hxxps://www[.]mediafire[.]com/file/e0b0j21sp3rclel/Wind[.]rar/file

Resubmissions

06/08/2024, 19:16

240806-xyq92a1fka 8

06/08/2024, 19:12

240806-xwtmdaxfnp 8

Analysis

max time kernel
1800s
max time network
1685s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/e0b0j21sp3rclel/Wind.rar/file

Score

8^/10

defense_evasion discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4612	winrar-x64-701.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-131918955-2378418313-883382443-1000\{3DD66206-F480-4469-9E89-A50EE6BB982D}	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Wind.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 533267.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
3120	msedge.exe
3120	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1528	msedge.exe
1528	msedge.exe
3124	identity_helper.exe
3124	identity_helper.exe
236	msedge.exe
236	msedge.exe
4220	msedge.exe
4220	msedge.exe
4220	msedge.exe
4220	msedge.exe
2592	msedge.exe
2592	msedge.exe
1472	msedge.exe
1472	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 22 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe
1480	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4612	winrar-x64-701.exe
4612	winrar-x64-701.exe
4612	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 4664	1480	msedge.exe	81
PID 1480 wrote to memory of 4664	1480	msedge.exe	81
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3108	1480	msedge.exe	82
PID 1480 wrote to memory of 3120	1480	msedge.exe	83
PID 1480 wrote to memory of 3120	1480	msedge.exe	83
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84
PID 1480 wrote to memory of 228	1480	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.mediafire.com/file/e0b0j21sp3rclel/Wind.rar/file
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd48de3cb8,0x7ffd48de3cc8,0x7ffd48de3cd8
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4660 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4788 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6924 /prefetch:1
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3416 /prefetch:8
  2⤵
  PID:4576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,7138884295581208855,8749128485021105237,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1472
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3e681bda746d695b173a54033103efa8

SHA1
ae07be487e65914bb068174b99660fb8deb11a1d

SHA256
fee5f7377e5ca213c1d8d7827b788723d0dd2538e7ce3f35581fc613fde834c2

SHA512
0f4381c769d4ae18ff3ac93fd97e8d879043b8ec825611db27f08bd44c08babc1710672c3f93435a61e40db1ccbf5b74c6363aaaf5f4a7fc95a6a7786d1aced8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f081a02d8bbd5d800828ed8c769f5d9

SHA1
978d807096b7e7a4962a001b7bba6b2e77ce419a

SHA256
a7645e1b16115e9afec86efa139d35d5fecc6c5c7c59174c9901b4213b1fae0e

SHA512
7f3045f276f5bd8d3c65a23592419c3b98f1311c214c8e54a4dfe09122a08afb08ab7967b49bd413bc748ce6363658640bc87958d5e0a78974680a8f9beadf44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
62KB

MD5
6b04ab52540bdc8a646d6e42255a6c4b

SHA1
4cdfc59b5b62dafa3b20d23a165716b5218aa646

SHA256
33353d2328ea91f6abf5fb5c5f3899853dcc724a993b9086cab92d880da99f4d

SHA512
4f3b417c77c65936486388b618a7c047c84fb2e2dd8a470f7fe4ffec1ad6699d02fa9c1bbd551414eef0f2e6747a9ee59ca87198b20f9f4a9a01394ae69fa730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
31KB

MD5
c03ff64e7985603de96e7f84ec7dd438

SHA1
dfc067c6cb07b81281561fdfe995aca09c18d0e9

SHA256
0db8e9f0a185bd5dd2ec4259db0a0e89363afa953069f5238a0537671de6f526

SHA512
bb0fd94c5a8944a99f792f336bb8a840f23f6f0f1cb9661b156511a9984f0bb6c96baf05b7c1cf0efb83f43a224ecea52740432e3cfc85e0799428765eefb692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
20KB

MD5
6959c9f88b6fb8554e6f425dde0672b4

SHA1
b7b9f19568b87b28475a84e85e4b21ce970a8dda

SHA256
4a1f68864b12b9dbb0d41320fbb3f6b96cae14ba4621e6b50f1de88a4ab21d15

SHA512
f91a0d3ce5764a291a0a718c4d5b94abff4f272d23586d1d46fc93807608c48e173088936833779b862b7ed661bdf03eae2185fa134dd9d4d52c4f7d82645734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\481963cd074f1a48_0

