c12c9bb19d17f63cd8595b9a88c2c6913f6474c9d4c8b462e1dfa32a0f112535

Analysis

max time kernel
1038s
max time network
1028s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

v.1.5/FA Installer v.1.5 .bat
Size

83KB
MD5

01cb29916177e46315107b76be8f6cb5
SHA1

e218815f2e951604fe76af1e2fb5f0e3137c9a51
SHA256

5f010d661da950fb604ab5b004abe0980af6f5dffb1441df6ee054348b4490be
SHA512

7e2a2cab16a3e65744bbb616f81783bb8223f26708e851a7b172f4f0e298736f805e451c679b5edeb2ae68d3da04949f212f052babdd96f68a00b380575505ce
SSDEEP

1536:8SSG9nf9tUc+nuxGIFwyKhTf+DxhbHAtr5t6EQM1J4Ey4fg+5Q:8PGDhbHAtr5t6EQM1J4Ey4fg+O

Score

7^/10

execution

Malware Config

Signatures

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5404	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 14 IoCs

evasion

pid	Process
1608	timeout.exe
4608	timeout.exe
1964	timeout.exe
3204	timeout.exe
4552	timeout.exe
3360	timeout.exe
1060	timeout.exe
1340	timeout.exe
2560	timeout.exe
4172	timeout.exe
4548	timeout.exe
3604	timeout.exe
2820	timeout.exe
5456	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
3308	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1337824034-2731376981-3755436523-1000\{862A8C53-F870-4382-A507-1E0A13E0F40E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	WScript.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3868	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3964	powershell.exe
3964	powershell.exe
752	msedge.exe
752	msedge.exe
1396	msedge.exe
1396	msedge.exe
2728	msedge.exe
2728	msedge.exe
3684	identity_helper.exe
3684	identity_helper.exe
6060	msedge.exe
6060	msedge.exe
5404	powershell.exe
5404	powershell.exe
5404	powershell.exe
5444	msedge.exe
5444	msedge.exe
5444	msedge.exe
5444	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3964	powershell.exe
Token: SeDebugPrivilege	5404	powershell.exe
Token: SeDebugPrivilege	3308	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1360	OpenWith.exe
5388	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4200 wrote to memory of 4412	4200	cmd.exe	111
PID 4200 wrote to memory of 4412	4200	cmd.exe	111
PID 4200 wrote to memory of 3024	4200	cmd.exe	112
PID 4200 wrote to memory of 3024	4200	cmd.exe	112
PID 4200 wrote to memory of 1716	4200	cmd.exe	113
PID 4200 wrote to memory of 1716	4200	cmd.exe	113
PID 4200 wrote to memory of 4384	4200	cmd.exe	114
PID 4200 wrote to memory of 4384	4200	cmd.exe	114
PID 4200 wrote to memory of 4400	4200	cmd.exe	115
PID 4200 wrote to memory of 4400	4200	cmd.exe	115
PID 4200 wrote to memory of 5068	4200	cmd.exe	116
PID 4200 wrote to memory of 5068	4200	cmd.exe	116
PID 4200 wrote to memory of 3108	4200	cmd.exe	117
PID 4200 wrote to memory of 3108	4200	cmd.exe	117
PID 4200 wrote to memory of 3120	4200	cmd.exe	118
PID 4200 wrote to memory of 3120	4200	cmd.exe	118
PID 4200 wrote to memory of 4852	4200	cmd.exe	119
PID 4200 wrote to memory of 4852	4200	cmd.exe	119
PID 4200 wrote to memory of 4020	4200	cmd.exe	120
PID 4200 wrote to memory of 4020	4200	cmd.exe	120
PID 4200 wrote to memory of 1552	4200	cmd.exe	121
PID 4200 wrote to memory of 1552	4200	cmd.exe	121
PID 4200 wrote to memory of 4508	4200	cmd.exe	123
PID 4200 wrote to memory of 4508	4200	cmd.exe	123
PID 4200 wrote to memory of 4000	4200	cmd.exe	124
PID 4200 wrote to memory of 4000	4200	cmd.exe	124
PID 4200 wrote to memory of 1028	4200	cmd.exe	125
PID 4200 wrote to memory of 1028	4200	cmd.exe	125
PID 4200 wrote to memory of 1340	4200	cmd.exe	126
PID 4200 wrote to memory of 1340	4200	cmd.exe	126
PID 4200 wrote to memory of 1060	4200	cmd.exe	127
PID 4200 wrote to memory of 1060	4200	cmd.exe	127
PID 1552 wrote to memory of 3964	1552	cmd.exe	128
PID 1552 wrote to memory of 3964	1552	cmd.exe	128
PID 4200 wrote to memory of 3868	4200	cmd.exe	129
PID 4200 wrote to memory of 3868	4200	cmd.exe	129
PID 4200 wrote to memory of 1396	4200	cmd.exe	130
PID 4200 wrote to memory of 1396	4200	cmd.exe	130
PID 1396 wrote to memory of 2688	1396	msedge.exe	133
PID 1396 wrote to memory of 2688	1396	msedge.exe	133
PID 4200 wrote to memory of 3604	4200	cmd.exe	134
PID 4200 wrote to memory of 3604	4200	cmd.exe	134
PID 4200 wrote to memory of 1608	4200	cmd.exe	135
PID 4200 wrote to memory of 1608	4200	cmd.exe	135
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136
PID 1396 wrote to memory of 60	1396	msedge.exe	136

