discordrat | 2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec

Analysis

max time kernel
435s
max time network
450s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord rat.exe
Size

79KB
MD5

d13905e018eb965ded2e28ba0ab257b5
SHA1

6d7fe69566fddc69b33d698591c9a2c70d834858
SHA256

2bd631c6665656673a923c13359b0dc211debc05b2885127e26b0dce808e2dec
SHA512

b95bfdebef33ac72b6c21cdf0abb4961222b7efd17267cd7236e731dd0b6105ece28e784a95455f1ffc8a6dd1d580a467b07b3bd8cb2fb19e2111f1a864c97cb
SSDEEP

1536:YCH0jBD2BKkwbPNrfxCXhRoKV6+V+y9viwp:VUjBD2BPwbPNrmAE+MqU

Score

10^/10

discordrat defense_evasion discovery persistence rat rootkit stealer upx

Malware Config

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\system32\\userinit32.exe"	Fagot.a.exe

Adds policy Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\status = "present"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\winlogon = "C:\\heap41a\\svchost.exe C:\\heap41a\\std.txt"	svchost.exe

Executes dropped EXE 6 IoCs

pid	Process
5276	ddraw32.dll
1696	ddraw32.dll
6420	svchost.exe
5488	svchost.exe
4564	svchost.exe
4360	svchost.exe

Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys	Fagot.a.exe

Modifies system executable filetype association 2 TTPs 16 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\IconHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\DropHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\OpenContainingFolderMenu	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell\open	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shell	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\PropertySheetHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\IconHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\DropHandler	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\{00021401-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\piffile\shellex\PropertySheetHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\tabsets	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\CLSID	Fagot.a.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/5192-3273-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/5192-3278-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/5276-3279-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1696-3280-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/5276-3281-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/memory/1696-3287-0x0000000000400000-0x0000000000410000-memory.dmp	upx
behavioral1/files/0x0007000000023807-3323.dat	upx
behavioral1/memory/6420-3329-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/5488-3343-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/6420-3345-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/5488-3347-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/3884-3365-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0007000000023827-3385.dat	upx
behavioral1/memory/3884-4061-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/4564-4170-0x0000000000400000-0x0000000000486000-memory.dmp	upx
behavioral1/memory/4360-4169-0x0000000000400000-0x0000000000486000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\dllhost32 = "C:\\Windows\\system32\\dllhost32.exe"	Fagot.a.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Manager = "C:\\Windows\\system32\\winmants.exe"	Mantas.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\heap41a\Offspring\autorun.inf	svchost.exe
File opened for modification	C:\heap41a\offspring\autorun.inf	svchost.exe

Drops file in System32 directory 28 IoCs

description	ioc	Process
File created	C:\windows\SysWOW64\ntkrnlpa.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\chcp.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\dllhost32.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ntoskrnl.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\alg.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\dumprep.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\winmants.exe	Mantas.exe
File opened for modification	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\ddraw32.dll	Bumerang.exe
File created	C:\windows\SysWOW64\autochk.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\chkntfs.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\recover.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\wuauclt.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\ctfmon.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\logon.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\services.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\win.exe	Fagot.a.exe
File created	C:\Windows\SysWOW64\userinit32.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\progman.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\regedit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\MDM.exe	Fagot.a.exe
File created	C:\WINDOWS\SysWOW64\userinit.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\bootok.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\imapi.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\systray.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\wowexec.exe	Fagot.a.exe
File created	C:\windows\SysWOW64\shutdown.exe	Fagot.a.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Kazaa\My shared folder\install.exe	Mantas.exe
File opened for modification	C:\Program Files\KazaaLite\My shared folder\sweet.jpg	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\XBOX.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\AOL Instant Messenger (AIM).exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\Gamecube Emulator.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\ICQ Lite .exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Registry Mechanic.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Visual Boy Advance .exe	Mantas.exe
File opened for modification	C:\Program Files\grokster\my grokster\blowjob.jpg	Mantas.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\batch_window.html	WScript.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	WScript.exe
File created	C:\Program Files\grokster\my grokster\WinMX .exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\PS2 emulator	Mantas.exe
File opened for modification	C:\Program Files\KazaaLite\My shared folders\mantas.jpg	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\diablo2.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\aimbot.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Winamp3-Full.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Winamp3-Full.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\Visual Boy Advance .exe	Mantas.exe
File opened for modification	C:\Program Files\icq\shared files\0m1a2n3t4a7s8.jpg	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\Windows XP Service Pack Cracked.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\Doom-Install.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\DukeNukem-Install.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Windows XP Service Pack Cracked.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\setup.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Trillian .exe	Mantas.exe
File created	C:\Program Files\limewire\shared\epsxe.exe	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\Gamecube Emulator.exe	Mantas.exe
File opened for modification	C:\Program Files\gnucleus\downloads\child porn.jpg	Mantas.exe
File created	C:\Program Files\icq\shared files\ICQ Pro 2003a beta .exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\secret.exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\Ad-aware .exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\serial.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\DukeNukem-Install.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\nocd crack.exe	Mantas.exe
File created	C:\Program Files\gnucleus\downloads\Windows XP Service Pack Cracked.exe	Mantas.exe
File created	C:\Program Files\icq\shared files\roms	Mantas.exe
File opened for modification	C:\Program Files\morpheus\my shared folder\mantas.jpg	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\Registry Mechanic.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folders\Morpheus .exe	Mantas.exe
File created	C:\Program Files\limewire\shared\ftp.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\KazaaUpdate.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\cdcrack.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\Gamecube.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\DVD Ripper.exe	Mantas.exe
File opened for modification	C:\Program Files\gnucleus\downloads\teen sex.jpg	Mantas.exe
File created	C:\Program Files\icq\shared files\kazaalite.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Wolfenstein.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\Download Accelerator Plus.exe	Mantas.exe
File created	C:\Program Files\morpheus\my shared folder\epsxe.exe	Mantas.exe
File created	C:\Program Files\grokster\my grokster\password dumper.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\Nero Burning ROM.exe	Mantas.exe
File created	C:\Program Files\limewire\shared\winamp.exe	Mantas.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\WebviewOffline.html	WScript.exe
File created	C:\Program Files\KazaaLite\My shared folders\MSBlaster Patch.exe	Mantas.exe
File opened for modification	C:\Program Files\edonkey2000\incoming\two teens fucking.jpg	Mantas.exe
File created	C:\Program Files\gnucleus\downloads\roms	Mantas.exe
File created	C:\Program Files\grokster\my grokster\iMesh .exe	Mantas.exe
File created	C:\Program Files\icq\shared files\Grokster.exe	Mantas.exe
File created	C:\Program Files\Kazaa\My shared folder\setup.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\keygen.exe	Mantas.exe
File created	C:\Program Files\KazaaLite\My shared folder\explorer.exe	Mantas.exe
File opened for modification	C:\Program Files\edonkey2000\incoming\lesbian.jpg	Mantas.exe
File created	C:\Program Files\edonkey2000\incoming\WS_FTP LE (32-bit) .exe	Mantas.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\NOTEPAD.EXE	Fagot.a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7116	5276	WerFault.exe	203

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Netres.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bumerang.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ddraw32.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mantas.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nople.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Heap41A.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	Fagot.a.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\0	Fagot.a.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0\DiskPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\FloatingPointProcessor\1	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController	Fagot.a.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoAdapterBusses\PCIBus\0000	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	Fagot.a.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0	Fagot.a.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\DiskController\0	Fagot.a.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Internet Explorer\Main	Fagot.a.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "www.blacksnake.com"	Fagot.a.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography	wwahost.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F2A7EE29-8BF6-4a6d-83F1-098E366C709C}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8C2D8C0-1CB5-389F-A5F9-FE054E09039F}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{22D8B416-108C-399A-9B57-B61D3D683E14}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Workfolders\Shell\Open	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Results\ShellEx\ContextMenuHandlers\OpenContainingFolderMenu	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.DirectMusicStyleTrack\CurVer	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7EA23D88-569E-4EFD-9851-A1528A7745F9}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{618736E0-3C3D-11CF-810C-00AA00389B71}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F21427F-D658-4B6C-9E86-850D23E7BFA4}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{03C2AEA5-BEFA-4C84-A187-C9245AC784F6}\ProxyStubClsid	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{35793B96-E562-3051-AB25-0AFCBCC95492}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\ProgIDs\AppX90nv6nhay5n6a98fnetv7tpk64pp35es	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D5662DFD-B471-3E11-865D-F0177E687E3D}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EC231970-6AFD-4215-A72E-97242BB08680}\Version	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D8C2122B-6CE0-433C-99A1-65F03037979D}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.ogm\shell\PlayWithVLC	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.m2t\shell\Open\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Enqueue	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.vsto\shell\edit\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9889F253-F188-4427-8D54-CE0C2423C5C1}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D5EC4D34-77DA-4F7A-B8C4-8A910C1C1CFE}\InprocServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.adts\shell\AddToPlaylistVLC\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\VLC.669\shell\AddToPlaylistVLC	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{74A9F0FA-58DB-3DA4-9207-511645089A71}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.Addin.12	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{939ABC08-6F0E-4595-A12F-F96CFCB7FF77}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\Microsoft.XboxGameOverlay_8wekyb3d8bbwe!App\windows.protocol\ms-gameba	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E480B861-4708-4E6D-A5B4-A2B4EEB9BAA4}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{AA5B6A80-B834-11D0-932F-00A0C90DCAA9}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.mp2v	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6EE96102-3657-3D66-867A-26B63AAAAF78}\2.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.heic\ShellEx\{e357fccd-a995-4576-b01f-234630154e96}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83567EDD-6E1F-4B9B-A413-2B1F50CC36DF}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{30590097-98B5-11CF-BB82-00AA00BDCE0B}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\NcsiUwpApp_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Extensions\windows.protocol\onenote-cmd	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\GoogleUpdate.exe	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Word.DocumentMacroEnabled.12\shell\Print	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\.dib\ShellEx	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\System.IO.MemoryStream	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\RemoteDesktopClient.RemoteDesktopClient.1	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EE965595-853A-331B-9CD0-D53DCCE3B6F8}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8DC4FED3-F278-383D-AC02-46478C0B4076}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2811B866-578B-37F2-B7FB-927DD993AB19}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\P7RFile	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\LibraryFolder\background	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE8F9800-2AAA-11CF-AD67-00AA00614F3E}\TypeLib	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0D6E31DF-3A76-3054-A8EB-150E92300F89}\2.0.0.0	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PowerPoint.SlideShowMacroEnabled.12\shell\Edit\command	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\PackageRepository\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2t	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{077679f5-6948-5328-8ab4-72e63a7529bd}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000CDB05-0000-0000-C000-000000000046}\ProxyStubClsid32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{000C0399-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E1D0AB13-2FE6-4DF0-8917-ED80CF0FEF6B}\InprocServer32	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AA14F9C9-62B5-4637-8AC4-8F25BF29D5A7}\DataFormats\DefaultFile	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{97CB5BF9-BF0C-47E5-A9BB-6B189BCA3C25}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\JavaScript1.3 Author\OLEScript	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A5CA5F7F-1847-4D87-9C5B-918509F7511D}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{44FCEACA-7F56-4D2C-A637-60052B1B9CBE}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{417917e8-bbc9-56a0-94b6-fd69d507b19d}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00020830-0000-0000-C000-000000000046}\Implemented Categories\{000C0118-0000-0000-C000-000000000046}	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\system\DefaultIcon	Fagot.a.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\PortalConnect14.PersonalSite.1	Fagot.a.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2612	msedge.exe
2612	msedge.exe
6840	msedge.exe
6840	msedge.exe
6460	msedge.exe
6460	msedge.exe
6388	identity_helper.exe
6388	identity_helper.exe
1520	msedge.exe
1520	msedge.exe
5648	msedge.exe
5648	msedge.exe
5648	msedge.exe
5648	msedge.exe
6372	msedge.exe
6372	msedge.exe
1508	msedge.exe
1508	msedge.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe
4532	Fagot.a.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4568	Discord rat.exe
Token: SeManageVolumePrivilege	3112	svchost.exe
Token: SeDebugPrivilege	3980	wwahost.exe
Token: SeDebugPrivilege	3980	wwahost.exe
Token: SeDebugPrivilege	3980	wwahost.exe
Token: 33	5900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5900	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe
6460	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3980	wwahost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 212	4880	msedge.exe	101
PID 4880 wrote to memory of 212	4880	msedge.exe	101
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2532	4880	msedge.exe	102
PID 4880 wrote to memory of 2612	4880	msedge.exe	103
PID 4880 wrote to memory of 2612	4880	msedge.exe	103
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104
PID 4880 wrote to memory of 656	4880	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\Discord rat.exe
"C:\Users\Admin\AppData\Local\Temp\Discord rat.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault6f109a2ch544ah47a9h9c11h572df8df47c5
1⤵
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ff96bda46f8,0x7ff96bda4708,0x7ff96bda4718
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,16311010306487055360,14606498579808842747,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,16311010306487055360,14606498579808842747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,16311010306487055360,14606498579808842747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:App.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:6460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff96bda46f8,0x7ff96bda4708,0x7ff96bda4718
  2⤵
  PID:6480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:6832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:6896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:6180
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:6696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:6744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3796 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5288 /prefetch:8
  2⤵
  PID:6276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:6632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5372 /prefetch:8
  2⤵
  PID:5668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:2388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:2096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6836 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:6628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:6244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7104 /prefetch:1
  2⤵
  PID:6020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=244 /prefetch:1
  2⤵
  PID:5376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:6632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:5548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1340 /prefetch:1
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6852 /prefetch:1
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6940 /prefetch:1
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:6560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3160 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6840 /prefetch:1
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:6244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:5912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7152 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6652 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6104 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3508 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1
  2⤵
  PID:6628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6164 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6672 /prefetch:1
  2⤵
  PID:32
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:6912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6868 /prefetch:8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4444 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:7024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3508 /prefetch:1
  2⤵
  PID:6792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7112 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:6184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
  2⤵
  PID:6204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=464 /prefetch:2
  2⤵
  PID:7008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,15433760624020029727,6714096069560205256,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:6636

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x4a0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3476

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Browser Hijackers\BabylonToolbar.txt
1⤵
PID:5892

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bumerang.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bumerang.exe"
1⤵
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:5192
- C:\Windows\SysWOW64\ddraw32.dll
  C:\Windows\system32\ddraw32.dll
  2⤵
  - Executes dropped EXE
  PID:5276
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5276 -s 324
    3⤵
    - Program crash
    PID:7116
- C:\Windows\SysWOW64\ddraw32.dll
  C:\Windows\system32\ddraw32.dll :C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Bumerang.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5276 -ip 5276
1⤵
PID:3732

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Fagot.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Fagot.a.exe"
1⤵
- Modifies WinLogon for persistence
- Impair Defenses: Safe Mode Boot
- Modifies system executable filetype association
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies Internet Explorer start page
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\HeadTail.vbs"
1⤵
- Drops file in Program Files directory
PID:6012

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Heap41A.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Heap41A.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5764
- C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe" MicrosoftPowerPoint\install.txt
  2⤵
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Drops autorun.inf file
  - System Location Discovery: System Language Discovery
  PID:6420
- - C:\heap41a\svchost.exe
    C:\heap41a\svchost.exe C:\heap41a\std.txt
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5488
  - - C:\heap41a\svchost.exe
      C:\heap41a\svchost.exe C:\heap41a\script1.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4564
  - - C:\heap41a\svchost.exe
      C:\heap41a\svchost.exe C:\heap41a\reproduce.txt
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4360

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Mantas.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Mantas.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:3884

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Netres.a.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Netres.a.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:776

C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Nople.exe
"C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Worm\Nople.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5340

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c8 00000084
1⤵
PID:6420

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 000000c4 00000084
1⤵
PID:5488

C:\Windows\System32\smss.exe
\SystemRoot\System32\smss.exe 00000108 00000084
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Impair Defenses

T1562

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\README.HTM

Filesize
33KB

MD5
0af13f3704789d867113607f25f0f4fd

SHA1
7b8104c97c593ebf2bbe6685c58087873fc5a082

SHA256
f86ebbf734564fd1902a9778cc37e6a768ad1bf728c1481368180d602efa6368

SHA512
576187fcb859d7b748bce48bdd6c28104367926b7dc9b68a7656d9ee2013867b6956ee1aad997f78b42cc5472e2e8fa9e489746ca2be3cef63f06e5ac01303e0

Download Submit
C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
8e564ec01631fdf8980d8a0a7134494c

SHA1
18d4edde122057da4c405e72db0ea6ad4415a8b0

SHA256
7bbe0a7b32a85fe2079bc56cf1c537157b2e9940806d97c5bcd5a4f2b93a631e

SHA512
4248cbf697db4096cbe65497c1796164a07d17cb8359d9065a45f46ebd5b52d9c0f4475baa7726492210f291ed45c6bc8aade9d9652671b1e46aabbc79ca33a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\metadata

Filesize
150B

MD5
128f1783758b33625647076c2d94f92d

SHA1
8e70437016e3aa00fd5fdd8546c722509f67011d

SHA256
86009d609c233ed34e766c77318f67f15cb03d8d178e6e8f44fdaa241559776e

SHA512
8ff51a641c894499224abb9a927fab6426206986737ad51e79be00bdad41169b31a6443e16613e05d6897f4b29057aee5e5c087bcc9a7795c72c762ef113d213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\reports\8a5c9077-e2d0-4a2c-b852-58dff31f3085.dmp

Filesize
825KB

MD5
f2992d5c8f1e29ac3bdc6402a6bdf65a

SHA1
9b75336883e5a76d020e614dfdfa411b67bf7301

SHA256
032e79cf641d7952d907c8e81a0bfee10c983ebbe717c46f86343d01490acf28

SHA512
73c7c0c8ca39506128db294fbb47ffd383a20af438c743943bab409053af121ed0f9f47ae27e40c1c4679f68093e02337f4c5c931a66d43abae442f7faf708dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
57ce7118cb0beed6973e62b94dbda4b5

SHA1
a9876806f2adee0fa6200e79a871ae3637a652be

SHA256
19e72be36bf08db3025ba96c0ea7c3d571ab2db5519cb93e3685dbcf747e389b

SHA512
2217be5ab6d03f253c81299aef99d3c1900ada8037e4a74e8e1df1e4b238fd59dd1ba8cad14435ecf15c06a18eeca6981e75890089804d679558856fe4f7976f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0ae21286fcca8bfefb25428aa8583d3e

SHA1
ce8c1c7807287ed9b61acc2a7b7a39452f8b11a3

SHA256
ff60d67c9e94c64f8cedb04732555e6b14761b0f02cc61334caa09b48a089b72

SHA512
ee90b31b99b302b6071e66011d323072c1af2c522d021ab2525a97b62d3d98d21710cdec49e1e5bf6897ea5d2f150ef440c584c5610fe4e087262e950594cc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
58KB

MD5
d0373085db588a3a1804c5f4dde0fd42

SHA1
65b12241ed2d47470e32fbd965c68b038e2b21f2

SHA256
21ddf27458b3416166554551890845ec989f4e53677ffbe82a707e80f71926e0

SHA512
3820a6a06f04d4ae9bbdae63bb41e5064e73df3f8e47fc3be110017c0b9d7c9ee3693b87c721c2d285bde7987ec4d47c7d37ecc6d0d1c5bb80112362fd42e822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
69KB

MD5
24a806fccb1d271a0e884e1897f2c1bc

SHA1
11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a

SHA256
e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85

SHA512
33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
41KB

MD5
5b6eb9202abfde97e3d691a835509902

SHA1
515f8ea6e88d5bde68808f1d14e3571bc04d94e7

SHA256
f9ab282aea02569f9e73aba576cd517a7fefba7d90b935fc571397e710b15dab

SHA512
309f32e918aefdb51c218d57ac37714d90653dbcc4317597c1e3df67a8375b5cd7aed9dec97eeae248b29c03bb46318216a3384971357bfb4dfbc294e7f5f9e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
74c0a9aceda2547c4b5554c0425b17ba

SHA1
d5d2355e5919dcf704192787f4b2fbb63b649b0f

SHA256
3b9e3adb939801b9ada1ce67afc7decef4538c016c78113697b89a35a295dd8d

SHA512
e178dce4a59cf184bcca3523e687092f4edc2a3c7af4eddf1ca1965ca06347eadf8901f851260264c14fa052331b2d1aeef2a6b9048b87758617285c9650b479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
43KB

MD5
209af4da7e0c3b2a6471a968ba1fc992

SHA1
2240c2da3eba4f30b0c3ef2205ce7848ecff9e3f

SHA256
ecc145203f1c562cae7b733a807e9333c51d75726905a3af898154f3cefc9403

SHA512
09201e377e80a3d03616ff394d836c85712f39b65a3138924d62a1f3ede3eac192f1345761c012b0045393c501d48b5a774aeda7ab5d687e1d7971440dc1fc35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
74KB

MD5
b07f576446fc2d6b9923828d656cadff

SHA1
35b2a39b66c3de60e7ec273bdf5e71a7c1f4b103

SHA256
d261915939a3b9c6e9b877d3a71a3783ed5504d3492ef3f64e0cb508fee59496

SHA512
7358cbb9ddd472a97240bd43e9cc4f659ff0f24bf7c2b39c608f8d4832da001a95e21764160c8c66efd107c55ff1666a48ecc1ad4a0d72f995c0301325e1b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030

Filesize
273KB

MD5
c8ca3d3efab8428e3b6e5208e3ac68ef

SHA1
5666dfd8ed6c4abe9e40162d0bad612122d46855

SHA256
b023b1908cdd6f693c61feb525fef6b4c307f669f50504f8aeb9094501a9caa7

SHA512
777d0af4a84c1861eaebccf7426df86f4ee04eaea40c5b6f9fa060ef9c79c27179b4c84691b7d18242114b1814868a39d9060862071b2c4d026f767316f2f469

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
1024KB

MD5
cc215d30498d66e1799ef24be8db88e1

SHA1
cb5a6b988724b270cfd91dfa0bbe532fde3182ad

SHA256
a6c6a7eceb6193780d0bf0d607f2278f585a3054855f644db608584cd7616e27

SHA512
274da9c02709b3384c3b7e9bb0eff78be5694e862b8246aba88fa1058ee0577a0f4be402d7d50c51b22938630b1887defc676cd71538a364d11193b7df49482e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
516538daed97366a92a79d1c6fb8a461

SHA1
ffda58385f483b6b77697a72b1fbd6739a3d2cc7

SHA256
5c71a7673b371a376f502e9a089b80ee66aa105be262b23df36e546950222670

SHA512
7ff1ee0b5076672dda4892cbb94b7c61779f5ce3849b513626d9450eb3f63cad20584eb71c7dfd4871e968ccfa329faa8d201ace1590005a50f626054fc9b30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
b34ba30e0eb3c2f6e70cd5418a2860a0

SHA1
c3008cb0ee2a337f286c3e540e4dc32df34e9053

SHA256
5e43f474a7005f76c1057e0ffffb88224bd46a153a0409052d3545c0382004ae

SHA512
aaa081092bd2a82db8a35d148688b80a40470848d38674d0b874cfcad14c182f907868bd476b66e668a26dc16040537ef45cfc446e01a5908756403ea594a75c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
99eb9cdd3803321393db81e37103cef0

SHA1
92a263b9d26a1077eabd437e3336ef6463f7811e

SHA256
b494e05f35f7399f49e858ff4775db7a39f7066b9743add769534ad947cc804a

SHA512
53fe10c9d5a01f16d8880814f8b1e9cf03d650cc58e830ca7cb07f88ea99015ee3c955999e4d38043f2f65947dca2e978caf8b22a1d99e744588d82257541413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
bd13731c9f4f1754aa76efb136b28693

SHA1
4bc39f5bf459c7a82168d56ba15e0bf85e77d35b

SHA256
30be3692d0e1735cc0348d2e3d4a0e3d0075ce7c29f9f4f6efef0eeca35624b3

SHA512
493081a85cec192689347a52613a41f63aa1eeec8e3efcd26af63e0bae27081e5bbb1ed29b00a46aee2fa5644c517791ff7e31cb526c4ce718e5a20dd75f9b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
4f51f99e53581058c5f97037ded48478

SHA1
8411562e74048af035b05854662d42d6d991afe7

SHA256
e2ffdf70105ea169df278357966975536c210083d65476b1f64146ac3c6f6b93

SHA512
376b80b3e298876d3088a6e963bb96087fb318fff393c62529537c827a749ddcb77292ec165c917b19070d0091e646be4b1094447daa8ba6cd7fcf5521ed6da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
3e79fb12b78d4d72165004d31fbc70a3

SHA1
940313e02d292ae645147bcf17786cd848ca91fb

SHA256
f0adc900efe536ddc35f847705a91cb44da89b19e4daa3587d1bbf522a316b43

SHA512
67cec199bcb91e63fb139378ead8a2f4641eedbe4afddded8c59157d5a4c75cbf4d4ce019da387bc3eacc8df39aca15bf90da1a430b4b195fbf32d8347b8e88c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b4eda120325b142736f3c16785316ad2

SHA1
f8e5526efc877c638ad29fa756712a36282bd06a

SHA256
247d1a976162a62b2658d25556504c341b709f81b242cfa0d88938b5f553e625

SHA512
90626850b347ebf848246b88153d88e9945bf342135c9c3221fe23678e31281433643eee3a988ef0d856c8c37a83658caff0f76edf64918b18da4c7454bcd189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
39f4c517a95cffeacae1de5d2c3bdb73

SHA1
8613e88d4525d6f391b2cdd1ea0a1cfbedcf56d6

SHA256
2dcf9c1d378ab597c5172ea541b5abdd55df527e38afd96fe656108d50d482c0

SHA512
e43d97b7b21b450a1e716f4d69a839645465e434487e8e406efe9ee7586f9ee1d2a5c4f3b6f9c9e5bff09f6f16dd0115d0540b61d5e43d35462063517c9febee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
88d75786db260fcc0a21f4066fbae0ab

SHA1
f0abef24edb113b8a5da9e6b6138a235a83edbb1

SHA256
6d98a3da2d1aad7cc299d63359a6793b81f5b1552ee73f55247b84c885c15b7a

SHA512
7e1f87958dac3b575336dab7c3a6bbd404336ff19edca018d782ab17366df97ee6845b175cbdb5cf10ccc3bc1395e6117d7173c3574192d5a3d7a1fc32d9cc8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
559cf0d42b464c3eef880793af481daa

SHA1
0e6273b22a219908969d48b493015a515ad956f6

SHA256
f09d49ed754b33b6f846635178c6a224b246d4cc558fb63ba07898cb09293b05

SHA512
ee2f2e26576a9823e2755d1d1babff7dcfb3c9d56bb70f71477b89df67f5ef6cbeb899902f2f05065e44350cddd4d4cee7f24488c2398307fb22e3cabd34dbee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8c45d3f59591b20f857071ba3a071be

SHA1
3be3be24fb3e908ffd8217eb5add95e17f0f5af2

SHA256
80329eaa486c439478b17a8c3abd99ec8f944954a87fb9be8aba515e50b2a784

SHA512
cb1c110732a72172cf261bdacf63d78eec91a03b41db99fd72273bdf0be669a42207378c17ff65d2293fc8dc7ff447584f8bd4144d5d9ccf361bc401a9260739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b5b3a3a6d4296b91582121326d25bea

SHA1
31eff1aa59433bcf1706c3f8d0565f376ce91951

SHA256
5ff2ddbbe1a5b23305e30e6ec2d79cecfb1b06c713c550b5f6747abf201166fb

SHA512
dba5b2aa2a7bbe922b4322b323eee75ea518a9b342ae946c25de24e290405919c7ab03cbe3ae52bd30ce0768156218067c55a4d07b2ceb840d28b4e91ec1d8a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b63cc752a4856be3ef397fd91ec1eb94

SHA1
c84ffa71b8b990a90c8ff2c0e16eb869c7b9d01c

SHA256
327c607310efe5fa520f284d53b0824f165962c73d2d7624ff56cbad60d5bed0

SHA512
a6264d3f84eefde9be7c422bc9a0a7cf778a3c01d4d983341b5ada87da4f49a7a016f1be7f7bc80fb8d430595bd58c927bf8dadb13d3d4179f7e7b14a575eb76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
811d3287bb4f79dacecdad5660c0354a

SHA1
c59a9db901ca3555c7c2eb125bf9e8eff43577fc

SHA256
ea5d5c7c4729784f23c846383eaab8ad56e5206086228b932fd95fdd551aa68a

SHA512
56f4a9d3b0bae710d30d1f4427e6d87bad484a78a7a12a1fb4cfad074ad08978c0756b300dfe64cdb624155852e59422d1ccc4b9f18c392a9ef4d82bb57ab4c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b2af2628c93b16c6ef6a104f7d126640

SHA1
311164c3ab18b9c17981bb0f7028d59753d7363b

SHA256
20daa1f30469d55a209bfc854884c880a3a991e89707e0ecdab11d2b34ef9523

SHA512
e689b9c5fddc12165ff01fa78a45abfcf741966cc72c22c92f9e6e436b1cbf50133ca8ffabeb1e7788808e0a62c0f68c9b40c6d8c7da47b66fbde65f4083e326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
8180410827934bdcecd77e20fe70fe35

SHA1
9f62a415a91fabbf382785bce8ddfc82336dd1f4

SHA256
7f8153091c82767fa6a91f124bba2e5a199b6631837b7b718a58868c30c97a34

SHA512
c8a26d73f94e948a990dc9cf1adef746c9b9f1f8e502ea2da6b28c2b3a1b13830e5812422269adac261b005f79caf7a415203c0ce2d8f5bd168225035e9f9121

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d128876aa59aebfcd1f885fb39e1fd37

SHA1
669581cfc8ab6f09f15ef3272d6a99374b13fbea

SHA256
fadd3075ca1a17badd6bc7e9b4a90fd8871816f4f9fa80b01e8466c4f05a39e4

SHA512
930c919145b9d194c95ab1e90a1e6e272ce51e47cdbeccdaf709f368985eda4efbbdbf6e7a7ce496da747dd07de10a01fb77e8325497d7f6082a23be24dfbf3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
d66f5e6e42de8f242625f7c4475204d2

SHA1
9207d1fd5cf0d536d2fadd7a4b331af2c404b1f8

SHA256
0b579c0b9454677b059a41c8457a345f76fe7e59b1c2c37fca8556c848f0bc1e

SHA512
3cd54422e63e72572292bbce4ce0c60aba37886bb7f1e7d39a3cdd4c604295377bc84761c5c04efee18fa2ca8211a34e96118673a8be736b566e62cb340537dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
98c64bb7eb294f04da728338f1ec7b22

SHA1
10a1ba71d3c39fb8426f53cf49d5c7f25b1bed7c

SHA256
5dfefc6b6f836c948e3f0bc34d58c0d81ca97b71cd42e986f507ad655cdb3277

SHA512
446e4ff1d9530e299284cc0873df43514fa3e4214591c10688270c9a1ff3c3b0b3a3ae5b63915482ab7d15183b588847224a90d93e99d403d543675367fff0b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3da551a633298aed51621e96e2ffa60d

SHA1
4f0340f8378d19d3066aa2408add98a32c54de7a

SHA256
c69050e1026ddffd251b381951753707aa952e726ce0302df092bf35c4694849

SHA512
aeb1b4ee5c4ede22390ca63f4c3a456337ef3fde5ec450ab986a4162c304ed6148d4fc479ffca1b7942aeaaf68e83a9ea443c63162938ce13bca5d7f6f18165e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
0465c297aff33f41cc5980dedac93174

SHA1
2145f5bf97bc33924649e6beae0f51e1a464cb80

SHA256
cadd99e8f4dd84757559275b7e41ba55d0b7a7a1552ec36bc354a329fc6b7d32

SHA512
0475999c4f9d66c34dab5dbc22423e13e1ee5cdc55c0f150c4867d4caf75cceeac326f381514a535af81bc10c30ca1c3e1b2eadd88c5d271af8ee624716d47aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
240b10efee009c1132e1fa0c85ea9b99

SHA1
4dc0092b886100d6b07ff944362839838871d3b9

SHA256
5742c6cdf12282427ef705698281be09552e5f264a0dd58ce3de81a84212e0ce

SHA512
60968a280da8acb1e406df5800dcd545655bdeb6780f94065c635fb1afc704b57c1d0ae0aaa800084b84dcc161025c33f33b01702dfd96e5c0759f4e542505ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a28cd5f7caa8af48b934802e92acdc36

SHA1
57c13179ed0094c03675850eb7355f2f546b6a91

SHA256
ec94442b97ff40803cd379084994fec8d9a0d39a3c5200dbd4b92e5670365876

SHA512
64fed2100c0adb134d8f481ba96cc41d27075a0401df4a05c61147d95d4847421683c7fbb5be5ca3b8b5a2976a01fb8b03a4af3929a5d4b9164ec81e2d195c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
aff479cb5b54d845ad5aed6f55b9a6d5

SHA1
72ba22f6005b277ce64dca4bdef25d286b10de3f

SHA256
f642cc90b80a3e43729020781a5bd51892e0e692254ee67855d5d9a946b323cb

SHA512
97e3b8fb6b317c8d2eaa3ba9890c12bacfc6505ba241b66ac3ea956311799184434624d1d1a5c85c10e1d31546fa272e05429b9f2abfc5d0ddb718669ae07e59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
1d4d1b4bac6cc670390590abe8d14d55

SHA1
dacd34f37fda683def1156f36a38dfa91380e7aa

SHA256
d3d44fadbea05f1b90d7680b4a2ecd1120f51f114f4251abf2a5722c50bc415c

SHA512
6bc199538f950a3c03bf623fea0eaf77505c2d963b330bae30e95d8d644cb1fb060884e500256b627738ce97006557a756497709c311e9acf1032057c7cb7336

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
42ab5d25a837681adf54d1bd471a960b

SHA1
84fa44df7bf0875a5c8611da365afeaa70c66159

SHA256
93c97fd209ab86b58095068db152e18fa9d87a851d6f2c0aee13cb85d86119e4

SHA512
a096d202427e16f36fd7c4e9ccc26f1ca76752c29ff765583f2cf6a847e7638ac41da8c252880b1c03957a00f4c08a0f2819077552a588f5b4e392816fdf6f56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\3a2a5615-3828-4283-b8d1-6d1aaa8ea10c\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\95b4bc82-c90c-4b05-941f-9392b2262b67\index-dir\the-real-index

Filesize
120B

MD5
7b1296474c2ad7759fc2025b0d75268a

SHA1
8176dc48b2276fb08cadc5cccb1bde4583c3f5d7

SHA256
60902c10d958080dd7ace12abd99ce5b7e81a525248549267c7ce26371ee2918

SHA512
2331d8128bc8474e1a210b5b1fd516f5276a56791f99c7263c740313a017111a208b075c2d57b44db13b5c72aa7924f5be96e2d14ef9d4ed917b9b0b356cfb43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\95b4bc82-c90c-4b05-941f-9392b2262b67\index-dir\the-real-index~RFe5b0d2b.TMP

Filesize
48B

MD5
fc091ee1b7f6cda7ff957435209c7785

SHA1
655ad292bff92369ca9d1b96ead7e8ef035bd0ff

SHA256
2c9921ccf1d5bba146441d7cc43fb7c88f89848dfd23c710abe06d8439a6e899

SHA512
c70701d73e384042c5a0627491d666f1cb4c06aeab9f76a00a8273170b3c64867c81548bc47150e90834349832fff884504a8fa747cc695cecf06af2a5819615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\a2ea21aa-688f-40be-9ef0-1af2f0e340e9\index-dir\the-real-index

Filesize
96B

MD5
c57e5e9cbb95a22ead6cc2505b6676ce

SHA1
63d05167a07df97b66aaf03ba92ec9063be54555

SHA256
1b5b7a4c9ec2de5dc84c2f3cef6aec30bf351a61872dbe257b22760a0f0ed08a

SHA512
9fb9764f19535c5a4e9bbf26fd767a89470fdf02c55c35eb1a404382fc61dba9318b87daea891ffe9e0ccfd24f2c425292bd420368aecd68809a6f07660cf58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\a2ea21aa-688f-40be-9ef0-1af2f0e340e9\index-dir\the-real-index~RFe5b0ef1.TMP

Filesize
48B

MD5
43723b68443d0cca4e67c09ed1668e3f

SHA1
ff726f621120a8768ca2c3cd5f787466404d9634

SHA256
ea29b018d5fed7bf4a2a1fb74452bcaa13862181baee888fb810ffe6e67a7cf3

SHA512
e6aa312cfc26e5c3ad5749e60f55a2a53a5aea4705b2d96cede548e78baa7a2348a98bf30c4334c45ded8319a6a7fda7671e46340c9cc4eebf057833c0d20d0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\index.txt

Filesize
113B

MD5
7e269906bef36f2bde412dff60aada98

SHA1
001bba8c42a713cecdcc442579569070a3c6f7ed

SHA256
2422ca5351a696d4a14ecd1469951dc367c3f083acfe30475957b2b68800f7ef

SHA512
17062a377cbb24042fb789b7869568def8811d986c33466edc061f88b56cb3723dffb878f6471f7b6b04cff4255526368d7394b4f9efd65352496d8d9d002863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\index.txt

Filesize
240B

MD5
dd8d9c4afa39f5517f63cb5d72ac7429

SHA1
b138ea2a46d0a3a8286f00b99405306dafd0fbd0

SHA256
d9d4247bdd03bb4bcdaf74bcf3ab43cda9f9b07cd1f84a7910f0bcabc533ea54

SHA512
870240dcca7d179b7fcaee27ecc9979c00c33c654f22fde8f2793a354463794a7bb144ff9b6311c07486d202cbf76fafe137a84bb3f8072ced56ebb091efac7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\index.txt

Filesize
367B

MD5
d06db64d7e9bc10e6f3c5b1211677947

SHA1
92bbf85263fc8fa0188838dcdd4305a493371ddc

SHA256
ae7df42172f3dae5b948e47bb5e85cf7ef85631f13c36f3e412fa8571791e535

SHA512
5fb6d7b3aef52057b08a89b225ef1c97d3da7d3506115e4f35e11242d0023230665f4c7d99330e5341f509b1c7ca44107ba980c2c50facbfbf0c4bc72d131ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\index.txt

Filesize
495B

MD5
216f0e9f1fe4ec6d1571b7ed76b87fb3

SHA1
08fb5f275cdfca8892e75f33eecc365a5f308a8f

SHA256
63d9f4a35542f567fd744884630419b1f2adbfe44de4a3b6f47e95995496beaa

SHA512
4b2af508d752842848abff8dd615a9b20cd2784d14b6be5323bc3c9894d389d4985270cd84b62f46610b1166bdc4abc621ac026482072c046cc38c2ff45cdebd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\index.txt

Filesize
625B

MD5
0ee4ebc8a110cbde22eb2fef872f89a6

SHA1
5a23c1a7777d9c2074b19e45b43335feff251220

SHA256
69a99e765cf12ee522a60e47fb3e032a6e186386e1f3098fa0e743178e505171

SHA512
02f7d72bf566cf69aa96d3bf4f5e37c6eeb29611d370d4990e61006edb4e0652c81aad922d61aaca01de9fbd55f34635350a767cded173ec818636ace1a9e1fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\331b2f96fa7e13f557421be906b694c5dd9e7334\index.txt

Filesize
619B

MD5
53afe55f9d34894d139a1f00b725a0a5

SHA1
faf1ad0d8f4a6e528d96d16b753319063d554ccf

SHA256
d5b19485d72fc48bb09c2575b8732c3ff8729ceb638281e3825d078e123abf46

SHA512
38205bf90ef6126537eedd7da2465bf9913caf4c6b1e1db36893d2c52f9b694aab6203ca3eddcc7e0d56bdac707d45b65b1334fadc8a6d7ab22e5f2bb23b8047

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
5d70f7c2f2a80c9e6d6b7afbaf33502f

SHA1
3ce7504f8599e4b0aa49afb03c0016f52348097a

SHA256
6da88cd1e434098120e66d6655c72c5d68722845b32b31d464b47e198d92a284

SHA512
b2af5a75b2b2c314cb6c8f18a6762727d6a2167d5bf036aa0b9aa1c0f0dc9225d62c95ebb6fd5a035dbbd5809696df90c95150b70819693ec512937f4f2c6f84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5af8c9.TMP

Filesize
48B

MD5
89c7aea3b8ae0557488ab4f0b2068e1a

SHA1
dfcefece5bb6317d9742ebf15c5f64523061ace9

SHA256
663cfb3ed5d6f7631a73c7b6fe5e5fd3095e2deaa84665a5383e24af971b9c57

SHA512
2d13bf143151f7592d266f6b999e4e0380bbabe4dccaa8335976210a4b7d6bc7de2913533101a141c5b78c0bf2a7ea00bbc74477a2c2d6342a4f377db4cda59d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
e778282ce42808f06f92cb85b8867b36

SHA1
2915076e934c19f45368fb815a6b10ebb6386834

SHA256
b8694435a0f455fc182b5603247b83223dfe5a4948af65d57bcffe916a200733

SHA512
a5f385c3387c26b8f138afd24c0e039a1166b76ecffbca939140733da194a0e01c76afc947c75bb2dcf73d7741084e2610822422f5bc6b524fd558ded1b3c5a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
cc9c6dc4ba34eec585eed0cfaaf362e3

SHA1
e96325e354df77417834edf5d58046ceecdfb213

SHA256
f2dd170b978d7330e90328cd0065144ddba4259aa2f61995a15533295b9d3039

SHA512
0d28d28271036684cc19a61352ef473643117ce1c4c173f244330695cb9ec79bd0df47bc31ba1f0db75baddfbbc765d0fa2ba105b93d92687bb86773611da213

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
278645be4df0ca3b60e019cb5f876082

SHA1
458d245eb133879241a90a21511b5d8329f96513

SHA256
0fdcd432c99d98c89e2ee6964ce1b9b0eef643441323a5b6de39d8f1478e9975

SHA512
57a3ce0d4ebda5679b3eee3e1e24aeb4a15dd59a8b364de9a901e672e54b5d2a9d83fd6d4c8ba24eab8fd8ede11dc5c97a6cbe5861ad547b5ae8031b1de18301

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
106f1190fedbbbbeadbbec1975003320

SHA1
e90f8c3b3b4e30a74d0531425feb91c727c9b7c2

SHA256
aef7fb32c46b9062e2b21bd7d0ef9f64b27721e3bc91f16d6e142df22b462981

SHA512
30fc557dc89e8fbc0b1d2b4bc5e0826783effa81aa6f4f1565dd238e1038005b40a1984a47b8975ba8497a982df6bc35fe57e1383340677aa596fd85937162c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8ce8811716480c6b5528e5eb1ef8e1a

SHA1
32d523126f94fbd42f54b1d9cf61ed71e3d07d16

SHA256
24edcb91bb56278f4ee29ed8cbf945abd0b459d00abf4ecc1c6eed09327da8be

SHA512
94e9ae56a01e96118bb70fb5b0a07eb6f7c3811df8c9601c30d5d72b787c0189c3b7ce114405d2bbbdee10adc13664747aba70f7bd9aa9f3d6988e163ab836ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
44ea83bb5f3cc659219f6041559ccbd8

SHA1
cba6cd3b03668e799896f05c2f2ce3947397142b

SHA256
929b3e8d23312df47786d3695484c8199c44c3ef0522f62d5e29d2909d151974

SHA512
da81c40aa1cdd08094e021362752211b7c01d85a5c669018b1e526148000509de304d5f4844663ea2d51caad8e6e5d2474b00371a32dad0f222f67b1fba0e936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
40aa04fa5dbbe676ea41e629db94d329

SHA1
f90d85834004c1ed4be0836770e04d40c68a7353

SHA256
1bfcac94d157b83bd46e5092ec60d2668f08a04341d3e40227ab8c3cc24d0d9b

SHA512
87095520bd70829b6540579570cb06772c2d28ef1fdcd65aee2c7cacd29ed9289d8af0a5b482844af4d83aa70e8dd06f6783528b875ce3658218337075a16245

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
1b1e7e83cab9882476957c06c76d0a15

SHA1
13dc8a8f18076db226d1c3a0902447fd4da479fb

SHA256
749f73c92bdc853f3cda9bc702e60cb663a2e0ae464e8d445cf3f647b8d7f529

SHA512
ea8c3101a1889be13c7b0586f484691ef0f304ee53d7629875a7f97a58bb8b5a5a224d6926ee5e0b47f38c7f600c8f424d8bed35c3c31bf202734473df7d0f55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fa9d92f9e47541a3ab69dbe6c339f420

SHA1
a9c1ea31fa6183102e8074ee5e01058cfb8e20bb

SHA256
f063eb34f169cf1e5adfaff11801d0d5d0b404c092618be5e8d1bb3c581da9db

SHA512
567b306c658ca2851bda39dc6158525cb4fefee08971413017111f7715d5fe385576dd9ec88b289aa8b1976bc31a06a3c5009ed831aeadacf2424a30a8fb43d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
95d4497ea78361e0d505cb9b6d5c3d6e

SHA1
8c475190f40f91e26ad2ae3665467415f0b5b20a

SHA256
ea7b9efcc8a6bab9925790862d060ab81ce2db59ced4ee28f04a0e8f1def4ce1

SHA512
af38ad98cb77cb9713ae8630d94a9d9030b9fb2147de138db3466411d269a2b51f4cb291a416fe3331406955790168c64c6cac122a4cbec677f40b6c9bda2d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d31cc900c315b94360da16755416ea61

SHA1
ad912332ab657ef69416619c1dc67de1a2fa7f96

SHA256
a7c9add7e9b82da22694766393e04814101f51c8ac8c15127de9312c4afc9bfd

SHA512
beb4dc7f68d8463cbf24f006c8a25e9ab6be38a4434a25cbc2f60878e5d942e6d24a2d98ba73f24362cb9871bc157b05716d78ec3f8d86afe350110f39bf34d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c17ed5fad1671d5134f212f97edaaac9

SHA1
25519c3064cd74454865cd5db7137e4a84c50dc4

SHA256
967dfc465d978c9beb51e6465977aeb6da0231841c7bc8ba460d8a8478284398

SHA512
362ebc8f867cac05c37718dac231d6684e86811cfc0c92f68cd11a66aa63023470df5fa0422b468115632e3c6af41f3275af87b5dae0598e1738050dbdc4cf24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
fca26725005d7d46c12d91b6ed872df8

SHA1
cb8b8ff624e0f7990fdff9c54e8428539b1379a9

SHA256
e8f4f793d0b67c8aabf28cc6e4bdda0920acc58223aa30cf2fce682d2912404b

SHA512
5eb234507e2c2ad517f5b8f86e5e34c38a7c2c854d6fdbf0ceaaa99144203089fc04fa6323d9c8c7e10524e3a5d4310641d7780558f0f1dc30e9b2496f7234d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6295fc615c564f705d6c0a67ef965d1f

SHA1
a32bb49aeaa2d77e84c636b670e7fb74d807f9b0

SHA256
4566d463c53da00295dbe86377b486637264703de17ca36b05cec9cb81fb5b11

SHA512
5c07c05fbfe8f4356b015c923403bb3331b56026df59934f55679db9dc889c28a792c21c904777ed3af0a1fb36bdb3ab26838f36a0ee58f6aaf676af4c40c745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe597bed.TMP

Filesize
538B

MD5
9ee86024a3b167bc093bd4f259e679f9

SHA1
5ae43362abbb70402d6099f4d38233fcf8c4e071

SHA256
bdd9af15d618313ea1165fe972870381923a294a19a043ebee13e43cc3a77417

SHA512
f96f09217456ff3f47507a4c8c9e86d75cb14e52ad8cff6379c0297a61626c5cac137d4aead09b0102fd7e02e655a14a456bca780d777df7e38ec68048540bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\fd1c1ebb-dbb7-4b53-8147-447aecf86dc5.tmp

Filesize
2KB

MD5
860656edc00a4b3b05d11191348c0b9b

SHA1
68f8ac4649e57294140017e1f54427034ed3c2e1

SHA256
11ca5b9be877c3b888b075937a3546970f92f7b249729afdd9bfe18f88b8042d

SHA512
02881fe23d49d51b89347c6bf3ea7ea2d20f2e559aa5c3d0d8e108f374d6d620edf0c38e4a8adbd5adacc7d74aca1e60af83edeb143fcf4ca11ee41381f4d16c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
43cedbcccae25cef3a95aed960e86659

SHA1
98f96d2bf7b3c7bacbb822324ba1bd5a7fda7255

SHA256
8e4063f0c9bbb1d4f32e9db034c5903b610eb81f2b82903c57858bac5dcacada

SHA512
e6c605c2f397574c5a6c50752537d564df717c062ce06f3bb7054b631ffcd2bca0b72b8403254276c2539d251e48adac48097c461a42a2665d8c8d9ffd52c070

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7dd35f5f8f48186215f35913eb557eb7

SHA1
793c31045fbc61b40523fada789bfc7e96e644ed

SHA256
54e238eb91b069357e1f8d989a9cc87ba9ea92d90fc0668dbf59fb42f946854f

SHA512
8f7a8432ef7bc51ef36d2a2a5c9068a0959d9e901dfdf13b54dddb7ef020c398b9c058f266ae9929d25d1617f9126f2701165349039ffdf3a80ea6617dff92ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
a8d69a9d7fd4519fe3d0bb5daec84623

SHA1
70948be1310ab9d03d54841fbaac2cce5ba52ee8

SHA256
83b960d7164ce69c8c53f8522139f48a1720eb13776de72a26be7685001f8b67

SHA512
b69565e3ede5fa5d8431cb3249c889744d7906723bc7ba002ae9f51ee003b5f15f357c14d8e34a8ea33fdbf0b4679aeebe3341b1804145ce530585b000e6d631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ASV5ROGI\login.live[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\LocalState\_sessionState.json

Filesize
136B

MD5
9c1e824ef8695a1abc67f5d0a95778c0

SHA1
ec43ba5ce45d92453320bd6d14d96a866ed4c0e9

SHA256
0e9674b55a602a97e8ed235ec72e98e5d816ac014684d179a1fc0b9959345d97

SHA512
55e92e224e5d357e4c1dfcd34ee8b7e1d160f8edfce2f3bd156a240f4cc8c73b3329497d8199fabf2a81d8d04be5f49687224b498c57cb115231b47c81d65d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftPowerPoint\svchost.exe

Filesize
233KB

MD5
155e389a330dd7d7e1b274b8e46cdda7

SHA1
6445697a6db02e1a0e76efe69a3c87959ce2a0d8

SHA256
6390a4374f8d00c8dd4247e271137b2fa6259e0678b7b8bd29ce957058fd8f05

SHA512
df8d78cf27e4a384371f755e6d0d7333c736067aeeb619e44cbc5d88381bdcbc09a9b8eeb8aafb764fc1aaf39680e387b3bca73021c6af5452c0b2e03f0e8091

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q0J1K8AEM0KXLO06WGQE.temp

Filesize
20KB

MD5
220631ad44db05b592e520b26ca3e649

SHA1
3cdfd8a7f9671445f585f04d2935ecdbfb497a7e

SHA256
2ee3616390d8449ec90e893ffc69bb5876565dd733d7b676c7fce2fb1d992829

SHA512
1687871366e467fb5bd6df3fe68db50393b61ca3a6e7e2d4b9b698a3164e5a1b2690f937301d788a97167ef1099453ae708367adb7d30423619ff6eed9e25535

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
12KB

MD5
21b2bbc2584a8f448c57612506b7c226

SHA1
24172e02f20d554ec74d25f869cf526b10ab77f1

SHA256
b914684942723313401de6fe4bde11e2877a1762af91da7b43ebca9ffe58be99

SHA512
92b0b4d1fa3ec98e3af56c5d9b6c52749dfb8c539d3dbfcbadf737dd78331a43b979a5065a98f1e1fecd1edd257e7258baee0e9219e497e509c71a2c797a7716

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
14KB

MD5
477cebb4d2915861c84ccec330c00d9c

SHA1
1790554327787bb76d9099cb20a3533476b9a8d6

SHA256
3508d2b3ca63153a09c48bb6b87af3c70bc61db82edf21fb0d61d6be16e54621

SHA512
4c5f5276a071de939ab52f0b50f2249fdd0138ae8bec0cdfea2d4ca5af76875ae599978956651f7bafc7d1a05c509a2568ee33d38cdea27b030133398f626b96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
20KB

MD5
cd80b4cc0b968d5a1b2a679db2ee3917

SHA1
168431995f3350922a68ac3e23c4fc68211c063b

SHA256
a60befc0397e4f3065789e5d824f743955cde118461d007b0c89bea885eb9082

SHA512
5f4ac5fdd9c5881aa915bf29ef7f93f488653fbc5564cf40cb95b9dab55cafeb8e1d5edc2a0233fca8b12b4cfad500608353f4045f87d91827f3ae9f73164b3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
20KB

MD5
6b8872465543871efc7882c6056903d5

SHA1
839bdf727a56fcc228ea45bdd957d15c72541427

SHA256
bac09ac6fc5c9b5a7216bfbf810917b8948396f4b09b3ed0e60fcddc29a85f78

SHA512
c889dcdd5b6b0a5b825744b9bad075e95db471a25e3732a4fb1ebf218239e923027e2d0335c55ad11cd51a655bc4a44a7ea748f5d526aa2d4cf54216d56b1e39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
16KB

MD5
f1a350d217bf206a26672777b170646a

SHA1
6d49d90a792cc646a7b5bc941dc2cad2944e9933

SHA256
079ec6a87c4305be734d1bb7d90051ab9d40fd987cdc70e31c1ce61070114466

SHA512
e2ecb4736fc15477218c40bc8c1636f92e0e19a6184076c0f46d160fed680013e1c8a1b3759870299caa47ef80e42f1e1e773806ff8e86db4c69ab0d2c4218d0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
16KB

MD5
f19a8bb9a1d90ff7b27d5c2e82032228

SHA1
59114f4ef5e9ed900d372c85f71927b6ccf3986f

SHA256
ed7e452ebe1d604ce48e792a38ed4a953665a5040b5b4e51f5bf3c27fd217a9b

SHA512
7b7e996e5a1514b1a58ca4325ce75d17d214eeaed1f79a3356438e374f37685dc8063fef44abfba5bd6d9e3bebd627ca413f3d909c716962ceb416e7160294c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
17KB

MD5
ade87925eb8f8cace6b641162c04c596

SHA1
87431e33a59a5f66ad6bac934810bd8897327d7b

SHA256
118f70ddbfd551bb69e1061ad91de6e08f45235025dbbb1a362d66ce2fad89b7

SHA512
5e32103e077ab47bc05bd6b6e781f7e4630633e0d901bdae9a2dc2928b5e58bff103c8a8751824f0cc69501d17a3cb6609ed8fdd1dec5c625ea65b9d2ef8680f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
20KB

MD5
c550c19aab471f1df10b29a1a1f01bcc

SHA1
e6d5a77b8e78d334dfb9dcb0f15f74b390ae005d

SHA256
216ddfa1131386c8485d8c3ff4a26054847cb4fdbfd007f6b7f4ed985bf33921

SHA512
9e2c6dad5cdf1b22419b3510dc1d01422874dbec5223c33d26b941be0919d43638ac7849b214e9a7ab0d4a90b66b282d002b1dcb9831851052e255de92effdb8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
15KB

MD5
16f9f3d088bbe655546f8323abbf88c6

SHA1
f4d60fa06cd3a8cc87cc73e835ca100ba9ebe141

SHA256
4f0ad039c805f6d6e42190f38290b0db247a818200837bdd9e2dd90bed3517a0

SHA512
b22ddf096d6c7476bb411db0ea1cdb46d9c3fb76320be7d396a9483b90b8bead20e47984868011139c070976b63eb33cd88b9a7a1a664ba942c4a685f29be014

Download Submit
C:\Users\Admin\Documents\install.exe

Filesize
40KB

MD5
53f25f98742c5114eec23c6487af624c

SHA1
671af46401450d6ed9c0904402391640a1bddcc2

SHA256
7b5dec6a48ee2114c3056f4ccb6935f3e7418ef0b0bc4a58931f2c80fc94d705

SHA512
f460775308b34552c930c3f256cef1069b28421673d71e3fa2712b0467485861a98285925ae49f1adea1faf59265b964c873c12a3bb5de216122ac20084e1048

Download Submit
C:\Users\Admin\Documents\sweet.jpg

Filesize
23KB

MD5
58b1840b979ae31f23aa8eb3594d5c17

SHA1
6b28b8e047cee70c7fa42715c552ea13a5671bbb

SHA256
b2bb460aa299c6064e7fc947bff314e0f915c6ee6f8f700007129e3b6a314f47

SHA512
13548e5900bddc6797d573fcca24cec1f1eefa0662e9d07c4055a3899460f4e135e1c76197b57a49b452e61e201cb86d1960f3e8b00828a2d0031dc9aa78666a

Download Submit
C:\Users\Admin\Downloads\The-MALWARE-Repo-master\The-MALWARE-Repo-master\Trojan\Bolbi.vbs

Filesize
80KB

MD5
51ba32b4505aa80d98aa2d509ee209da

SHA1
883d17cd7b5df0b312c8906213589edb39fbc7d2

SHA256
697b347d8c015d559f82a970440d681d457246e5264bd130b9b7deaf0fd4c99a

SHA512
b9c7e30e4d6cdf74b6939c7def7c76b2540fe982230efcba33b98ffe5fce8a5e157c2e234c8b2fb687925b0456e02380c87898445dc68ef9c1a8200973470296

Download Submit
C:\Windows\SysWOW64\ntkrnlpa.exe

Filesize
373KB

MD5
30cdab5cf1d607ee7b34f44ab38e9190

SHA1
d4823f90d14eba0801653e8c970f47d54f655d36

SHA256
1517527c1d705a6ebc6ec9194aa95459e875ac3902a9f4aab3bf24b6a6f8407f

SHA512
b465f3b734beaea3951ff57759f13971649b549fafca71342b52d7e74949e152c0fbafe2df40354fc00b5dc8c767f3f5c6940e4ba308888e4395d8fd21e402b3

Download Submit
C:\v1.log

Filesize
479B

MD5
3417f4d01acdbdeb365543f902582a59

SHA1
20d78521d21c69c9f595ba971fc193d9bac011b6

SHA256
5e48ed340be3a7a18c57dd014fd9cabadc95768d8d0dc5ac81fbf074910a4fb1

SHA512
8790b7e8fe168fec8879d7d881811c825ce06bdaf29c156a377fd16b3dc1b5ea9e1952a0c5ec07e505855bc80d24d89bcee4c551ad1c093c6f9cc29cf70c4da2

Download Submit
C:\v1.log

Filesize
687B

MD5
3dead5f1f0ae6ded255c28aaa2fa23e8

SHA1
b988cad90b5e030e9e59996a8ee3ec6d285afe7b

SHA256
2a3576cb0c5b2b677c115e931b9db197a5e720fd57aab777d58d8a0d03d586c7

SHA512
d68f4b9ced490f4e3e659af785c8ea5d6cb20d98923d1e5317bdda8c5fad28bb4f3481691cd5369f9859befcc7907416bbbca4f3bfb32db96baa9796aedfff0d

Download Submit
memory/1696-3280-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/1696-3287-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/3112-38-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-73-0x000001079B730000-0x000001079B731000-memory.dmp

Filesize
4KB

Download
memory/3112-69-0x000001079B610000-0x000001079B611000-memory.dmp

Filesize
4KB

Download
memory/3112-57-0x000001079B410000-0x000001079B411000-memory.dmp

Filesize
4KB

Download
memory/3112-54-0x000001079B4D0000-0x000001079B4D1000-memory.dmp

Filesize
4KB

Download
memory/3112-51-0x000001079B4E0000-0x000001079B4E1000-memory.dmp

Filesize
4KB

Download
memory/3112-49-0x000001079B4D0000-0x000001079B4D1000-memory.dmp

Filesize
4KB

Download
memory/3112-48-0x000001079B4E0000-0x000001079B4E1000-memory.dmp

Filesize
4KB

Download
memory/3112-47-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-46-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-45-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-44-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-43-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-42-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-41-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-40-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-39-0x000001079B8C0000-0x000001079B8C1000-memory.dmp

Filesize
4KB

Download
memory/3112-21-0x00000107932A0000-0x00000107932B0000-memory.dmp

Filesize
64KB

Download
memory/3112-5-0x00000107931A0000-0x00000107931B0000-memory.dmp

Filesize
64KB

Download
memory/3112-37-0x000001079B890000-0x000001079B891000-memory.dmp

Filesize
4KB

Download
memory/3112-71-0x000001079B620000-0x000001079B621000-memory.dmp

Filesize
4KB

Download
memory/3112-72-0x000001079B620000-0x000001079B621000-memory.dmp

Filesize
4KB

Download
memory/3884-3365-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3884-4061-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/3980-313-0x000001CB12BA0000-0x000001CB12BC0000-memory.dmp

Filesize
128KB

Download
memory/3980-493-0x000001CB25C60000-0x000001CB25C80000-memory.dmp

Filesize
128KB

Download
memory/3980-559-0x000001CB26DF0000-0x000001CB26EF0000-memory.dmp

Filesize
1024KB

Download
memory/3980-569-0x000001CB26CF0000-0x000001CB26DF0000-memory.dmp

Filesize
1024KB

Download
memory/3980-461-0x000001CB13380000-0x000001CB133A0000-memory.dmp

Filesize
128KB

Download
memory/4360-4169-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4564-4170-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/4568-4-0x00000226EC1D0000-0x00000226EC6F8000-memory.dmp

Filesize
5.2MB

Download
memory/4568-3-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

Filesize
10.8MB

Download
memory/4568-408-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

Filesize
10.8MB

Download
memory/4568-4166-0x00007FF973F30000-0x00007FF9749F1000-memory.dmp

Filesize
10.8MB

Download
memory/4568-1-0x00000226D1300000-0x00000226D1318000-memory.dmp

Filesize
96KB

Download
memory/4568-2-0x00000226EB890000-0x00000226EBA52000-memory.dmp

Filesize
1.8MB

Download
memory/4568-0-0x00007FF973F33000-0x00007FF973F35000-memory.dmp

Filesize
8KB

Download
memory/5192-3273-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5192-3278-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5276-3281-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5276-3279-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download
memory/5488-3347-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5488-3343-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/5764-3331-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6420-3329-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download
memory/6420-3345-0x0000000000400000-0x0000000000486000-memory.dmp

Filesize
536KB

Download