff102dc7e95784203ec11ef11552253c33a89b

SHA512
4da0aa70515866257976327c52875cbc920a227401224bcbb377fa3c1de108e20d7904e244db97ad9b2be4b64c3cf3a07b2befddebb3ad5d967433d62f6542b2

Download Submit
C:\HottaCloud\WmGpLaunch\updatetemp\UpdateTemp.ini

Filesize
27B

MD5
d630c995b82b1b340ce671702ae3dd15

SHA1
d4c81d391f90dfbcd501f3b0b2421011c65fc51a

SHA256
30c66b9af0bf3baa1694947a44d8f84a9ea42ad562daed3cf7d1e82a6466ddd1

SHA512
79a446f05a856aee717bbfa1964e295abac27a118c4b83f1fb151e9c620c8bdcbe36cec2204413e0bdd7f0299e6523be4a669510758b57e205b956897dceae54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
195KB

MD5
873734b55d4c7d35a177c8318b0caec7

SHA1
469b913b09ea5b55e60098c95120cc9b935ddb28

SHA256
4ee3aa3dc43cb3ef3f6bfb91ed8214659e9c2600a45bee9728ebbcb6f33b088d

SHA512
24f05ed981e994475879ca2221b6948418c4412063b9c07f46b8de581047ddd5d73401562fa9ee54d4ce5f97a6288c54eac5de0ca29b1bb5797bdac5a1b30308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
27KB

MD5
322ec754f369b14aa8898467033c49a4

SHA1
c6d01ad92e6e8a7e4a61a656f2bc931f1a5994cb

SHA256
a20310738269ab7907af99cf6abaaf81a876fd59dd36d9ccbd8fdbd4407489df

SHA512
6b2f26ba17a1a9172acacf71d8b69743f866579da7dde85789b2984e5d618c57d872fabd41f487b217c2d4b10409853fa2a03e3b77c9cdfd4ebb2ad313631b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
be71fb4f42644661b710eebf23e61b4a

SHA1
b4a668254cfe0fe2bab1343bac9b7d315c5876d2

SHA256
67195f453f4b6b8d2554c49147d191bc1215e4527994b352eec14734545a831b

SHA512
d9430e79e2ab9181f1f3dd0ce1896c0d2af9989a41d473de117e16dfe4e756cd6147378fd29cfba74fb5704d02d6a099efef8460cde528845066f28a366074d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f9ebf033527d580fefea163ec351f846

SHA1
b19c9d0e9b03ffcc39e5e338c208750cde4dfe61

SHA256
3b3cb46338768e90cb74f70f42b28bf7c7d8f712fd684ab2365089396191398d

SHA512
c47138a0b5f0fd46189e041876915d9912b6d9dc14ef965fcfc8a631edf9e7c1d8a301bf38772288364b1480c5b964f2bded6fa031395987b70765d375207e78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
286b5882f6a2ef598027fd4c1c8858ed

SHA1
10d982ac9c73a9558eda6ccca9c4367d0035598f

SHA256
127b7ce7f9f9f3450d24878f11f530333a087fa2a1a43dcb69a3964efb4a6b0c

SHA512
ea664d4e0a0c70727c393ed7a59f37882037f01b79b9ac0e562c4a1a38777993ec875ff8d992d875506f696ae1d147ef5d9e66418df2f3c547350f0f358905d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
15f9c08f21496f555d072744f3676cc6

SHA1
d040366e68d9fbbe6f5c27647f4f7bf46253ac6f

SHA256
1f0a0baf907b5419bbdfb286cd5bd11bd702bfdc9cb4b0dd12de6e7411723e3e

SHA512
77c9f89096bfdd53ff6cd5251b80eaf5e111e4fc05d2bb433612bac92079ce8ac1e1764b70cb3a16e6aaf775e1db2ae4861f6c7cc9918030740c6ff7edc11eaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b145b0e5273ddfba921a86a4092053f1

