15e157fb06c410f249d968c3761b91d04454bcf9459d6f136f81345d881ba2b0

Analysis

max time kernel
1274s
max time network
333s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
21-11-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

view.html
Size

91KB
MD5

6a13b13bad53f5f9a5d36899510a8afe
SHA1

c2f561e7dbf8a21c14ac7500502096960c478300
SHA256

15e157fb06c410f249d968c3761b91d04454bcf9459d6f136f81345d881ba2b0
SHA512

3120856f7ab725ac8da80138059a974bd237d79a46b4f2d6a014e341056b432f865f792d09731021be673322550ea54e4a677121bb33eb478933c50cf61293da
SSDEEP

1536:ocEiY5YP4jhGJ4m3plHNrCq59MHhfwCumZQ2MLN:SjuZhCqHYTY

Score

7^/10

defense_evasion discovery persistence privilege_escalation

Malware Config

Signatures

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 14 IoCs

Processes:

winrar-x64-710b1.exewinrar-x64-710b1.exewinrar-x64-710b1.exewinrar-x64-701.exe7z2408-x64.exe7z.exe7z.exe7z.exe7z.exe7zG.exe7zFM.exe7z.exe7z.exe7zG.exe

pid	process
3104	winrar-x64-710b1.exe
1464	winrar-x64-710b1.exe
4196	winrar-x64-710b1.exe
1172	winrar-x64-701.exe
3148	7z2408-x64.exe
4444	7z.exe
1364	7z.exe
4576	7z.exe
4908	7z.exe
4960	7zG.exe
1392	7zFM.exe
4032	7z.exe
748	7z.exe
4960	7zG.exe

Loads dropped DLL 2 IoCs

Processes:

7zFM.exe7zG.exe

pid process

1392 7zFM.exe
4960 7zG.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

15 drive.google.com
18 drive.google.com

pid	process
1392	7zFM.exe
4960	7zG.exe

flow	ioc
15	drive.google.com
18	drive.google.com

Drops file in Program Files directory 64 IoCs

Processes:

7z2408-x64.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\si.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sq.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ms.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sr-spl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku-ckb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ku.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mng.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ps.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\th.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\pl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ne.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ko.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kab.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tt.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ru.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kaa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ug.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz-cyrl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sv.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uk.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nb.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\va.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\License.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mr.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sa.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sl.txt	7z2408-x64.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	7z2408-x64.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710b1.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

7z2408-x64.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7z2408-x64.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7z2408-x64.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

Processes:

msedge.exe7z2408-x64.exeOpenWith.exeOpenWith.exeBackgroundTransferHost.exeOpenWith.exeMiniSearchHost.exeOpenWith.exe7zFM.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32	7z2408-x64.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\NodeSlot = "2"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ = "C:\\Program Files\\7-Zip\\7-zip32.dll"	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7z.exe	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7z.exe\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7z.exe\shell\open\command\ = "\"C:\\Program Files\\7-Zip\\7z.exe\" \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Applications\7z.exe\shell\open	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}\InprocServer32\ThreadingModel = "Apartment"	7z2408-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}\ = "7-Zip Shell Extension"	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{23170F69-40C1-278A-1000-000100020000}	7z2408-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\MRUListEx = ffffffff	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\7-Zip\ = "{23170F69-40C1-278A-1000-000100020000}"	7z2408-x64.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1 = 8c0031000000000057593578110050524f4752417e310000740009000400efbec5525961755918912e0000003f0000000000010000000000000000004a0000000000aeb6fe00500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1\0\NodeSlot = "3"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4248760313-3670024077-2384670640-1000_Classes\Local Settings	7zFM.exe

NTFS ADS 9 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 472351.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\a.htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\a (1).htm:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710b1.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 82675.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 424054.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
3048	msedge.exe
3048	msedge.exe
2796	msedge.exe
2796	msedge.exe
5012	msedge.exe
5012	msedge.exe
3824	identity_helper.exe
3824	identity_helper.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
2204	msedge.exe
1552	msedge.exe
1552	msedge.exe
2888	msedge.exe
2888	msedge.exe
3716	msedge.exe
3716	msedge.exe
5008	msedge.exe
5008	msedge.exe
2428	msedge.exe
2428	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe7zFM.exeOpenWith.exe

pid process

4984 OpenWith.exe
3724 OpenWith.exe
4684 OpenWith.exe
4640 OpenWith.exe
1392 7zFM.exe
1644 OpenWith.exe

pid	process
4984	OpenWith.exe
3724	OpenWith.exe
4684	OpenWith.exe
4640	OpenWith.exe
1392	7zFM.exe
1644	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

Processes:

msedge.exe

pid	process
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

7z.exe7z.exe7z.exe7z.exe7zFM.exe7z.exe7z.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	4444	7z.exe
Token: 35	4444	7z.exe
Token: SeRestorePrivilege	1364	7z.exe
Token: 35	1364	7z.exe
Token: SeRestorePrivilege	4576	7z.exe
Token: 35	4576	7z.exe
Token: SeRestorePrivilege	4908	7z.exe
Token: 35	4908	7z.exe
Token: SeRestorePrivilege	1392	7zFM.exe
Token: 35	1392	7zFM.exe
Token: SeRestorePrivilege	4032	7z.exe
Token: 35	4032	7z.exe
Token: SeRestorePrivilege	748	7z.exe
Token: 35	748	7z.exe
Token: SeSecurityPrivilege	1392	7zFM.exe
Token: SeTakeOwnershipPrivilege	1392	7zFM.exe
Token: SeSecurityPrivilege	1392	7zFM.exe
Token: SeTakeOwnershipPrivilege	1392	7zFM.exe
Token: SeRestorePrivilege	4960	7zG.exe
Token: 35	4960	7zG.exe
Token: SeSecurityPrivilege	4960	7zG.exe
Token: SeSecurityPrivilege	4960	7zG.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

MiniSearchHost.exeOpenWith.exeOpenWith.exewinrar-x64-710b1.exewinrar-x64-710b1.exewinrar-x64-710b1.exewinrar-x64-701.exe7z2408-x64.exeOpenWith.exeOpenWith.exe

pid	process
4388	MiniSearchHost.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
4984	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
2672	OpenWith.exe
3104	winrar-x64-710b1.exe
3104	winrar-x64-710b1.exe
3104	winrar-x64-710b1.exe
1464	winrar-x64-710b1.exe
1464	winrar-x64-710b1.exe
1464	winrar-x64-710b1.exe
4196	winrar-x64-710b1.exe
4196	winrar-x64-710b1.exe
4196	winrar-x64-710b1.exe
1172	winrar-x64-701.exe
1172	winrar-x64-701.exe
1172	winrar-x64-701.exe
3148	7z2408-x64.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
3724	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe
4684	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2796 wrote to memory of 1904	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 1904	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3588	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3048	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 3048	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe
PID 2796 wrote to memory of 2196	2796	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\view.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffd2af3cb8,0x7fffd2af3cc8,0x7fffd2af3cd8
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  PID:3588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2360 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3100 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4784 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3936 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4788 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4812 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2944 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:1660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5636 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3632 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3548 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5008
- C:\Users\Admin\Downloads\winrar-x64-710b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3104
- C:\Users\Admin\Downloads\winrar-x64-710b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1464
- C:\Users\Admin\Downloads\winrar-x64-710b1.exe
  "C:\Users\Admin\Downloads\winrar-x64-710b1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2436 /prefetch:1
  2⤵
  PID:988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6828 /prefetch:8
  2⤵
  PID:3316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4740 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:4116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7404 /prefetch:8
  2⤵
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1708,2631305858554323339,10006731722776918441,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7264 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Users\Admin\Downloads\7z2408-x64.exe
  "C:\Users\Admin\Downloads\7z2408-x64.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:3148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:768

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1056

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4984

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2768

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2672

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\4327b6ac128b42b3b46d5b1f08619f81 /t 3476 /p 1464
1⤵
PID:4904

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\71b5cebdeb2c4c1c8fb51db62010d608 /t 2148 /p 3104
1⤵
PID:3148

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\22808bba4dda4f20ba856509b8152ca4 /t 1824 /p 1172
1⤵
PID:2172

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5b1010f00f6e4a7ab3cbccb8224f89a5 /t 1460 /p 4196
1⤵
PID:4752

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3724
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4444

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1364

C:\Program Files\7-Zip\7z.exe
"C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4640
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4908

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe"
1⤵
- Executes dropped EXE
PID:4960

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1392
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4032
- C:\Program Files\7-Zip\7z.exe
  "C:\Program Files\7-Zip\7z.exe" "C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Program Files\7-Zip\7zG.exe
  "C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME\" -ad -an -ai#7zMap22253:152:7zEvent13886
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  PID:4960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
47KB

MD5
9f96d459817e54de2e5c9733a9bbb010

SHA1
afbadc759b65670865c10b31b34ca3c3e000cd31

SHA256
51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609

SHA512
aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
25KB

MD5
a0914bc7fb19bf3ddf3ff50958a69e42

SHA1
24b38738128b1efa1dffa433b25d5b1dc19dc124

SHA256
8b7bde3c9555d7d20aba60467cdb0e5901bf9112ac781562fe9cf442fb08cd43

SHA512
7693c9bbafdea30976470b3ff95bb6551f7cc2234d8179e820764ac4ec8e1a8368eee71a8804e07bf0278d636be08bf14f8cf4f3bd586328c8e9a12834df2b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dd24806322f51e1141f0f0361064e708

SHA1
fa17e64ddf9f01ed46fb1b202782bc10027c5f0b

SHA256
29c30337ed5572bad4be8ac7f8d7f425b0961fe81d5f16f927a84c0272d8b475

SHA512
a4954df07af215acb5f37ce08c4554725513a5a2910551e10a78fb49b7d5e022215da6e4adaf432262518c88776ad642c7fa1d8d3f1ac07527d6e2a51b9b4bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
8ac557533f6301fa4fb823284f2abf39

SHA1
bbd2977019188be8ceef137462dbde204a507d60

SHA256
4f5f628c2f68ca035bdde7b471fd8e41d9965a18691d10bfe277f0d56a69be53

SHA512
6d35709dd14b0e3e60b45d6d8782a25a64004932c72c75148d62dbb8fd7b42aa7247998143decce5c24c3775e6c4b9626cf3283a0d09be88fea023397972b273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8a9cac42048a234b21939505994bcebc

SHA1
c9fa1b940fdb06f5493cde0c690d1ef496b3a150

SHA256
18e3bc630f045a524315b735c10c2b95dbb878097c5605b909b8e277cadd6a47

SHA512
9a886ff7b66052236d31d9b4e384966af079a1483e40e83f947cc831dbbce8f02dd06a12f8842713098bc11236aa9b302a4c8ca9f83c9a8d76a803509ed3d864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4bffd4e7490501ad2ac738ec5994936d

SHA1
3126f6ff70b9a26c38e6229f02a84acfe9df7ded

SHA256
59be2d3b0bd77c69937f56ce1663c02c5244370bbbe9d1bb9c2a9ff9315bc5c6

SHA512
49d49776bf1415802c00169c563fa08389d0912b8414cb097a1dc80980cf39c5e8348caa60aa6952c5ad81b361cf3613ece6f6500e56fd56d51eb583b29f95c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e5ba7ae775a11531120336a67e98759b

SHA1
052b2cdd39d73d501260a83fd390ac0e1e0b6fae

SHA256
9088c31e7e14142411993dc49e213ccdcb1d72c89c2f5c8d30469c9f214acbc5

SHA512
0f4e230f004c1e69d5ce69905182324a3e01fb44fa7b5aa82ec0f8b454261a3f1550788a06f84ba7eb3a3c0aa06e30a2a3c4ce4ee96c8641791f30d4e6eec85f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4d561098c6c176bfb8c5007abd07699c

SHA1
b914d79716cd29ceb812cace01f408c129bf1d06

SHA256
686e36e9d724cfedfc9de83e4c6f8f335f02b0a80476dd036f0f00b6296e480c

SHA512
53d9956cec5bb796f2364d1728b1b887ab563373c9f3531344b4849cea9b2f46a581ed0d2d44dee7a60ce81de3e2fc75d493e61dbff59618df32b57b1d504e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
755d6336c56a1facb54d9e5c88421419

SHA1
1c4cc0267a1169802f98d6b41c34629a81bdde52

SHA256
4cbd9b0cec42e1dec793d1a1f28368930683a97af9f6e9af13e87642c2b8734d

SHA512
eedafe359b30e302f0fe67d26cbb150335868d86c3e6592d79a2ae50ffa155a90d75f459b90bf091a2d93089e9f2b46624fef38f266f46266aa10c327cd436c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
fbb92c50e2d1e7339c375231d541cddf

SHA1
1aaa061fa2289c969c93bbdd17657624af178c6a

SHA256
766cfea1e32db4f9f9c10b7dfcbbd4c4deea9500f67585a8012a288cfef6ba17

SHA512
bcf689766503afe062c39566211748c1d1e341107cbbb59c8e3b8613ac4e6e144c456a207d1e8936ba670b39070a62854f92b3456440dab895538e6285c87d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c494338662ce67a70c6c32b745868bbf

SHA1
c9dcf9b6ae30aed6a250fc31046f0cdc93537cb5

SHA256
d46b65121d58e045e1848349e860a7c86d77ea57b1f93c169e244f4825dc9790

SHA512
4c0db7d0d2c04019a7fbee0aa474748fcd35dc4fd7d768aeb469d2cf2aee42f53f41540fe24d77f080d3c09fa1c82dc9c1ad6bf94b4934433edd05cae5d98a9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
13909c458176ee8c93d6520a848c766d

SHA1
263e6ab92eb73b0f1def2e42b6b7ac3ccf8fbc1a

SHA256
827bf6065d52251bd4444d170c68e84fe040304ec1f739b369da4e36ba65781f

SHA512
b01dddcb88e300ad41054765f16203a3b3858e03c3943213c3bdf9230ee9d8c6c49a10beccf3d3a99e679ddcffce2cc5e685acf1f337a0abc89d91b0075beded

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
54890542ebfc56792a737a744310773e

SHA1
ac2c86a833bd4b77b6bb50f8696641a75f5440e4

SHA256
cff55c0f7829d06c330850dd90dc66eb05bd3be3d439ac5cbf8c40b77e40e06c

SHA512
8e4c45e9d83c14c4bd95d8da3ac1f33968114ec64d4fb097a33d9fa7b0df450450f69659ce8664b2276ae848db01ed670644a4f15b5ef800a81a3a8754143fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6c3bb2e647602a27a71693e5c475b90e

SHA1
77db1a91a8d9a773322d6c81676f3670f8698ae2

SHA256
d8ff2ebdc5e460fcf74df3a42e51a396728fd3e84df79cf05e797d0c95b5ddac

SHA512
b9cacb2ea163ed6849c98d1854dc1212d8a711150ba573c4e2b1e59a552c7d6614f78e8764738f20928b7ff7fbaea7b100b2d5e3d43ec41390861f7bf7964f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c3f5b9391d8bed47c78d89253d11a745

SHA1
be4ad45effaf8188445e37240884be37abb5fe60

SHA256
2682b059cc965ffaceaba9a35f8e5c07c71f8cb4971810d414f09faeac9d4f5d

SHA512
a5a0af6cdaefe45e4011cadab573db1ca7a78930fb2f0d51b6e6b7b832a311397cc6f6b75babb4b608c56f6fa07cf06e3a42a1545c29a4b71a5c99fc47572993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
ea27f490d3adbd568e59e6b6c442e6d1

SHA1
8885f974935d8b13ffcb34db6ad3f1a7cf16958c

SHA256
15d22b1a0601dfa7783fc4e96f1ee9e66ef80b37121568183b8c4f0ba8d249f0

SHA512
4cf37583ae7d1cd0d1c6104a2cbc47f3647e283c9e99c8f175ffa8a6a2766b0c62b57105530603f217b2f510bf10556df36764b2ce5afee74cd717b96b90eac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7b727b0157fd50236464314e98674559

SHA1
5fd5f8e1b342ae44c05a58361cfe0ec8c3a1b886

SHA256
310b3c4c725b5c63ee4e468aa084e9b36f485c7bedeb024cd81281ea62226768

SHA512
fe1f9c2288b6c5ad880ff8e68a7b6b19389a9c4fbf7ab5f7913f9a38fde94ca1917764c80cfe49b36b74200ef07db7fc06966b62b7da3937a3192a64f1f40ac7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
702e47b402d6b754f6b6138c6f83d917

SHA1
c7a656f56e3eab12e44a64cb37de04a737d6b726

SHA256
cdf037fd2205b8f19749a9eb35c0bc2d11f4ede33eb3133c502f141c42a8e591

SHA512
739426508395e55ff03ec9e59c928e8d37cbe24ea745a8ca1860c2376c5d336a35cc29dfd80294d249b80c1f9aa4b576fa4b8fc810bae77978a0b3651aa79fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a52c3fb4586a5761628b7c456e9cb63c

SHA1
6488cb150a1949654166bfd50ce070e6359794dc

SHA256
4802cc32d590209686c765a0c9b565ec2a192c27821e79f412f86ff51ae5508e

SHA512
1ec2ff7fc38f986e50d1b3547049b13e6149b345c7ab6a256112c6e77db8063e27c8219e5deb8a4abad5febd44ab8b829f58437a4bf989411984e25bfb1ee638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7ef91112ff7a01c5f73a47b941a6ef94

SHA1
880d4b17df736d87eaa89e4be79cc519f3a45816

SHA256
556c84d861e931c44bc0425ba933892df6c977cbd72b35bfdb5f1a727bfe98c9

SHA512
21e4a1fd02adcab8cdfe796e333dfbd7305e4284032e71db4e21116aca82122dfd379b33e782b53e797bea679f73d27ffc49ab4ad92797c4c8b560e9a894992c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f4b74bab3a08adac04e6c39c00ba12d6

SHA1
26bd44a1c6b07d63b9e284517596ac1a6161a0f0

SHA256
2b2c9aea63412094615d0fe79da1cc20d7944963132be0db39f3fb8f2bce95f3

SHA512
dd4b13a29ca476bfac4228bd7ca85c73cd81ca9d6c1a9a4606eebe0d5c4e9b28dbbdcbb9d521ade5482cd2b86ed027696d66422c712e6248af1c572ac490dc36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
370d1242a381553db5ca6a3171089708

SHA1
42a7895d05e80f75f9b27900617c16672d846b53

SHA256
47ae9ad64d893929e2d6ae4403085dab555c22cf7bda669d6e72bd1de13dfa67

SHA512
238980fafce6c9dc77d8de5bbd74ce73e4a64e64ffdb81dcb07bd16a411726c5340c251145b613adf3c188e16e7ace99b4114bbce6b8fe4dc7c46a9174655edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8ed52083de3627ae7b2e769968bc8c05

SHA1
bfe0cd493cb79d8d6d2e1225f634bc87f4685185

SHA256
4e684d29dec4272023dcb02ef544970bad4ddd760dfbf42d7b8768e0d2eac22b

SHA512
c20e6799afd8be8872a61cfc01013116f840cd58546f5919612fa1c9e51568e1dfa9bc75d4765d0bdf47ef4200e38b9eee7b925315c62225db25772f55d74e7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8d6b0cf1a81dff4a90db7d630ac5fec8

SHA1
0c71112a75290070a830660aa533fb685046717e

SHA256
4b72e294b8ab4820c9cf3698a8177f5b30d73dd636aaeeb07d99ebf1918c663a

SHA512
a8d0b3273ba57df027e0d3e93cace055dd2611efc9900131ee468003f6c108a70d3538c8502735f7d97ead1649e8aa7ae119eb3ad58d2110a64cd4e334bccce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
15e9a14b50dd4293ef4e47e6dc009839

SHA1
2569d7e1a207a388cf60dfb3c028e6cc22107d2e

SHA256
d839ae03f7c0e16deb3acc4db2bb6065ebb20bffce695c6e8e6ae86331154a76

SHA512
fb656ba3d4752961e9081e8d00d23f557a9fd3a64222139d4f557a7fa55640a1979e6c1c0c58a894bb6809bd121f812f709aa1fd17c2b1de0d8a3d241e13b559

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
61332028058507ba50a5fb76cf3b3954

SHA1
1e44f0bde482f53bfc1fdd42fc429bc2e8ca79cf

SHA256
1b2124733c924ebd586683a5a88c647bf6e22e819407ff6bd03986fd31223669

SHA512
5c4b74417df75db4d4093743565449605c2bae60e178459620d942687478dcc35eb02ea0b4fc17c2e47c56d8b8948f7d95ca665814ea6f2cd4a836bfc3eb5d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3f9eeaedc390cdf7c41365a336520e49

SHA1
807d40645608e168bebabf2a3e94eef0f57966eb

SHA256
2a6f83436f21485e424f79497ca83e0bb3407a19cdf597f0c0c6b40cd7fe0ae7

SHA512
f788319f324dbaf5a9b1eb7b6f45296018d480200f81b43345c2b31d77f19390d48b62b317a8d933cf7a52f5f6e639507b6589b36161bb45c55359ec82d616ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
84d7be4616f897f791189001f7265f4e

SHA1
5b0a7c4208bccffaed262093c079fb890b2766d3

SHA256
952d671d8c37d98f2367517e9e00ed89714aaeaafed3563d041e105487a636e7

SHA512
7873858697a6e97db8204d549d466c0bfda96d8ccfc203e7e2c33c0551199186ee3dc4a18d72c47eac0b940d40793c526d10f67ca939e4f75ba675eeab56fd16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d23782ef89dbae06b4d34d452a43e1d1

SHA1
0f1fdea988cf91ba6a1d530441231ea1a9ebeea9

SHA256
c459c41181df00b203b0fb5cdc138012e85702d4adcd27aee94e4dab0a940818

SHA512
b3f34584aa258b94ba6bffe05f2d228c963c668a7f0f78ec50a1f568f1c5aee4890ec043943a027d6c14a30db695cea2761d212cbe4e0c05fc7fa540a401b09d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
91b2c9140d9ac2fe8588534d1ddacbbc

SHA1
7a581df1a2993ed1661a66350e4df340b253fe85

SHA256
0f95b7f655fe898707993ca5cdb07309e62f8b29c1143062293bb0b0333f712b

SHA512
d142dbe9d20e71953391ebc78794b2e9694a6a741c7323b42f16572c35b420510af863b443ec1eab780d1c9d961e67773157898dfbebbfcf41f85c96c4d47f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
16b0b4ff5c1f780fd77f362765ef4d5c

SHA1
0a079a5bc1a90afabba7f3f6340b7e5239dd9f0a

SHA256
e8ee9a10d7386260f11cfeb422e2dcb3d8c3062189436f7bcf73fa146269565d

SHA512
9d29f852173d0d83b8cfba30a1e8a06b5153b1a5e0a0ade7d6b70f0e522326b5a6b49fa7fef1da07e5b9b35f1cd8d02172be114fd8bbf4b8252568e3342cc38f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5bbd03.TMP

Filesize
539B

MD5
22669800cbaa00bc9c5142679d0a366d

SHA1
e2f4ed1bcabd9169d1ccd4e097d6ba6b36341674

SHA256
8aa6e101d8db11f4d8d1730355ce6fca67fc538050493de70bf94afbafc1b27c

SHA512
d8009826a5437f32754658a860062eaf583510e5af50f40336f45fbd4fa61150dff914f8b173d70fbf31b0c12c04d7fa3192f151975086c8595b85aaac7e3b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
14b3ca912eaf6a5b4a743823486af03a

SHA1
980647b7d383a31ff3ab2f009e6ad672c856e829

SHA256
837191fcf64a596ea87d8a256ce05d9ee58d0b5279853d2c7beb69024312871d

SHA512
d4665b0ea1c5968a8aca896d1b0cf52340f878b5dd2171a632e93f027a8eba86f74a646aa04b3d7e303a4dda56babf55f7bb25fb43195bf2e56964bfa21c6ae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b705c87012e448fbe5fea6f2222f3a44

SHA1
8dd58788893c18d2d3332d09bf5860b735c6a20f

SHA256
146cbb216e44d0ce958161c8ffccd665e06458e1530c1cd00af2c82583a2bdc4

SHA512
b75730a370fd7e7e850facc85d421ec841bab0887f6230394dfb8b18d9b98702faa22d873fb1f8e1002da30cfbdac733702a2de1ba79ded6a09a6fe093b2e650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c19b1e537bc6c5d42dc3bfc93c5754f9

SHA1
dfd5039006b293292897938a26e11e8fd87d0d20

SHA256
92ca2cbef35dc50c5fa6b835c4de5d893a384ee4d358b7396ba00f0e32ef8a86

SHA512
3ecb45f020a15b70991d20220b16895200b8c89b7f52796d7b12762f57e3e765bd7a7f98b9830823f5209d8cee2e5ad777d7c81a3938a18f2bbd0f46149c2926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07cf36d0b0917297d1137cd164d3ef11

SHA1
dd1aacc389d7936f325acf1d2c2640e5345b2519

SHA256
9cf523bb16fa937792a25abc8b8ede8f1c0a95a51d550eede1371806b14f87d8

SHA512
4348b0e386c0385d0cab4232b9cf6a156888c28925955b317f8ba91f7afffd3a4307979841472cdcce73edb55231952cf3a8671e16a80916bb42ca071d97ddf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7bdeefdc9d65be8cfa7401d3eabb8882

SHA1
e21c3a2e7af408cd35b5d2a63c41b4199837f467

SHA256
569e5e331c8d6f06965fe747d1c1b439e75c9c0d4969323628e1503abb5c0e52

SHA512
26a29a2d07d139b745478b3ee01045068b8462a54a173c44dd07c905a0f96e7bdfdb3d195611d280dfe1f87f461d53fafc3df4e65e82194d1dcaea64bd3696d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
61c3d943d384bd02f3001998a1c738f8

SHA1
2afe5bf84bd2822fcafc4a53ef2ec578e93b5b63

SHA256
74bbcbbe604c528218b34dc0957225b8a9cc4f6e73a00ce367eeed0530905a73

SHA512
99d100d5f5ff6c59da860d27544a210f1fa40af609307d2d20d2f227bbf30893fd8a6defcca4ce7843364612b61f2c3602302c891842840e2a0763a5bc3dcb85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4bb630b193aee6b6c69e62242a20e706

SHA1
ba636ea86e3c638e459af2bc5041784f024f1de1

SHA256
a5e03dfb3732686929452ccfd54a5b9a99e4f726b274fd4d300cb88e5e0527d8

SHA512
a96b2dc3cd247758af1c6f7e97fad8c1d4180df987228557b75e115d0010a5544092f8cf858d3a565b722efc02d3f6bc764542851fa63ca22bf49be5b3da8ac0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
209570c5a1dabbd8a986f35e8cf2dca7

SHA1
80c2be3fe42411154bc12d0be1a7b0e8d4c0dd1f

SHA256
aac1d9232f3b9fb3994ae803e17cc72f7a409b9569f806c8fe0b96e1976ef95c

SHA512
eb9e116380dbea7509321e935145c3038bc712b8f0081b9304185ef69e2090566005e9443339e7e510083b0cb880d685afd20ccb08ade8957705896ce3e834fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\db70be15-4000-467a-94da-151410a661b1.tmp

Filesize
11KB

MD5
293a7cd10fa158887e0fd6d28247bdbb

SHA1
b7130f6acf7e9e143ab3cb078450797814531b19

SHA256
30146e01ad849395b27ad772b2790cd6ef2942ba2cfc6f61ebe43d25c3ebc8c6

SHA512
24883a35b866971bdd1d2ed23ac00989f2399a6db2595bad97d0ebb17f5e0579f9e922db7ab16d4df62f96543b77576e500e406b35626e22bf2848275b0209ac

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\1f2b5bee-4dcb-491d-9c8c-294ede13bcf9.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
1301a13a0b62ba61652cdbf2d61f80fa

SHA1
1911d1f0d097e8f5275a29e17b0bcef305df1d9e

SHA256
7e75ad955706d05f5934810aebbd3b5a7742d5e5766efd9c4fc17ee492b2f716

SHA512
66aa4261628bb31ee416af70f4159c02e5bbfbe2f7645e87d70bb35b1f20fa915d62b25d99cd72c59580d1f64e6c6b5ad36ace6600d3bcdb67f45036d768ed8b

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
964219fcbf4c1e0008bc5e05686367a9

SHA1
685a0b860afbfd43305bc67763e41b296a22ba8b

SHA256
4f4388ce8c3055db4827ad4b6d7d6ffc7bead99955a3fbe44ab3a5454651ae25

SHA512
2745f64b2bd54740a5c1f754785c39eeda9b6b5112707cc8630ba188638442de7c636446f750aeb340905d9da26f96ee4e7f7c96e2b690058ce29d7b6efe8c16

Download Submit
C:\Users\Admin\Downloads\7z2408-x64.exe:Zone.Identifier

Filesize
62B

MD5
c890bea6e954f09438132954810d7427

SHA1
f615d11deb02acb360649614730f82a909232618

SHA256
44a8204cd11c7f1d91c8dda2fe2bbd935a55c8a62e073a220534ec8587f121d5

SHA512
4b42cfbda92affdea4b3fb64efc28dedbe598800e6abe17733d0645a8c60d9586b8a28c8bd1ccae3cd6e305f6ff8050bd221d4bd40ba41b79d69609aeaf3a53c

Download Submit
C:\Users\Admin\Downloads\Microsoft.Flight.Simulator.2024.v1.1.7.0-OFME.rar:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 280068.crdownload

Filesize
1KB

MD5
da6dc48de5f94adb63dc073a45503880

SHA1
0d618e3a0ea71ddc45f3db732aadb8385eb088e0

SHA256
3252f74f31fc8359b726529b645ae8e48459d74d71899d64266ecaad4e4fe5e4

SHA512
979f4ed04b8c7192359f5093a012599a3124bd8fa20898cba9944a2f706c20b9aee00359cd3f61c6906041b655a808a19daab8516cf7117965d55025aff32c4f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 424054.crdownload

Filesize
1.5MB

MD5
0330d0bd7341a9afe5b6d161b1ff4aa1

SHA1
86918e72f2e43c9c664c246e62b41452d662fbf3

SHA256
67cb9d3452c9dd974b04f4a5fd842dbcba8184f2344ff72e3662d7cdb68b099b

SHA512
850382414d9d33eab134f8bd89dc99759f8d0459b7ad48bd9588405a3705aeb2cd727898529e3f71d9776a42e141c717e844e0b5c358818bbeac01d096907ad1

Download Submit
C:\Users\Admin\Downloads\a.htm:Zone.Identifier

Filesize
420B

MD5
ea2e990e053140cad98515e30317bec8

SHA1
54010a2dd7cd2609f0dfb0804868b3a911f7467b

SHA256
e578103db3e14a742a50991f914053f8004819de1e63858a366e717f895433d8

SHA512
aab262e5f10c06800e55c6d831bc7cade08a6a12cd95db6a50619688c881ba9fb6a215e9b117a185bf6dd492200673c1ff7bbacb996ce1cf0d24a5cec2fc7b82

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe:Zone.Identifier

Filesize
130B

MD5
2920729da1ffdf0a8af2d7170153f6d2

SHA1
2b5269271b4494e24abf9217204b13be59be4660

SHA256
cd2b4f422661fa94aa10a6cc8ec747573f554ce7c5f94a0767ab9985288d1fe6

SHA512
158c3aeb7f35b338eb61864c74d91d0acee3598f5c579606155a33ac320e784f7b54346e4ae5b594477b4eced967410a969af5d07fb32fbb0e5abbc393381d9c

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710b1.exe

Filesize
3.6MB

MD5
a45673cbf245afb3ff461a06b27959f3

SHA1
8ff52ea98ef4b508584dd3a1a84f9adb8c233eaf

SHA256
3ddf96e686666ea923b17382a10d707876a888d012b9d4dace1005792cb7ab96

SHA512
a429e208a24aa99a5ac6487a061da975c7d18e7d4155788ddf1e1d589ba8124589d8497cf7cfe1848d0808cbe041e1db38001d0bf982f348dd83ea22054dcb07

Download Submit
\??\pipe\LOCAL\crashpad_2796_QRBUNGUEZIKMGIJB

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit