exelastealer | hxxps://mega[.]nz/folder/6F1BHBAJ#AGTtR1oAXcA81tmbKqrSGw

Analysis

max time kernel
600s
max time network
589s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-08-2024 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/6F1BHBAJ#AGTtR1oAXcA81tmbKqrSGw

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5060	netsh.exe
4352	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2892	cmd.exe
4276	powershell.exe

Loads dropped DLL 45 IoCs

pid	Process
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
2516	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe
1364	YaraReborn.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2516-2220-0x00007FFFE7230000-0x00007FFFE7818000-memory.dmp	upx
behavioral2/memory/2516-2223-0x00007FF802CE0000-0x00007FF802CF9000-memory.dmp	upx
behavioral2/memory/2516-2222-0x00007FF802D00000-0x00007FF802D0F000-memory.dmp	upx
behavioral2/memory/2516-2221-0x00007FF802FB0000-0x00007FF802FD4000-memory.dmp	upx
behavioral2/memory/2516-2224-0x00007FF800430000-0x00007FF80043D000-memory.dmp	upx
behavioral2/memory/2516-2225-0x00007FFFFE230000-0x00007FFFFE249000-memory.dmp	upx
behavioral2/memory/2516-2228-0x00007FFFF76F0000-0x00007FFFF7863000-memory.dmp	upx
behavioral2/memory/2516-2227-0x00007FFFFDD40000-0x00007FFFFDD63000-memory.dmp	upx
behavioral2/memory/2516-2226-0x00007FFFFDED0000-0x00007FFFFDEFD000-memory.dmp	upx
behavioral2/memory/2516-2229-0x00007FFFFC6F0000-0x00007FFFFC71E000-memory.dmp	upx
behavioral2/memory/2516-2231-0x00007FFFE8CB0000-0x00007FFFE9025000-memory.dmp	upx
behavioral2/memory/2516-2230-0x00007FFFFA410000-0x00007FFFFA4C8000-memory.dmp	upx
behavioral2/memory/2516-2233-0x00007FFFFDC40000-0x00007FFFFDC55000-memory.dmp	upx
behavioral2/memory/2516-2234-0x00007FFFE7230000-0x00007FFFE7818000-memory.dmp	upx
behavioral2/memory/2516-2238-0x00007FFFFAFD0000-0x00007FFFFAFE4000-memory.dmp	upx
behavioral2/memory/2516-2237-0x00007FFFFA260000-0x00007FFFFA37C000-memory.dmp	upx
behavioral2/memory/2516-2236-0x00007FFFFB2C0000-0x00007FFFFB2D4000-memory.dmp	upx
behavioral2/memory/2516-2235-0x00007FFFFC6D0000-0x00007FFFFC6E2000-memory.dmp	upx
behavioral2/memory/2516-2239-0x00007FFFFAF80000-0x00007FFFFAFA2000-memory.dmp	upx
behavioral2/memory/2516-2242-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp	upx
behavioral2/memory/2516-2241-0x00007FFFFAF60000-0x00007FFFFAF77000-memory.dmp	upx
behavioral2/memory/2516-2240-0x00007FF802CE0000-0x00007FF802CF9000-memory.dmp	upx
behavioral2/memory/2516-2243-0x00007FFFFE230000-0x00007FFFFE249000-memory.dmp	upx
behavioral2/memory/2516-2244-0x00007FFFFAAB0000-0x00007FFFFAAFA000-memory.dmp	upx
behavioral2/memory/2516-2249-0x00007FFFFC6F0000-0x00007FFFFC71E000-memory.dmp	upx
behavioral2/memory/2516-2248-0x00007FF800420000-0x00007FF80042A000-memory.dmp	upx
behavioral2/memory/2516-2247-0x00007FFFFAEC0000-0x00007FFFFAED1000-memory.dmp	upx
behavioral2/memory/2516-2246-0x00007FFFF76F0000-0x00007FFFF7863000-memory.dmp	upx
behavioral2/memory/2516-2245-0x00007FFFFDD40000-0x00007FFFFDD63000-memory.dmp	upx
behavioral2/memory/2516-2251-0x00007FFFE8CB0000-0x00007FFFE9025000-memory.dmp	upx
behavioral2/memory/2516-2253-0x00007FFFFAD80000-0x00007FFFFAD9E000-memory.dmp	upx
behavioral2/memory/2516-2254-0x00007FFFE6BC0000-0x00007FFFE722D000-memory.dmp	upx
behavioral2/memory/2516-2255-0x00007FFFFDC40000-0x00007FFFFDC55000-memory.dmp	upx
behavioral2/memory/2516-2256-0x00007FFFFAA70000-0x00007FFFFAAA8000-memory.dmp	upx
behavioral2/memory/2516-2257-0x00007FFFFA260000-0x00007FFFFA37C000-memory.dmp	upx
behavioral2/memory/2516-2250-0x00007FFFFA410000-0x00007FFFFA4C8000-memory.dmp	upx
behavioral2/memory/2516-2308-0x00007FFFFAF30000-0x00007FFFFAF3D000-memory.dmp	upx
behavioral2/memory/2516-2324-0x00007FFFFAF80000-0x00007FFFFAFA2000-memory.dmp	upx
behavioral2/memory/2516-2325-0x00007FFFFAF60000-0x00007FFFFAF77000-memory.dmp	upx
behavioral2/memory/2516-2346-0x00007FFFE8CB0000-0x00007FFFE9025000-memory.dmp	upx
behavioral2/memory/2516-2362-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp	upx
behavioral2/memory/2516-2360-0x00007FFFFAA70000-0x00007FFFFAAA8000-memory.dmp	upx
behavioral2/memory/2516-2359-0x00007FFFE6BC0000-0x00007FFFE722D000-memory.dmp	upx
behavioral2/memory/2516-2355-0x00007FFFFAAB0000-0x00007FFFFAAFA000-memory.dmp	upx
behavioral2/memory/2516-2354-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp	upx
behavioral2/memory/2516-2352-0x00007FFFFAF80000-0x00007FFFFAFA2000-memory.dmp	upx
behavioral2/memory/2516-2345-0x00007FFFFA410000-0x00007FFFFA4C8000-memory.dmp	upx
behavioral2/memory/2516-2343-0x00007FFFF76F0000-0x00007FFFF7863000-memory.dmp	upx
behavioral2/memory/2516-2335-0x00007FFFE7230000-0x00007FFFE7818000-memory.dmp	upx
behavioral2/memory/2516-2348-0x00007FFFFC6D0000-0x00007FFFFC6E2000-memory.dmp	upx
behavioral2/memory/2516-2347-0x00007FFFFDC40000-0x00007FFFFDC55000-memory.dmp	upx
behavioral2/memory/2516-2344-0x00007FFFFC6F0000-0x00007FFFFC71E000-memory.dmp	upx
behavioral2/memory/2516-2336-0x00007FF802FB0000-0x00007FF802FD4000-memory.dmp	upx
behavioral2/memory/1364-2450-0x00007FFFE60B0000-0x00007FFFE6698000-memory.dmp	upx
behavioral2/memory/1364-2452-0x00007FFFFAEB0000-0x00007FFFFAEBF000-memory.dmp	upx
behavioral2/memory/1364-2451-0x00007FFFF7580000-0x00007FFFF75A4000-memory.dmp	upx
behavioral2/memory/1364-2454-0x00007FFFFAE30000-0x00007FFFFAE3D000-memory.dmp	upx
behavioral2/memory/1364-2453-0x00007FFFFABD0000-0x00007FFFFABE9000-memory.dmp	upx
behavioral2/memory/1364-2458-0x00007FFFF7550000-0x00007FFFF757D000-memory.dmp	upx
behavioral2/memory/1364-2457-0x00007FFFE8620000-0x00007FFFE8793000-memory.dmp	upx
behavioral2/memory/1364-2456-0x00007FFFF7520000-0x00007FFFF7543000-memory.dmp	upx
behavioral2/memory/1364-2455-0x00007FFFFAA50000-0x00007FFFFAA69000-memory.dmp	upx
behavioral2/memory/2516-2667-0x00007FF800430000-0x00007FF80043D000-memory.dmp	upx
behavioral2/memory/2516-2677-0x00007FFFFA260000-0x00007FFFFA37C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
137	discord.com
146	discord.com
80	camo.githubusercontent.com
136	discord.com
149	discord.com
150	discord.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
81	camo.githubusercontent.com
93	raw.githubusercontent.com
148	discord.com
13	camo.githubusercontent.com
131	discord.com
147	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
121	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4612	cmd.exe
1856	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4260	tasklist.exe
4760	tasklist.exe
3604	tasklist.exe
5036	tasklist.exe
4208	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4948	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
408	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\FortniteChecker.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FortniteCrackerV8.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4000	cmd.exe
4900	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1716	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4448	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4360	WMIC.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4304	ipconfig.exe
1716	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4484	systeminfo.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5016	taskkill.exe
2112	taskkill.exe
2440	taskkill.exe
4024	taskkill.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2 = 19002f433a5c000000000000000000000000000000000000000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{1AB02F79-F4DF-4D35-B58B-F0A3927DF3E9}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{3BE30499-2BF8-4D03-972A-0B197EF46172}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000100000000000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{F2C764C5-7633-4D5A-8978-8E9DBF43DB70}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\NodeSlot = "8"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0 = 8c0031000000000002592281110050524f4752417e310000740009000400efbec55259610459880a2e0000003f0000000000010000000000000000004a0000000000991bf800500072006f006700720061006d002000460069006c0065007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370038003100000018000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-970747758-134341002-3585657277-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-970747758-134341002-3585657277-1000\{D7CCF9AA-4EF4-4641-91AB-7C9D3FEF7FB0}	msedge.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 975502.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\openbullet.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\FortniteChecker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 41803.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fortnite-Account-Checker-master.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\YaraReborn.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fortnite-Checker-C-.zip:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

pid	Process
2528	msedge.exe
2528	msedge.exe
3188	msedge.exe
3188	msedge.exe
4492	msedge.exe
4492	msedge.exe
3752	identity_helper.exe
3752	identity_helper.exe
5040	msedge.exe
5040	msedge.exe
4028	msedge.exe
4028	msedge.exe
2204	msedge.exe
2204	msedge.exe
4380	msedge.exe
4380	msedge.exe
1524	msedge.exe
1524	msedge.exe
644	msedge.exe
644	msedge.exe
1956	identity_helper.exe
1956	identity_helper.exe
2084	msedge.exe
2084	msedge.exe
1500	msedge.exe
1500	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
4968	msedge.exe
608	msedge.exe
608	msedge.exe
1224	msedge.exe
1224	msedge.exe
2628	msedge.exe
2628	msedge.exe
3544	msedge.exe
3544	msedge.exe
5000	identity_helper.exe
5000	identity_helper.exe
4704	msedge.exe
4704	msedge.exe
3284	msedge.exe
3284	msedge.exe
4628	msedge.exe
4628	msedge.exe
5012	msedge.exe
5012	msedge.exe
4276	powershell.exe
4276	powershell.exe
608	msedge.exe
608	msedge.exe
2892	msedge.exe
2892	msedge.exe
3508	identity_helper.exe
3508	identity_helper.exe
3096	msedge.exe
3096	msedge.exe
3704	msedge.exe
3704	msedge.exe
1500	msedge.exe
1500	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1412	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	4624	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4624	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	4360	WMIC.exe
Token: SeSecurityPrivilege	4360	WMIC.exe
Token: SeTakeOwnershipPrivilege	4360	WMIC.exe
Token: SeLoadDriverPrivilege	4360	WMIC.exe
Token: SeSystemProfilePrivilege	4360	WMIC.exe
Token: SeSystemtimePrivilege	4360	WMIC.exe
Token: SeProfSingleProcessPrivilege	4360	WMIC.exe
Token: SeIncBasePriorityPrivilege	4360	WMIC.exe
Token: SeCreatePagefilePrivilege	4360	WMIC.exe
Token: SeBackupPrivilege	4360	WMIC.exe
Token: SeRestorePrivilege	4360	WMIC.exe
Token: SeShutdownPrivilege	4360	WMIC.exe
Token: SeDebugPrivilege	4360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4360	WMIC.exe
Token: SeRemoteShutdownPrivilege	4360	WMIC.exe
Token: SeUndockPrivilege	4360	WMIC.exe
Token: SeManageVolumePrivilege	4360	WMIC.exe
Token: 33	4360	WMIC.exe
Token: 34	4360	WMIC.exe
Token: 35	4360	WMIC.exe
Token: 36	4360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe
Token: SeUndockPrivilege	3956	WMIC.exe
Token: SeManageVolumePrivilege	3956	WMIC.exe
Token: 33	3956	WMIC.exe
Token: 34	3956	WMIC.exe
Token: 35	3956	WMIC.exe
Token: 36	3956	WMIC.exe
Token: SeDebugPrivilege	4260	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3956	WMIC.exe
Token: SeSecurityPrivilege	3956	WMIC.exe
Token: SeTakeOwnershipPrivilege	3956	WMIC.exe
Token: SeLoadDriverPrivilege	3956	WMIC.exe
Token: SeSystemProfilePrivilege	3956	WMIC.exe
Token: SeSystemtimePrivilege	3956	WMIC.exe
Token: SeProfSingleProcessPrivilege	3956	WMIC.exe
Token: SeIncBasePriorityPrivilege	3956	WMIC.exe
Token: SeCreatePagefilePrivilege	3956	WMIC.exe
Token: SeBackupPrivilege	3956	WMIC.exe
Token: SeRestorePrivilege	3956	WMIC.exe
Token: SeShutdownPrivilege	3956	WMIC.exe
Token: SeDebugPrivilege	3956	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3956	WMIC.exe
Token: SeRemoteShutdownPrivilege	3956	WMIC.exe
Token: SeUndockPrivilege	3956	WMIC.exe
Token: SeManageVolumePrivilege	3956	WMIC.exe
Token: 33	3956	WMIC.exe
Token: 34	3956	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of SendNotifyMessage 58 IoCs

pid	Process
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
3188	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
3544	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe
608	msedge.exe

Suspicious use of SetWindowsHookEx 19 IoCs

pid	Process
3480	FortniteCrackerV8.exe
3480	FortniteCrackerV8.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
1412	OpenWith.exe
4564	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3188 wrote to memory of 1028	3188	msedge.exe	78
PID 3188 wrote to memory of 1028	3188	msedge.exe	78
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2628	3188	msedge.exe	79
PID 3188 wrote to memory of 2528	3188	msedge.exe	80
PID 3188 wrote to memory of 2528	3188	msedge.exe	80
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81
PID 3188 wrote to memory of 1004	3188	msedge.exe	81

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1908	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/6F1BHBAJ#AGTtR1oAXcA81tmbKqrSGw
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xdc,0x104,0x108,0xe8,0x10c,0x7ffffacf3cb8,0x7ffffacf3cc8,0x7ffffacf3cd8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5840 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2924 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7028 /prefetch:8
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6308 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,14733826814025542174,5101683073000625586,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004C4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5056

C:\Users\Admin\Desktop\FortniteChecker.exe
"C:\Users\Admin\Desktop\FortniteChecker.exe"
1⤵
PID:1080

C:\Users\Admin\Desktop\FortniteChecker.exe
"C:\Users\Admin\Desktop\FortniteChecker.exe"
1⤵
PID:1884

C:\Users\Admin\Desktop\FortniteChecker.exe
"C:\Users\Admin\Desktop\FortniteChecker.exe"
1⤵
PID:3008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffacf3cb8,0x7ffffacf3cc8,0x7ffffacf3cd8
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2056 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:1692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:3536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5308 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6168 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6660 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1884,9808328483198561060,5853594269023320844,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffacf3cb8,0x7ffffacf3cc8,0x7ffffacf3cd8
  2⤵
  PID:1476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1852 /prefetch:2
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2536 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4888 /prefetch:1
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,8948014976827551138,12803548461389931389,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3424

C:\Users\Admin\Desktop\Fortnite-Account-Checker-master\FortniteCrackerV8.exe
"C:\Users\Admin\Desktop\Fortnite-Account-Checker-master\FortniteCrackerV8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1412
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffacf3cb8,0x7ffffacf3cc8,0x7ffffacf3cd8
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1824 /prefetch:2
  2⤵
  PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:1800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3028 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4120 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6396 /prefetch:1
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1720,15492226947588732766,16476592246015955049,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:2800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2616

C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe
"C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe"
1⤵
PID:464
- C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe
  "C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe"
  2⤵
  - Loads dropped DLL
  PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4452
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:4212
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2184
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:2304
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:480
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3156
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:4948
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:4840
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4192
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1028"
    3⤵
    PID:1780
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1028
      4⤵
      Kills process with taskkill
      PID:5016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2988"
    3⤵
    PID:1336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2988
      4⤵
      Kills process with taskkill
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1476"
    3⤵
    PID:4792
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1476
      4⤵
      Kills process with taskkill
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2312"
    3⤵
    PID:2480
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2312
      4⤵
      Kills process with taskkill
      PID:4024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3660
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:608
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3976
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2712
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2388
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2892
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4000
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4612
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4484
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4448
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4472
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2292
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1656
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:1908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3964
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1976
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4704
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2356
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4712
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:5072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1952
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4208
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4304
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4380
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1856
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1716
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:408
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5060
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1508
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3876

C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe
"C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe"
1⤵
PID:3096
- C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe
  "C:\Users\Admin\Desktop\YaraReborn\YaraReborn.exe"
  2⤵
  - Loads dropped DLL
  PID:1364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffa763cb8,0x7ffffa763cc8,0x7ffffa763cd8
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2056 /prefetch:2
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2808 /prefetch:8
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5352 /prefetch:8
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5660 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2304 /prefetch:1
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,12468923722025778567,13339051412830971747,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\System32\notepad.exe
"C:\Windows\System32\notepad.exe"
1⤵
PID:784

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8276eab0f8f0c0bb325b5b8c329f64f

SHA1
8ce681e4056936ca8ccd6f487e7cd7cccbae538b

SHA256
847f60e288d327496b72dbe1e7aa1470a99bf27c0a07548b6a386a6188cd72da

SHA512
42f91bf90e92220d0731fa4279cc5773d5e9057a9587f311bee0b3f7f266ddceca367bd0ee7f1438c3606598553a2372316258c05e506315e4e11760c8f13918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce0687fc34b32a436e432357da098e43

SHA1
da7fdad58ea671ca5fcfbe522a003458a4262257

SHA256
36b122434a572b24d989a2966087731d43cb40bb37fb0ce883de7b1ff57fd0f4

SHA512
98b524c3975f9e7db34eecbe70c7d34b3a8278a6d20ad9ca9637bdefbc297ee3ce9c904eab9e2ba55757c3415d22d7e87c63d667d33c344d55fe108822353a50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf8fd9df67f1d5bc2fd8aafc68751b2

SHA1
85780a817868cebe6f3bf784b5edb2fe652395c2

SHA256
270b3d22be5c04bd4b111924e5b0f7379afa671ff97eff99ef9755db1d30fc77

SHA512
3c3bc2adb88680b6efe3e31bc3756fd6fe6902a2571db0942009890795e71dc0defb938fed70498b40175916a15d7c6ef4aa820eaf625320612b5b4cb6556527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5f9091673451796c43be4e1a3b5b861e

SHA1
54d22b294022c7839d50ea4cecfc7798afae92ca

SHA256
4e8f6d169200c13567332d9a3d316e0b4e2886d34b368f21d1a85d4bfff70883

SHA512
a1d75da2f7f5335b7b15946f8aed9ca85b0254b52ba067a9aab2eb23f0447d76f67b8523a9ddb68656c9c01d89462e7f8cf06be0abe11cf106e64ac44b0f0c85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
058032c530b52781582253cb245aa731

SHA1
7ca26280e1bfefe40e53e64345a0d795b5303fab

SHA256
1c3a7192c514ef0d2a8cf9115cfb44137ca98ec6daa4f68595e2be695c7ed67e

SHA512
77fa3cdcd53255e7213bb99980049e11d6a2160f8130c84bd16b35ba9e821a4e51716371526ec799a5b4927234af99e0958283d78c0799777ab4dfda031f874f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1e9e7c176dbfb8e4afff2f96e3613a66

SHA1
44156de48db3e7c1e6a34e85088b7a1a3d64d015

SHA256
5cf6dbb5a90ddd5b6e96dcc6faa0ac29fc07310b71f06a4675ba9b1012185e5e

SHA512
0ecd26bd0b6ce8a6f87b8726f5c665257d47a07135fdc0cdc3b30f7351e8c9058cfee780f1a0cd45754bfa7130c77ac1ec29de3a18b04242b30ccbd03a622af9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
219d82f2792cf6d618dff291c512e7dc

SHA1
c83caf9675c799664477a2970f74df98f6a7fe70

SHA256
ad87fb2a24047d44fed6a96aa948309036c94e416d46d90bb28446757c87d0c9

SHA512
c73b37d2074476fa614e191aa6241df71eef66b1aef113266dccc567afcdbf31edf75329148931d829a47719bdef1766944bc27e25770a8fbeaecb2822784c90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3f926296-bd2b-45cf-a869-2b60f7d10e0b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6e389c54-b2f3-47bf-a605-aa9c385d5c60.tmp

Filesize
7KB

MD5
9e86e1a9c10b285042b1bca260b9c516

SHA1
32409a8f77b81ed5f7012197cf064ad677bd454e

SHA256
d3df91e0d562bcc246e80978b6a6d071fe21b44131b1592762ce804c5d54a70b

SHA512
428452e433196a9467a6e980f76574082e29074e592fbf87dd9df3c486b6c95eed490409e2e8bc7850031fe79541a0e7a7f4286d13cb2a3f3aab13bd1a777095

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d681719ccb697ca24ad02a319349e94d

SHA1
0002e0f73b5f970343f973f76f76868608cde4e9

SHA256
ba9cceec480ce33961b59fe90df23f258c886a7550868fc4a7abaee0ebe6669d

SHA512
e339792e2afb166621132bacc4eaafb9689ae83a6263831cd9b2f8f3a14daf485820102b3cc3e7fa65e5fc5c5c59208543bd813efb0a689505a6299eecd69353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
4d660538c197eb369574065bad75b309

SHA1
ddc92b8a404389a00ff453c763468ece9bd994dc

SHA256
31a544ddff30f8326338767f48698e93c177a3246e6ab6373bcbe16c8eb8b5d8

SHA512
e3755c49efcdc7f5ff66c5037112f117b8c031efa542939f1c953041e84697b59cc11beb9dc85719117e09d87819da4eb9137909acc4b667e3bbce8df8b6c9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
21KB

MD5
b1dfa46eee24480e9211c9ef246bbb93

SHA1
80437c519fac962873a5768f958c1c350766da15

SHA256
fc79a40b2172a04a5c2fe0d5111ebeb401b9a84ce80c6e9e5b96c9c73c9b0398

SHA512
44aefedf8a4c0c8cbc43c1260dc2bbc4605f83a189b6ef50e99058f54a58b61eb88af3f08164671bad4bd9c5e3b97b755f2fa433490bef56aa15cdf37fb412b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
36KB

MD5
f90ac636cd679507433ab8e543c25de5

SHA1
3a8fe361c68f13c01b09453b8b359722df659b84

SHA256
5b4c63b2790a8f63c12368f11215a4ffec30c142371a819a81180a32baeb2bce

SHA512
7641a3610ad6516c9ecd0d5f4e5fa1893c7c60ca3ba8ae2e1b3b0cc3a72f7f9bef4c776a1f2fc52f366bd28a419ae3594a6576e886e79a20ebd98b55b2acc967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
69KB

MD5
24a806fccb1d271a0e884e1897f2c1bc

SHA1
11bde7bb9cc39a5ef1bcddfc526f3083c9f2298a

SHA256
e83f90413d723b682d15972abeaaa71b9cead9b0c25bf8aac88485d4be46fb85

SHA512
33255665affcba0a0ada9cf3712ee237c92433a09cda894d63dd1384349e2159d0fe06fa09cca616668ef8fcbb8d0a73ef381d30702c20aad95fc5e9396101ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000027

Filesize
41KB

MD5
ed3c7f5755bf251bd20441f4dc65f5bf

SHA1
3919a57831d103837e0cc158182ac10b903942c5

SHA256
55cbb893756192704a23a400bf8f874e29c0feee435f8831af9cbe975d0ef85d

SHA512
c79460ded439678b6ebf2def675cbc5f15068b9ea4b19263439c3cca4fa1083dc278149cde85f551cd2ffc2c77fd1dc193200c683fc1c3cdac254e533df84f06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
1.2MB

MD5
027a77a637cb439865b2008d68867e99

SHA1
ba448ff5be0d69dbe0889237693371f4f0a2425e

SHA256
6f0e8c5ae26abbae3efc6ca213cacaaebd19bf2c7ed88495289a8f40428803dd

SHA512
66f8fbdd68de925148228fe1368d78aa8efa5695a2b4f70ab21a0a4eb2e6e9f0f54ed57708bd9200c2bbe431b9d09e5ca08c3f29a4347aeb65b090790652b5c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
18KB

MD5
02a6d83c02b764c734e7e88196167e6d

SHA1
56fb0b031d4e2cac807e6e0a7a92b71a0e5854d6

SHA256
0c9833e8a9cc66d7ca42fb8ec733fa46264dc1ff27c1714612e40d3296987159

SHA512
f71a370a356ec98b9b06256dc82af73002ea449dba3420752be3a2d66d6000cd75d920c60ab22dcce7d3c60f1ce8cc444a6db0cce6a1bb983f93fe0aa4a4cd1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
17KB

MD5
3539d635569a7bfe70436e30753014bc

SHA1
5fec3a521862003cb6318ff5ee224b799243ff68

SHA256
272192f350e19f23b18c72f9fd5eca32a07ed6fd9326ec444748f3ba583a5bef

SHA512
75090a58f79a06cbdd275a0333eddbaf67c7a95b1b23f52df022de77dbe9976ab55d3b3ee608bfc20b4d569ba3e7a7613e3709d6b2c037fad2c338c0493fb1fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000066

Filesize
31KB

MD5
50844df75dd48cf9b240fb381bdb0542

SHA1
02ea5307e287d1c1e6456f0e474921b4a75ef05d

SHA256
40de8ee148f2c5f406a8aaa41d1fdf9af93627b14f91b125e9941d9ff7329250

SHA512
2e48ef1bb63511341bd83955874dc6d0b3f47af0517e192d3fd0743b26aa0c6361005e1d9a6c655afd62f849dc29389673ad2bcbed856c77944bbd2b4fc7ada3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
71936f0b4d1cd83a6795af44347165cc

SHA1
c3575725772180182719d95ab911ea7968ef6225

SHA256
7424d902b5d944f1e1691570725c5d6af17af96963f1de0cc23eff284287966a

SHA512
43559eb4b20432c3e123d6a0a0d992e67c12ce400325fad21e60167a03c108afd36f9fbcfed654aa7af3b6b926dd02ba7994da02294b725753473ed6c7301efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e1e76b082359ff930b80d5db719fd723

SHA1
6a5c3b587a61733162380fdf983cd26c0b9ab76d

SHA256
a89767ced7aca7ede0d0bb7e8d7f3a93daaa2d4e1c28372cdbbeda466dd22745

SHA512
0057caef7f27f4ca76219e124ca424fa0e41df9f2de3ce83125e9f5487e6f25faf371e0e338db0e1fba18ba5bcfc50afb0014a79645ddf2a5ef7ca4d604bf7f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
10f1f57eabfd59ed7a285d1789e88d36

SHA1
43f6c2230ce743dba5ea684a8412081c825ca688

SHA256
65b7818c281e01e80735284584307bbb9df1a5ceb45483fe887c20881bfdf9be

SHA512
c8adefc44074b891b3409505c90773f5b4c3c355ec2a4cde08e59b63ebeeba3b08214b34a883a4720433d05ce8ae4aee9372ba9074dcad5d671b362689e5ffc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
717361666291d0c4866edd176347680c

SHA1
370d76528a27b8bdb1feb8df974b0e25ccb70d98

SHA256
9580dfb491b9bce765f81c1e3af0e74acfdbfcc844c14acbd997f53706b0714d

SHA512
f2c74b78ebeaf39d4f9bb0f200833579331b347441c150dc195a0f43b606eb9282025ae8594acf88017da9985a366c5c4a5d03691e3d15d2cc7c60057735e2ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
fbdf7ae5e74bb1c0f0cceac25a5c82e0

SHA1
ad0abf5eb3dcf2da1e6b4dd1d7657f055fddfc7f

SHA256
290cc4c955ef527105cc2702e8d8e8f23aba272d0dd9dbcd0af851ce53687cd4

SHA512
ca6077f585ef872b77c2b31082caf6d0f1c532ade70da924f21f7fd05980a53afa68e750631d991bffa9c1bfa978140cc6429f5d1741baa5177ce5fc731ba02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
87cd44f077dba1e9baa90fd43fda783e

SHA1
79dafbc8fec5b26d1d4a273be8432649e8d8cff2

SHA256
375e245a6ebb6795a84413e81f05b38c79d68e5d1d1b19d87d58a20cb05b93bc

SHA512
0260cfc4bbd00c89391ebd88282797c5e839fd477a6d16f37709982a70ded94da1e481359958431b60eee4b89e4234697596e80fe8573e1935631788d029ab57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
c454ecade67f93b3447208e4daebcfca

SHA1
d7bf5f0814b213490c5ce84fcf922a75297b690a

SHA256
4e6221bbd5511dcd7a9190e59427b88b851e25e048b1ece5e29412f8134684f9

SHA512
73c9951a6dd25305d27ffc22e92855823aa8147107b19184f9a6c5cbd71d4e6e8919f014bc6f4b5d5fcbe9ad44876f1c65f7e62bcb83cedc9f07de1eb685e92d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
3f01bb41bd18dfb331469a2b771c1d8c

SHA1
a4c08024c041e641a5ebe51e44769bade1bcf86d

SHA256
817621f9ea0bc2f92ca04f34d5621d78ba1e35a527777578147a4189349effc5

SHA512
f8f504f6adf4a3519ea46513d2ac819cfad2ca1a93cc8322425179c1b17c199e5b7eee3bdedcec8d9c64600700849fbc1fd1351cb85612ed8571a0ad3d58a3aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
997248fb0dea1270dab162690b43ff0a

SHA1
2ee7f8fa76e0fbc3eb725ac441d2a2cf3bc4b298

SHA256
3738a27d33963d34d1ab2dac222d0d496c8fd51e4efb787a91fbf56876cdfd82

SHA512
4d4d327cead64c6291a14a483e80553de4c73e8b9a3c3fc0328673aa71ad15ff4360208afa3e5c4c95afd745480b6d9af9d1dc5040422d5a94bd757b5f15bc32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
3KB

MD5
86baf38eaa917c0f4fb6b38b8fde1130

SHA1
97a33be5774092f51c1dbe03ca8c72fcc382a2c4

SHA256
7b11c0c2de4577fa20869ec416cb725322ff09f7f9360b4b0f22e3e650fb2fe6

SHA512
2d9f97c56aa0ddfcf619f3b9cbef55ba660c3806770b1ca6a043d7faf21a5946d8a684e663e95c970214b859c68dbf80759266d7a42adb2b5e27b87858b50575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
9a7b1adb51c2507ffb030d0ef7fdd8d1

SHA1
1ebf7ce0ac6403d7a5122c9a998cf284bc1cc603

SHA256
10dfcf5b3c7479217eeff9949dedacb4ef130cdaab92224aebe8484d3ba58233

SHA512
30299f38649dd55eb604a207cd4023f1053ccb7c4d529bb16937762940916595d8b77c362c80011fd9466e1944ec96f1623522242954dfb21d9cfbf54cfe071f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
1e2af554130bc47c49724f155e1a4001

SHA1
9cb02bdcd4e5f20a78432f50cc7a31dda6492f13

SHA256
c8606f7dbf0bdf938c8d2e2a7cb383b36ede5c38b58c02facb83f6a297b358f8

SHA512
2a0e9d929cc741b5e5bc4dd046c1762d1943f68276a5056b6b23034383cda67bdf0cb45475ebc5e2b7abc4c45f78e9dda60449f59777a9b6c0d15f9f01c77f9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
7c9cf1782abb5f68787fc3269827f415

SHA1
3e719c05c159f6ed7ab6e03fd1b8af20893a66b0

SHA256
0abdc68739556fa7b3f062fe7612348255353aebf1087832a7d28e40b04ca132

SHA512
14acaa18cd97c932e77a0dd5bf4ff986c5b2ae69eb547e451c981ae2610e390755358f184f2acb763ab9daf5de6982a605797c94e50b85460e9c050cecfa8596

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
791B

MD5
450dd3df2b8282d1b120a9f79de693c6

SHA1
e4438ae6b52fc0e45e57cd09190cb033526436e8

SHA256
2ab6ee1ea2d17ea3393dbaf6644e0cbddc3af5b42a7b20324853ec97092a7f79

SHA512
f52152a244a1818ae208f4e6f16efec72422d8fb4a601281f9e2497946f1f5f15feeffc72e6eee426189c03c0e4dc4afcfc0c5e795c6b17d01b8d46cddb38d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
83d09722629b6cb10cd76f725eaa0128

SHA1
37db6dd3fb54770016b2fe4f9ab26c2de56cad53

SHA256
382a04a15b906b290c8181a24325ead39a1dbc316b1603ea81b16b45e6ae6594

SHA512
751e822e6d0236ef8c3fd956d3956fb870a79a7d4b2c3faf60e15d598d39530bad41736f0ef145e325fa591410d8cc4fcb18162ae214ace2082713122c610b81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5c5153f236aca4984f3172f84291b1b0

SHA1
b2fa6cc52501953d0f9a440ac02df605f21d9211

SHA256
46d48d56be28f1f0352ebacc7ad43e69b6892a9fee0e6a014bb6370d589fafd9

SHA512
69ba7b07da11f6c3319d58de732feca6839230a29c7d91cbc253b6ad91ea5fe2333e977adc4566654a956b6c3653d242b665c2ca689db04a9da8db735997a34e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
85ea2e98bac9e1184b371ea40a6978c5

SHA1
702b8234c1d457c07f325e87f1f5d4ba07a5de68

SHA256
30dbc3c18e2a0f516bb260d5e37d8391b5e5c65d2218fa1528af42af8fcfded3

SHA512
3732815ba0014b92b49b932421560a61f12f773b4c6f1014197652618933a1670967dbc53ec8e58e3e4fa26665cf4a91ee2d6ad4c69147de34f6cc03724f9c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2f52d69b69795c12fbfcc165004f589f

SHA1
ee5431d8aca7d41b80113c34f4cf4f9ba83332ae

SHA256
40da78f31a0a1df28587e854cf12db788009406daaf6596f13b3b00b4d79bcb8

SHA512
5713b09b85967f63ec5658a1f61159ef5ff7b4ec128485d649f49e7dd4830a77d4d74452a52dbb3c391658a18b8c47f6e7b2a486a667141e7c0697c0484fb00d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38cfbc62e508fc148837b1dbda306a17

SHA1
00763607e3ccbb581ed14e147ba28aca7cadb1bb

SHA256
0df30045b144c67f44e36e49d7cedf05108cce7b28cdb29d10bf141dc82807e8

SHA512
6449d11bdb6959849cce8dd566494a7ab408e1c1e2dee4870f9407c2880472e0abd07011d8cd0f6848777a3c32a85a2163122eb3abf7240c2bdcca46e877d369

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
28077e79adfa3f506a631343b7a0a8b7

SHA1
4164589bb3f0c1f0d44c1aff952dbbebd226ae86

SHA256
794f84488718d9ae14944310bde77a70ae9d39037a4ec0e06481664c89b473ae

SHA512
3bc9bd038c76d080f48901bfde3ceb558a97d2eae051e998b7c5b5128cf16096bc1123c3deba0a2ba99e297b568c75669a5bcf947e663d419ef0365528fb6239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1935443050a5b7faf2e972ca8ea63976

SHA1
a60306b9ceee703ca16f39f816f3c87ab41fbfbe

SHA256
405366e0cd5552d3108d366c287702ef105c1a616117a24e1de8918596666b75

SHA512
1e876a16c903ffbd6f6ea545c3f8832870a942a7484c1c16f1101cefe0185ac9219290cf8f833bdd71a920d94b0a7513d7a9ed6e39ce6e42580a3e27d240af59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a6ecf8859dbdba6d0b0823b3bb70cc36

SHA1
90d034a0f38636b6208803bf54a475e40f8bddcf

SHA256
3a052da73444d9bc98d7049a3cd5c1e1681f3cea92952c64c1286f793a0164a0

SHA512
b78d3927fa585292a54231387b4180272e5ad93ece7a07f70e7a42d720c89a6e126bafb453b30ad711b0b8eace1b476be5b8de0e6625e704cd3663280c3bae52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
70a38a9f80ed3779f305de27a2a1a788

SHA1
29f5d589d852f8cd0b213b7610cda4d1c85b1d4b

SHA256
920ea26a7705525c461f6c56ee6847539cb6fbbfb78cad39edec863cfa835ae9

SHA512
8f9c477d560de529485f24df2c8b2cc53860cafc73d804ac6edeec5b92a7278c682c41383f99e72d106aec7055b9f91e10bd0d33748f0581dcc01256899b85bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b8da6e2cdfd4cc3eb5bb8c939aae266d

SHA1
7871fc5d7a7019f38ff80d3d8101da157ab36932

SHA256
7ed09ab34bf91f6e38adce9af4026df09f2c3c2beeab6402fa6eb52af57da80a

SHA512
da9cfdb1b53608877ecef3653b0f7c874395b8fd716cdd8b01dc418d8710695f181132f1c512c114b71c2b9d7968d5124630b55b5383f92055a5d4f8d6be6c1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3e1f9fa2935a0e1b9297b11bfb2927f5

SHA1
746d2e61f6a012af8a5163b7899aedc980fb93b9

SHA256
52fcbc342769c57db53dff45d69e60514beb5f31c330419a79e279f96203d843

SHA512
ad97dfb4c5a599c1542f29cd1d11c6dae0834dced0284dd26e8532944c46ced50c4672c09bcbb1d28c9d1de44b7a68f88bdea6993a09e9fdd9ccd0980b6f809f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
3684d9df2995e3f46016c3e67e38b2c9

SHA1
f4d7824f28838b4a9cf6f32b85f156a8e98e7124

SHA256
5ddbec7401f6c6a2ea0f3797782316a02d989fefa8494347eaae0c0063ea0782

SHA512
00f0c9daf8a812eb91158a6b34a3f1df54191ecfd87819eadf08307e2d8af83eb0b6819565908e64507220dbe1d4652736a0aed66dd34e813ab96fc77c9ac85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5c6d3c9c8e59976448c377334d6b4d0c

SHA1
d0464f18d53876d4df78ebe2f473896c58b76a27

SHA256
11f3d61415a6d1d0de339dad322dc4adaf915824f9e8962f6a576d073ab478e2

SHA512
21068a30d509b17c00e86db62aeebed83da629773fd1b89a88f8a7043d01d4edcf7246eac8c30186ac8545f98c98079ff629f4ed3f81d7d0118e98570d0ff549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7cc7d89b8359c4e968a543ef30a98bff

SHA1
61de49896d4de181a3ecd1e26dd1c16e1e2b06bc

SHA256
f2f822fee0eceb4edbc75281b897ad13c2fb121a57bc9c0122335e308eecf2b0

SHA512
830c0daf092fd6e5587bb030515bd43efa04fb7fba0090c78685a8857209389877a593f725c8f1afc6b6b54c249bede236870baff82cd1002f666b05a19f21e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
40f160c72bd47561ad34b80a333642af

SHA1
87b99f87bc853999f698ceb457e3fcf53ad08a16

SHA256
e4837b9d4d75872fe58a126ed49176230d5fa0805fd0800ada4d1f83aee65e36

SHA512
53f72305dd6ddf5dd12d158896c6ad2edb87bcc748692b4ff0827cbb2d47d22806dcf940846603b9fb59eb2598d7bd9ae482e3ab3900a931f6f33afd1ac59f71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
be633444b312acec59ce6564809f69ad

SHA1
0f72feff75d4ba770a08875ea72c0c8dea2c07ca

SHA256
e0e11dfbbbb7b9464ecdb69bc4fba37ffea2f7e147b760a52e0598d0d4a930db

SHA512
33433882ef59a2e94e94b835b95b6c30a41cebf5694cf0815d637b730ac986884f064e44e77d95ee4e83940b51bee873884194bf23ed7262a50d4491bc1fbbed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8a733702b0e2799f92c9ac6bde05a4e0

SHA1
9af5706a3861c6b60065656f8242ef6083512950

SHA256
2cec53f9d82f7bd73b854f8a5eb2a73a150100ec35c82231a368e4cb40696b62

SHA512
d19fd309fe48aaba2eb92a6f659e207bab554764184244a2e72e6143c40d7a9a13b58944059b155e15e892f4f6af894442a8f97f21f5930e86519d93f1cf4fae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2e9f38e8d317157cf51189a6f6e02523

SHA1
37d7b9dbffd59fd4ca964720f6f7da1be1472aad

SHA256
f3a750749c0c1fe8702894eec813aa8ec899a92c0272258e19a761e64e91f603

SHA512
e649e32fd8b58678dff17980eaab3d34dae54ef44c7cf9633ca0ac54aa30533da61dbc299afbeda3ab2fab3eac5e8de32742bbd93128855b3969795884e53843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bc9611ad2d4ab77cd6a2cb178951d1f1

SHA1
464ea1b765162669095d6cbfa884e4442126b94f

SHA256
1cb22fb04e5a11b63c9c21e3ec9ac7e5696511041891ea5244fdacb076663dca

SHA512
3f5657abb72a8c058a82b253e1a65ed43544f7fb4980345e3a3092ed4fdffbf3fd68f6f2b0bb41690477d156fcac45d1b0170f5c8fe697a98e92d98a13b4cbfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2f4af7b4eb68cd0e202b73915053cf07

SHA1
0a89f9a066a5050e22fd5a00562f9225b3b9e62c

SHA256
55587fad359fd9f6483799a0a37c50b97ed795112c9feacaf550d06d987adfa7

SHA512
0d21aceb7f851f33f9d0735eec91aa9bd2d3103d6d2e0deef3bc67eb832157a0b3a88755f89afed1359f9fcb7c204df17f414feb2b7e781b92e15fd6ec59594e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7f80144b11e70e9df0b2349e0b3ed0c6

SHA1
22112adf1dc774b427c61246c3a7b28e90db93d9

SHA256
5746f6900899dbe791b944495cd0fbd014b4bf5789cf0955644c845f1c6a666a

SHA512
cf9344cf6355d88da4bc357c9735dab2991a82bcc17a027a944448094fec74417cec270bb47b1fe7e513559ba97c6846917ed3d6f6441b0efca32604102f3d56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
400caa00c79d2e22cbf5040e28037162

SHA1
94d280a359adab8c3ef8b8461deda5bbc1fbf39a

SHA256
3ffaaf40fd467ae2f85b170baaa3b11a8ef2846fb9d279c43ba0206690d556d5

SHA512
4ab7951fff6bb1f6fc29fbf0fd7b6c08e7279bd4e343f8daef0b7b3c313bcc1489fbe00f23671bef1fbfe239645c0adc6c7e6fac4cea0957c0250e63f4c9a618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3eb6fb88fa2b7680f6e877285c4d3bfc

SHA1
91fb6a45643097efb1ecdbc5a260e14473a44438

SHA256
6efe101deeb8a5f1f27da1eaf73ea5d8805cebb48ac890a6070a9577cb9c8c3b

SHA512
ffeb5efffdcad9444c7c952280fae2b1316551e29c6700f2d447c2c5d77e56c94e11d2468f9011ddc2e5ca046d64b668645a17b93ddb070d83d6048ba887833f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
72d0d518ddde259a151e963f69b53a2b

SHA1
276d7e2e48cb93c51e0de63c4dac1c57298caa64

SHA256
4c5e83c14dcfa19add9f65e2d159be3051efb9209e033a9c1cb6fac584f628e9

SHA512
f323e0f0985d44d491d6f78b5326db6b66abb78b2f1c9cb2ec4c3361eb175affc6109c37d29f67b5141d0b21645e5a972b50f8e674929ce4869b4664f619e25f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
955efb1dc175b050a25fa3ac0a822526

SHA1
1692e2f8cf2d170eb654aefa42feeb6ac7137a4a

SHA256
91e6f8fc0c9fc9d3d2ef4b89c617fc6ec8b7500b82c92677ed57c37222baa72d

SHA512
74b79f756c73fbb2e7eb25949c5202b08d2bc2b25d97691c8d4ea1fb63db8e3a069b6428ae7b5bab4ff4181b4afe234b047a6d1e7944ca53d98785550443c462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aa45311bbb69b9ebd1fa8e5a20767d10

SHA1
0670147560829a9c663e075bb0c39d4f270cf961

SHA256
8f9bfda6f1cfe994a23eb337aa45072a5ed8da8ca28b484ed4d4fddd61b31980

SHA512
8f6b52f6923a8bb01c893107020ff34a0d7474b1f1ede639c1c67f4b2b3e37c822d3d5a96ab2e21e28b987e8e99e7ee757feebc5965ef80f24540281015de542

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
edfdc21622e6a8c77720d7194715af23

SHA1
d18c4fc4dbbd813a826157cbca9a7742710a4635

SHA256
5895b9147d7a25a2bb35787d48b1283553b80b1062fd8f8a3a2e3496f86de989

SHA512
704b1e24dc359af03abc576ad6e618deb77b9f5f5a6a6d59bda2a53047c724edb358db2e669e78c51b921d31584e8f5266e1471994f5876cb5e2c4f438a88af1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Filesize
602B

MD5
b0860cd343e1f5b0b0f25d836fc388b9

SHA1
54ed9287fc1a10b747e4bfd9743dd9975ded1274

SHA256
4fc21009f9dd992f145eff21f81cab6233e53c0590d20ec45faa4bc2eb5dc7e9

SHA512
f703a192e1f5cbbbb82077e4846b9837e248a75690cd2b3bb0d38d7aa6735680477ee3b6681f62c4122f0d031544e8fa686a9d1f74a4269e5bcbdd94f37d1c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
295B

MD5
469e5e4b5a621d11f9a11cc1985f7faa

SHA1
32a31d1c9e6752923246f4f87c46cc7bd375fa63

SHA256
3535e80c55530d5afbbb666887a616814d534441481b8d32f0a185d32cfe5459

SHA512
eaea99a72cf5c2d4c1cf5d1c7e15d09c5478ff6b3103062a8dcfa4b53b82239570ddf3fe17cb3e2b846fcaf7fa876366bb5eab6c6bc872e3259471047b5c6476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
f43e265db0651dcd07bfab4e245afe2c

SHA1
9adf2aa867766b519e6e2de54e1297105be50085

SHA256
886475bb656192939dee8d7a751b2388608fc95c0679af0c3a57c8373801d452

SHA512
6e16b108784f5b2bc1f7050a7dfe350d81e7854ac5f8dbe39ca1259154fdb50f4f94c1d3220cd5cf03ca3f7856d8a16c0b7de1c954144172888501d8534a9b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe580710.TMP

Filesize
48B

MD5
7b5dbfdbc28b10fd55c35e43564c637f

SHA1
5750b119c65fd9b1d8d84f0f8c3ccc0709dc5abf

SHA256
d322d3502984427cb5df4dc166ff8ec744d2c64124958851461ec808acfbbe0c

SHA512
d0c44fb333ba4259352e63d63631ba858bd919ad32f4b20ad28c728957c5d5b236a3712dce33df2eeb7a3861485368d18227a9fd9012c31951899879a77f0f9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
2KB

MD5
1b576316a90368b668810821ee9231ee

SHA1
84a6f4335a4dbc72d9a45e4b915f28eba70c82ba

SHA256
8a7e21c9882ea45301b1165b23cf261a012cd4d5dbeb7f846deeaacbe851df61

SHA512
f513f8dddb009aa06a8720978fec212976352a01b110e1e2ba8b3ea39f79a35ab2c1f9313ffebe8c3b0ceca7849e675a1a6b8f03f5b5c42dd91bf64ff00a769e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
84aff030a6b70d94931b94ca5b1299f3

SHA1
50b806911f67a8458566543e95b7f9e2c3ae5e51

SHA256
4c40ee5fc554cf8751c1719b3ea8015a8492ccc9d18418bc66f75fa06384bf96

SHA512
e51610e550c97c69d68bfe8fdbc35040edb7174f64eafeb3454a6a2ff12e894f746c3bf248079164483a86f8bd6be0911007c5a004f3545cb861ce3893031496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367207940128410

Filesize
44KB

MD5
216ecb8439c566ecbeb26bbba38d8b4e

SHA1
ea25bdcfb8a63603d0f6976050b27084fbeb0520

SHA256
de738b2a73f0b1abe06b303f550d47650acd64ea26a54e1cdb0c2767bcd762d7

SHA512
d28aba88f98b39807a5d1b1a671113a8b2afabe5543f8d6a0d09cec818a578bfac3ab979124a42a36abd09b070189c8c3fa221549ab6df67b90363b9e475dcd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
256B

MD5
3a0f7a7cbfdafc7ecb29590358e66676

SHA1
a1254c866bdd675ee65e006dda99c926d8a3a0ce

SHA256
d36a0ce1a4fb4780cff1b3cad1960f1b83a4aef0fceb4c07fff7ac2c315d15e7

SHA512
31b811fd3948eb36844653907786323733e4f00d540365059a0d605546cc790a0d4b774e147d63799b56f749a3869b7c902a5affbea72762fbf2e2d600058519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
367abcb2d21112e902e1633038169b9d

SHA1
87d7a0799da574b7a362b5c0e3f9f80aac5ae72d

SHA256
e7c702e0a5afce3cee7fee729df70474ebe090640ed3fbac359eb3498b132712

SHA512
310e2afdd33347784263a42218989d38266790db557ea31ad0686b4ba4ef5f8e4432c298bb22cc1a8c20309f13fd773ef125f59ded4768beb39e3fd27a743e8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
a347ad36adc421b9c401d7d6ef97a759

SHA1
c6239e7db3ea9a55092331bf2c9ad5a7114d5e50

SHA256
cd8cd0c0032be6690f45dfa3b86b8dd469016e571fc1bea776761054c152bbed

SHA512
447ef84e1cddda3f75d8f51fbbd37bdec49a2d109598fbc92de9163c31d69ba2243e8ee42fb6bda8cb8f012173a9d10de69c6315050d56d0550322eaf036ae3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
789949fa6bd309675c03f7bc658b195e

SHA1
1f436a509aeff68e81c53ef6fb90a382e8e4e585

SHA256
52cd122377aa2d6c6274f89f2d7010059dfddce83533a89142ed2e357d6bd311

SHA512
bb1a983663bb98d9280db0835226e4084bdf3bb280cf7d8b36e2e9f55406f0fd58a2a31c277d0080b98d8f9a6cac996c1d0a2ea7762efd54f3df0335a1ab1555

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c9bf3464c828b079bcbeb9fb9706dc75

SHA1
8d815d818b77af939551be9c1702075da52b6ff1

SHA256
edbee59fafe6e822f3d7bbe24e78422706af057ae744b0d49158770a6bbae067

SHA512
45ae037743cead113e412ecd895ec6eabf5fd29c36779e6cc8401b2758fc4ed9021a5e4bc1cd478397c513921b5d7724d128c5f270a802a12cd28180c1ec5960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
791643d4770cb203da4b25d0ba18ae68

SHA1
5e30f999eb374d26642cd758b8f2b60e6b97a5d7

SHA256
36a3d534775ee6be7bb14b9e95fe4f6bd839cde7613f9e82d33390c5bce2cb79

SHA512
7cc42bb79c1260e915096a8d7ff4969884eab70de11865739fa7f5a6a6e717b38aa9038c7d00b243be73b33a5a7a42753e9a0af2814ff64e4937921494fad583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
705B

MD5
2932a494e715f5d404b3488818d7b8b3

SHA1
51397eb19a6e2d1dd85ce42baff34ac6b7efa8ff

SHA256
d7ece33892b9d09df758b41de902be6b0e1923b563c7cb43fa847b5784b64e4a

SHA512
b6069ff0a7271140fdf881d93716c834a4ee6e83a899a6a1c43867cfbbb07946c474eee46dc0184b801ae9259e9c62f53bc60585f2c971faeff451efba17c890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
703B

MD5
23df64d0a79f98e5072a322bb30ea796

SHA1
9b3912055a7f2864c8056d884ac2e0fc68028a1a

SHA256
a9667eda693f9c2086d2575ad22d85b54824f4d33a46b85a26fb31b2fe1809f8

SHA512
5e2fb4f3203acadff5419fa05d8fd4488fb84f5aba1a5d063d04cf8201e7581b09f1dae296a4d9f5ef60ecffdc57ad089cb7852a968e03980eef103fcf6a380b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
774e33fabc25890788469864d204c7d4

SHA1
f0d585a8a1fc8f0a90c109d046539f966819a047

SHA256
2f3683e4c44b920e02397ccc3b7b9cf135fb4f964c74d31d8a0ed6e98af6b6b7

SHA512
c81f7637fbd87c0b5349f5d1f6e28e8068c9e8e2c306f3d0df75ba9152d78c166e69f74ac07ec5b763615e3a446b6a122c03c44f77f1a5af57355a682d68dbfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
05487561bbdf0cec8530747233ab1918

SHA1
803398e4cd4219b8b569a9c172e1aa75af0c24fc

SHA256
24b4adfd3560d5b2a61f76c9331f71941e1e6ee38516dd0b8d4b1dc1a806d58a

SHA512
dcbbf90d1ae647ed45b34e71a060404b972fa0063b2bb9c1ff2b95c5de55273348b1b6afbb8d79987d3fc5b4693abfc3475e68de9b9bff293e8a8c6c815ead91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
556b3922a7bdb4cd8aee23cedd35e4f8

SHA1
4f6e569e832a6dc55e6e2cdc330df18cebe804e0

SHA256
5908bdf242384427e993406c6800808f1dc731fa49a5e95e5556b2a630567e11

SHA512
0c859c3cfcad9f7628dacb4a853cbc16960ddb4e5a495a94d39c4e58768769511d80cf4e3d5418eb15e3d92f202ba6274150babe1035bd4676b70609dd0a46b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d3fa2b9f5dc427ce34e0312b7cd75416

SHA1
a0c66ea79b213144a00a6fad9e2f9e52b95c9d13

SHA256
af00bc52d672803276f79d1c738ae164a1163b9fb57669cc7872f2c8dccb95c9

SHA512
ac2d81ba6cd2a82014ad4ee46c8cefc3c442e0e9fe03d13712c529c56906a63e2c85cf9c862e175d40c119b5dfd6b12d1b2d5e958e9753bfe576641f800002f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1ca3a7535314de74f271ef63cf492176

SHA1
cd09f800b92c44a81eb10da8414c37a6f28c96df

SHA256
18080fd506d0572612faf43e7d0500bab01be0cab96b840d5c70db4ed7b02a51

SHA512
daeac275b003d1de2771d8e94ae4d8ed7a46bf57198cc6fa29d328626c972a2fb5b4b551d22e9d002eb4fdd36fc10ee5ccedf13642144cbd49d889aaacf29eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
2cf8de6862c050c7df06c13947dc5ac3

SHA1
f7556630bd300243f5184795bbf0b6669080bfc7

SHA256
7960d322b7b414e1800e529b0048817e13d8011d83fafcaa9d0e1de2386895d6

SHA512
c46b7ae91ce098226f2201b38f3b07be6fab8d5849f855ee1b72bef459c977df2c96f63736d54e5903f57d6e30faa22da17173dae3955fbca2d796074cf153df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2dfb4d19a253546a54f59cdf3f83620e

SHA1
ffef5a7b4d3d7c48e2ba78cdfcb6bad14c9cde5e

SHA256
584e22bfa9f75cb459331cb2b78bbeb1b65ae8b729cfd02618b0f9f268175d8f

SHA512
bee295191fec39f3a44625ef1af6ba6436bd267265d14f623a1b38abb1729bae69b8f1496b99969b9b09d7b12f9b32c8a56e83bff0a8385e00a006c0a0d340b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e843f471f7444daf296b0e1583053de8

SHA1
a802361bfd1bf4d0634530f05226908cb6d2b3fb

SHA256
c0c97cd07cdd75be0b066731ef6614d8e8523eb71f8b28546220e9351d19967c

SHA512
4709e3142ace5830302efc54a3ac8da0836cb24106ebcd63d98e550bc750b3f354843ed546ffa600ef0654c39ed9900fddbb01769f6d5979ca5cbb10842639d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bdc9b618a5b0bb826b26bd90c61b37fd

SHA1
a856938226cdae81f0b533a96d97bbac92f1d270

SHA256
0445b6038b453fa32e37641b70076ea5c9ad4b0ec0f4e6820d211b4ce2838d0b

SHA512
78cd4c5dd02503305d115469f758249b968d1c64d093fae7795ff855fc1cb4bba667a1a9ea82165b6b81ef7a9a19f96620021ead98809d24e5e3b127777caaba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
58e40ed2e91f5e936c1684e4e7eb069f

SHA1
9d6abd42026a44c060890fc7eb262160e4a7ad37

SHA256
258eced1b75084f1b129244936d3aaedeac0101ee8a800d9b0c4d3ed5a628fb1

SHA512
be6665b18b555580cf867aeac7de458af5e240f531f429c255953745a3bb2832c72b90b734929a7391d38e77bc60e6c145f5c124a34bdfcdf22dd0725c56e6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a53569480607c5985b4c0d285c9ebc04

SHA1
8c16065a80a4ec67ad35e692b90e1451f6c0c37d

SHA256
57ce9168432d435efb2308fab3f6dc352056d6117c911a1de38326afe8f46143

SHA512
8ce9176fc7684144fb3db7f2bc5ff765517245d141922f9686913170f016c54c54b31d43a4887b4078b49c8b06ff3552e47386b5babba263247f2d5598a56f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7f5cc3503b83fa2e63df96178127ae9f

SHA1
e9ae0189ca06e19694529c0d96f56ce2f4e8d89c

SHA256
e9713d21b765b80aec145b0085013867d1c639f52fa92511095f661ede3d5c71

SHA512
83fe15cb751e4e9807a3fc1a752f95b2f715d650b8bc4b0756fdaa9630b8b8fa813dc785c7ccb1a1545c9bd62e22a6f9ec7375db328ea1a9bef178cc77930335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
23e60112069f4c135cb0f01a1d6003f7

SHA1
9b86b314dbf4cb20e0f859ca594e64e1d278300e

SHA256
e5ee52f59e1b3032626d491d27cb044336eba21247256bf614e4e8c7bddd0935

SHA512
e0b1c181b3002b9208156598c256c13cf0ae94e79e312b312929a40a3d9d1b1fd9f19bc9c6d8f76f8948b725acaa62cf5ea59402abedd96b1b47209596689969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
84545b4d12649ca24d9c867caf9eba4c

SHA1
c4ebec949452031f48fb7283d5c428156871895b

SHA256
e2af8ce685a3053500b2f2c2516b689e854620c3a2f08ad0e46c60f845597254

SHA512
9174a6bc25706ef48ae3c167f3ff27963153b6327b76a2ae82162ff664b85f4f40566ed4bab5f406e1248aeae13b0ca1efe8614eb942e111a033124f00019532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
642d669ce02bf2932b349bba8b3e0bb4

SHA1
b27c8ec45def3f068c8e33bbd4b295b2eb4730c7

SHA256
1b8c8b268fd763ac29a10e9bc0d40e3cbb2abf5700db7537d6e88648b37482d0

SHA512
6f46426da98d4fbf4ae1e8a3d6d18f730e473db9da8ac42083dda12b941ac69029353c77fa7d71ff0feef27fc39e7792b3ec6857cb37f7c53468fcc5c709432a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
2.7MB

MD5
4371ba4c4d5033497b8d19937049ba43

SHA1
1bb77e7e3c173e481d3648dfbd8117f3552a97a4

SHA256
5091411b5ef3ac1f32c06c3b49c375a6ef2e555d15ba42e37d256ee4722b4249

SHA512
2d1bf70d2548a391cf6dfcb61affad39232336c8474bf8ea27bf7c258007f2f6a13978a6c363a0b124b5f071c226f2ce221224a7a4670415e533627aa1f5c932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
29KB

MD5
025bfcf2af0f8f3322130f01a4e9d8c5

SHA1
fa41af44bbd25d6b9100c6461163994909c661df

SHA256
b7df1f2ca661db80686f4dd1cff056f33a34eb1da6f40b4db2cf5718b0543df2

SHA512
d65e539c31f4cc350aea75bbd7d25ceccfeb3e6b72a46acec6abb777ade7f0be112542f55c2f6208a361da666b0a98433f1f227b971f8651117d8e6899c9236d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
10KB

MD5
93f6a8d04270a0eb2531eed4e84d379c

SHA1
fba2b38dee4f63fd1adce35113cca157d9888bb9

SHA256
f44722d5800905da9400dd5aa6cfe83061a187d5c18125905dc97156607fb572

SHA512
0fc8ac9a29d6b8eaff2db6bd001c353082e0ba2e7b6462f0dbdf4e18c8555465fdd52af4b46cd69dac370d0fed9a0d6445768572dddfda39a1fdcabf063746c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
b8b0e447551e49f8206973d3fcaa4631

SHA1
2316ff31596bd4515370becdb5cf4ca81f580133

SHA256
b16fa0cf97bab60b8834e8f368e86e8a2835c692bdf9767706f624bd2be963b7

SHA512
1fe64e43e924a51e7989bf60a2cdf6af88c4dd69e0f025cd1e0ce7f815101906f818781881f0079056bfc31489ce9b57e3ea5a19bb2029648d5e7b59458948b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
92eda2615473ea54c2041d30bc8dc754

SHA1
6dbf9a28e460183c48580a0232175dcb8f07aee0

SHA256
fb2eeaebc03bc2daef7709ce490f3d3a9a8c95c70cfac6f3017bcb19aa04f06a

SHA512
993eeb58f708de89372d2b7796220064c4e84a97f0587a618ed90f2ff6b6e972ebd60d16bca37403a797c9ba897806001ba9443d17b8d8f66b830eea2f12f7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
126dec42486300223c39e337e7703766

SHA1
44f08a504cb70e04e52a7f716bc102b45c366915

SHA256
00a136394872cb789a7c9ab111f462aac0a6c3ded758077b1917918962813515

SHA512
bc82531f65b2f9e24d13917a2043aa57337ae540791cf158d2f6f0e92d4c6b6750eee654dd10b5feab9f79e09461bddaa9012623d9434d92f87c840a9a7f2efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
426d469fc232d0bf8581f0e53a6613e6

SHA1
a59039f06955716e2b6bbc628f3baa8f6073b49c

SHA256
255eb407adbf35aba6263128c37ff439ce2b129d1547f4eab7530125c47854bc

SHA512
6fa43428a72b0a4be6bab241b2b266840c34f371223e82be13d09b9afcacad46644cf7eb096bcd6ecc722384dbcc831b4a2afa422c28bda6cef11bbe519205e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
79ffba4b3f498bb4ddb7e14499da57c5

SHA1
31f5e7dda09f62f558c4dab6a331f1a0a5b85efb

SHA256
fa86b65de040f3b3a056c8156503c77a17f1fbb1f109f47d89cf52945aad1d26

SHA512
ae9fa73cafa64cfdcfa926d7e76b8b5fc03a8fb5267017bc0cdefd7c73bfb574df65acf0029cb9166943989a6319c93b53debad4d8297744e21ce0098f91bead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f7a017a01fae9bb545b56028ea448bb3

SHA1
666f5c8d02983c11e14ae1d5e25484988516c732

SHA256
df30a34238950440f50f08fd00c7c22ec81ea020cee55a1f235f5129ce29eafe

SHA512
41a1a023b9b045675d60ac7c27a6ef967d96f16d47381f091c75e24476be24afb4d675a5fb6f94bbc5305a4190a9d69b8ac56665882a4ce35b7301b99369aa8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
122b2223e105d704bccfcee80b21cba8

SHA1
83db67b5e3b7c630ba4668a390b36730022298d1

SHA256
1fd7fef0a174234fa160246fbe627345e39cae882293152cda7191e16c0a5529

SHA512
b55102eaf16a148509a8fd706ea4d81a0a79bbaac5c7b76cc1494a57bc990162f66d07d74c8a6f2d5f0ff9e91d67e0770cbdcbbd1b4fbca4ed6a64f5e2bf5c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
25d225b77f05cc03835450fd844f2015

SHA1
b4f1e42281a8aefcd2455eb4213d3a4f2623df81

SHA256
1bc3cd5805c550699c1aea02e74b793849485ed2bf70ab17aa7fdf3a58b8bb2a

SHA512
5a4f1576ebf0910bcc9e5f309ecae0832339982971583ab44392dd253704011c277deea257d0bd934e04e92570eaf3bf7fa5cf9ee837e2eb49b60542ca641b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6a638766abaa93ee997730557349369e

SHA1
fc669a5386f461727036623d264facc30f0e0982

SHA256
bad3c63e465285db5cf1004c62fe1c4e1d6bdff70bbc3c22385b39cb01f97143

SHA512
37a87817af0493fd6045622cb726aa9eb348534f5cc83ed4d3a8323e196fe34b4414c5ded4a379b18fab5b6d3e0013169a91d63fc26c7a113b3678710073e2ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fbb73095a472be3e760f972da5786963

SHA1
e0f21c68ad671847978666d892a36b619856a520

SHA256
5852e231f83b7e538e0641f4bbfc72a86d92aba3fd344b745d554da9c40e5a39

SHA512
cdf2be3c6b4ee4bdb38905fcf9bc01a18ac51fa0c1cbf1c0a91dd74548280b6776ee9f381697947d06fd94bee786bdd8955749a26d8936f915c12ae163013d33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
05c6866180b570e8168dc7c5f4ab1295

SHA1
b7234a3ff64c22b427319afe0708e80f8807f9ec

SHA256
d3d70359025934e676ca999040d2817c3865e50c1e1323d1ea26f32c3442f214

SHA512
18197e40afe2d3bb9c385b0efd50dd21fb71f74b4292a96a1e8893e48368ebe106f7e95d31a28926471a1de6614352dcc7ffa8c9c5deeead282f1b01a50c3ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2a22c48d8fc4783f9a8b448b350f6200

SHA1
d1cb88e31b15d6d5c05b39e254b372203ffcb30b

SHA256
904ee19c9e4e4f98c9ddb6a19a9578ba4af639dd1bf989867ba54511108ef2ca

SHA512
43a0ec28456f102de3653073d02a446dbbb0f40deed141d219975a9826d3bee2fb243a4407035ea2fe2062b1cc72b0da33dbdb79a74d1f136528845f21f7e346

Download Submit
C:\Users\Admin\AppData\Local\Temp\.zip

Filesize
7.7MB

MD5
458b2acc17a21f5e559bb2056e9a8771

SHA1
b2e69b9cb341d8f24a4273f474ec30dc92010f95

SHA256
b7fd2814486179a8e7840de432320a4e6112edf78f475f43ce1bf49a396fb63d

SHA512
3d2a04202129245f1baa8610bf70dd33989ec3a2c27ade7a2d6450d45d7b41c780673f018b07aea2c8adf867de7af47ba4c2aa48a4b3ffb2b257383f51fffcb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AutofillData.db

Filesize
112KB

MD5
f4674d3ceeea61a1ec410ea61c4bf3a6

SHA1
9d0a41500a93240f259b184a820e7be98de5d256

SHA256
98c1329c1abacd584651da059050157e124c707d187aa9753f5a14adf21a98d7

SHA512
f1ee694260aeee9d0f3480aab6f11dfeee8b348c2b49932203af8093fa998189e345c60af08d0d164e2dcf8e3bab9aa84db90044a90aa0fa9bb2b9d1bf2b12d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\DownloadData.db

Filesize
116KB

MD5
e59fe24345d89b7bd8d5babd46600224

SHA1
61151df1cd1877f3d1980962f5c7ad8569fd1437

SHA256
6dc3dbba8dfa080f4fe7f96b325c8a4fc43aee79c3ab82e1c4007d597262c33f

SHA512
e01ad82be2ffb08f805cf7ef8d038e80dffb585342bc8b79aa61a41dd924b170f74defd9cd4d5758d478d7e540cd566cfa1fe5be93776223abc826dd60bcfee3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ApproveRepair.docx

Filesize
15KB

MD5
bfb55a427f8370cf15708154100a4bab

SHA1
76a435d6244783af5c8ce38a711ac311ba447edb

SHA256
734ece633472410949f7f35a452f84cd0bef60d7733c65f510533eb46ff0d567

SHA512
88aa612b9e515c2154012b8c1ddffe1f69c5072b663b3c2ab677a4add4ae16f0d697066cd79d517bd6ea31c05e39e4868c139acacd3e29f96a178e72763b4859

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CheckpointAssert.xlsx

Filesize
11KB

MD5
46e7bfe17080a2e5ff16d08d11d29d07

SHA1
f019346726ac42d4570b2d4a4fe897409326ee62

SHA256
7ec2a099235f751c0fe1ae2981ae08fbe31e3a12cbd278cbc51931c50482def4

SHA512
08815891c12151b141799e878b99fcfce96eaad0216eb48ffef781b5ce924a464afa5e4a15ca27655ffe6ae224a9a8e086118e8088c6c846fcb30d68f77270a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ConfirmStep.xlsx

Filesize
12KB

MD5
0757035453cce2bda2a547e5bbc2ad23

SHA1
ce1f5e7fdbb4c1c3bc3e8ba299d902ac8ba4ea6e

SHA256
ce7edccfc442f742d2509435fe77fa5c2f64035dfc2cb5349cdf0379c87cb2f2

SHA512
c351179ddd2e1d5d8e0713d0ec9aaaea2ee6746b5c7174deb3faa4b3ed74848758a360167cf689233b6dfa614fde1f2901e7f9bcb18ae8f159aeb40de2ab17e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\HideAssert.xlsx

Filesize
13KB

MD5
2a30382227bad8b3b494e45bc7dd743f

SHA1
a9d4bf47049967f6b6638008650b21b9e2806490

SHA256
b4d553cf77439cc165a59d31d68f3ebc1053fb9c370f187caf2c5e54d0bc8025

SHA512
1dfaefbef70cf6a1a56f8fd2f1036c38cf9616e0c5439650e6b2c649c9133c841ebaa96b49a17273537ee76dc64de79789a6d3b3f820bc3e4a505b2f5f806899

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SaveSync.xlsx

Filesize
487KB

MD5
0f8ec512364729eb6365cebb9989cf5e

SHA1
5b71dbc09478bfd135ab4feba7348aa408f1959e

SHA256
2817373f008f6d0eb6eb1c4759969c7180671633b27fcb32352547c5797e1d08

SHA512
86a6957be23d53c9486756b755c91319b61bd479c336707bbdb6bbdf26c98895754a41f8172e17293b74139f9872c30fcca73cff791490117b712d8503d3c01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SendClose.xlsx

Filesize
9KB

MD5
1e60704c915230fadbb22d0a135e49ad

SHA1
d161dd7a2ed18a7e6b649f0e08ccdb7bbfd6d83d

SHA256
887b4db8f83f1ca4ebaaaa61089fd70e9b7f52455d4d2066ec5f743abb3e7b9a

SHA512
639aaa259824873bad94842b50aaca050f76ea1655666d16aa3d051343d83348532a1c9a456f64eac0eef135cdecb905252956c4be4f6de49bb9aaa733a2a539

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SyncDisable.docx

Filesize
17KB

MD5
a5fb6c01bbced45bf55e84ec1d3abf47

SHA1
68274d9ea65330ea0ad745fa18d38e5ba7d6c9cd

SHA256
9f932c13fa3d0b6ba54abbf6383680d3cc10963147a93f037c766f42eb09d2f6

SHA512
1055d259b0eb114da1df8a8b37ebf7653b1d40d78f4d2e2b7a5d89073c471974945b3795380597dac9b7767919d203524cb0f6161a5eb05461a61619023c3931

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnlockSelect.jpg

Filesize
445KB

MD5
4d920308e49464150052455c2ba64d6c

SHA1
0cec832288fcaf00449a2ed29bc1c3bef77450be

SHA256
f28dd91a4ebadf1301c3846e7aff735d2f8578eb281fb1ef2b1274caed48418b

SHA512
78bb8ac8c1e132774f3e7337ace4304eac237fe15864008100c71843c505d28479e45f3dabe4ec8073814a13389ab4587c68dcba4282a0999a0b2ffb5d8de734

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupExport.potx

Filesize
182KB

MD5
609c77975079c7ad9adc1c3cce30fb36

SHA1
93238f23fb75dbf75da1210f3997c151d4df6fc5

SHA256
0730ad06e7633443b36bc0c87308386c5b5d751c0bb866aa30cdf4c248d826d2

SHA512
80d0232a2db44f834029d4ff7cdf17bf44491127ecf264ef006f1cae2d08423c0405318fe16587589d2f4639df470998c24a124dd3de9cf8ef21c1850082c3ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupSet.xml

Filesize
260KB

MD5
4c7c7a8e1579c0e4ba864ca44774f268

SHA1
498820b69264a3c4c628bf5a8aa4fda28e2dc5cc

SHA256
616efddafc731f6c63e57ab5c0a0f9b556d32a25da73f25e44e5e378e6199252

SHA512
44523a1834b1aa5ad40fdb7f44dea73ebe00bf2e60a6223cc8c83b39c2a5b71f1027acd47a9a8f8bbc3565b13fb603d96637bd85d4cff6d3d184cdafa6d3fb83

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EnableDebug.xlsx

Filesize
12KB

MD5
1c98dd86fa6963f7b759eca7e8a1b0ae

SHA1
609f8d6c5dd2b16409a81f4eae4eef94e8da1780

SHA256
0759623729f446d0ae5bd140fd820e067322403d4054118703cae8937fa45295

SHA512
d89872b225d9d4fb55d9b4ccb6784c43fb85369ff56544c6e27d2650eb5352182cb14eeeb89ea3f4a8411cf7360cfca50dd12e45fa06ba9df65ce6bd51e4e91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ReceiveRepair.csv

Filesize
304KB

MD5
6c62421630ea662c7802cd8ba0479546

SHA1
a3b2da17c60b9f5245026214fca61e968e5de5e5

SHA256
cc2601c8762230762b59f486d86673e148e8ce76eaaf2af6e0714fedbc333af2

SHA512
966e5605a68ddeb7de6a0485f39d529395689bb4d05c2fa3b0ca5131870e452f11e734cba95cc6e5ce7f111ebc07ca50a61fcbed42e0228ccf563fbf5c112c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RequestMove.xlsx

Filesize
12KB

MD5
b8a9d8f7dff668e001a58fdf2f30bca6

SHA1
1b4fe280c947edb3368c01253fc0b03080ecf35c

SHA256
85cca9951e19748e3b5d7f55ac2f81ee80a857644925fbf8372dd3779f67440f

SHA512
9c9bf3e7a50fcd098ea4999fae33a964ecdb0908ba5664d95849b2172cd22668b8e09d9453d3ca72482cb7db4dea80d8e85c84727768ac163bc2a9e81e408754

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\StartMeasure.xlsx

Filesize
12KB

MD5
0a85ab952738408c36c05a2723f24426

SHA1
4024891a340fca942ccad545ecce15853fbb699e

SHA256
cde8814ee8d81eda8148644784ed820beccd4a7ef277c99075f7296e308f34cc

SHA512
2b16c635723675a4ecc7cefd324fa398ba52135b9cd5fededf6911b3a3106f6c1a642df33426874804153d72adc805d31b1432920dc15f90e2bee75ee2e87a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\CopyLimit.jpg

Filesize
230KB

MD5
7b915ba085b52de4640d41c873316207

SHA1
2e47463c4cf6948f755d5bd19b96393e68654d67

SHA256
e9095eb36328ab2f1c874f39863a49cb677889f7ee3d5f2db1806363e0d32898

SHA512
0c625fb0126ff7ec68ae068d7e0787cd15d74b1a3c40f20bea9be9a8b3f00d1cc5cff6817a092626852eee14691d82d84605b6fd6854aa0bac2df10cc8b08df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ExitShow.txt

Filesize
362KB

MD5
1dd31997c5760ab7f2ba9707f3d8efda

SHA1
2103fa5c601e617df1f91b08e1b32f5acf0c5151

SHA256
2407b2f16840b3a9bb766507aa30eaed6fdd16508d5c0cc304503fa9e51b4fc9

SHA512
f932b6c829a728895cd8fb9bfed7c04dc771f9bd247f418611c641fffdd2ad9e35e34615112d7236d04c4aaa48c3cbf6c641d610248d7f272d9c11e1a2161c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ResumeAssert.jpg

Filesize
249KB

MD5
f1f6d4d99c0799d4a3d0d40d64cc89e6

SHA1
8f05ac84f785ed2a9b57f9fd3d9d77fb5960d6e2

SHA256
e449b6487fc6d18375f58f6b9e7f7cf6b00036e12b4638318b12cccb1f8e4889

SHA512
4d5b4ccbdcc3e5626cebde435b6b061bbae73b67cd73fc745de1f6e7ae82327430e2b2b90a8c2003684cdf2cdbdc672373ca4398cafae313ad8325a9dbd08210

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SendBackup.3gpp

Filesize
390KB

MD5
7fb6c53e031e175c0779a3c7cf28bd9a

SHA1
232df5ee12440fed2e7e1e600208f59ee3133474

SHA256
a8e0a243d271bb4986935dff92c031ebe25b747288c5a80845f0a93173c47485

SHA512
8abfd6ef1c4355dfedd5825a6d8744a39b9db00e0d75cc841851a0b09820c0e710e8d4b409e353d2ebc1c71a1891b6d639e2c164613daf3cbe688c6787b4b726

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ShowInvoke.xls

Filesize
258KB

MD5
5ca6c0ef28bf52f8aba02aea351411ac

SHA1
295004fce8641cd65975c00861ec99ccf72bf9e2

SHA256
9f732ceed5c07f8353c149c308dc70bc2fe7b301ceaccd92f062de52e1740da0

SHA512
76d78339ef10830b78feb27053f9ba3bd49ff24748eddd05c9fe18e2a42815f89c179e57f4c02abe55f2c778ef86f701c8ff628e468860b9a841ef3ffc27d606

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\AddAssert.mp4

Filesize
357KB

MD5
185972f32c31bf4093a37f0f1e2f9951

SHA1
6b9e5753604f673e6ddec4d383d405c066d57b4f

SHA256
d692a6a8f9f035676db8b9577f95611f984c8a1597944508c9bda6287f03ee4b

SHA512
faec220839c086828de74fc714903cd6c1f10b305ea4e03e515a32d5b28d5be519183d045f0bdd74df9e6a33a5fcee03f93d95204fe9aaf3ba2bc0802d6c9dcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RenameBackup.vst

Filesize
219KB

MD5
78a98bd3be040653a93ce6ea345d4b47

SHA1
bfa5759f1438f28a63fcbb8e549406a1ff2af2e6

SHA256
429c5d28d21655fbd3413569d4595757f129fef15c891b6e58cd5818fb4f27c4

SHA512
d1c848c7ecc4c5fcc2a3cfb21ea8126ac3fe8f8ab62c839846941c4306001596d7de218292449b726ec9133f40ee3c835003d6e63ebd942940fb535abdaa488c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RequestAdd.xls

Filesize
557KB

MD5
e0a53b204a294aa9651e8965c8d1c389

SHA1
0b7ef80d0eaa67f71c5994c6d4ac53a52454874a

SHA256
000c78bb81436ce14e8f092813f8a3386c9436df669806c0c5b4b85854838712

SHA512
0511f589eca5c0cc89ed57e67ea06aadf4323e49864a8f7cf594bf422bf8bd0e096d27f048cf1b650852d0da1be9d2829f2e5eec8732b26ad253bd6cac382f16

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\SetClose.jpeg

Filesize
294KB

MD5
d6301dc2475b3a9f1e5ef2225a4a1e10

SHA1
d8409ac61a3533de8d68996c643fdc2050bbe8c5

SHA256
54636097b59de20504950c156b93682d905feb915f973346da03a97e2148b4f7

SHA512
145a3aa346584ea3c302be61bd438c216e17cabcb0450d87ea9051bcdcc3caaeba4339c4d8e0f3f745ae52e3e49d92e927992711a2f8017d362fed72c2399a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupRedo.tiff

Filesize
394KB

MD5
e9e965e22e537a7f5ac8ef43e9e3d755

SHA1
d86409d9f73daffd4c374be05beb47f7b39ae572

SHA256
2d5291bbe8363b3c2aa7953c5be4c2587334f80f770a5d1176ac27ff891a41b9

SHA512
ffc7b89c66ddce54259f65eb15768ae96d65c2018b8b514f4a76a68b63a6a8c714bae8fbbf73c89d92f89497ed56c9812663998bdd883b3b50fba74ba5dbc1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupRevoke.pcx

Filesize
680KB

MD5
054151ca59ec955a081dadddd1ecc71e

SHA1
2a3284fb9bc7953c560a16f5d65894049ab8e287

SHA256
a074ff6470d78a13356a83cdaa4a2801c822fea37a3419225da8787cc9f7067f

SHA512
c60e34a4bc381b3077550befda7db5b3fc5b68a6f5395436097bb8a6f14f65ff988877d3ea785a952a22eaf82a6cf046d4638d75c8549e6d4221b9e0a822a5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\RenameRemove.jpg

Filesize
573KB

MD5
37a3758ebf971522c99bc8662d2a6dc7

SHA1
938dcf06eccfedb76a761cb0360c51e0e272a8c4

SHA256
9f339f0653f3e7ea241f73cff806931642d24a60d57669be0857d388ee5c3c84

SHA512
7d63aeda44c06bf0aedc3464b740b3e5d390417c24b92f647720d3f051c14548ddeab947e9b152a5beaabc7f313ae98e380a81015aee70cd22761ab353e2fd6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d4fnorl0.qch.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\Downloads\Fortnite-Account-Checker-master.zip

Filesize
4.3MB

MD5
9590dd4170f596c8d8ca283d6e4c650e

SHA1
cd40e65b7520ff07bfdff6018f607424155cb68f

SHA256
1eabeccd65c80fe084cfb6a97331ff6bfd2ca6d551a9032353d28e426df48b5e

SHA512
cbf5a407b531046a2b70ea547bf8e2c1da7704f975f037de35c2588c86627e7166e3d7f31a24ca45c6667bd5d49545460252d4753ce3474d4fc6ec2439acdf92

Download Submit
C:\Users\Admin\Downloads\FortniteChecker.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 41803.crdownload

Filesize
5.1MB

MD5
2490d7de4c8c109b6a2432833e56986e

SHA1
62266c7ae074702cdeb40fb208cfbbd53939f54e

SHA256
6200bbd5560e22c3a1bc32c79a61baa7aec0b388299634725ae1e05208535112

SHA512
5ae69287f4918cc030e49942f08f00bb0b8a7dab48f74417729bf617834db98399d0891837b1f7c2b914d030b7c890f7a264f3a45eccf29b3096463ac8020721

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 975502.crdownload

Filesize
1.3MB

MD5
182a0d1f7d720f1e6c1cd7f86e5c8a54

SHA1
76963010d20dae57d4b7844573b674bd34feb6c5

SHA256
811015513a1fa5123789f5a681dd5c8a05cf56e68760d65730c3853a72a20816

SHA512
dccaaa9e4e3503d7da5faddf2e740d6455c136944e18f3fadcf63fd48120c67ea59afc17cc34ab27638b43636eb6f30444cd2bf8757842badd4084d3e3477a72

Download Submit
C:\Users\Admin\Downloads\YaraReborn.zip

Filesize
11.3MB

MD5
cc149ed422ed5ed3c9227a915c933af5

SHA1
f24d8f9504d12fd850810ad64376395e21d27144

SHA256
f02ea44d31cc9cf82ed0b50f2e0a18c69114b4bb5afb7cdf3c83cd7a80ad05ad

SHA512
d6aab60305af29c99c659ec3abf2772a88e4aa62087acb70e4987ba1ae931add9f84f115c2e981ba89637964ff5e9471704ad3e8205c2f82249325e1a8a77a3c

Download Submit
C:\Users\Admin\Downloads\openbullet.zip

Filesize
5KB

MD5
5853c93ce01b18b6206703cfa62aaae5

SHA1
ee7407f1cbeecdf89a11613aed9463e017a8712f

SHA256
705434d8601fb4c1cfacc03474ac066006528b60abdc6006ffbbb1f29a947c46

SHA512
dfb0f64d01756831af95619e4a64c96ad42a5675ccf735fa8305e8f5ec6fc2e9205124e58d350adcc49dc82d073f42951d3cc30a6e2277a30a2a8b16b4d78914

Download Submit
C:\Users\Admin\Downloads\openbullet.zip:Zone.Identifier

Filesize
52B

MD5
dfcb8dc1e74a5f6f8845bcdf1e3dee6c

SHA1
ba515dc430c8634db4900a72e99d76135145d154

SHA256
161510bd3ea26ff17303de536054637ef1de87a9bd6966134e85d47fc4448b67

SHA512
c0eff5861c2df0828f1c1526536ec6a5a2e625a60ab75e7051a54e6575460c3af93d1452e75ca9a2110f38a84696c7e0e1e44fb13daa630ffcdda83db08ff78d

Download Submit
memory/1080-864-0x000002073A940000-0x000002073AA43000-memory.dmp

Filesize
1.0MB

Download
memory/1080-860-0x0000000180000000-0x000000018001A000-memory.dmp

Filesize
104KB

Download
memory/1364-2695-0x00007FFFF7550000-0x00007FFFF757D000-memory.dmp

Filesize
180KB

Download
memory/1364-2699-0x00007FFFFABD0000-0x00007FFFFABE9000-memory.dmp

Filesize
100KB

Download
memory/1364-2703-0x00007FFFE8620000-0x00007FFFE8793000-memory.dmp

Filesize
1.4MB

Download
memory/1364-2701-0x00007FFFFAA50000-0x00007FFFFAA69000-memory.dmp

Filesize
100KB

Download
memory/1364-2696-0x00007FFFE60B0000-0x00007FFFE6698000-memory.dmp

Filesize
5.9MB

Download
memory/1364-2697-0x00007FFFF7580000-0x00007FFFF75A4000-memory.dmp

Filesize
144KB

Download
memory/1364-2698-0x00007FFFFAEB0000-0x00007FFFFAEBF000-memory.dmp

Filesize
60KB

Download
memory/1364-2700-0x00007FFFFAE30000-0x00007FFFFAE3D000-memory.dmp

Filesize
52KB

Download
memory/1364-2450-0x00007FFFE60B0000-0x00007FFFE6698000-memory.dmp

Filesize
5.9MB

Download
memory/1364-2702-0x00007FFFF7520000-0x00007FFFF7543000-memory.dmp

Filesize
140KB

Download
memory/1364-2455-0x00007FFFFAA50000-0x00007FFFFAA69000-memory.dmp

Filesize
100KB

Download
memory/1364-2456-0x00007FFFF7520000-0x00007FFFF7543000-memory.dmp

Filesize
140KB

Download
memory/1364-2457-0x00007FFFE8620000-0x00007FFFE8793000-memory.dmp

Filesize
1.4MB

Download
memory/1364-2458-0x00007FFFF7550000-0x00007FFFF757D000-memory.dmp

Filesize
180KB

Download
memory/1364-2453-0x00007FFFFABD0000-0x00007FFFFABE9000-memory.dmp

Filesize
100KB

Download
memory/1364-2454-0x00007FFFFAE30000-0x00007FFFFAE3D000-memory.dmp

Filesize
52KB

Download
memory/1364-2451-0x00007FFFF7580000-0x00007FFFF75A4000-memory.dmp

Filesize
144KB

Download
memory/1364-2452-0x00007FFFFAEB0000-0x00007FFFFAEBF000-memory.dmp

Filesize
60KB

Download
memory/2516-2221-0x00007FF802FB0000-0x00007FF802FD4000-memory.dmp

Filesize
144KB

Download
memory/2516-2680-0x00007FFFFAAB0000-0x00007FFFFAAFA000-memory.dmp

Filesize
296KB

Download
memory/2516-2336-0x00007FF802FB0000-0x00007FF802FD4000-memory.dmp

Filesize
144KB

Download
memory/2516-2347-0x00007FFFFDC40000-0x00007FFFFDC55000-memory.dmp

Filesize
84KB

Download
memory/2516-2348-0x00007FFFFC6D0000-0x00007FFFFC6E2000-memory.dmp

Filesize
72KB

Download
memory/2516-2335-0x00007FFFE7230000-0x00007FFFE7818000-memory.dmp

Filesize
5.9MB

Download
memory/2516-2343-0x00007FFFF76F0000-0x00007FFFF7863000-memory.dmp

Filesize
1.4MB

Download
memory/2516-2345-0x00007FFFFA410000-0x00007FFFFA4C8000-memory.dmp

Filesize
736KB

Download
memory/2516-2352-0x00007FFFFAF80000-0x00007FFFFAFA2000-memory.dmp

Filesize
136KB

Download
memory/2516-2354-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp

Filesize
100KB

Download
memory/2516-2222-0x00007FF802D00000-0x00007FF802D0F000-memory.dmp

Filesize
60KB

Download
memory/2516-2355-0x00007FFFFAAB0000-0x00007FFFFAAFA000-memory.dmp

Filesize
296KB

Download
memory/2516-2223-0x00007FF802CE0000-0x00007FF802CF9000-memory.dmp

Filesize
100KB

Download
memory/2516-2220-0x00007FFFE7230000-0x00007FFFE7818000-memory.dmp

Filesize
5.9MB

Download
memory/2516-2359-0x00007FFFE6BC0000-0x00007FFFE722D000-memory.dmp

Filesize
6.4MB

Download
memory/2516-2360-0x00007FFFFAA70000-0x00007FFFFAAA8000-memory.dmp

Filesize
224KB

Download
memory/2516-2362-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp

Filesize
100KB

Download
memory/2516-2346-0x00007FFFE8CB0000-0x00007FFFE9025000-memory.dmp

Filesize
3.5MB

Download
memory/2516-2325-0x00007FFFFAF60000-0x00007FFFFAF77000-memory.dmp

Filesize
92KB

Download
memory/2516-2324-0x00007FFFFAF80000-0x00007FFFFAFA2000-memory.dmp

Filesize
136KB

Download
memory/2516-2228-0x00007FFFF76F0000-0x00007FFFF7863000-memory.dmp

Filesize
1.4MB

Download
memory/2516-2308-0x00007FFFFAF30000-0x00007FFFFAF3D000-memory.dmp

Filesize
52KB

Download
memory/2516-2225-0x00007FFFFE230000-0x00007FFFFE249000-memory.dmp

Filesize
100KB

Download
memory/2516-2227-0x00007FFFFDD40000-0x00007FFFFDD63000-memory.dmp

Filesize
140KB

Download
memory/2516-2224-0x00007FF800430000-0x00007FF80043D000-memory.dmp

Filesize
52KB

Download
memory/2516-2250-0x00007FFFFA410000-0x00007FFFFA4C8000-memory.dmp

Filesize
736KB

Download
memory/2516-2257-0x00007FFFFA260000-0x00007FFFFA37C000-memory.dmp

Filesize
1.1MB

Download
memory/2516-2256-0x00007FFFFAA70000-0x00007FFFFAAA8000-memory.dmp

Filesize
224KB

Download
memory/2516-2255-0x00007FFFFDC40000-0x00007FFFFDC55000-memory.dmp

Filesize
84KB

Download
memory/2516-2252-0x0000027FBEB90000-0x0000027FBEF05000-memory.dmp

Filesize
3.5MB

Download
memory/2516-2254-0x00007FFFE6BC0000-0x00007FFFE722D000-memory.dmp

Filesize
6.4MB

Download
memory/2516-2253-0x00007FFFFAD80000-0x00007FFFFAD9E000-memory.dmp

Filesize
120KB

Download
memory/2516-2251-0x00007FFFE8CB0000-0x00007FFFE9025000-memory.dmp

Filesize
3.5MB

Download
memory/2516-2245-0x00007FFFFDD40000-0x00007FFFFDD63000-memory.dmp

Filesize
140KB

Download
memory/2516-2246-0x00007FFFF76F0000-0x00007FFFF7863000-memory.dmp

Filesize
1.4MB

Download
memory/2516-2247-0x00007FFFFAEC0000-0x00007FFFFAED1000-memory.dmp

Filesize
68KB

Download
memory/2516-2248-0x00007FF800420000-0x00007FF80042A000-memory.dmp

Filesize
40KB

Download
memory/2516-2249-0x00007FFFFC6F0000-0x00007FFFFC71E000-memory.dmp

Filesize
184KB

Download
memory/2516-2244-0x00007FFFFAAB0000-0x00007FFFFAAFA000-memory.dmp

Filesize
296KB

Download
memory/2516-2667-0x00007FF800430000-0x00007FF80043D000-memory.dmp

Filesize
52KB

Download
memory/2516-2677-0x00007FFFFA260000-0x00007FFFFA37C000-memory.dmp

Filesize
1.1MB

Download
memory/2516-2682-0x00007FFFFAD80000-0x00007FFFFAD9E000-memory.dmp

Filesize
120KB

Download
memory/2516-2684-0x00007FFFFAF30000-0x00007FFFFAF3D000-memory.dmp

Filesize
52KB

Download
memory/2516-2683-0x00007FFFFAA70000-0x00007FFFFAAA8000-memory.dmp

Filesize
224KB

Download
memory/2516-2681-0x00007FFFFAEC0000-0x00007FFFFAED1000-memory.dmp

Filesize
68KB

Download
memory/2516-2344-0x00007FFFFC6F0000-0x00007FFFFC71E000-memory.dmp

Filesize
184KB

Download
memory/2516-2679-0x00007FFFFAF60000-0x00007FFFFAF77000-memory.dmp

Filesize
92KB

Download
memory/2516-2678-0x00007FFFFAF80000-0x00007FFFFAFA2000-memory.dmp

Filesize
136KB

Download
memory/2516-2676-0x00007FFFFB2C0000-0x00007FFFFB2D4000-memory.dmp

Filesize
80KB

Download
memory/2516-2675-0x00007FFFFC6D0000-0x00007FFFFC6E2000-memory.dmp

Filesize
72KB

Download
memory/2516-2674-0x00007FFFFDC40000-0x00007FFFFDC55000-memory.dmp

Filesize
84KB

Download
memory/2516-2673-0x00007FFFFA410000-0x00007FFFFA4C8000-memory.dmp

Filesize
736KB

Download
memory/2516-2672-0x00007FFFFC6F0000-0x00007FFFFC71E000-memory.dmp

Filesize
184KB

Download
memory/2516-2671-0x00007FF800420000-0x00007FF80042A000-memory.dmp

Filesize
40KB

Download
memory/2516-2670-0x00007FFFFDD40000-0x00007FFFFDD63000-memory.dmp

Filesize
140KB

Download
memory/2516-2669-0x00007FFFFDED0000-0x00007FFFFDEFD000-memory.dmp

Filesize
180KB

Download
memory/2516-2668-0x00007FFFFE230000-0x00007FFFFE249000-memory.dmp

Filesize
100KB

Download
memory/2516-2644-0x00007FFFF76F0000-0x00007FFFF7863000-memory.dmp

Filesize
1.4MB

Download
memory/2516-2639-0x00007FF802CE0000-0x00007FF802CF9000-memory.dmp

Filesize
100KB

Download
memory/2516-2636-0x00007FFFE7230000-0x00007FFFE7818000-memory.dmp

Filesize
5.9MB

Download
memory/2516-2666-0x00007FFFFAFD0000-0x00007FFFFAFE4000-memory.dmp

Filesize
80KB

Download
memory/2516-2665-0x00007FF802D00000-0x00007FF802D0F000-memory.dmp

Filesize
60KB

Download
memory/2516-2664-0x00007FF802FB0000-0x00007FF802FD4000-memory.dmp

Filesize
144KB

Download
memory/2516-2663-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp

Filesize
100KB

Download
memory/2516-2685-0x00007FFFE6BC0000-0x00007FFFE722D000-memory.dmp

Filesize
6.4MB

Download
memory/2516-2647-0x00007FFFE8CB0000-0x00007FFFE9025000-memory.dmp

Filesize
3.5MB

Download
memory/2516-2243-0x00007FFFFE230000-0x00007FFFFE249000-memory.dmp

Filesize
100KB

Download
memory/2516-2240-0x00007FF802CE0000-0x00007FF802CF9000-memory.dmp

Filesize
100KB

Download
memory/2516-2241-0x00007FFFFAF60000-0x00007FFFFAF77000-memory.dmp

Filesize
92KB

Download
memory/2516-2242-0x00007FFFFAF40000-0x00007FFFFAF59000-memory.dmp

Filesize
100KB

Download
memory/2516-2239-0x00007FFFFAF80000-0x00007FFFFAFA2000-memory.dmp

Filesize
136KB

Download
memory/2516-2235-0x00007FFFFC6D0000-0x00007FFFFC6E2000-memory.dmp

Filesize
72KB

Download
memory/2516-2236-0x00007FFFFB2C0000-0x00007FFFFB2D4000-memory.dmp

Filesize
80KB

Download
memory/2516-2237-0x00007FFFFA260000-0x00007FFFFA37C000-memory.dmp

Filesize
1.1MB

Download
memory/2516-2238-0x00007FFFFAFD0000-0x00007FFFFAFE4000-memory.dmp

Filesize
80KB

Download
memory/2516-2226-0x00007FFFFDED0000-0x00007FFFFDEFD000-memory.dmp

Filesize
180KB

Download
memory/2516-2229-0x00007FFFFC6F0000-0x00007FFFFC71E000-memory.dmp

Filesize
184KB

Download
memory/2516-2232-0x0000027FBEB90000-0x0000027FBEF05000-memory.dmp

Filesize
3.5MB

Download
memory/2516-2231-0x00007FFFE8CB0000-0x00007FFFE9025000-memory.dmp

Filesize
3.5MB

Download
memory/2516-2230-0x00007FFFFA410000-0x00007FFFFA4C8000-memory.dmp

Filesize
736KB

Download
memory/2516-2233-0x00007FFFFDC40000-0x00007FFFFDC55000-memory.dmp

Filesize
84KB

Download
memory/2516-2234-0x00007FFFE7230000-0x00007FFFE7818000-memory.dmp

Filesize
5.9MB

Download
memory/3480-1781-0x0000000000420000-0x0000000000942000-memory.dmp

Filesize
5.1MB

Download
memory/3480-1782-0x00000000053E0000-0x000000000547C000-memory.dmp

Filesize
624KB

Download
memory/3480-1783-0x0000000005AD0000-0x0000000006076000-memory.dmp

Filesize
5.6MB

Download
memory/3480-1784-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/3480-1785-0x0000000005480000-0x000000000548A000-memory.dmp

Filesize
40KB

Download
memory/3480-1786-0x0000000005520000-0x0000000005576000-memory.dmp

Filesize
344KB

Download
memory/3480-1787-0x00000000056A0000-0x00000000056DA000-memory.dmp

Filesize
232KB

Download
memory/4276-2309-0x000002A320BF0000-0x000002A320C12000-memory.dmp

Filesize
136KB

Download