SHA1
ba34bf3ba31c72f3c0eee03f2c475a31f3b61fab

SHA256
3581b2f40d63719512a1a1b12dc7a103d0f401da4d32adcfd41b76df732bf85a

SHA512
839e96bf8d3ed8f1627b93fb9dddcf29c66bdad2906a981fb2b2024b8729fb9539a55f0f961e38bca8acd2dc21341a35c0544e9161ffb95ffa3261afe2e2774b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0d5e3dfdd64039b2c3d89039b81fe69f

SHA1
a031a9cc0f9888d34aecdc4e4386bf3e8b0f127b

SHA256
d04cf99496bacc116555a7fa3b33b9e12a1be2bbee0d05d9cfb9281294665368

SHA512
1a16947aa1339cc78ce19931bbd5763823e2dab777a8bd201f50af559e29f9d56e1b9d6d5bfe17954c611ac93360d10f6faf488dd968c3a1c151b60376bb113d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
7ecd03dce7e8eaf8c649caa5e207c72e

SHA1
6759ef7ec6832b51e4ea042554f6934e0572526f

SHA256
da1655ae518cc173ba13bd8b1a38b30c497f1bd510f12adf3966eac3d91d4deb

SHA512
5f57a7d3eeeefb8c24f625c8366124b0f2d34d14d437da3eaa6a96cec90c5e68c5e599b4754551a5a1af6b0089a8aa7bc2fcd46347713a7a97f6a883f0f71923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0840a1416fe15da2df574138100f78b1

SHA1
4d8ece6d964856166b6967821cb5f2bc1a3c19c5

SHA256
c8de0954c92b274ce43855ff2ef66a216a302e707037e81c08cc3b23b7a5fffa

SHA512
0b3de053a4eaa03173c32903fb9204c2a3bc4a2bbcf89a360a2cbf7cee5feeb554fafcfb0e99520510c0d4ab5fc9fc2afe1b92a22fe59bf2853c2bedd56a81e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
aedad7970f212463fe388e9c03065506

SHA1
1638af52b19f30222e023a2dccf2acfb6da4b150

SHA256
91b5cd42323386c9b1c9d3572f1475b44120f6fb09ff5621f3c89b17cf5964af

SHA512
36faa86a8fd72f976d78c1575a13568320bb2bd358abded85424f2c346eadc85c62ad43b0f35f08b8f35c4db25c7c5884e044b5104386f5828c624f958a6d07c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a18288166fad3abd44a5af84dae89200

SHA1
75f3c67b645055e3d47181e022e36738e8f0bfe4

SHA256
10d148c41a62feb671cbc0b0d243b153af36bbe7fa6de0f0515eb192c350ec36

SHA512
858fd3a1917b62e4d1bf037971e94f089409443a021dff38c62fe4fa3b6300f91ba8cf736c6ddfd74253448acabfb234bb0a54685d8ee9dc7e2f128964c30b97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fe65e242c8e91523dd56bb715cc6645a

SHA1
73da82550fa237ceec8bf01ec92e674ecccbf5aa

SHA256
f33c5319a625e3005d872b2c8aa0fe6e802e46e5efb39c4d5c46d3fd8a2bec47

SHA512
23ce5e123f970db9703fe8499c658b59e3cf4746c92cedfca405bfc78db20b3a3c08db648bcf68fa13395c43f327d96ec1fa0ba6f3646398ddb24e32785a6c62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f11513d3dfd43fafb1785b9d8c79cb8f

SHA1
ae8098eb6b2a1cf9e4acde700a6c6b5b2d61915e

SHA256
ea8f8e830e7dc78106d4a8a62173a3d39f71e2dc48edfb8330fce5bdf3215376

SHA512
3d5e45adce0dec2ac9ce49a7e3dbe93f2208abcfa8f0cecf9191b1c089400bc6b7ae3e4efe2cd6dbb6ff8c20b09ed071c6433c0448e5a4e0a6b94055768e7f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
186e7b95395fb5b921a60daf97256d8f

SHA1
fee7cd121f57239b23c36dee05a60d308d621b8e

SHA256
8c38d7dfd722dbff7f368d0e85f0eb94fdad81a0341d81788b1709496082cd06

SHA512
a68c327854a5ad453070eebe0ed96ce68da4d5badef65a5c878edbe138b9d243129e16500343f0636af228c80f34cdd1e45cc92971c137a2ece8bd2896e36f2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ad6b71c49a72c2a3e49cd5fd5db53bca

SHA1
b5c260c80dddd371c86c85a744cb618e09e4cadd

SHA256
495ceca929914734d48581a437a307008f3c58e61938152e79477058da0bf038

SHA512
6661f3b7d804621371105465df1c2f9ac5cb412a72ff0a7f594def4330e1f9e49c4d7821b4cb448f9462665daddbaaa94d2d929686cfb4f6474196242aafd61f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9894639b9f1b338ddcbb81ac69982eda

SHA1
453f8330bbac4b1b828c7f43ef906cbffd7192d1

SHA256
6695f60113549ed17e87ca20a249ef3e23fde94a5e2c07b9f5b731d12ebb954e

SHA512
f8ae53ef7042ae04bc9f6a5b75b2c0598c7b9e9e7baf1c9d3fac5d90b3f024c8c6f532b3e74577b08591a3d75b5ae3a7f4df2169f98506e36b006df61da528bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
642379b17d1e0cfa03fe2a22d1bae951

SHA1
8a6ac406e941e8136318456a405fc130af1f312d

SHA256
708e73ac290c1fbc1a74e9bc70bd29e92fcdb55c621cc9a9f2b15721f1810153

SHA512
a847625d44665e243e6ab12ca0bdac8e28cff1800d6ab1f7c8580688c3d421ba6457448c30500901902e25e3387fead0a2bd82c4c9e4c12f5749e58ee3f32a1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
eddd6768110e9b4e79042e54b9f7bde3

SHA1
5f9456da7a90480b60d04e77d8a635c05d967920

SHA256
39a65372751ba4530a4d76a92e7cd17e0109f8c619214a7acdf672b90afaae69

SHA512
f3e542fff6b52f55606cdbba9da991d2b5490ad78ea847ab9b55aec547949a1e9141a9d594074fc2ff5c11e4c39ae9e0a83867759386216c29151fd13a0349d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c2458.TMP

Filesize
48B

MD5
ec74dc1a88836f6989daa125820c20b6

SHA1
7fc9b3eb9e708cf318cc2675ef7dd510d4d9b26e

SHA256
f56163cf4ee2a979dae1ef1773035271925b7a0631ae470bdb4157d2ca1d4742

SHA512
541655d4e5959d3adc7825626860841c70b96a46de171158873f034225c409dc84c4302cafa2362918ae28367e47867cf9b5ec99194142b46ab981b84b7f9d3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6e06a9ae265eae900374fdd48d97020a

SHA1
d52b4c19815051d0e3796cffa91d7dd26f65a132

SHA256
83257a0106b3f09c5f392c1dd445b96298b1856335ddfcb49e451c91b19997c9

SHA512
e4b728438f23aa61e5194470d78a1d32a10ba1e16990a66e8d7d804323f451204645e3b246995d10b2e67835c2d9ff34894c5f87e404b1dd252b5d7c9d0321c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bf23c.TMP

Filesize
538B

MD5
490181fc3b68a01bff54a51e303db25d

SHA1
edcb6ca71147f40ffe2e6997b63169d1a4da68e1

SHA256
8753205ce4bd23c4f65a6f11bde2e7dc6afade90f2e8aedb467f7e2e997d8618

SHA512
1537dbf8223c01aaf65262fc6c4a5474d4ee9f2526990927392612a4da04dd99a5905e51f3e711aaff5707660eab2360835d5f53ef89a270477d371441553e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f0f989effd61c9b667f07942c9991e4d

SHA1
6da004468d7db8b6d9f74bcaca799d47cad18724

SHA256
78f7225d362c37b45cff966baaedffeda8b856418756777b689ea6df1a595b83

SHA512
3f55e8c2e8999743be6ae8db1ab6b1682d829817182f5f373b4996b8f4f9e5cbc7287653c5c62543100fb1e183d2a35672fa05a0b08f5b98690e281550a99250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
3585d45e74ef45a897fe0c62e1d71baf

SHA1
e5cdbada76766c10a00f6512f7257656f9a22431

SHA256
8a8facb70bbf7ef340ebe7701ec2b96612e953a6184d29ee2ba6602c0b87207b

SHA512
081ee7628871330db0583faccba220b25b7b3558539b1badd28d44cec33a82ee1e3f711d7506f7dc40c9eb24a6a4d405145bf7fb92263e14cab0b566a673c200

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD9D7.tmp\BgWorker.dll

Filesize
2KB

MD5
33ec04738007e665059cf40bc0f0c22b

SHA1
4196759a922e333d9b17bda5369f14c33cd5e3bc

SHA256
50f735ab8f3473423e6873d628150bbc0777be7b4f6405247cddf22bb00fb6be

SHA512
2318b01f0c2f2f021a618ca3e6e5c24a94df5d00154766b77160203b8b0a177c8581c7b688ffe69be93a69bc7fd06b8a589844d42447f5060fb4bcf94d8a9aef

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD9D7.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD9D7.tmp\nsWmInstallerPlugin.dll

Filesize
3.7MB

MD5
82d9ae773aef782fb16d538c57259599

SHA1
a60628f88b8dc55a2a087e7531ddac4fd4656a52

SHA256
e5fa172e16fa5705dbe145a8305d6ec2f79b723a703b6c9f9e16c588b206c01c

SHA512
f9cbf85ae66ab7ea77b8616af290707a430c14861af9ee81cf52590cbfe9a27bfe146cb7cb11f011be42ec8533cc54cb46b68a2a28c3ddda7f28adb6a421e01a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsxD9D7.tmp\nsis7z.dll

Filesize
438KB

MD5
e11da6f1d0b07caf3df6ea25ed444616

SHA1
8b7f3ac385e04d25988998d36b890e1f426ffd52

SHA256
689e0e89b413b7977ee51bfb932f2a7955826c2d186d3bdabacab46189a54421

SHA512
881330dc1566047a50cc8b84eeb2d33248b76ee0b825af0463db5151bc9d1f58c8269f894443efd51fa9611241ae40dea310afc33ad835ff5e2e165fe829c06b

Download Submit
C:\Users\Admin\Desktop\云•幻塔.lnk

Filesize
811B

MD5
94071998ba54634d934eff90c1d7482a

SHA1
111f82901b28fe6792910845d44b5d169b5c3e29

SHA256
aa8a5ce4d9d6c2564017a9639aa6bf946db063ef970162e34162da66e24734a5

SHA512
b682dc637121f16af8dbb18c3123ba111bb36da70de7386dcce2e2a3178c090fa412415a6e8a66c8b9cad43ad228546b570c807dfc10e79f563d0c5b37570964

Download Submit
memory/452-838-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download
memory/452-839-0x0000000002F50000-0x0000000002F51000-memory.dmp

Filesize
4KB

Download
memory/452-833-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

Filesize
4KB

Download
memory/1684-813-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/1684-96-0x0000000002B00000-0x0000000002B01000-memory.dmp

Filesize
4KB

Download
memory/1684-95-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

Filesize
4KB

Download
memory/1684-812-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/1684-93-0x0000000002810000-0x0000000002811000-memory.dmp

Filesize
4KB

Download
memory/4664-81-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/4664-60-0x0000000002840000-0x0000000002841000-memory.dmp

Filesize
4KB

Download
memory/4664-62-0x0000000002E00000-0x0000000002E01000-memory.dmp

Filesize
4KB

Download
memory/4664-64-0x0000000002E10000-0x0000000002E11000-memory.dmp

Filesize
4KB

Download
memory/4664-82-0x0000000002E30000-0x0000000002E31000-memory.dmp

Filesize
4KB

Download