Views/modifies file attributes 1 TTPs 10 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1716	attrib.exe
4384	attrib.exe
5068	attrib.exe
3120	attrib.exe
4852	attrib.exe
3024	attrib.exe
4400	attrib.exe
3108	attrib.exe
4020	attrib.exe
4412	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\v.1.5\FA Installer v.1.5 .bat"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4200
- C:\Windows\system32\attrib.exe
  attrib +H "C:\Users\Admin\Desktop\FAtempscanbat.ps1"
  2⤵
  - Views/modifies file attributes
  PID:4412
- C:\Windows\system32\attrib.exe
  attrib +H "C:\Users\Admin\Downloads\FAdowscanbat.ps1"
  2⤵
  - Views/modifies file attributes
  PID:3024
- C:\Windows\system32\attrib.exe
  attrib +H "C:\FA_Antivira\FAoptionScan\FAscanthfolbat.ps1"
  2⤵
  - Views/modifies file attributes
  PID:1716
- C:\Windows\system32\attrib.exe
  attrib +H "C:\Users\Admin\Desktop\FAtempscan.ps1"
  2⤵
  - Views/modifies file attributes
  PID:4384
- C:\Windows\system32\attrib.exe
  attrib +H "C:\Users\Admin\Downloads\FAdowscan.ps1"
  2⤵
  - Views/modifies file attributes
  PID:4400
- C:\Windows\system32\attrib.exe
  attrib +H "C:\FA_Antivira\FAoptionScan\FAscanthfol.ps1"
  2⤵
  - Views/modifies file attributes
  PID:5068
- C:\Windows\system32\attrib.exe
  attrib +H "C:\FA_Antivira\FAoptionScan\FAtempscanVT.ps1"
  2⤵
  - Views/modifies file attributes
  PID:3108
- C:\Windows\system32\attrib.exe
  attrib +H "C:\Users\Admin\Downloads\FAdowscanVT.ps1"
  2⤵
  - Views/modifies file attributes
  PID:3120
- C:\Windows\system32\attrib.exe
  attrib +H "C:\FA_Antivira\FAoptionScan\FAdowscanSIG.ps1"
  2⤵
  - Views/modifies file attributes
  PID:4852
- C:\Windows\system32\attrib.exe
  attrib +H "C:\Users\Admin\Downloads\FAdowscanSIG.ps1"
  2⤵
  - Views/modifies file attributes
  PID:4020
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAshortcutinstallerdesktop.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\Desktop\FA Security.lnk');$s.TargetPath='C:\FA_Antivira\Fabi_Antivira_Securety.bat';$s.Save()"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ipconfig "
  2⤵
  PID:4508
- C:\Windows\system32\find.exe
  find /i "IPv4">> "C:\Users\Admin\Desktop\FAnetinf.txt"
  2⤵
  PID:4000
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /S /D /c" echo ipconfig "
  2⤵
  PID:1028
- C:\Windows\system32\find.exe
  find /i "IPv4">> "C:\Users\Admin\Desktop\FAallinfo.txt"
  2⤵
  PID:1340
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1060
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\FA_AntiVira\info1.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ufile.io/1cs1w93x
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffeea0246f8,0x7ffeea024708,0x7ffeea024718
    3⤵
    PID:2688
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
    3⤵
    PID:4264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
    3⤵
    PID:4824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4560 /prefetch:8
    3⤵
    PID:4692
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5196 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:2728
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    PID:2160
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
    3⤵
    PID:660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
    3⤵
    PID:2664
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
    3⤵
    PID:2552
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
    3⤵
    PID:5136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
    3⤵
    PID:5144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
    3⤵
    PID:5436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
    3⤵
    PID:5616
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6116 /prefetch:8
    3⤵
    PID:5624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5756 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
    3⤵
    PID:5968
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
    3⤵
    PID:5976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
    3⤵
    PID:6108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
    3⤵
    PID:4436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
    3⤵
    PID:4888
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
    3⤵
    PID:5612
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5009136430705615794,767680347546399122,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6364 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5444
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3604
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1608
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1340
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4608
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:1964
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:3204
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2560
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4552
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4172
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:2820
- C:\Windows\system32\timeout.exe
  timeout /t 1
  2⤵
  - Delays execution with timeout.exe
  PID:4548
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"
  2⤵
  PID:5000
- C:\Windows\system32\timeout.exe
  timeout /t 60
  2⤵
  - Delays execution with timeout.exe
  PID:3360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\FA_Antivira\Fabi_Antivira_Securety.bat" "
1⤵
- Checks computer location settings
- Modifies registry class
PID:4984
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAprotection\FAdownprotection.bat"
  2⤵
  PID:5308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -NoProfile -ExecutionPolicy Bypass -File "C:\FA_Antivira\FAprotection\FAdownprotection.ps1"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5404
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAadd\FArev.vbs"
  2⤵
  PID:4872
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FASecLogsTxT\FAupLOG.bat"
  2⤵
  PID:5328
- - C:\Windows\system32\timeout.exe
    timeout /t 5
    3⤵
    - Delays execution with timeout.exe
    PID:5456
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAvbs\FAbuttenUser.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:5008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAvbs\FAscanmenu.vbs"
    3⤵
    PID:4412
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAcmd.bat"
  2⤵
  PID:2344
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im cmd.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:5388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\FA_AntiVira\info1.txt

