xworm | 621278f6f2d263419d69187282d006e8f81afd73bdd75a39880d01d37bf0bbaf

Resubmissions

16-11-2024 03:48

241116-ec8cbatkgq 10

16-11-2024 03:48

241116-ecvffszdll 10

16-11-2024 03:45

241116-ea7b8stkfm 10

Analysis

max time kernel
150s
max time network
146s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
16-11-2024 03:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ApplicationFramHost.exe
Size

77KB
MD5

67c7fe1635180abaa9c88940d61bb20a
SHA1

addc53c2291b8a3d17b3668600b8257fef496989
SHA256

621278f6f2d263419d69187282d006e8f81afd73bdd75a39880d01d37bf0bbaf
SHA512

9b19f62ea458345a5d2d7ebb4d22a413996b502619466b1d3eaed0f92b35af91650cddd9ffdb397f8ed4558a09c44ce424d344c1f4102543934b651d103c40fc
SSDEEP

1536:u58tFnhxOx9v5vEv9t0bz9H2dhE6XDBO8YxHMQuhWy+R:i8tVh+vNEv9+bzmOvxHMLwbR

Score

10^/10

xworm discovery execution persistence privilege_escalation rat trojan

Malware Config

Extracted

Family

xworm

forums-advancement.gl.at.ply.gg:58291

Attributes

Install_directory
%Temp%
install_file
1336ffb22842d595e7ee3602982.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1528-1-0x0000000000F70000-0x0000000000F8A000-memory.dmp	family_xworm
behavioral1/files/0x002f000000045063-60.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	setup.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5088	powershell.exe
4936	powershell.exe
4368	powershell.exe
3992	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Control Panel\International\Geo\Nation	ApplicationFramHost.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1336ffb22842d595e7ee3602982.lnk	ApplicationFramHost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1336ffb22842d595e7ee3602982.lnk	ApplicationFramHost.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
3952	1336ffb22842d595e7ee3602982.exe
2444	1336ffb22842d595e7ee3602982.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1336ffb22842d595e7ee3602982 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\1336ffb22842d595e7ee3602982.exe"	ApplicationFramHost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\4e5fdadc-5ede-44e8-ac31-d61eb17c4767.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241116034740.pma	setup.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\SystemTemp\Crashpad\metadata	setup.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 28 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win64	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\shell	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}\LocalServer32	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{708860E0-F641-4611-8895-7D867DD3675B}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\shell\open\command	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2C6CB58-C076-425C-ACB7-6D19D64428CD}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0\win32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\Application	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\ProxyStubClsid32	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeHTML\DefaultIcon	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1361837696-2276465416-1936241636-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\TypeLib	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{463ABECF-410D-407F-8AF5-0DF35A005CC8}\1.0\0	setup.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1572	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4248	explorer.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
5088	powershell.exe
5088	powershell.exe
4936	powershell.exe
4936	powershell.exe
4368	powershell.exe
4368	powershell.exe
3992	powershell.exe
3992	powershell.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1528	ApplicationFramHost.exe
1268	setup.exe
1268	setup.exe
1268	setup.exe
1268	setup.exe
4700	msedge.exe
4700	msedge.exe
1420	msedge.exe
1420	msedge.exe
5568	identity_helper.exe
5568	identity_helper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4248	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1528	ApplicationFramHost.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeIncreaseQuotaPrivilege	5088	powershell.exe
Token: SeSecurityPrivilege	5088	powershell.exe
Token: SeTakeOwnershipPrivilege	5088	powershell.exe
Token: SeLoadDriverPrivilege	5088	powershell.exe
Token: SeSystemProfilePrivilege	5088	powershell.exe
Token: SeSystemtimePrivilege	5088	powershell.exe
Token: SeProfSingleProcessPrivilege	5088	powershell.exe
Token: SeIncBasePriorityPrivilege	5088	powershell.exe
Token: SeCreatePagefilePrivilege	5088	powershell.exe
Token: SeBackupPrivilege	5088	powershell.exe
Token: SeRestorePrivilege	5088	powershell.exe
Token: SeShutdownPrivilege	5088	powershell.exe
Token: SeDebugPrivilege	5088	powershell.exe
Token: SeSystemEnvironmentPrivilege	5088	powershell.exe
Token: SeRemoteShutdownPrivilege	5088	powershell.exe
Token: SeUndockPrivilege	5088	powershell.exe
Token: SeManageVolumePrivilege	5088	powershell.exe
Token: 33	5088	powershell.exe
Token: 34	5088	powershell.exe
Token: 35	5088	powershell.exe
Token: 36	5088	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeIncreaseQuotaPrivilege	4936	powershell.exe
Token: SeSecurityPrivilege	4936	powershell.exe
Token: SeTakeOwnershipPrivilege	4936	powershell.exe
Token: SeLoadDriverPrivilege	4936	powershell.exe
Token: SeSystemProfilePrivilege	4936	powershell.exe
Token: SeSystemtimePrivilege	4936	powershell.exe
Token: SeProfSingleProcessPrivilege	4936	powershell.exe
Token: SeIncBasePriorityPrivilege	4936	powershell.exe
Token: SeCreatePagefilePrivilege	4936	powershell.exe
Token: SeBackupPrivilege	4936	powershell.exe
Token: SeRestorePrivilege	4936	powershell.exe
Token: SeShutdownPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeSystemEnvironmentPrivilege	4936	powershell.exe
Token: SeRemoteShutdownPrivilege	4936	powershell.exe
Token: SeUndockPrivilege	4936	powershell.exe
Token: SeManageVolumePrivilege	4936	powershell.exe
Token: 33	4936	powershell.exe
Token: 34	4936	powershell.exe
Token: 35	4936	powershell.exe
Token: 36	4936	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeIncreaseQuotaPrivilege	4368	powershell.exe
Token: SeSecurityPrivilege	4368	powershell.exe
Token: SeTakeOwnershipPrivilege	4368	powershell.exe
Token: SeLoadDriverPrivilege	4368	powershell.exe
Token: SeSystemProfilePrivilege	4368	powershell.exe
Token: SeSystemtimePrivilege	4368	powershell.exe
Token: SeProfSingleProcessPrivilege	4368	powershell.exe
Token: SeIncBasePriorityPrivilege	4368	powershell.exe
Token: SeCreatePagefilePrivilege	4368	powershell.exe
Token: SeBackupPrivilege	4368	powershell.exe
Token: SeRestorePrivilege	4368	powershell.exe
Token: SeShutdownPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeSystemEnvironmentPrivilege	4368	powershell.exe
Token: SeRemoteShutdownPrivilege	4368	powershell.exe
Token: SeUndockPrivilege	4368	powershell.exe
Token: SeManageVolumePrivilege	4368	powershell.exe
Token: 33	4368	powershell.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
4248	explorer.exe
1420	msedge.exe
1420	msedge.exe
1420	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1528	ApplicationFramHost.exe
1268	setup.exe
2272	setup.exe
3368	chrome.exe
2320	chrome.exe
3788	chrome.exe
1716	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1528 wrote to memory of 5088	1528	ApplicationFramHost.exe	85
PID 1528 wrote to memory of 5088	1528	ApplicationFramHost.exe	85
PID 1528 wrote to memory of 4936	1528	ApplicationFramHost.exe	89
PID 1528 wrote to memory of 4936	1528	ApplicationFramHost.exe	89
PID 1528 wrote to memory of 4368	1528	ApplicationFramHost.exe	92
PID 1528 wrote to memory of 4368	1528	ApplicationFramHost.exe	92
PID 1528 wrote to memory of 3992	1528	ApplicationFramHost.exe	94
PID 1528 wrote to memory of 3992	1528	ApplicationFramHost.exe	94
PID 1528 wrote to memory of 1572	1528	ApplicationFramHost.exe	98
PID 1528 wrote to memory of 1572	1528	ApplicationFramHost.exe	98
PID 1864 wrote to memory of 1268	1864	DllHost.exe	122
PID 1864 wrote to memory of 1268	1864	DllHost.exe	122
PID 1268 wrote to memory of 2272	1268	setup.exe	124
PID 1268 wrote to memory of 2272	1268	setup.exe	124
PID 1268 wrote to memory of 3368	1268	setup.exe	125
PID 1268 wrote to memory of 3368	1268	setup.exe	125
PID 3368 wrote to memory of 2320	3368	chrome.exe	126
PID 3368 wrote to memory of 2320	3368	chrome.exe	126
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 3788	3368	chrome.exe	127
PID 3368 wrote to memory of 1716	3368	chrome.exe	128
PID 3368 wrote to memory of 1716	3368	chrome.exe	128
PID 1268 wrote to memory of 1420	1268	setup.exe	129
PID 1268 wrote to memory of 1420	1268	setup.exe	129
PID 1420 wrote to memory of 4788	1420	msedge.exe	131
PID 1420 wrote to memory of 4788	1420	msedge.exe	131
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132
PID 1420 wrote to memory of 4796	1420	msedge.exe	132

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ApplicationFramHost.exe
"C:\Users\Admin\AppData\Local\Temp\ApplicationFramHost.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ApplicationFramHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'ApplicationFramHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4936
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4368
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '1336ffb22842d595e7ee3602982.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3992
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "1336ffb22842d595e7ee3602982" /tr "C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:1572

C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
"C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe"
1⤵
- Executes dropped EXE
PID:3952

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4404

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:2152

C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe
"C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe"
1⤵
- Executes dropped EXE
PID:2444

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2516

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4736

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:444

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:4248

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{FCC74B77-EC3E-4DD8-A80B-008A702075A9}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --uninstall --system-level
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1268
- - C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff75cf24698,0x7ff75cf246a4,0x7ff75cf246b0
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2272
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --uninstall
    3⤵
    - Enumerates system info in registry
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7fffe16dcc40,0x7fffe16dcc4c,0x7fffe16dcc58
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:2320
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2096,i,3088280283864020005,7220620129439754138,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2092 /prefetch:2
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:3788
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1936,i,3088280283864020005,7220620129439754138,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2368 /prefetch:3
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:1716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://support.google.com/chrome?p=chrome_uninstall_survey&crversion=123.0.6312.123&os=10.0.19044
    3⤵
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x14c,0x150,0x154,0x11c,0x158,0x7fffe16e46f8,0x7fffe16e4708,0x7fffe16e4718
      4⤵
      PID:4788
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
      4⤵
      PID:4796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
      4⤵
      PID:324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
      4⤵
      PID:4604
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3528 /prefetch:1
      4⤵
      PID:2196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4456 /prefetch:1
      4⤵
      PID:1204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
      4⤵
      PID:5344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      4⤵
      Drops file in Program Files directory
      PID:5368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff6838d5460,0x7ff6838d5470,0x7ff6838d5480
        5⤵
        
        PID:5444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,10479280687000588090,4392081654542154010,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6200 /prefetch:8
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
19227de768c8a800a12b3fc28a9db723

SHA1
be4a4d1663dc641e0f97db176269aded56651d1c

SHA256
6d0d78bbab396f7c266b13d3db1721ad1a048db236159a1bb9da798df75eaf93

SHA512
d6be82ffa326521ecd72c98831b3809d95f6c53384be3d46c2d9703b6ed54442a26ef80282f909ee6e5a9f2757341bb405bc23047ee7cacdeaef9e15f18b7882

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
118KB

MD5
055bd1e73fbc2cb45d4a487ffb2dbc00

SHA1
4e6a6d77100fbf8bc2ffa76f3a72dccd9fab4f38

SHA256
5c2c2c67d330f5a1b5d9f88edd2511a84f6de141eaa23bc506411b96f7a1ad97

SHA512
c7a5a2b66e280ad47ed6270e21cfd8b3ca7e82383f8c2f6ed714758dd1b0a00656c2184b00eb9e5cde84a26e97b9b38ae8670961be4ce8deb6c47830b966a914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\1336ffb22842d595e7ee3602982.exe.log

Filesize
654B

MD5
11c6e74f0561678d2cf7fc075a6cc00c

SHA1
535ee79ba978554abcb98c566235805e7ea18490

SHA256
d39a78fabca39532fcb85ce908781a75132e1bd01cc50a3b290dd87127837d63

SHA512
32c63d67bf512b42e7f57f71287b354200126cb417ef9d869c72e0b9388a7c2f5e3b61f303f1353baa1bf482d0f17e06e23c9f50b2f1babd4d958b6da19c40b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
78bc0ec5146f28b496567487b9233baf

SHA1
4b1794d6cbe18501a7745d9559aa91d0cb2a19c1

SHA256
f5e3afb09ca12cd22dd69c753ea12e85e9bf369df29e2b23e0149e16f946f109

SHA512
0561cbabde95e6b949f46deda7389fbe52c87bedeb520b88764f1020d42aa2c06adee63a7d416aad2b85dc332e6b6d2d045185c65ec8c2c60beac1f072ca184a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a134f1844e0964bb17172c44ded4030f

SHA1
853de9d2c79d58138933a0b8cf76738e4b951d7e

SHA256
50f5a3aaba6fcbddddec498e157e3341f432998c698b96a4181f1c0239176589

SHA512
c124952f29503922dce11cf04c863966ac31f4445304c1412d584761f90f7964f3a150e32d95c1927442d4fa73549c67757a26d50a9995e14b96787df28f18b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
802a8a6820c30fbc503ea57037d6c8c9

SHA1
a02203c94430fbbd1de0b5dcf4901f37f238a7ec

SHA256
15209a9ed02d2ccf854db7325eee998d61c79e48fcc75f85691d7d2e725f5be9

SHA512
7995f728f7bab579645d57ff45790684fb7917c6e240e2910eac2da8447a66a0a7e2442f0d08b76a2596656e18e9037101504e9ddf9942fecc4d92e87a2eeb87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
2e307add31c4e53e0549a9fdc3f31cde

SHA1
fb1317c3bebba602ba9f5114d07b8cd615811ceb

SHA256
2f3de3376a086db10970ace0818b4f1f561a6068273a697e66e3895f38cda0ec

SHA512
a9ab203f34713f46edd42a3dd3334aae170d571478999218d7eebd6df172f363080e939b7bcd52358a9264e08c310fe8e5953070b0033581eed3b43ce0ab9bf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
9b9fedb62fa976ec3221d63e82a692ab

SHA1
a072afbdd4f2b4c64ff28efddd12223540d8950d

SHA256
85192c4262fc572e58a0897a577662dc0b6584d4d129d906fcb5b276d86a44b1

SHA512
e0120e959121fe83983ba72952f03a29c5d25f1271deed803e79586c0900164383ab89fa84eb945d0c21b29f52821eba21266006c35ea70c081cc6ca0ef782bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
1e42a901fa6e81858489607bd228938f

SHA1
f7548e4fbdbdcb8c114c1c0ef4e03b4eab43360c

SHA256
a4737c5f5ec6bed25767e2cf19fbead3a9c1966827e18d852134eee8f36f7ed2

SHA512
20c65c7e2146a910d25be2d5049473ce1300ed2d5267acbd81306174514c8203367a9d70d754d2ad2af590b59a5a87ee01b0178bee68bc44354d46b4a5915c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff1865a88e34010b6c38a8496c8fd986

SHA1
577ea23b10d4bcc11040f44852d0b8f0aade1606

SHA256
60d93156da688e7f5f7936893f8882fdfe6d8cfbf51533629a8be71ce09b6260

SHA512
fe341fea7e763cf950b96313eaab9efa1e1cc149580224f0f684526ff15a9445436590455b9b8881593373bbc2efd32b90f223f51fcd9c182d5eb29416e22e54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
21320325bdfc20c6f4e4d136228fc9c5

SHA1
7e96950811d7ddbc1daeb7341ddb9768980bf2b5

SHA256
5e7ac2b978206a07d8b1841a2bd89eae4b466bcd8a0df3a62ae2ca0439b8bd5e

SHA512
ee78316d5b8edffdc83e3431bdbd28ae05a481d2a445ddf3b7c58bf0f01c6c42aead46a4d91e7fc75519a5ca8a7e2bab78749d88476c7a2fa0a25e8b3592bd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
9010fe212d7da97a4e9cf63a903ee7a4

SHA1
8f124a736d045eea3c50a9597d18c9af8b128e28

SHA256
c2956b77f9af9f4d79e0198d8a7e0a5b6f880b4d597dfeee25a3f56c05d11834

SHA512
f763ab3261592107fb19b7d6134c7f4d02e921258b1c72f1e0c69a95ee8ed9cc20498259a279cca9648bbd213a5234b965a9196865d465e1f975ee9242e36326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
178ee4ae619b73ad1f5e60ee01717188

SHA1
1fc51ddf4f6039ccf9b5846306004974ffaad4c5

SHA256
d562150cfe137433b7bf8cd8e27d0f0fa4e4b11a3bd6ef924f2dad7fe6c42a56

SHA512
5dfd0c2f195bb7a3d811d2c9c0b9155cb37443986eb3e0d0a9d693615a4da875741f9501cb7e523e8f1aa9b9392d4904d1c8a517e3390fe72450705d43a8c12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59a742.TMP

Filesize
48B

MD5
9b38f46748d5d2becc7fcbf08bdc0c23

SHA1
bf2881496755263709ea41ae9094cdcfbd0b3268

SHA256
80752501ddb1c463326df8a5c158a9ea6af302ae92e107f71abf8bf59d7bc376

SHA512
50aa2dab40cc734394ee7009572c8714ff9617f91af119e4094fcededd66650b7713435516d7323eb9850dc505de51e0f09619afcb10bb915ce5e314f93b3334

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\d7e20379-3976-49c3-94e1-041fa1dd975d.tmp

Filesize
5KB

MD5
56ad6ed6e84820cbd410ba92e6f557b1

SHA1
07b493858660633f2c2e943e7e29d96d23aebd4b

SHA256
b0356d68906ba056ac39ada642bf1bd46c06f579dd782cae9b4861bb4c6fde38

SHA512
6d692b4f7308484e3d551c38f37bb85d81bb74627304e6cd1f52f948d488a4248cc826511e7db3e756a105969fa818c9d8d619f31be8a302b1c2a20f800af1bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e2b561f53044c9fdfb373583e3a895dd

SHA1
5641d11095d9f85090bc78a8d85879cb8ec61b11

SHA256
4d1083664efcab5143e5fc49d2d15108d1eeb97e51c2f3ef67ec6a6b660729ef

SHA512
85ce2a284e9e4075f90b2e0c20b658be805529d545a9629192dba4aced49e2add7d8afc58bafb6fbf9ff68b29a3eee16a8b31fcc47d447cbd6f8d97f9693e37a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
aa06702f4b4111819f91804a198f091e

SHA1
342d918a63b874269867b2f71c2aa88d4fe38833

SHA256
632d94beb0d3503a60068cce90fa5c2b02e1b1ae448d15011b91551eb2397fd1

SHA512
8ac6f7060de738db3c2558b8d18f0213e3fda93a1ac9e7180bb5c7c020f19d9783b99fb24fe60dcca3da5e0777f96dbe40ffb36a139f51898e5cfe9d7ea4ba7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-16.346.2152.1.odl

Filesize
706B

MD5
eac3deb036d53f40a7abc959aeca79e8

SHA1
8ff02b7465fb99d20c827c658c155a704c45f454

SHA256
0b7523832f3498d9e4efb2a63f15a015b9115dfcb991ddece172773e2d7faf3e

SHA512
69ddc5fec2302fed08c982abc36360ad294ab30773b4e2ccbc629c5ebcfd17d3170dd593778f092372cbef72a0f643a59a8c9e9ada764c60193a387fdfe79f5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6a807b1c91ac66f33f88a787d64904c1

SHA1
83c554c7de04a8115c9005709e5cd01fca82c5d3

SHA256
155314c1c86d8d4e5b802f1eef603c5dd4a2f7c949f069a38af5ba4959bd8256

SHA512
29f2d9f30fc081e7fe6e9fb772c810c9be0422afdc6aff5a286f49a990ededebcf0d083798c2d9f41ad8434393c6d0f5fa6df31226d9c3511ba2a41eb4a65200

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8b72d556be912fa1ef73f4ab037d8561

SHA1
1764da38c18a1a56079b26f6123c19985627d9ba

SHA256
8639156780e2bab1326686893e7dc968806b907be8bb5c2228a46694838e0e06

SHA512
dfe69a9caeaf54965ddfa7b27f0a1136c71728b5c0a703732fca51f66bc92651303f2c2d770dccc0a44883ce3e3971ef94b0412ec1e2265d89334ef4a7567dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c70d68588637acc3329f04bed7502626

SHA1
2e3ad409d56a5e8ded6196b0fb0014770b66bbd0

SHA256
236234020673fa5e016bc413f258ec711de9a7295045e0602e0e929887ebf634

SHA512
e9615e953074dc2db6464a55ad7e0ae82dc5c422df60e99d6b4bff02c9e2ffac8ec496d6adf46df249be068af57ebe7e8179bbddb53cb7f700bdac2fb8e118b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1336ffb22842d595e7ee3602982.exe

Filesize
77KB

MD5
67c7fe1635180abaa9c88940d61bb20a

SHA1
addc53c2291b8a3d17b3668600b8257fef496989

SHA256
621278f6f2d263419d69187282d006e8f81afd73bdd75a39880d01d37bf0bbaf

SHA512
9b19f62ea458345a5d2d7ebb4d22a413996b502619466b1d3eaed0f92b35af91650cddd9ffdb397f8ed4558a09c44ce424d344c1f4102543934b651d103c40fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxddlrnf.pna.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
ea4031fa8bb4dca338d00f86e2407ba2

SHA1
6f7411c2bce53ff6c6c8b5d6947a5345273ceb72

SHA256
a38cf1b6d99e05e8d5fc7fd46e8320a2401a29e2a48e5e3c29bef74a9fbdb819

SHA512
7d3964261a1399b069d94a74210ec0f7d172ef44ff3894d60180c41908aeee2c68e85d37f6487a0750e353a3f3f301b612295c50def7c5d0f3cdba4117baf995

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
d02be1c18a09cfa21881229bc8e4adaf

SHA1
7f25aa2df09eeaf3f059de4397f40b8ba0eff025

SHA256
0d360b3d08711be29c672564206187dcaae0c57e4e37143ee49b5e493e50a4b8

SHA512
d532b0fe6343e0d6f6da50848bc94ccf1a7746120423a2aa21559d2e3dec69bd1e22bcff49aa498ef4e114811b3474141aaf8e24d7229923f499cd3adb845f2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1336ffb22842d595e7ee3602982.lnk

Filesize
1KB

MD5
07902105375d316f69391f1397f9cc67

SHA1
634d8e78e8a44df7b18800e80e7e3b7ef9645792

SHA256
76e58a9ba58da56d2bd0cd020ea094dde71789b96e5a03c91944cedce3e0e001

SHA512
769b36eb4e1d20ba69eb92280d522776cd4d0b38f12c6491fa414f048efceb210e5c692bc2ca0f94d6ce4f5249c086d5b0917904b8bfe386637c9a44cf6dd3e7

Download Submit
C:\Users\Admin\Desktop\ApproveConvertTo.edrwx

Filesize
602KB

MD5
4b0d1d45f9bab1351ea82a898533fd18

SHA1
351c2170eb186e531b5cbbc08db1b6573cbb091f

SHA256
7741dc4b7b02c5ff2a8b0af7a13dbd8c09499e0b2c462c3d6a0e63734ff863a1

SHA512
357ac5c90422a10a12acba5862ca33dea5b55f9d0ef54f7dbf79b38cdb3045dd7f4b48f4243fc1b8443504ebb1f9828b12d7e121d09020e6cca066fe4248fe0c

Download Submit
C:\Users\Admin\Desktop\CheckpointGrant.gif

Filesize
380KB

MD5
f100ba7db08202bbf262be90f0f22701

SHA1
9111ab15e1051d08eaca8e48a261778e408a2161

SHA256
10695eeb172b780ab5b858b9c062f09c16dd1fc5fd9ef080f9730049483bdf58

SHA512
d43336cd03025efd9fe99e4d43f8697b168539ebd5c70c37280284d560067e7add67dde5c7cc618dceeff28b20d3c2f3b111befacc7a755f95da91a25ffeb6da

Download Submit
C:\Users\Admin\Desktop\ConfirmApprove.mhtml

Filesize
454KB

MD5
5b76762e82680025fccbffd09889763e

SHA1
7ceb76c20385cc39fe575109d588bb4dd990eb1a

SHA256
8d99fe7f58f2c150d02a0efe1856a9e82031fd783b190352f47efaf3ba9ed157

SHA512
498bda744098c0f735dd4edfd7313a349a42ea19d76546bca50b8e0e2dcd9a8b835c52c5bdf199030e73edb5b650d8bf4915f3cfceb4a72fdc5323cee88c2a24

Download Submit
C:\Users\Admin\Desktop\ConvertToRemove.pdf

Filesize
749KB

MD5
b3447e923cc2fc797b11740ba7a3bd65

SHA1
1324ebb71e3fd2fa7ec6c23833cdafcb4ed64ad8

SHA256
9461f2813de43ed64f4cca21a52a36db9975652b64e9b59f605e6416b8700e3b

SHA512
12e7ca355579762ec26e639041d2dc9c2b709475dab9d86c6a1a8ebbc45c9a4a15f860701d5e6c39f2f3823b825d94030b8c7b8a1a07b1ef44c51b67faa849ca

Download Submit
C:\Users\Admin\Desktop\DenyAssert.raw

Filesize
331KB

MD5
cadc1d206372b9fa249acf3320874d5e

SHA1
560b73cfeca7e24722a2a12ba5d646369c601126

SHA256
a30667bdf17c7b88202964e11b79502bb995d2760080c5f65708d9dccfece7b0

SHA512
e1ab222fee86efc85bf725ab3ff2a93da0105f4d10454223a7a2721f3da6a22d59487a8a43617247586b57a8c42c238d7ad6aa1d9ddcae6d740e303ab83616f5

Download Submit
C:\Users\Admin\Desktop\DenyConfirm.wmv

Filesize
798KB

MD5
30d479461a9540b2c6470269ca74b96d

SHA1
4e6cc96397d15c8ab381f8452b8529fb2f0b753b

SHA256
a2ddcad3c4ea5f2cc956b229c8e63230d0b3074feb5e05f4db713fcd93cd5c13

SHA512
c744e57df7314971ea605667d91260f935abe791ce71b1fea74587a783baab308f56c63ce26906e3275603f0488b53a111167ab5f3935aa60caf3ceb6bf7c00d

Download Submit
C:\Users\Admin\Desktop\EnterOptimize.aifc

Filesize
1.2MB

MD5
c1523b763b29722fc6460ec01ddaf09c

SHA1
4f614946451c73d252df9b7efac5cc5d3b2ad23e

SHA256
b8c38cb2c9c6aa61bbe25faa8e24bba2e6c7a3d2bf1ffe3e1ef1f8b6ddd22a97

SHA512
ff29bf722a26fff6d8eccd1f654f23b400640f1ca750e539e556bd5944a6aa680e35b9933b7adbcda0121674760eb8c112ee157f8ff4209eee01ff1a77ba0cfd

Download Submit
C:\Users\Admin\Desktop\EnterResize.bat

Filesize
307KB

MD5
502abdb74339335f4109a7c3c0e11b18

SHA1
e4dbf9b161e4d1d5b50b75b7e21a4c2bed1c753d

SHA256
630bae8c81ecde0dd94b42e057520187891d2430a151a2f28d5c1e5e993bf059

SHA512
2f9ef1138e3d476762e2772f8178cdd4082094438fe92a879f8042e711126e89d4fd6541e91fd1a4f4a59393d954dd852f2c9aaf11e3842557dcca342aa58ab7

Download Submit
C:\Users\Admin\Desktop\ExpandUnregister.xps

Filesize
479KB

MD5
dcd050edc96ec01f8b597a922a3f2b60

SHA1
e5d7eb39bd23fba516a27cf4dd8475618736b4a0

SHA256
45c5ff33fe4aa60f3f46f53842ceee11f8e77486e296195d0ff30347131f50d9

SHA512
bdffa74284761186612e00292519c4b7a880b854780ab421758b15c125d361f1adec878504b96f17d5b46ace5c8b6cd280b0e32f03e8233a6bd52c7c4fc5e0d4

Download Submit
C:\Users\Admin\Desktop\InvokeExpand.au

Filesize
405KB

MD5
8e7c5d9442be7ab20324808d86fb285a

SHA1
b566c4cb0642715aee6c3e64efe997ca2a75e13e

SHA256
ed18ed368b7f8e376d6060f30c0486cfa642aba9593f7d25b65aec70f5155ce6

SHA512
68fe4722aae75aa9bb800427b3d0074240ee90e7070193354c03679cfc4b8820039cb4a1d6789a5d9ee9cfc06e68c34c5499105dd24ae9ef4f71c36392883bed

Download Submit
C:\Users\Admin\Desktop\InvokeExport.pptm

Filesize
675KB

MD5
f7d3c82c966f312b47883bf691c2b9b4

SHA1
cecc486c3d43f8729da996965a576f56c56e0ff3

SHA256
1efc6eab3d034e0623acdac297382bddb40c161a374cbd40a92d593365e42f4c

SHA512
13736cae2590082a079fd442e0f397c0d501b7fca90b5c313691170b0dd09ec8d39017a4eda274ad4607ead8f56dabd280093f4e4671eb290153dae81d444af0

Download Submit
C:\Users\Admin\Desktop\OptimizeComplete.kix

Filesize
774KB

MD5
a1dfec91b3ed43151b129fb3e72c74ca

SHA1
bdd5eb291397a4e1d6d8c78c1d7f8997698e2acf

SHA256
2e413a26ab8e73285cf4e8e27e4eba2c7436bd67c420aa7c5682a5158eea89de

SHA512
77b5ecaec7b4f4d1b9f6c37a82f5e40b2992510bdde7424221c803441891f64850a1b56b59170c3c6e18f81c1221d8490d6950b897e8ed4deb8b922a2ad37a80

Download Submit
C:\Users\Admin\Desktop\PublishCopy.M2V

Filesize
552KB

MD5
62c494d0827975c8cb715f1add3516ef

SHA1
941ad5d6fe57fddb29d5f9b04d4c78eb1aed176f

SHA256
aea646f8ea5fb6d68717515ab6cfaaee9963dde369c7f554022a528d5a7eef4f

SHA512
21160b01e880223f66c9c6e07e7ac56cabf12a284c1ffc26c5510807eb9f52a679433247edae0a6d0d0e55bd3e84d0bb957826b9588e419dbd53c9865cef2b71

Download Submit
C:\Users\Admin\Desktop\ReadExport.bin

Filesize
356KB

MD5
60fff2e851bcff83212d67ec7cda0446

SHA1
32d319f3dc3fef6e64ee24e344147d977871bd4f

SHA256
51f1b0fd7448250437d5d3448bbd17e6027ddf2aaa5b151e0e2d71da9419aa19

SHA512
aa3888448e6f72f208739a8084740c4ad25cf4d00e440d80fdcdd1c9efaaa22ca841eea9de2a36941c60222579984f1d260dfa9141e3220547a81c72da7b3a3f

Download Submit
C:\Users\Admin\Desktop\RemoveFind.wmf

Filesize
872KB

MD5
62c495283245b9cc771022f4f638e43b

SHA1
efb79c7b99cbad540eecf57dfb37b0e7f971eb53

SHA256
efcf3f9a95d28e2b3287d9453141e68fec45cd69648529beb4c904acf13df948

SHA512
a18cd65fc7d5108d1c69b6ccccca51fa88fdf39420fb9bbfe8d2f0bd9439f589cc51fc23fa3c241ab1f5946723236974e66ada8dcf08e3feacf9255ca60b19a9

Download Submit
C:\Users\Admin\Desktop\RestartCheckpoint.png

Filesize
577KB

MD5
b45804f3a5cdee30b5fc1362ff4f37f4

SHA1
6af294123a147d2dec173f08010454916198f777

SHA256
ad60e8a2b9e3ffbfdbaec0e11ebbcdbcd408c9e9875fa77cef3e63772cdf51b6

SHA512
1f1c6ce3a2e9d0f7484ab9225ad4c1132f3fec7fd99077bd48891a324ae50bd11bdb5c1e9cb3e915d8ab6223670b4044dcd61c500f23cc6cb026ca4e0d4f85f7

Download Submit
C:\Users\Admin\Desktop\SendRemove.temp

Filesize
528KB

MD5
d15db6f64461c509ca058a1568f1b917

SHA1
62b182e56b6fd3605a7b923bbfdb4120d167185e

SHA256
12017187fa306fe5f960d2c45257bf04db1a5f317477c1582f56feb8faa60701

SHA512
62a349101f3d155bade23d110ba69834b243de51faa07bb8c2cd2473ee410d2ec0c197565c8c0cf91eb2d39a40ab1ca3131af48a9f5cc5ed45a43d505833da49

Download Submit
C:\Users\Admin\Desktop\SetLock.au

Filesize
823KB

MD5
7ea219fd169be967820c8c7e73b3a3bc

SHA1
736ae68ea4f919932c9f327241d0f6ec8b2669cd

SHA256
e9e60f1fe1694fb0d41166de77e7e452ebf2bea89744203030dcf0d75893dc6f

SHA512
c6ad08f4ba8c8f5fddcfe446abebfe756c667758744e22d462a9880294b501e0dcf0213db32641f81f98dc088401e960ac34947e11f85e025f6d8eb1258183c0

Download Submit
C:\Users\Admin\Desktop\SuspendWait.jpeg

Filesize
503KB

MD5
a7dd4777d2e78dba56619004333a2e55

SHA1
8043e7f65d808038a0dfd4f0f8fad1a72737e75c

SHA256
00e89b59ad1792d5c102eec2b7c0243fbc42acc8cfd40dd20176662c6db13f74

SHA512
4a7d4c735f338de4dff94ffd0f278603bd36638ae4e214a2abd9b713904ca19b1f71f74947b0a554094a770b3be6fbd068c0d293d81ba0ec97847a65513404ed

Download Submit
C:\Users\Admin\Desktop\UnprotectFind.inf

Filesize
651KB

MD5
4b67d6fdf8dac5bf32be85db8c15bb56

SHA1
55c5ab02e7fd42c5fc8c3374c63be341b0d0a172

SHA256
22400a1cddeb6a45ac590a64dedda0be94c89f06a997f8d772e2c76ee1730919

SHA512
04d23ae3ff988b51f6eb05bd2ff1038fdbf87c288ff906242d2299691d7fae56107b21348e1725ccf25a833d91152917f34f2b0bfd73b71fc8b0aa60a6192f00

Download Submit
C:\Users\Admin\Desktop\UnpublishPop.xsl

Filesize
724KB

MD5
c52b35f6a79084fcbee86dc318d5a1d2

SHA1
5f9a35c80d9cb9b37de46fa7d5f860305ded1859

SHA256
49fcc1be6bf0bae498c62c9abf8a60fd3f1352098cce54424d78898b09e1dad2

SHA512
4f468060739869fb766abe4f5586c158cad7e83e27f21fd3f3976dfd2c3f41e839be18f3b0563bacb68fd7d09a3e828166c1b8f9a91a759d215e6b66fac69c60

Download Submit
C:\Users\Admin\Desktop\UnpublishStop.xltx

Filesize
847KB

MD5
9f8b3262512860b6a197d9c2fedbcb8f

SHA1
c4e109cac16887e2e23bf1c1a807c039590463f8

SHA256
7409e90d18ccf99d243678d224708b86e7e8bfaa0379425e54f52bb16bf345ce

SHA512
40ee84437b25de88d201aaf6d782df754e1f094448d914d49b1d6cb7d96f17079222d7630c7289f78f93aadce1383d1998af9f5a7e6dffc8bf670566c4436cfa

Download Submit
C:\Users\Admin\Desktop\UpdateReset.m3u

Filesize
700KB

MD5
b06fe8f29ea7564ee4754e1196eadbf1

SHA1
6e1c0c2333f324c934db4f443cc479fe9d630ffc

SHA256
efee4cdd02a332129cd575b3cbe3183028bcba739b2e8e1baecae2eb50c67b86

SHA512
99c53ba87505a821d337c836e94042617dec9a5314e0754cf7865ef698c164ed498bc9442d8e7905f5734f825f17e272b2d40df606de2f82f739f15073050978

Download Submit
C:\Users\Admin\Desktop\WaitSearch.csv

Filesize
626KB

MD5
b6ae3435c4a33390e129ba1a13e92692

SHA1
d93ed50b923ed0c2522cf8115e7b48d323080882

SHA256
5beb69497d2337002be0f1cd4fe6d517b84ea8b59240cb119cf882bfd112bb54

SHA512
2ccadba7f65aa08ed7dafaeeead4b8c207c9b01a92705baa22aac52e0d598736bf442404b14312e7dd06603b21af2616b003498783b1834c3c5dacb3648b0c98

Download Submit
C:\Users\Admin\Desktop\WatchMount.vst

Filesize
430KB

MD5
b35ff3194aa1adbf425323562c361f41

SHA1
9eca8ee2ef042fe7be0ba1b8cd71391a0b0bc4b8

SHA256
caa1dc6496fd4768b73e389275a6ad78271617dda615dff62afd56599f1c4d7c

SHA512
f74187c44a7b842043bd57617a87974a4788e819f03ed1c648fec31ed47cf661f028e54663857762650a119abbc86f1a9cf9891b07ad650ca12b5b5b99d77c95

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
93227dabb5ff55c00bef6ad6c9cfa468

SHA1
40c651bd4328640fb6e0cdccdd485aae5fa09138

SHA256
eb3b803ca81d725d7e512ae55b5d43165741aff21805ca9c02b71d4f3281f203

SHA512
2aff3113a6a9e64a20c18991910611b9beb44a10a84fadf5e38b777ca855ec69286499b18217a0bc565a410abb36225bca763c37af1396f703813be2531b4116

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
a8153bbf88942f91c3855174af94dbdb

SHA1
7b9c005e97d3fef4777d967f8548a20f74564b53

SHA256
23d6f43adad1add7664fcf95d5206c4dea695c3e037a8cf7973b0e49cacedf73

SHA512
20a154de6fbde3fb464db91f41462c4af85b8c670be5900111d640eeba78aa3a946de7cb5860d0e3a28254807ab34cf651740e013a39843a74e0b848930b91e0

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
3fb42940e4b173a3971a152acf78708a

SHA1
e20b7f56fd3c78ff6b017c38d96c7e736280b446

SHA256
892ec2cc88c3a7b8280dbcc872fb1cb0fa1c0babcfb7250a27707dfd0624b0dd

SHA512
bfa954d7bc7c08eebffcee0cf712fdafe529104a7fdf721b33d73e0d2e6692cea67c0f5eb724f65851824b3fa64d88b3897d6d11fa72eb11633e47743212b8bb

Download Submit
memory/1528-0-0x00007FFFE62D3000-0x00007FFFE62D5000-memory.dmp

Filesize
8KB

Download
memory/1528-33-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/1528-16-0x00007FFFE62D3000-0x00007FFFE62D5000-memory.dmp

Filesize
8KB

Download
memory/1528-2-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/1528-1-0x0000000000F70000-0x0000000000F8A000-memory.dmp

Filesize
104KB

Download
memory/5088-20-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/5088-17-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/5088-15-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/5088-14-0x000002CB16500000-0x000002CB16522000-memory.dmp

Filesize
136KB

Download
memory/5088-4-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download
memory/5088-3-0x00007FFFE62D0000-0x00007FFFE6D92000-memory.dmp

Filesize
10.8MB

Download