Filesize
268B

MD5
2bc3b56917cd815f854b3575681cb432

SHA1
8e9f483116cd963514666333a41ba6c0d28c8ba8

SHA256
f52472fbb21c5ef88fd88c6276dd69616b44e48afac170591b5983012ea2c890

SHA512
b915ec036bb3937c3eb6805247b1c009ee26974671556376bce36ec07004aa8931dc6e327b5519bcb263d54708268168f5c56d55bce8381b9ffed0defdc174ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\56d6f409590db490_0

Filesize
55KB

MD5
82fa56affd9469b3e379e20f396712ac

SHA1
397b66a6e0ab7c976c5c8c03872c9d9799a58e07

SHA256
ff56fd4aab4e9bd2f020f6ff51e58e6fde3579b0eb7263e3e4655b5de829f9bf

SHA512
28e62dcf3189d45e16efe491b4c9c8b7a8d8a6435f6f10e2da75c284fad3cb095db253aebf21d7e6ac9d251a78c0ca5f4aa16f8f3fcef05c433028c0e283e690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\735ae46a401e7a9f_0

Filesize
339KB

MD5
d53bbd2b589f07b6cda388ff88ab90cf

SHA1
24a377ee658c81d3939ee031402cd8039ba49ef4

SHA256
ad328bbaf628adff0034f180df5b3f360e56b74ac8c1bc8513a6a6bbf3e53abb

SHA512
10af13b5664eca261851bfe4f836829dc827ed82a68fdb7f676d5793217fa93ac9cfec14c2d2f81ec6ef8014211c0307d2b67087c6cc3e564de6204184ba8500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7a8694aaa036738a_0

Filesize
22KB

MD5
0b9e4df1bf9aa877dd77cf9dda986c35

SHA1
e187954141c83f8aa32b5f83ab15b3cdeeba2d1c

SHA256
b7218ebfe861121167c2df22cca08b8f1310bdb7a468954709d883cbbe842b6a

SHA512
89d68dcd7a99dd35ae3c96bef8d83f633066b3035dcf7203a843aca8c9d54b9a8fcdc236df6792c4da2c3625c96c479c006703c4bdba457e640294da6cd07073

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7b508899820079f3_0

Filesize
54KB

MD5
8ab3893ce693e767137b9bb1ec542a96

SHA1
a379d31c2375b1bedea5e43e4892fbbbeefc5472

SHA256
6b9401187e0588fa8bae9cc503bf70e18dcca859b769d064ef74f8c8b6debb22

SHA512
7894e317b08b55b1d522dca5dda124f40259d1d361779e916b488cdf669e72edad7aa9583e880004a4b6555fb8c0892e81746f8b1eae711345ffdca1031c83c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7e7fc6fd962bbe9e_0

Filesize
146KB

MD5
31e41c117ed79388b172757bf38110ba

SHA1
5ee8d14c23453243c7a227eeaf5b8714fefbbdaa

SHA256
fb595e2cb57384ad24279309eb510fc012c249fe0b2e82dc4e6b43d4a80a2f11

SHA512
54c45f5f45df0f0aee4c202a90bf2d7991e5a0406063074c4ae803feab8ca127d7c62550493001051eee6d1ff44ac3a4de0e9ac7f1a4f5586cba34ca7e5f4bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\b13d9848aa9ac2f2_0

Filesize
278B

MD5
d33150139b5f68c0ffdbf655e1f3f3f3

SHA1
53a99fa11714ce6c625b5239041c5141206b853e

SHA256
df228a5043c1b6e8eaa018dcd759a8d2dc5d141ccba6f7a6ed7f70cd5937df53

SHA512
1da57374d551c2035827f01f40d5e67cd9370f272d58f87a7d6cd2d284103a8e5ac7d65cbfeb021d260ed4ac291d52fef7b75f2248ec7cf4fbac7bc1fc76aa1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c472784dec098560_0

Filesize
14KB

MD5
d7c9ddba2b5037ad31a8f824472fef63

SHA1
5556c88bf22e94d646693786da0bc4911be371a3

SHA256
8465ed930c9d79170da2953bd5dbbaf2442c8807edb8aaa612881aa3ca42488a

SHA512
4885914e3a022540f341703d13ffcde5c500c506c0aea147a088a0963098b5f264c0946f25edeabd2b2181fd8dd7235f356ab4852c0fee51004d887297e6d069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
054d87c7c7272054798dc1b794083600