Filesize
160B

MD5
e0493d2dce5e5bf1255ac2184a75b7a4

SHA1
f5640123bfd25d4a973381396588d4f6b3bb6893

SHA256
72642da4b2db58226b939fe7e1466e28877f6bdad2791dbbff5c66d13d8ca6d7

SHA512
4b406cce2e8ce1ea6bbf2544304887bb399f1c4efccdce8509f67412916650f4c815a5b3897eaca285f96735daac8a603dd5fd9cd2a48a39dcf656f555934d38

Download Submit
C:\FA_Antivira\FASecLogsTxT\FAupLOG.bat

Filesize
466B

MD5
0ea60cedc7c561c2b3eceb58339f3bb2

SHA1
1c500a5b3625aec2d3f1b2a204b921b5e85c45ae

SHA256
957680d4b0ac571bdf53e789855625ca7c68bad067f02b8fc9a7ab74355cfe51

SHA512
c479cc265cf906b50f03a46571cb28471511f1cee4e35674ac968f73fc68bad972329a825fc1d9fce4bf11ad8cc624bcdbc0a7fe751711f1ae0ed53a8236b597

Download Submit
C:\FA_Antivira\FASecLogsTxT\FAupLOGlogFile.txt

Filesize
69B

MD5
f3c14b650a9c8c735acbd1e1ca2db77e

SHA1
f02f25a0f37e798ccc588576118b8a024bb27223

SHA256
e4ab6e0e6edf808e01b6e685a5ea3624a1dd23a973a0decdf92d312f52af2275

SHA512
63060d26b52bbf71f1164dae4a18902877c51bd78caac13c2e131b66e6f05f35188f4196a998c81d4bf0ae10135d9c51f74e34e88b35c5b770aa2d5a27065278

Download Submit
C:\FA_Antivira\FAadd\FArev.vbs

Filesize
237B

MD5
b1d409d53118c7dce65dcd1715f62405

SHA1
8e06c5dde266521403627d97b19080f7d5184e97

SHA256
5c390c8d3b5bd97d9b0a23450f0eb7815ef046e88d3671e1b04dcf44913750ee

SHA512
a9eb234ff2a5f89a41343c0c40e62c8a730ed5acb64d79a4be9d3a0a26cac1640d7c038a7ef1862fc338305a3b2e146bf908d5a17c4c3ae01547570633a57a7e

Download Submit
C:\FA_Antivira\FAadvtool.bat

Filesize
13KB

MD5
3bcd8f1256bdc7e042343a5cdeaab347

SHA1
90ae74fd0144d89a50d8a0e88cffcebad2467a92

SHA256
87952df14f2d111090203545f7b89fe4982b71b9f1f84c7a226175d12f7ec4a4

SHA512
1059055b471a0628437dacd96817939cf656685de04219b83776890ebb0e6f7cd003a04e9454d39843806bcc99e171a42b09d09a2479c10fcc5d81a1110f8ccd

Download Submit
C:\FA_Antivira\FAcmd.bat

Filesize
26B

MD5
c4645d6e11ab471b8e0d246a285ca38f

SHA1
cfb73001deb5265fd23118ea7c92b069726e0744

SHA256
d3e398863bb562e0d6df0915b463e633dbb25947728fb2c5ea097c28a063491d

SHA512
b0e49f720ce0738a5f77fd2e1e7383756ebcba77afb71c2d3c3962c0ef1d5a7054bed41963801fc570ec468ddf8a10c38756b9b3ed341b3c18d5a714640886ee

Download Submit
C:\FA_Antivira\FAoptionScan\FAdowscanSIG.ps1

Filesize
735B

MD5
19c33a3c471d52342e7c48e2009c5281

SHA1
223075bbcbc2e95348ce7cb8c0f626a855db403d

SHA256
b0dcc90f9046b7079d26abc72552089b06a955591e525603d064aca45758c9e5

SHA512
5fba97953f97dcadd2d4087296c7ab9adcd555591bc27b0bb9fce0bef8a8d71f41452e9c66b2bc910a574581a9eb8d1bb054cd24201885fe5d7bdce0f04df55c

Download Submit
C:\FA_Antivira\FAoptionScan\FAtempscanVT.ps1

Filesize
1KB

MD5
bf5decff64137c1ab093a716018c6189

SHA1
384fce1fbfe8d92a34f97dd7f05fdedf6b374aef

SHA256
2ff0da73477c575831e89abb3a75543fd2d6be8392a9ac4c1bff778b9e07e1f7

SHA512
8c6b9ebe7a27440db8a4408a452b1b809c473133609b67834758b381931d294a2ab1ce5bee1f7f9fd6a4e84c2dd59f107567a748e0fa1795aa0ab84d08126ef7

Download Submit
C:\FA_Antivira\FAprotection\FAdownprotection.bat

Filesize
105B

MD5
1730a595032204dacf8a827fe3bd9bc8

SHA1
2804c1842df36731658ac5bbb2492ac39ae6166a

SHA256
e226818b103c3a2e361b4dcddcbddfafa0bfae83725e28ab998bb26a2c68d958

SHA512
66a1ff878a62ea6189a34b823b5d29f67bd76dd56def9024a22daa0fc0843313c92b7f9244546584108ae205413ad3271cf176720555a7bcb6ff64a22ca84212

Download Submit
C:\FA_Antivira\FAprotection\FAdownprotection.ps1

Filesize
802B

MD5
4018438daadd26062f69b240ef0686fd

SHA1
a1fb7c29ded4377d507ffdd3869ee050527e1c15

SHA256
bd6d4690f94890f5523f74e15e3c45d16143253d7cf25ba9566b87f46441e76c

SHA512
a2a330953e22bad703e2a498ed3a55ab5c3470019bbe35586b39f7568cbaf89e6b47aa7c2d27b8fd439c4e8e6ca3fe87cbb9c89be9932135962415aa8e3d3433

Download Submit
C:\FA_Antivira\FAshortcutinstallerdesktop.bat

Filesize
579B

MD5
43ac0b308354a69a243ade90d4710a48

SHA1
eb13fd963da445a000a2bde81254a6165fb35ede

SHA256
a66196a3237ebee214521d8a60c9747137c2abd928dd3123663ce6bf5b760bc7

SHA512
e5a8f9934c72492bb7631140a6bedb0d114f8dbc9b4c1a7cf80976216db0e9acba411cf0841bfee988a3eee2639a0596919a51c6eaeced3ab1a62de2abe96ab0

