Overview

overview

8

Static

static

1

NordVPNSetup.exe

windows7-x64

7

NordVPNSetup.exe

windows10-1703-x64

7

NordVPNSetup.exe

windows10-2004-x64

8

NordVPNSetup.exe

windows11-21h2-x64

7

Analysis

  • max time kernel
    956s
  • max time network
    892s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2024 19:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NordVPNSetup.exe

  • Size

    1.7MB

  • MD5

    59cb69a08fdd9cb4b0539e3356df1d4d

  • SHA1

    0c773a0a76f821780c002d527bee387b98904569

  • SHA256

    bea34078c360c71fcadc1a86ebd397d081f0d589913ad43970c1a3983231f522

  • SHA512

    51d4f3d396d183bc5dcaaa0a26cf024fade9b5e5c0e73e1d2ee7663ba26bc55e799beb488d5bab8d8252147b33df6ea1209ebd730124a919940e899758842ec2

  • SSDEEP

    24576:u7FUDowAyrTVE3U5Fg23TD2D+Fz3ifFUwo433RfFcdnOtksSm:uBuZrEUWq0t9D7l

Score
8/10
persistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 5 IoCs
    persistence
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 10 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 42 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 37 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\werfault.exe
    werfault.exe /h /shared Global\2019cd1ee8c542ce88d1e689ceb4ef56 /t 3432 /p 3428
    1⤵
      PID:3668
    • C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Users\Admin\AppData\Local\Temp\is-O8BSR.tmp\NordVPNSetup.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-O8BSR.tmp\NordVPNSetup.tmp" /SL5="$150022,890440,866304,C:\Users\Admin\AppData\Local\Temp\NordVPNSetup.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of AdjustPrivilegeToken
        PID:888
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffac96d46f8,0x7ffac96d4708,0x7ffac96d4718
      1⤵
        PID:980
      • C:\Windows\explorer.exe
        explorer.exe
        1⤵
        • Modifies Installed Components in the registry
        • Enumerates connected drives
        • Checks SCSI registry key(s)
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3340
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4868
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
        1⤵
          PID:1916
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
          1⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4492
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
          1⤵
            PID:4808
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
            1⤵
              PID:1152
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
              1⤵
                PID:3824
              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                1⤵
                • Suspicious use of SetWindowsHookEx
                PID:5000
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
                1⤵
                  PID:2316
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
                  1⤵
                    PID:1112
                  • C:\Windows\System32\CompPkgSrv.exe
                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                    1⤵
                      PID:2328
                    • C:\Windows\System32\CompPkgSrv.exe
                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                      1⤵
                        PID:2584
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
                        1⤵
                          PID:2324
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3800 /prefetch:1
                          1⤵
                            PID:4020
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
                            1⤵
                              PID:4204
                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 /prefetch:8
                              1⤵
                                PID:1460
                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3816 /prefetch:8
                                1⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:2848
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                PID:3908
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                PID:5744
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                PID:5008
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                PID:208
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                PID:5788
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                • Modifies Installed Components in the registry
                                • Enumerates connected drives
                                • Checks SCSI registry key(s)
                                PID:1396
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:5008
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                PID:3992
                              • C:\Windows\explorer.exe
                                explorer.exe
                                1⤵
                                • Modifies Installed Components in the registry
                                • Enumerates connected drives
                                • Checks SCSI registry key(s)
                                • Modifies registry class
                                PID:5760
                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                1⤵
                                • Suspicious use of SetWindowsHookEx
                                PID:644
                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                1⤵
                                • Modifies Internet Explorer settings
                                • Modifies registry class
                                • Suspicious use of SetWindowsHookEx
                                PID:3420
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                                1⤵
                                  PID:5536
                                • C:\Windows\explorer.exe
                                  explorer.exe
                                  1⤵
                                  • Modifies Installed Components in the registry
                                  • Enumerates connected drives
                                  • Checks SCSI registry key(s)
                                  • Modifies registry class
                                  • Suspicious use of SetWindowsHookEx
                                  PID:6060
                                • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                  "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                  1⤵
                                  • Suspicious use of SetWindowsHookEx
                                  PID:4364
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
                                  1⤵
                                    PID:2628
                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                    1⤵
                                    • Modifies Internet Explorer settings
                                    • Modifies registry class
                                    • Suspicious use of SetWindowsHookEx
                                    PID:4224
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4232 /prefetch:1
                                    1⤵
                                      PID:3592
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
                                      1⤵
                                        PID:3648
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5960 /prefetch:8
                                        1⤵
                                          PID:3620
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5516 /prefetch:8
                                          1⤵
                                            PID:4108
                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                            1⤵
                                            • Modifies Internet Explorer settings
                                            • Modifies registry class
                                            • Suspicious use of SetWindowsHookEx
                                            PID:4684
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
                                            1⤵
                                              PID:6024
                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                              1⤵
                                              • Modifies Internet Explorer settings
                                              • Modifies registry class
                                              • Suspicious use of SetWindowsHookEx
                                              PID:2908
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
                                              1⤵
                                                PID:5396
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
                                                1⤵
                                                  PID:116
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
                                                  1⤵
                                                    PID:1884
                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                    1⤵
                                                    • Modifies Internet Explorer settings
                                                    • Modifies registry class
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:3724
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
                                                    1⤵
                                                      PID:4520
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
                                                      1⤵
                                                        PID:4844
                                                      • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                        "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                        1⤵
                                                        • Modifies Internet Explorer settings
                                                        • Modifies registry class
                                                        • Suspicious behavior: EnumeratesProcesses
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:4108
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
                                                        1⤵
                                                          PID:4220
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5964 /prefetch:8
                                                          1⤵
                                                            PID:4304
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7104 /prefetch:8
                                                            1⤵
                                                              PID:4800
                                                            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                              1⤵
                                                              • Modifies Internet Explorer settings
                                                              • Modifies registry class
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:5352
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
                                                              1⤵
                                                                PID:4580
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6768 /prefetch:2
                                                                1⤵
                                                                • Suspicious behavior: EnumeratesProcesses
                                                                PID:940
                                                              • C:\Windows\explorer.exe
                                                                explorer.exe
                                                                1⤵
                                                                • Modifies Installed Components in the registry
                                                                • Enumerates connected drives
                                                                • Checks SCSI registry key(s)
                                                                • Modifies Internet Explorer settings
                                                                • Modifies registry class
                                                                • Suspicious behavior: AddClipboardFormatListener
                                                                • Suspicious behavior: GetForegroundWindowSpam
                                                                • Suspicious use of SetWindowsHookEx
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:2508
                                                                • C:\Users\Admin\Downloads\winrar-x64-624.exe
                                                                  "C:\Users\Admin\Downloads\winrar-x64-624.exe"
                                                                  2⤵
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:1020
                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                1⤵
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:4764
                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                1⤵
                                                                • Modifies Internet Explorer settings
                                                                • Modifies registry class
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:1660
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
                                                                1⤵
                                                                  PID:4976
                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                  1⤵
                                                                  • Modifies Internet Explorer settings
                                                                  • Modifies registry class
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:4868
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6816 /prefetch:8
                                                                  1⤵
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:1012
                                                                • C:\Windows\System32\rundll32.exe
                                                                  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                                                                  1⤵
                                                                    PID:3100
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                    • Modifies Internet Explorer settings
                                                                    • Modifies registry class
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:5668
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                    • Modifies Internet Explorer settings
                                                                    • Modifies registry class
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:3316
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                    • Modifies Internet Explorer settings
                                                                    • Modifies registry class
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:2328
                                                                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                    1⤵
                                                                    • Modifies Internet Explorer settings
                                                                    • Modifies registry class
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:3628
                                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4200 /prefetch:1
                                                                    1⤵
                                                                      PID:4092
                                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7248 /prefetch:1
                                                                      1⤵
                                                                        PID:2472
                                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
                                                                        1⤵
                                                                          PID:4476
                                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
                                                                          1⤵
                                                                            PID:1180
                                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
                                                                            1⤵
                                                                              PID:2440
                                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,12002508942962902936,7360912829456657624,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
                                                                              1⤵
                                                                                PID:5212
                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                1⤵
                                                                                  PID:5732

                                                                                Network

                                                                                MITRE ATT&CK Enterprise v15

                                                                                Replay Monitor

                                                                                Loading Replay Monitor...

                                                                                Downloads

                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                                                                                  Filesize

                                                                                  471B

                                                                                  MD5

                                                                                  dab29f0ff85749876aaa834e6c1b5918

                                                                                  SHA1

                                                                                  d514aa16346e208e62e1289a82af2ca16c5e64d9

                                                                                  SHA256

                                                                                  808cb554c37d8021989c5d145588c2bec772f12b9260dddf8c4d55b3babe65b3

                                                                                  SHA512

                                                                                  ffc6db04dee3b901eafb3a8f0234679694bfd66ced092917a4586f62bf8cbfdca6e6eeae3563a0f7ac7ee530d698aa9e36112cf7a0a483ccdfcafc58085056a3

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53
                                                                                  Filesize

                                                                                  412B

                                                                                  MD5

                                                                                  2c242c3226165734f06fef178cf8d883

                                                                                  SHA1

                                                                                  a6eac38a5f66a614abfa7083ca3b23185f084133

                                                                                  SHA256

                                                                                  0645ce40185716fb65e444b990e3bc8782db299bfe12200fa159a1c259a62509

                                                                                  SHA512

                                                                                  2c245b746882abcd10945447474c3d666f29b42966ace922a362aee40155ce874f94778fa022fd743b3025768fd744164b37e57b662ab4336fb441163c156220

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
                                                                                  Filesize

                                                                                  384KB

                                                                                  MD5

                                                                                  fb17a4c4f7057811eab7d1722fa8d344

                                                                                  SHA1

                                                                                  c083d57084d42af26026100ce5c725642a0bb9d0

                                                                                  SHA256

                                                                                  5df7dc1efa908d3a6817e3999dc2d62b7506fdb107863bb650ba75ec67dfb719

                                                                                  SHA512

                                                                                  ea8dc22bf9c95a8f153a83cfbd70b0c3b109224ee7bec62e4bd01031e04beaed034a332c55cf6858b94ff40f56a58d5b23b3241a725e39d845974fd2c2414732

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
                                                                                  Filesize

                                                                                  30KB

                                                                                  MD5

                                                                                  888c5fa4504182a0224b264a1fda0e73

                                                                                  SHA1

                                                                                  65f058a7dead59a8063362241865526eb0148f16

                                                                                  SHA256

                                                                                  7d757e510b1f0c4d44fd98cc0121da8ca4f44793f8583debdef300fb1dbd3715

                                                                                  SHA512

                                                                                  1c165b9cf4687ff94a73f53624f00da24c5452a32c72f8f75257a7501bd450bff1becdc959c9c7536059e93eb87f2c022e313f145a41175e0b8663274ae6cc36

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                  Filesize

                                                                                  2KB

                                                                                  MD5

                                                                                  6252070299b0c962e842c92687881d6d

                                                                                  SHA1

                                                                                  bc4a70db25067c92d256960a8c62724061f4f9f8

                                                                                  SHA256

                                                                                  777c0dfeffe65fa5613f4da19e63649df37a09fff0449ed375b14ed785f85000

                                                                                  SHA512

                                                                                  4c4904971ad07dafdf908c9893fe11128b96546c7882804648f409d3fd5f74621c070e7be9f166f0bb4884123bccb6b3cce2613f8c4b319a80a87f4b835190c5

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                  Filesize

                                                                                  2KB

                                                                                  MD5

                                                                                  e694acc184267dcdd2b81cd15c69cacf

                                                                                  SHA1

                                                                                  e7fab9d4f94d07312fb5f0dee3156edb80029573

                                                                                  SHA256

                                                                                  98cbc05499c13fd360740b03866df5d611ff5e6a2c27f6ac554f753b1f46f7de

                                                                                  SHA512

                                                                                  e56ebfbb6601ce2755b2ea12ca4ad83ee83f250466ae6e662f4aeff10d0e53d510b3278a6e5555f86e42b5815c50920bede2ce8823d977322822f7b0fc29c199

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                  Filesize

                                                                                  1KB

                                                                                  MD5

                                                                                  38168a103b1ab62f0f86db25ada6a57e

                                                                                  SHA1

                                                                                  df13f6ec7ead6f64e7bffd8fe81913aeb8216b3d

                                                                                  SHA256

                                                                                  8abf3b634453904bb3a9a9bca18e6d6ca51c69782553f7c6b5291a3b7ad02b44

                                                                                  SHA512

                                                                                  ef37b17e9d70da78a99d7a614cf58dc13778dfadf2a8fdbb3c1b76a76fb07923707c54e0f3b918906eaae1304d693b180bf86485106c1a772bfbe7a63f0de202

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                  Filesize

                                                                                  2KB

                                                                                  MD5

                                                                                  8d81a59ae2bea1191fcde096e622e68c

                                                                                  SHA1

                                                                                  a224057f6ae7c47f5e0571e7455b885ac2a92b93

                                                                                  SHA256

                                                                                  a1004cb2404f6da64c0bce792893eb8683593ddf608f293034c01e4b636b23db

                                                                                  SHA512

                                                                                  ec9babf41b04c0b2027fe52e7d7e01754cc0da1edbac9984b3c5cd0020d78831839debcd02335fb73db373394ae64c42b10a5f6356000a139446b9432235ea66

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                  Filesize

                                                                                  111B

                                                                                  MD5

                                                                                  285252a2f6327d41eab203dc2f402c67

                                                                                  SHA1

                                                                                  acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                                                                                  SHA256

                                                                                  5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                                                                                  SHA512

                                                                                  11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                  Filesize

                                                                                  111B

                                                                                  MD5

                                                                                  807419ca9a4734feaf8d8563a003b048

                                                                                  SHA1

                                                                                  a723c7d60a65886ffa068711f1e900ccc85922a6

                                                                                  SHA256

                                                                                  aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

                                                                                  SHA512

                                                                                  f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                  Filesize

                                                                                  872B

                                                                                  MD5

                                                                                  9cb1a90f3564af88c7a46e4d567c4600

                                                                                  SHA1

                                                                                  260d4eee3f963727f595f2207ccd1c71b9966dbe

                                                                                  SHA256

                                                                                  997734d5a23842beffcd82e53e324106c0aaa28f3a5a65c37a098bd465f541b5

                                                                                  SHA512

                                                                                  cb300ffbea8b2e17b64444e32cb3c14dc4688fe45badb31e4144c7a9d655e63ae2164dc82f8e40b908d2647940d534412e1ce28b713ceef50939328d93fc1b9a

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                  Filesize

                                                                                  1KB

                                                                                  MD5

                                                                                  d3d8eeb804d1b4b0301ba713b31fad7d

                                                                                  SHA1

                                                                                  86e89274fcbf302055a904f251423a1e85d0c591

                                                                                  SHA256

                                                                                  59f432dadfa6d23eae2e7397abc8344ffdcb3662950468050c84685770f07db2

                                                                                  SHA512

                                                                                  392147e36eac7bbf5e70116805461598f7d8d113148fff118001e42b8eadcafbd98ba2c080602cb4b0d5f20bdf9530214adf1be52ee6612fcac78852f46d59f7

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                  Filesize

                                                                                  1KB

                                                                                  MD5

                                                                                  7d53771954ba9c1e6468a0e128e0fe4e

                                                                                  SHA1

                                                                                  238086add3408db3148dc5e070b531e8bf4f020c

                                                                                  SHA256

                                                                                  549c8d536942196761546028ebe4b9b78e12d75c3529f057d92188965eb545bb

                                                                                  SHA512

                                                                                  5ccb1aa58fe4320e3793e4fe547eb63a1c2ab349c1e9171ed71be49a3c1f2ff1321a7d69e4c60d07881c9c5479f8057613215b0477239d8ce6f9aed551ca1280

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                  Filesize

                                                                                  872B

                                                                                  MD5

                                                                                  a62ae5aa79f16f08fd5756e4b957fafb

                                                                                  SHA1

                                                                                  4a813c26f8cd9e44100b1cb837a7b29d6be01b68

                                                                                  SHA256

                                                                                  c651ccfd2c008571ffd813c5963b0ee8bfafa9d8d0e867a5e2dcf4f152a80bd2

                                                                                  SHA512

                                                                                  a5339baed28dfef40070ec0f1115586358e9ddd1bb1b8f5e00c0650e83be25e86e3192fa03c1d488a9f8f234e4d4ab1c04732d60e03c9c8c66d84ecb3ed20e08

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5973fd.TMP
                                                                                  Filesize

                                                                                  370B

                                                                                  MD5

                                                                                  216c0afc7204e483c403b1dc507d1de6

                                                                                  SHA1

                                                                                  b38bedcf97306abe946efafc5a8ad98a8be36130

                                                                                  SHA256

                                                                                  cc42d55d0fcb81a1fd40237a51f6e40ea96ec56fb5b7faafba2f1f24c612b746

                                                                                  SHA512

                                                                                  6f99f3586f6c6789bdf01aa3650b1fa144b6bf1c0795937dc4b4df5bcad4e5088969c9249a9ec65b8ec165c784d0f7174d72334677a39a1636c5628abe6803b5

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres
                                                                                  Filesize

                                                                                  2KB

                                                                                  MD5

                                                                                  0876735c863d60789e519870d515a4ee

                                                                                  SHA1

                                                                                  412f7a385df8ec4640f399923795c7af19447ecd

                                                                                  SHA256

                                                                                  e7b297b4101f6b2d2b56187d96d6d8ef5657b647654526bdcf2aad1f0e282c8f

                                                                                  SHA512

                                                                                  cf7dc382ff439e04043fd15b3d15585bd2710b87f7d26b84e3a28ad118b30ffb49da94ebeca8aba30e0b9066452df03e2b040601419c5891119adc1f9ff4ad3d

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___java_com_
                                                                                  Filesize

                                                                                  36KB

                                                                                  MD5

                                                                                  8aaad0f4eb7d3c65f81c6e6b496ba889

                                                                                  SHA1

                                                                                  231237a501b9433c292991e4ec200b25c1589050

                                                                                  SHA256

                                                                                  813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1

                                                                                  SHA512

                                                                                  1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}_charmap_exe
                                                                                  Filesize

                                                                                  36KB

                                                                                  MD5

                                                                                  406347732c383e23c3b1af590a47bccd

                                                                                  SHA1

                                                                                  fae764f62a396f2503dd81eefd3c7f06a5fb8e5f

                                                                                  SHA256

                                                                                  e0a9f5c75706dc79a44d0c890c841b2b0b25af4ee60d0a16a7356b067210038e

                                                                                  SHA512

                                                                                  18905eaad8184bb3a7b0fe21ff37ed2ee72a3bd24bb90cbfcad222cf09e2fa74e886d5c687b21d81cd3aec1e6c05891c24f67a8f82bafd2aceb0e0dcb7672ce7

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133514627493729215.txt
                                                                                  Filesize

                                                                                  74KB

                                                                                  MD5

                                                                                  c09e63e4b960a163934b3c29f3bd2cc9

                                                                                  SHA1

                                                                                  d3a43b35c14ae2e353a1a15c518ab2595f6a0399

                                                                                  SHA256

                                                                                  308deca5e1ef4d875fbe0aff3ce4b0b575b28e643dffda819d4390ec77faf157

                                                                                  SHA512

                                                                                  5ca3321034dff47e3afe0b0bdfaffc08782991660910a29375a8e0363794b78247282aba65dbd882ae225aa140ae63927dfd0946a441ee6fa64a1d8c146777b9

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\2QRDRLTB\microsoft.windows[1].xml
                                                                                  Filesize

                                                                                  97B

                                                                                  MD5

                                                                                  04549d11a7b61537f1764f3bc366553b

                                                                                  SHA1

                                                                                  314c45d21da6573a30d864045fca8a51a5a32726

                                                                                  SHA256

                                                                                  1e2bc8a47c4283e3913c3b1f8f467dd891872ad6d757114a4d45876b6e790595

                                                                                  SHA512

                                                                                  69835e4409542b68cfc213cb157ff90584a6e4fe411ab968c06c21fe3e8c13181ace59274642e184d44d8e983a44f96d47b91f736577265d4e9de20dcaaa1b32

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Temp\is-O8BSR.tmp\NordVPNSetup.tmp
                                                                                  Filesize

                                                                                  320KB

                                                                                  MD5

                                                                                  dc9c88a2dcc07a0d1cb2b9c68f47a3a3

                                                                                  SHA1

                                                                                  a6aabf546b2bd1e46644b5196eaa6f7738ea012a

                                                                                  SHA256

                                                                                  3e6df52dc66c1158c5528aa601814300100136c47896c26bd49fde9e76a46a72

                                                                                  SHA512

                                                                                  b70b65b344f69d59a9ccf1d0f5c1f4308485d2b495dad629a955a054b489b564dddea6ded81ffab96c3c3eba2c38a37568f111224f62fda42d42a4137100eff3

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Temp\is-O8BSR.tmp\NordVPNSetup.tmp
                                                                                  Filesize

                                                                                  3.1MB

                                                                                  MD5

                                                                                  29ca787f3a0d83846b7318d02fccb583

                                                                                  SHA1

                                                                                  b3688c01bef0e9f1fe62dc831926df3ca92b3778

                                                                                  SHA256

                                                                                  746b972e21acb59e4086b5b25fe53ef2cddcecfa94dd56ad68c8e5bab9960c3c

                                                                                  SHA512

                                                                                  a6c21bf5590dc91a5d9bc729d9c04c20b54341d3270efd2fb7d2b548d7dc7b23a1a351147a07dfd569e901a608cb44533304de10725cb02fec781cada80b8e3b

                                                                                  Download Submit

                                                                                • C:\Users\Admin\AppData\Local\Temp\is-S5J51.tmp\Nord.Setup.dll
                                                                                  Filesize

                                                                                  40KB

                                                                                  MD5

                                                                                  b18bd486c5718397bc65d77a16ce2593

                                                                                  SHA1

                                                                                  58fe73e27c5c04e6915c5358f698f7fe8c2b5af8

                                                                                  SHA256

                                                                                  0bbf32b0553ca1292602e8c2c0458e075fdee2c8b6ef8ea81e924a86bc065f3c

                                                                                  SHA512

                                                                                  f4ffa1c8983914c41657fecc11c9324caa5899ad875b9687da8ffcf79ab189f19d6f926e16f09f240de9e6b22e26691fae785ed95657af310de5bf6c58ce8e0e

                                                                                  Download Submit

                                                                                • \??\pipe\LOCAL\crashpad_4444_TFGNWOOLHYCGDQGG
                                                                                  MD5

                                                                                  d41d8cd98f00b204e9800998ecf8427e

                                                                                  SHA1

                                                                                  da39a3ee5e6b4b0d3255bfef95601890afd80709

                                                                                  SHA256

                                                                                  e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                                                                                  SHA512

                                                                                  cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

                                                                                  Download Submit

                                                                                • memory/208-168-0x00000199AA510000-0x00000199AA530000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/208-172-0x00000199AAAE0000-0x00000199AAB00000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/208-170-0x00000199AA4D0000-0x00000199AA4F0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/888-120-0x0000000073AC0000-0x0000000074270000-memory.dmp

                                                                                  Filesize

                                                                                  7.7MB

                                                                                  Download

                                                                                • memory/888-59-0x0000000000400000-0x000000000071B000-memory.dmp

                                                                                  Filesize

                                                                                  3.1MB

                                                                                  Download

                                                                                • memory/888-68-0x0000000002720000-0x0000000002721000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/888-79-0x0000000000400000-0x000000000071B000-memory.dmp

                                                                                  Filesize

                                                                                  3.1MB

                                                                                  Download

                                                                                • memory/888-80-0x00000000042E0000-0x00000000042F0000-memory.dmp

                                                                                  Filesize

                                                                                  64KB

                                                                                  Download

                                                                                • memory/888-116-0x0000000073AC0000-0x0000000074270000-memory.dmp

                                                                                  Filesize

                                                                                  7.7MB

                                                                                  Download

                                                                                • memory/888-119-0x0000000000400000-0x000000000071B000-memory.dmp

                                                                                  Filesize

                                                                                  3.1MB

                                                                                  Download

                                                                                • memory/888-32-0x0000000006A50000-0x0000000006F7C000-memory.dmp

                                                                                  Filesize

                                                                                  5.2MB

                                                                                  Download

                                                                                • memory/888-30-0x0000000073AC0000-0x0000000074270000-memory.dmp

                                                                                  Filesize

                                                                                  7.7MB

                                                                                  Download

                                                                                • memory/888-31-0x0000000000400000-0x000000000071B000-memory.dmp

                                                                                  Filesize

                                                                                  3.1MB

                                                                                  Download

                                                                                • memory/888-5-0x0000000002720000-0x0000000002721000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/888-19-0x00000000042E0000-0x00000000042F0000-memory.dmp

                                                                                  Filesize

                                                                                  64KB

                                                                                  Download

                                                                                • memory/888-29-0x0000000074360000-0x0000000074370000-memory.dmp

                                                                                  Filesize

                                                                                  64KB

                                                                                  Download

                                                                                • memory/888-28-0x00000000037C0000-0x00000000037D0000-memory.dmp

                                                                                  Filesize

                                                                                  64KB

                                                                                  Download

                                                                                • memory/1396-205-0x0000000004170000-0x0000000004171000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/2152-24-0x0000000000400000-0x00000000004E1000-memory.dmp

                                                                                  Filesize

                                                                                  900KB

                                                                                  Download

                                                                                • memory/2152-121-0x0000000000400000-0x00000000004E1000-memory.dmp

                                                                                  Filesize

                                                                                  900KB

                                                                                  Download

                                                                                • memory/2152-0-0x0000000000400000-0x00000000004E1000-memory.dmp

                                                                                  Filesize

                                                                                  900KB

                                                                                  Download

                                                                                • memory/2908-363-0x0000025752530000-0x0000025752550000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/2908-365-0x0000025752940000-0x0000025752960000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/2908-361-0x0000025752570000-0x0000025752590000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3340-38-0x0000000005270000-0x0000000005271000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/3420-237-0x000001EC74360000-0x000001EC74380000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3420-239-0x000001EC74320000-0x000001EC74340000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3420-241-0x000001EC74720000-0x000001EC74740000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3724-397-0x000002634FC70000-0x000002634FC90000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3724-399-0x000002634FC30000-0x000002634FC50000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3724-402-0x0000026B51240000-0x0000026B51260000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3908-41-0x000001CA59DC0000-0x000001CA59DE0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3908-43-0x000001CA59D80000-0x000001CA59DA0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3908-46-0x000001CA5A190000-0x000001CA5A1B0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3992-215-0x00000238B0E40000-0x00000238B0E60000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3992-218-0x00000238B1250000-0x00000238B1270000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/3992-213-0x00000238B0E80000-0x00000238B0EA0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4108-431-0x00000292B3300000-0x00000292B3320000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4108-428-0x00000292B2CE0000-0x00000292B2D00000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4108-426-0x00000292B2D20000-0x00000292B2D40000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4224-295-0x000001B59A460000-0x000001B59A480000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4224-299-0x000001B59AA80000-0x000001B59AAA0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4224-290-0x000001B59A4A0000-0x000001B59A4C0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4684-336-0x0000016AED3F0000-0x0000016AED410000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4684-339-0x0000016AED3B0000-0x0000016AED3D0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4684-342-0x0000016AED7C0000-0x0000016AED7E0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/4868-72-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-77-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-49-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-50-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-52-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-73-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-74-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-75-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-76-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/4868-78-0x0000021D687F0000-0x0000021D687F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/5008-151-0x000001BAAD540000-0x000001BAAD560000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5008-147-0x000001BAAD170000-0x000001BAAD190000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5008-149-0x000001BAAD130000-0x000001BAAD150000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5352-466-0x0000017B98E20000-0x0000017B98E40000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5352-469-0x0000017B99220000-0x0000017B99240000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5352-464-0x0000017B98E60000-0x0000017B98E80000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5744-129-0x000001E4C4A80000-0x000001E4C4AA0000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5744-134-0x000001E4C4E50000-0x000001E4C4E70000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5744-132-0x000001E4C4A40000-0x000001E4C4A60000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5760-229-0x0000000004850000-0x0000000004851000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download

                                                                                • memory/5788-186-0x0000025899570000-0x0000025899590000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5788-188-0x0000025899530000-0x0000025899550000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/5788-190-0x0000025899940000-0x0000025899960000-memory.dmp

                                                                                  Filesize

                                                                                  128KB

                                                                                  Download

                                                                                • memory/6060-280-0x00000000030F0000-0x00000000030F1000-memory.dmp

                                                                                  Filesize

                                                                                  4KB

                                                                                  Download