SHA1
d1dba97b6cdda11d4363152bdd476288e1231fab

SHA256
dfdbd354b35b84794e2491a8dc6914f68c3b09e41af04796a19614879b319882

SHA512
e962ea2cc33d3d97ae39aea829ccb8b0923b9846aeb7d8e2c3206007a75d26740ab36e43051cefc02c1f69d466ef9dc93943b1810ce79ae7bc2e66c4bddb596b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
735f45bb59e071a65db7e78f103e4491

SHA1
6a43c6044c9a0ac5ed31b4829199898414d2b7b9

SHA256
86790e801629dc0ffcc3b9a709185aa968c22dee8c10ccd4a69ba81352a7882e

SHA512
5bec0a0328a9255b61003cdeb906d551d87e4d859f0d98ba6a9d74338ade6c973decf3c5ac1555ad6fb51ec5da8a5568a7c3520e067de72b360bf06e088460f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b7d4e5e4f5333a88a72f563924a2bdd9

SHA1
c4847524d558ee654ba65b46a7486c88f3a06b16

SHA256
56ae00600c76306a853e9bb64e9a50da7cf2ba9ffbe4584fbeeccf9633722878

SHA512
50f2fe55d5879f4e088322c42417f866c92260332847dd28c0bc5e4d642a2bebbebed6a21f92c21d6641429184da20cac339320e24a6a615d9aab5a907b161f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
22e22a64500d7c050ce545072d463e29

SHA1
7707e5bb4e3842af8772399e8abc2a4af38309a3

SHA256
428a20bd161e87d10fec28962e414283d07032f954b1f4f7402bc130761b1695

SHA512
b3c6744c724ca4f9b94a4777500bd5529e2518edb4dbb2f9c553e5acc6da05b5b5fcc6f01c5f4bcad8abd21eb5134a39b9a78ec33bd367a63bdd34676a0cef89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
9c01a36c1f79030b5303970123c7312f

SHA1
f8e777712a0de6805eafd816529953a020ab436f

SHA256
5c54e99db4171d917afaae184e2ea9012cb96385d39803684f8f6da1730c5a50

SHA512
a111357c18592c52f07032a9811a44c90aba3a8c353043adaf2125fc1f9a8a4a2ea5fb5d74011a8280f8fe737d03ef8289f5a66f41364d60e7d98e1473cbae93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d19d9062da6c288e035fcca7fd71bc16

SHA1
253ad0e083c04f270c43fc1e9378f3312759c230

SHA256
f08ca4ee3d6d33d5927793f3e7094522c6477257a19157be7107b18d8f44d073

SHA512
3e84b35b19f4b080cec454603ce9cd775f1e38cee41601b6db1640a4d18f35ddcef47ecc1d02101c47c73b59fe894f7413428277cec4431e6f20a8a4e3642a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
37e22d554824bcb263d1e393a0d88e57

SHA1
1f520308d4c300f421e8dcedd3266761d56b71e8

SHA256
a117d98b7819008a508aaf1d025cea8981720a1bae76f964a94332211fe178c9

SHA512
d78b39ff756dc88d0dc7b148458df19f09fbd942bd5efbfae1ec4cde42e3e3de1efcd423e02b722973d884252bc96c47ec94573508a9290d33a0076150860c74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e8cd31245b89514345bcf96ed32aeb42

SHA1
01eb6a6c57106c352e2ef7c6dc5ce1e722a2dd2f

SHA256
40f074e20d576764ee5d0a1ccbf61cd875a7bfa2c4abb8dfa8065b791a7b2be5

SHA512
21b6be1e87f315e9cb8ce50ca651dc5d387d96d49089f53abe1f11335a610e15490a8a05cc3cd09dba7941817a7b8f0330401daa48cf0c08125ccbf73bd45627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
6a99cf04c691f8ccfc4c1fda5583bf73

SHA1
2a5d7fc226f72480c800c83a9ac84cfd82c78858

SHA256
e15c379470ca8c2d63c67ce514236755cbc348d3e5d340dfdf12ba45eda6de67

SHA512
9484a6f51e96da3079592cbadd3a83da2cdd53cceeb073594f0422b068f868153fdc718585f4cb90c2df12610aaaefe2d59cb12d1dbee1913789895b99e50045