Download Submit
C:\FA_Antivira\FAvbs\FAbuttenUser.vbs

Filesize
1KB

MD5
4707abd071ca697e13eecca2160b5dbd

SHA1
854318de99b20f1ff9075cc443cdfd4846e56f1f

SHA256
1e1d3cdbf5322d830e8be47eab2917e9544d4633b8c3e6ae5feadfc1b0670ce5

SHA512
dd1dab99ddfd5ad0e34773a65d782405768456beda60674100fdd6427b52a5b345895cbdcdc7b8e4a5ca5af94565cbece1545226f772d9ea272c16fc033c24f8

Download Submit
C:\FA_Antivira\FAvbs\FAscanmenu.vbs

Filesize
815B

MD5
512ecb8cf919407338f5a5d203870a5d

SHA1
b5c08ecf919f3e1d28eabba0c8edb5570c108c33

SHA256
254a1e31246d5ef2ab6a599ccfc567ce663acc7f57baac221efe8f0ac1c85e62

SHA512
d03ead41a8c18648373cfcc98e687f0195ebf536ce529e97c20a162d53d191cd654deedc854c0f8a4cfb0d237633fe7d572c8f2ec0c0f213f1881351cc20cecc

Download Submit
C:\FA_Antivira\FAwlc.vbs

Filesize
37B

MD5
8af233a3816f2564fe1dd935a228eed5

SHA1
e135f58494c4aa12e4c3fc1c6a5645716bac5384

SHA256
9c30303185a1337fa4f8b22c5cf93bfa40b5f437bc82abd168c4aa0a85889ec0

SHA512
2fce3e661e3d677848817d80567fdff464bc5c12badf3ff454576252facd49b159bd00e8da6ed96fc9748ca0c8b9d24d64a35651c29de1daaf2cc718fdbff8c2

Download Submit
C:\FA_Antivira\Fabi_Antivira_Securety.bat

Filesize
340B

MD5
16b203a94144522c9146b3253129062f

SHA1
5ad694c15bd8bb67814fa6a57bfb150895c9e200

SHA256
76f764f99716c453dcb02f34c8f5726acfe65292c0fd58405152e4b7b1803f63

SHA512
3dddd7814eae3aaf8bc4d8c6be266963621b792799d3f384e13db4a19d6ac82e6dd2a84fb5d6be3bc4eff25ee5073ff9ded62147079b44ee87304cafa0ac78b4

Download Submit
C:\FA_Antivira\Python\FAMsh.py

Filesize
1KB

MD5
f06a97184ed1bb25f16c559a16415e22

SHA1
8c60c67cd77ec37957aac94b2f8a745027bcecf3

SHA256
446e6cb5b08b78c8197642f18073f86f704dd642767f69bf149499015b0cf023

SHA512
7801b20f5540881b2fb254c1eceb279604e08d63eb58f3cd8d6e3584cf58950a9727b3be651cf461ab31fa420efe86eb68df91fb8e84bd3213e0ac151d7496fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
207KB

MD5
e955953b801c04327c1e96c67dd3c618

SHA1
f9061d3780f153e863478106bf1afd85132bccb0

SHA256
e8965a2d52ef25918ebee58ab6971745d396177a7943acf1ed53a65bb4dddd45

SHA512
6318ff1eb838954dd73dab5ed891d47f4f39089fa5e899d30183c32269c5620bd09d169af4cf8303e3d5c2ebab23cfe9ae5d9fa5c3281023abb009f66a25782a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
eb871aeda582f31688e4c5f50f4eeebc

SHA1
d833d726c00bf1b92e8b10353b15ca8dc2024c3e

SHA256
09982354fd6b3f404eda0107762a867cb3413550359e1befb01716ebc09d80f2

SHA512
2470e87c1053865077de9b6dd83c0d1b72824acf712b759c30771e608495814760ce7b6d5c58b77d53b5965a6117fee3c730b141db31e519018407a16eb78db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
0ed19ed6aa2e50145806c2835bf5a1c0

SHA1
cc108f43b925803037d436e98b5eca43db5815b4

SHA256
0fcda195d0457b005b248016593bfff81b2e1d3cd7b9fb2f60730e8ee337737f

SHA512
c38f232dab294ea1a3846ac9bc2bacb125d7ec517b11a1ca1deea6b27ca907c6d86c11fb6ee7ce477e5be0f6b5147ed63ae2f891b680391cff0744e93eb448cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
35ec288c90b803c206a5ebe02257aa1f

SHA1
293eedb5a17536993cae500850cb8d5e9bfcf5e8

SHA256
199746e6a79c8be09fee9ec295dfab4aafbe8d9e758b19faabc55e6e7bee53f8

SHA512
c134057757f1354d2eb89d7698bdc8e208d3999315cf45f55e9c8f79d5d0692cf007f2b2cefcf6a8864f81df64db26423368c6905805540d06d232573d04014f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6085024ae2e8a75645c9b468328a319e

SHA1
4006ed9a657a1528754de6f5a37e74881ccc7b90

SHA256
b3883491fe0d2821a0e61701e415f725e8e966b276353a3675cdd99211262d72

SHA512
5d7d018c21ad7cf8ab0f2a369731679f9dfebe8bba3ace452be22af7ef8759f5ae719334daf98c47bde33e47acb7abea8a85e395e1039a2b041b5b197d14a5d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
8b39733ec7901dbc5596d7b3ee468727

SHA1
06ca4450b622fe82fcc46e14b93450a280aec57b

SHA256
b44288d15877d8443ba9f808e83a6e16734510d4a974f8071c06c0fcef45634c

SHA512
2d0e4895194a4239126b9fb499718cd3dfec5c06088cfd39d6ff38eeb73a5504ae650bbbec753f0ec76dd27bef8dccf94823e058512fe108b320299397b27db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ae949e5081ced251668023b8832c867

SHA1
4da0be35af459aacd42a90f3e654760063c47774

SHA256
7aa8b0e661dc70a5978e00ae4d6ba7e02cf5d1a3ba44658180f84b986f94cfb7

SHA512
1049641cf5741315ca041a3213da9d6d9629a9b540db14cbb3f95b5b7eb3c110a54acc9b12efe3a270f4756b77dfa61d98d157122c016cf222e765b4d023373a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
784856a8bafc2451cec9f94b1659a3a6

SHA1
b61f13c2263b379ac1e6c0e1baa27c1626b64cd8

SHA256
7c77907cb3bf4ad87b4347526208e419b46c8c68a067695a7d45793bc6a92eea

SHA512
5fc6f922f9c8eeca4772606cb6ec8cf62b4cdd3dec1d8e23010d10a6e51a2f6200e1ba27c09c9150f27ba23e748784ea8edaa1d71f39d2ceebf1df38b11b42c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dd9f0cb844a4141b4a4debc697a4764c

SHA1
8d586218469763086300496c749933efaa150e1f

SHA256
3558daf181070279ced251ffe400e46f29a59947af2a2a0198a9c76739c9bc46

SHA512
91f7285a3aa70b5b09058497fdebbcfc7c1ea7338044b93c30934f884ad6946210b2f6f5e543a8efac443f40256ab7e383b59eb49c3645514e8652a1c526151c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c7c22fa58f30e28e81c1536eff2f41e7

SHA1
686702a33695836a6dad6ab9de9eb5a49b7182b2

SHA256
2e15131077613df9a50b77b89e97b53ed48c36650bfbd9e97abdc7ed027338cc

SHA512
76a0a6d9dcec9f39a0f9c55e142fd67e8e16ba5a040f3d355db6e4fe51f7c61b2cbff16ae17ebef5eae01c9f6bdd7f226d168caad02b08fec8f0ef0c5d012bcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c49f2899d68c9eb68f26bf1fbcfe7089

SHA1
b59523153aad77d8f1dc6d89a1bb060976ec50c8

SHA256
dd7005a4508fc829d0040dc74810566611bb73ef8691fe666881b61a9098ae62

SHA512
2629933bdb18b0f7b916381ea2d31020789ac288627c9649ed9aac8495bcf4925533bb55766ad4f3e967a15fe4d6057b4bb0bc9225138b1c09465f1a0229b5c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0eb5a4b510878f9cd1c760af8e1ce6e4

SHA1
c3f304f36e00b3c5c9fe2115a031bbd274b20279

SHA256
03d733e7bf10ee45547da443373aa4f4b977e41f8be7b1daab9133f4aabb0849

SHA512
f16d87c370656cd2368a660dd35f09f9f97f9130ebd642368ab6c215d94ccd439fdba06927a572064668c6ebd7aa62dd54f25a967bfb7591220f35247a575826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
537B

MD5
e33214b2a23348b725da49ea12074f4f

SHA1
3dc7cdba3c086da5d861849a55058125e859c76e

SHA256
c344854c91fb7e7fcf93c9615fbec3a7c2fd86614929b6e660b6cc4128189c5b

SHA512
03e04d5b492611c6bb7089b6147c92f7eef529600d9b421d368e33d88564101a71828043883cb7afd073ba5b0d33da2eb545fa7d42e6cc2511bfae8a75f1a106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59fc48.TMP

Filesize
537B

MD5
986b42d5680e4d01bdd5e5180e9209db

SHA1
689d6bf32565ab213e3f9088401fc3a30bc7ffb6

SHA256
1d4279eb3001db70becfbe8ccd1bc3ba36c01f93de6d0bd5e149800e12e24235

SHA512
6471003c1a8127d26d8b3ea7f8be4ea00dfe8b1f7063a6c4c0dfb665398825d71a025aa5f41f46356717b83921a7678a8aa36ec3709921661d296639f2ffa7e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
829f75b9439dc5aa5a4ce003dab5d613

SHA1
af27508077fa9b09bb98a8c81f28cbd33c18f417

SHA256
d3572c0aabd6f081f3592f6e3b2f18496478bb58fd81e025382b7074e998859a

SHA512
4605e3d6998f7abeca9b973612d010313c27f682f90f506ebb1772807aaa54b1c83ab9f3cddf6b543fbe80e4f8e2067e39fb861f473182128c122babf49c6676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
de5db3de2db9102eafbce284d074571b

SHA1
9a27d79a35bcbea27790dbad87c81b1edc890965

SHA256
8f0e72bc60cdd4a011369525e50eb8224fe331ecffccfd237c3412c1c05dc020

SHA512
531693eb493d48cd1324252b7ce9d53ac56ce6551ea57da177188d5a69ebc5d1b664d70ddd661f4df07edf3a03597674e09f04fc906b007ddd9a2e7e642c7e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
08f9f3eb63ff567d1ee2a25e9bbf18f0

SHA1
6bf06056d1bb14c183490caf950e29ac9d73643a

SHA256
82147660dc8d3259f87906470e055ae572c1681201f74989b08789298511e5f0

SHA512
425a4a8babbc11664d9bac3232b42c45ce8430b3f0b2ae3d9c8e12ad665cd4b4cbae98280084ee77cf463b852309d02ca43e5742a46c842c6b00431fc047d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j1odw33h.2en.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\FA Security.lnk

Filesize
711B

MD5
5d245e5aa187ddc18e8dadace9d0e161

SHA1
03810bad02ace949f9f47cb32fb52dfae69240aa

SHA256
a9febec910f53bf356432b37a19fc2d060bf87d39985a90366e6b4b7c61868e7

SHA512
861bc431f5a2a63a9c16523fa1d80f3765efdb26fa178d7a8cfb0f011225999132befac8a17525053d88e9fe6b23b1e11064573cbf6f6b99ca3d1f8b3a0fbca8

Download Submit
C:\Users\Admin\Desktop\FAtempscan.ps1

Filesize
1KB

MD5
8c86cef91ac07f12ee66f7996cf8aa24

SHA1
6d71666c0f57652c475ecd2f8a50759356f579c1

SHA256
41fc8753432f5088a99bbbc8e64b6533f8757f063c35d961c2acbae29676dc50

SHA512
49286fce4cc7232e650b994babb2392393cff1f16911710fec62615a85653fc3510278b83ac1d6c1408f6ee84e4e1d28cc04d70dab14b5f460df1e1798c189ad

Download Submit
C:\Users\Admin\Desktop\FAtempscanbat.ps1

Filesize
1KB

MD5
670bb28f45d73c68e698831a42f0db8b

SHA1
cb655371e1777e6687b9a624be0c0bf606900a68

SHA256
6dc3b08621061f67b40d1728baf7d37182dccefbe8c770b9993df73d58738916

SHA512
e2877344ebdd957a1cfed13bc6a99c3fcfdc45ede5dc6a3d9377246be8498df282c7adbd3371c7340c786b0921e9a51f67b523506aa3a96b1d81563ec8c6a0e9

Download Submit
memory/3964-97-0x000002611B060000-0x000002611B082000-memory.dmp

Filesize
136KB

Download