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
1d43291bfb7a5fa7aa3319ca2355e11b

SHA1
8f5c846dd3f3ade86e453805c078c6aea46fec45

SHA256
55b036903154a28d182d2ad590301ed84e0b34ee59b4f0ca7da2cdcd766d8d05

SHA512
7d925977a5dfc3e31f0d55806bfed5e2281f3f3e96505664917ec1cc54ed351d512c844e022fea0b391b030bf8daf33b23460fa51af8217c9bdd8a02a4e65847

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
6d1fdc4488c4f327ad83c357885a9e41

SHA1
9b42babac6d31b07d2d45b6772b0ad4d2f5c9247

SHA256
df0cc72766ad213ce2301099919c866eacf2c60f360b9730c948bf84ff529c92

SHA512
28b51f8381a76e3b56580a1d906eed8345e2a988a9a2096e0d27f35705ff6778194ace5605ad12634c933cb556769882a9e3c7f96a7dab0cecac6cf5102b8cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
8097869e87ba61b4312bb98bbb5f81b3

SHA1
470b51f72db87ea12f671ee681ec4a208bb13f75

SHA256
b656002100cea8d0050ffd0b519db3f468e9f30bcb264034945481f752c8c13b

SHA512
211ce2c406b46f8d665458a2d9f59435ec03d9b90b3978d59477ad1259fe349ee437b284ea12bfd496752b8091312c076959c1cfe4cc24b9b55fd0f7323d4fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
418f2308dce19eef66c7be8a1b823b81

SHA1
c6e459e6bfbacc562cbf5a129c4e55c6012c60ff

SHA256
7f6d416df4eea437155ad0f9910ac45ae970b8ec2fbe5bbd1c367dca75d7c34c

SHA512
7c464d2800cbb5a04bd4cc2349ce56ecede4eee4c7a4bfd5e777534f30de76f95a54133e349f296698fdbc9e06084e5b7d221298d8044fc46b02c90d3220f653

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
8a341f9ea2c3ee0ca9e1f0acfc63a67e

SHA1
f69a1cd2208cac4d2de0af5ab7481c133e0afe99

SHA256
b5c26ebf9024870399597c223a383e36b53bde1ce496bb8acd892d4f553e5258

SHA512
93dccb09c6db5bbacdfef5626ff097b5ed6b46c2e6e4c5534f70bfe3237877de36054aaceb2dbf6c9677d5f6e1fb9023fbc0e0e5f9137be14d047dd526c53b64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
dce5db5b2c6c82e7faaa2eed95db53b1

SHA1
645fee3ee0a26788cdeccdfa56857e3973557b2c

SHA256
ad4ce992c20b7237063c876277735205a05ee0371e0a95afb38d7a2a9e3c2b6b

SHA512
8ac6f5d67b7e448f9a7b1595ae1c4a352a2d3c6d5d90d3311bf1fb25a8c89c77e63f2c080f018d1fb3acd987734736abd61cf5e5073ca59779abd6f933987ef3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
1a96c859dedb95994e4acf6263471042

SHA1
728692687e5b939e84bbaca348267c8a32fb97a1

SHA256
cbf534d3d6eb2108b0ab47e79ef37a36239d599542110699424a7327b6c06bf9

SHA512
d21cfb1a1f57b253c5e9db91f496b832472749c9d534b60a66070d7c77bfb61fba5a28688e7a00c6672f876c208eafaf1e4c4d2f400e8b384c486ae31ed7a7b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
3d6ca8a0d4de91b10f9815acb0585306

SHA1
7d0f5e508463e9f4bab1c0072c49192c20c23c12

SHA256
5b9b57278eef0063ba331816c20c404049feff207d09c522709488292de52fed

SHA512
97f892001246708c722209a9842c7abd7ab5591b21c9269ed1fb7b8974f7dfe1642e675534e22be146fa05fa3ed04e9a00ba5676005683a0507e021d1e7c7a2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a4ea2787a0fca31986b254dec39b7290

SHA1
aa0e2f4efbbf637258a4b445ff65e041d7518ddd

SHA256
898555db734ecff62ac36effb41895fe451ebb94bbc8ffc4824926b9820da194

SHA512
6220e200af98d03863c608c656f12d812ea2b56d4c91274098987400d3b57de05b34c28f37a4c2e876cb0556f3dd165ce739ea71652833d28dd3305778168e06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
1390c2d60c75cdc86defc474271c528f

SHA1
bf8cfcfdebbd48ad39561796e6a7c6fd06086ee7

SHA256
603aa91e903cc7aa15b3c90599490ca83adb7a27deba8f34e93ef3fd207f5bb7

SHA512
578ee212d720832feecf45c0e93cca8e9b0c8fd8b40ee903e16fb957254a7efa8eb1a5c23766bb419780953bdbc78b856645e9ed5b9b9f458f81b74ca4f43521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
593a5d51df6c9321d4daae3d39909aa2

SHA1
afa35c68ec043eadea486934f77317a2ea3879ef

SHA256
5391e016199ab3331a08f9258f189c0179cd8161665ee24a9753690d8de42567

SHA512
e8f2cea7229d04829a94757355b1e61a54b5b96b38126f49d8f4996c468b388e24a2e3507e2f2927b6fa73e7c708e1f2bd7d657f2e8b51b7abbcc5ea931062fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6e298ea501497b531b8c235fe18bbad5

SHA1
86ef76cecac2a68a70634185b4cc93bfe499a2d5

SHA256
f3076381e3156f6a0c67b055fa106d3570e55e1f426f38afd40ef7c145bb7e77

SHA512
788c3c07273a95ab43440e52e8bfc1c28b721036c66cd049e2c897c1ea92a60d21c304fb243db62ab8e1a8f9a98fdd80b3f602663ff957bb35f92b2a544e7377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
da8015ee65a699660723a424601b02a9

SHA1
586fd4abfe462f69f32bba56ad1effb4170bb80a

SHA256
5d240e15c1bc23be6e66e7dc81b9952b4c1913b2691d2316c690779140f76301

SHA512
2707b39840328f451a1345c93756c26a832c351a9a80d61a32c4059857f93db6b6d96f5989e12ce2d45ca4b8840e94c69309df191bad5b54f610d21e6f0ab7d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5814ea.TMP

Filesize
1KB

MD5
3f7f3fc1f7a45dbecefe3743ce3c956c

SHA1
ef230f9fd291101cadbfbcf25afbfe9ffe3125e9

SHA256
4203335b30a5a3d954906ca0d13edbbeeeb7d6c1d4eac2410ced9d7ed79c71b3

SHA512
b298d979cf5739230aca0ae69e7b9390a68db6b110a7104149445ea5954abfaf5321f5051a4e119707dbe08410ffb45c21421c1ec4fc956d27ffbed32ddaa7d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1356339eafff49026ddeffe8ee2ae5e3

SHA1
accb1ee4115b9c6f86307f34a247bd711cea1140

SHA256
42233f0599cfd4d8a2f85a1f32ebfde95aa3944905768d1b10fda38c40e334f5

SHA512
a69bc0b1260e2a6bd00db04c0e5bbc1e15040e850e6138e687df07744d130cf5ebd2837d9598085f52ffa47150ae54b101d4ad4af63af93c9f13ab86744d8da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6d4c6a26d0e915b14aac2a2388cce338

SHA1
067a580e427ce0979ce97e557bcbf64af9c264ad

SHA256
dd7952d3662ac612e7dff3018f2501cb81f0aa45cb98ca6563e44bdee56fef47

SHA512
46db6c7c952d5c8b344af3e62347a1ce00b8b9be6bf72418304f70acc7603a973a0731014862b44c43a9ab5b68e60b94d6b54de32db2fef1d8b58b95ac3ef9b2

Download Submit
C:\Users\Admin\Downloads\Wind.rar:Zone.Identifier

Filesize
307B

MD5
5a28e23dff0eefcdfd28d9cc5837f921

SHA1
b290ede579f32a55e500ca8ec76a28701a8854fb

SHA256
b049cefa01864b8091839dcfeb3067733c51b204e465ba0f17e838a49b472ddd

SHA512
b157351545e843e3e09db3ade930c7c49e0ddcb80989bdfc1cc2e2bf984d8866e535e79c1896b74ce311567b7ce2c7d57042cd69f15e55c5257aed55293952d5

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit