revengerat | hxxps://papers-please[.]en[.]softonic[.]com/

Analysis

max time kernel
215s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2024 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://papers-please.en.softonic.com/

Score

10^/10

revengerat wannacry guest defense_evasion discovery execution impact motw persistence phishing ransomware spyware stealer trojan worm

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x000900000002371f-1362.dat	revengerat

Downloads MZ/PE file

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDFFD7.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDFFEE.tmp	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 7 IoCs

pid	Process
2720	RevengeRAT.exe
5700	WannaCry.exe
1488	!WannaDecryptor!.exe
5752	!WannaDecryptor!.exe
5380	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe
4452	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
642	raw.githubusercontent.com
643	raw.githubusercontent.com
659	0.tcp.ngrok.io
684	0.tcp.ngrok.io
695	0.tcp.ngrok.io

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
287	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2720 set thread context of 3428	2720	RevengeRAT.exe	186
PID 3428 set thread context of 6168	3428	RegSvcs.exe	187
PID 4452 set thread context of 656	4452	svchost.exe	286
PID 656 set thread context of 4900	656	RegSvcs.exe	287

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5296	taskkill.exe
7124	taskkill.exe
3824	taskkill.exe
7096	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-945322488-2060912225-3527527000-1000\{9B131A08-B62A-4A1F-AF9D-4D407BC73737}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File created	C:\svchost\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:SmartScreen:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 279720.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 606826.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3856	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1360	msedge.exe
1360	msedge.exe
1112	msedge.exe
1112	msedge.exe
2264	identity_helper.exe
2264	identity_helper.exe
6984	msedge.exe
6984	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
3404	msedge.exe
3404	msedge.exe
2984	msedge.exe
2984	msedge.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	RevengeRAT.exe
Token: SeDebugPrivilege	3428	RegSvcs.exe
Token: SeDebugPrivilege	5296	taskkill.exe
Token: SeDebugPrivilege	7096	taskkill.exe
Token: SeDebugPrivilege	3824	taskkill.exe
Token: SeDebugPrivilege	7124	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4768	WMIC.exe
Token: SeSecurityPrivilege	4768	WMIC.exe
Token: SeTakeOwnershipPrivilege	4768	WMIC.exe
Token: SeLoadDriverPrivilege	4768	WMIC.exe
Token: SeSystemProfilePrivilege	4768	WMIC.exe
Token: SeSystemtimePrivilege	4768	WMIC.exe
Token: SeProfSingleProcessPrivilege	4768	WMIC.exe
Token: SeIncBasePriorityPrivilege	4768	WMIC.exe
Token: SeCreatePagefilePrivilege	4768	WMIC.exe
Token: SeBackupPrivilege	4768	WMIC.exe
Token: SeRestorePrivilege	4768	WMIC.exe
Token: SeShutdownPrivilege	4768	WMIC.exe
Token: SeDebugPrivilege	4768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4768	WMIC.exe
Token: SeRemoteShutdownPrivilege	4768	WMIC.exe
Token: SeUndockPrivilege	4768	WMIC.exe
Token: SeManageVolumePrivilege	4768	WMIC.exe
Token: 33	4768	WMIC.exe
Token: 34	4768	WMIC.exe
Token: 35	4768	WMIC.exe
Token: 36	4768	WMIC.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeDebugPrivilege	988	taskmgr.exe
Token: SeSystemProfilePrivilege	988	taskmgr.exe
Token: SeCreateGlobalPrivilege	988	taskmgr.exe
Token: SeDebugPrivilege	4452	svchost.exe
Token: SeDebugPrivilege	656	RegSvcs.exe
Token: 33	988	taskmgr.exe
Token: SeIncBasePriorityPrivilege	988	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious use of SendNotifyMessage 60 IoCs

pid	Process
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
1112	msedge.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe
988	taskmgr.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1488	!WannaDecryptor!.exe
1488	!WannaDecryptor!.exe
5752	!WannaDecryptor!.exe
5752	!WannaDecryptor!.exe
5380	!WannaDecryptor!.exe
5380	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe
5956	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 4000	1112	msedge.exe	83
PID 1112 wrote to memory of 4000	1112	msedge.exe	83
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 5028	1112	msedge.exe	84
PID 1112 wrote to memory of 1360	1112	msedge.exe	85
PID 1112 wrote to memory of 1360	1112	msedge.exe	85
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86
PID 1112 wrote to memory of 2112	1112	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://papers-please.en.softonic.com/
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff894246f8,0x7fff89424708,0x7fff89424718
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5376 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4144 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6788 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6792 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7416 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
  2⤵
  PID:5856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8344 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8604 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7496 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:1092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7772 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6692 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7360 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8608 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:5156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8208 /prefetch:1
  2⤵
  PID:5172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7908 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
  2⤵
  PID:5132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6616 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8792 /prefetch:1
  2⤵
  PID:5992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8144 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
  2⤵
  PID:5508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8140 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:5644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8316 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7900 /prefetch:1
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7728 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8480 /prefetch:1
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
  2⤵
  PID:5944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7172 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:1
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9212 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=9264 /prefetch:8
  2⤵
  PID:6188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:1
  2⤵
  PID:6404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:6564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7340 /prefetch:1
  2⤵
  PID:6896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:6936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:6984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7716 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7652 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9476 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:1
  2⤵
  PID:6436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9912 /prefetch:8
  2⤵
  PID:7080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9908 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,1002099807931776066,6610188275414997995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:3428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      PID:6168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\99wx9r_s.cmdline"
      4⤵
      PID:5932
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o0fbvmfi.cmdline"
      4⤵
      PID:4344
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3421.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9F4DC90EA7584EB0B59CA954B7D106A.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lhozsadd.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5904
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES34CD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc837E7413D9D3494E92B69D6FA33FADC.TMP"
        5⤵
        
        PID:5160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bxipftim.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2504
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3579.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7C79A7607E83430DAC3FBDC5B3BD90.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4480
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btq1he0w.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5256
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES35F6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc825A8C44EAD64DE98470A78CA81C29C3.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mmtqqww5.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6812
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3692.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc299E980FB7424A74A54BA4E449C394.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ocalscpk.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5024
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES371F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFA0ED97565844AA699FF39615C7AD978.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\8hlrcfsn.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1616
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37AB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB23C433C95824A129925B49C7A989A67.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1ul71xay.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:456
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3857.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc83FC7A7813CE40759BBED1276D237F0.TMP"
        5⤵
        
        PID:6920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\peaavrgr.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5960
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38E4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8BD2107050B84EB88C3AD56A9BF1C8B3.TMP"
        5⤵
        
        PID:6572
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tfoh0s-m.cmdline"
      4⤵
      PID:6936
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3961.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4A969CE76D94C289F505BDC6FC8972F.TMP"
        5⤵
        
        PID:1236
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\j1ser8vx.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5868
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES39FD.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F4FC91CBC34758ACED33E931D993A4.TMP"
        5⤵
        
        PID:5108
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mstdvrpj.cmdline"
      4⤵
      PID:6364
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A7A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8F769A91B5B426B8B6D1D6C97B99A6.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\btitgjpj.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6020
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AE7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc512EE72E56784136B44A6BC5E9F339CE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6908
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\n9ugbegu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4140
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B74.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc3E12EACE58014624BE4778106E5C4D58.TMP"
        5⤵
        
        PID:1844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\yqsa3iwg.cmdline"
      4⤵
      PID:844
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3BE1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc700D231E2E8C45F0AEB8EE34239EA843.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tekmkrve.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2308
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C3F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2CC85F3C95E94435BF122C7C4A51A92.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7072
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cmf_pyei.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4060
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc593E300B8584D1B8E779EFE69C44A64.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5048
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bdkpfed_.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2180
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4CA34CE0B30E4D45BD87A6A73A787432.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\znkdlorn.cmdline"
      4⤵
      PID:7116
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DC6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6334D288CB3742C6BE3399BEF71C524F.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:7088
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\c6meqp5o.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:7152
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E43.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD1B5378E144C4DFB88B978733DEDE7D0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\m5opz2x0.cmdline"
      4⤵
      PID:6460
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3ECF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc12B090242B5D4C208D7C1E8139546E14.TMP"
        5⤵
        
        PID:6124
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rsthz5ua.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5696
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F7B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc390B5786A4E446D88FCE87D242D32EBB.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3268
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:4452
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3856
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\4wzbeomo.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE57F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD8CD03E815D44724822DB7B4A87C3B3A.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3240
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\w9w1cyn7.cmdline"
        6⤵
        
        PID:1016
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5ED.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF9C75948CE145479D86B1608BB637DB.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:7140
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ua-pj1l2.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE66A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc17A97232CC3D49F7811C52A371A386.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\o7erc18g.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7132
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6D7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA3B8949CE4F407A9BE42FE8477355.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3696
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kg4aoviq.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6744
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE773.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc69AD56439B15435A87547961AB47335.TMP"
        7⤵
        
        PID:2904
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3onulwxo.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4148
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE81F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA60E525133EF4D339826749271A41FF.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:748
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wclilkmq.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6764
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE89C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF5AE67AA2AAD4C1593EB877A229242C3.TMP"
        7⤵
        
        PID:5508
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zcwgnktx.cmdline"
        6⤵
        
        PID:5012
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE919.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36064302E47541D9B3BB54ECA2227D76.TMP"
        7⤵
        
        PID:6572
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\_ttrw5c2.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE986.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9533D1C19E3A4FAEA5B34292452F39B.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\murp51v0.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5612
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA03.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc316D1C839BC6472FA3CC695E67B995C.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2624
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nebrubdu.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6552
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA90.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFAB24E1D0CF40EDBCA1275C8BE9BF7.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3076
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\2v6kkw2y.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6972
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB1D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc523530784EB4254A21A6C7FB58C5CB0.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:5700
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 314731722969012.bat
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5472
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:6540
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1488
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5296
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7096
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:7124
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5752
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6988
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:5956
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5892
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5380

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5916

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x480 0x50c
1⤵
PID:6248

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3320

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:5136

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Scripting

T1064

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\svchost\vcredist2012_x86_1_vcRuntimeAdditional_x86.ico

Filesize
4KB

MD5
fde1b01ca49aa70922404cdfcf32a643

SHA1
b0a2002c39a37a0ccaf219d42f1075471fd8b481

SHA256
741fe085e34db44b7c8ae83288697fab1359b028411c45dab2a3ca8b9ea548a5

SHA512
b6b4af427069602e929c1a6ce9d88c4634f0927b7292efb4070d15fb40ce39fc5ce868452dcd5642b2864730502de7a4c33679c936beb1a86c26a753d3f4dc25

Download Submit
C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
d65839197b000441fb7d54ffc45f98cb

SHA1
8f9cbf8e183e8e5b1092fe8ff9919ffc81d2adf1

SHA256
f3fcb6945a8489248aac376e574382c999e98b8b5487a25892bc6afbdcffb4b9

SHA512
4195d2ec7de6b44f967c2eee1f22cab210513e72ab8a4f9a95d0492ca2e877ed0df7123a519581136a8155720021429a4092b6b92cbb6a5ca26b7bc2c029de95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9b008261dda31857d68792b46af6dd6d

SHA1
e82dc88e2d1da2df7cb19d79a0346b9bb90d52b3

SHA256
9ac598d4f8170f7e475d84103aead9e3c23d5f2d292741a7f56a17bde8b6f7da

SHA512
78853091403a06beeec4998e2e3a4342111895ffd485f7f7cd367741a4883f7a25864cba00a6c86f27dc0c9ce9d04f08011ecc40c8ae9383d33274739ac39f10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0446fcdd21b016db1f468971fb82a488

SHA1
726b91562bb75f80981f381e3c69d7d832c87c9d

SHA256
62c5dc18b25e758f3508582a7c58bb46b734a774d97fc0e8a20614235caa8222

SHA512
1df7c085042266959f1fe0aedc5f6d40ceba485b54159f51f0c38f17bb250b79ea941b735e1b6faf219f23fe8ab65ac4557f545519d52d5416b89ad0f9047a31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
17KB

MD5
67e30bbc30fa4e58ef6c33781b4e835c

SHA1
18125beb2b3f1a747f39ed999ff0edd5a52980ee

SHA256
1572e2beb45d2de9d63a7e7fe03c307d175b2b232bad2e763623dceb747729ba

SHA512
271d4a65d25b0a5d2ff2fe8f3925fc165d9b4345893abfd919061d78ffc5ffe8890ded35e41274ad8b860f06264b027cfea6030ec9411a4e03bc6d7cb4d4d228

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
19KB

MD5
1f28801aaa01f8c1cc2f87e66344e8ad

SHA1
366e6a11383b097ddbbd560b967074f1b0dc4f8f

SHA256
0b110f0ac15be93f4bb2272d6c0bf858d4b1fb555663924d19f39a4525b88a52

SHA512
0160a192703bf11d0ef36f1d74cff79890befb6e4dc83ba77335eba8d1167eb395feb671f54a45bf7789eec6544c35e24891b6d9132d88879b01d35d5acba0cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
104KB

MD5
7651b1187bb58ac4c7be625337b35e5b

SHA1
307d969ef4137a66fe2793737dc1c546587c7f43

SHA256
0632850d01a46bc2f8c223155a4bf6c398b33596bb711e098440623f118c3968

SHA512
a81d2f768af155bdc642941404e7ddf95a2cea33c9374acb5fe32f6f5266e337fbef32f904551f61fcc9f9ab5a1c6a5ad130ab85b38bc2258e2f82c0ca1e9c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
31KB

MD5
4804ed3fd76930d8cfd481e8c692cb56

SHA1
f736a301068c4ffbf70c541a89c53779f771e875

SHA256
311a12f8a9b86f2770786d33ff69fea935958d8b8b5fd6d3ea8d76ac8eb456f3

SHA512
41a770ccbf60f15582ba8e830495f3e2f08ec9bd777dc111a8f03abb0be58deffe2f061ff566d0ad875e30205324e4786ab1732141fcff2a8c8608330da0914f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
134KB

MD5
d4f79c8b71f5a580bd6b2cfb715fb8a8

SHA1
1f302524b5bdb5248e4f760eaba906321ac0bc7e

SHA256
8f8aa1da551f73e067ab2f6258842bca9f60874b9d3ca4ce799d96bfac17e60b

SHA512
df8896e8fffe9dcdce4b133850b35ee4d5771bd8bcc2d04d95182026b3e0c1214683f76d42da80e3115096bc9e66d7fb8afa002b21b40c5381d849d40307477f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
98KB

MD5
7cdacd214f7eaa30897765a989a4d96e

SHA1
aaa6372dc510564392b5c149d0b04edf5deef48f

SHA256
e238fdd1a3724b4cbb5d862fe771264a5352bbaf8aee2c85bfac8242b5940034

SHA512
5bd53f1db2c30781cabeab73672ef6bb61d3d40b8c37bf42414ab7ae001918eb897545cfa88d7fc2e936a2b9f5e5b276613f4b5ffb96d71a7032ba3cbb7bfe8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
20KB

MD5
c175a1acfddf2d267654a2cfc96fc395

SHA1
bcf7d36bc18066ce96332ca69c754f4dd32467f9

SHA256
f55d1cb1115cdc60d92a99b2666254b4fc73ec80ce2de6cc208f6230a3b54288

SHA512
628cac38cf2f49abe25af82f96c980a8e3bea8522b543ffaf78d32c8fca933ad39f21153e2c710dda9a89dc695ec2f801fccb93e56dbd82dd7a9ff77978b93b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
25KB

MD5
42e84ebcf5470237abd1f9e322b751fe

SHA1
a828a45804554507d9e8521c36109e8bc3d5eca2

SHA256
a9fc7baee3689f0331e46617f60d6e7c3ed631209b7211e7dd09cf20d22a64c1

SHA512
36606d42aee5689819dedf221af3c6c0da06aeb9997b9ce84b42db42ab80a0926352219f1e47f2287dcc850fcc96e4eefd5e487e09e1f1228102eced11271e25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
147KB

MD5
10a8a83c6230c12a4890329a352f3617

SHA1
6e3aa832e17bea6716802ee1ce873271349251a1

SHA256
3876ec1287afebfe3ade64a0fc5d75b99a2273b37c90309cb0b5ef4b056bc1b4

SHA512
49dd17a22eabc653394aa5a6c4eaf28d3d61cec7b7f835555d72a47b75d4983a98b0dcfd15abe426b83c29ccc6df062a46d972a66656872ae43b82286d3f859c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
149KB

MD5
8d35e5a431f4c2dbc25de5c812df8381

SHA1
2904985721547092012996115401e49362898ea7

SHA256
b70ad694d25e7585319a62a094a2e21f5d2195fdcf1b09fabd444a3045499357

SHA512
25155aff6d250435f3def7d8878690d79aea9c5ba98910fb70c7506ec241d860185cd80d564b5060aee4597d8de55306fcfea353da1a348277e043038df826a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
81KB

MD5
c7fc68db8eb2e60b41d9eafae56791a4

SHA1
c95e84a84dd4acc219414dd0a6571dbd21cb8ce4

SHA256
130450207e896ed768c4e7ad7f889844fd4cdfa634b981ab837e3626cacc7601

SHA512
fa0478f2894f8e9d691947d890c781a1440f1468b50c2691cedd293e4f6d6cb21dff2a3d5ad42e966bf719a6bcc047bec3427a5af21b2671fc8d59363252c9c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
76KB

MD5
48088bfadab03e26f9c26b67c17c67f9

SHA1
a34e4ad3237bb344327246425f3ca1bcead96ba6

SHA256
fe1c8489eaf41a0afc7282d2592131030dbd82f7c1bce0b245c6f619799b41b7

SHA512
c6d531ae42e980fdd5d6aa42855912925b6ee6ead1f5b2e1e9db1809c3fab6ac117526ba2ff8a16b3d5fab97915f5496e9eaddf98f93d4f6bc7869e718b3c787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
19KB

MD5
8be102e2c9ff27f0c1ad9d93138522f0

SHA1
2e9233646304b9cb72f73b09d1e89fdef1d7369c

SHA256
dd46a083bd9e98443f97cf9129cf8d4d782deac0c28e1f7b4a65df000f9e164f

SHA512
e3a570317c4c770a9feff907a7386e5db454ca356ef974a8a141241c4bd24a989fdefca76bc01934768e3ab05ccced4da01a34f3c81d1b41c224b200cfd058a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
81KB

MD5
ed6f3488a52d280647a945c2246fffed

SHA1
0886f5cc792b3e6871e518d4508cb9ee596291be

SHA256
23c4e914250fa50d586f63ea933645e6d371883236b1ef0584b7716a31eee09a

SHA512
20121497af10f067992a1bfe44e1177656b04b6b2315373d9ae094992c7062d4b579155b4e508b7c466a5d17ea5e16eb63258174fc33a62090c704e28389d041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
47KB

MD5
010966f1a7a2d91055444a2388217c70

SHA1
2182189e92e5af47929fda40e1f9e4c3ed8a0bea

SHA256
63dc95b8beb2854e2eccb6408b0131a4076a8ac001f6f32c4235ef9d7f5f1542

SHA512
4bb4dd03dc1c9ad3464e5a4dae9f3df3e8d1051f78bf05daf678c62b171cbc8575facfc8ba2f774f5f79edc278077b6b50d2c28cdb1abd40131fafc062fa3d01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
27KB

MD5
46e6043b3a70e5986f0b72a748d9e3e2

SHA1
5d3ac460401a49fb84286e0f8b9edf6167530fa6

SHA256
171b12a8c0900d5f0d9e700eb668c02f167ad6f7adce4b9c36201ee10aeae005

SHA512
c0f875ed0d9e05a7439ac9d160edf59ed3b1b384b87dca5b75de3ba11a47a94d543f108ee60aaf421c965c0635408003535795e0f6601afdef4010d982724385

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
38KB

MD5
66ea1c6bf26309f295083e8ffb5f6d2f

SHA1
e48a9abc7cc21f755acf9150ee6b3e9f741226f4

SHA256
7b6b7a436f160f8ccefbda751fc1e122e9a1c61fb75eec400159c999f3a4e1ff

SHA512
8d8e25f27532e16de0b5e08ddec7bc1b04d6fa3729c4fbc4a3ce23707dd9718b73c37cb3859889c41aed78cbb7c815159b9481ae7d496a4c375e96a1f042d57b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
62KB

MD5
0800f316866f3b20e5443bf0b6c133a2

SHA1
0c26d720ec1078b683068d5586b3a204ec118bba

SHA256
8bf6fdda34cb70a0e5abb753af6440a64d37ed2fee81ab1d9c478f7d77aff84e

SHA512
84d9961ef0b3890094c0809750708d57ab23a9e21f76fbddae37fe04443b44c693dd087e51ed06e5ea2900f1fa7f2bda76f8991d3f8396dacfaf923438e48d75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
20KB

MD5
6931123c52bee278b00ee54ae99f0ead

SHA1
6907e9544cd8b24f602d0a623cfe32fe9426f81f

SHA256
c54a6c3031bf3472077c716fa942bd683119dc483b7e0181e8a608fa0b309935

SHA512
40221fe98816aa369c45f87dc62e6d91fcdb559d9756cb6a05819f1cde629e23a51803e71371f4e4f27112a09489d58ed45b2b901a5f2f00c69c082b3576057f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000028

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000034

Filesize
16KB

MD5
9c6b5ce6b3452e98573e6409c34dd73c

SHA1
de607fadef62e36945a409a838eb8fc36d819b42

SHA256
cd729039a1b314b25ea94b5c45c8d575d3387f7df83f98c233614bf09484a1fc

SHA512
4cfd6cc6e7af1e1c300a363a9be2c973d1797d2cd9b9009d9e1389b418dde76f5f976a6b4c2bf7ad075d784b5459f46420677370d72a0aaacd0bd477b251b8d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3a19544dd8e5e4b2_0

Filesize
32KB

MD5
de25a2d4dd88a27cf53c4f5a53a0b735

SHA1
88610a018f79e646bd2ce085f511cad66bc313ad

SHA256
1d7ae59997278e07a270d493bd18e7c7b1b6e704cd44ff2ce015939c63e7e8be

SHA512
c3e2151a1868325731d6944b492bb17fd721eddb55e723f57038e5f1c28811ae7a413a712da9c2a58000387dd432004d85ce9855178667a97399e6db2d7e8af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cb8aa1d6e4ecf0e1_0

Filesize
241B

MD5
b1133f1cf1de13ef688d970721612c14

SHA1
ae41e2e3b46a20c382ad90e2ac53752cb1ed7ef5

SHA256
b039f27ffd9b0d5ab1af1b6e4469e0c7bef0ff55f9bdd007b3a65d26ce7ee314

SHA512
b1ec27b398c85f0f33fb0fc7ca0b08e4a1d539d1eda8d60e5ba3afd25400c868c3febfb7a0a7b909b4199f9c433e03fd8df70f2f374e3f22b9fa682702d1d577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\cb8aa1d6e4ecf0e1_0

Filesize
32KB

MD5
a22c3a33a76abc6ddc014107f18df6b0

SHA1
689f46f4ab16407129cb5a0e7b2be4ad5ff3d739

SHA256
75045ea030d515749de3896ad951d15631eab7f46cbfc0ee9bfc56b23ea65a62

SHA512
7cd62c754cf7ebc5fc22861b82fecdef673c25cc3cdba33588ef75a0600ea7d4613fe047888199e4d77ae4cab050081c78602d8d962ef4a21cc498db8d9bb10d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e05eba8c1f7ba55c_0

Filesize
3KB

MD5
d3e9142eb08e3c4517c9a85e7b1c278b

SHA1
56cf8f49235b104a3042de5bdc04a97b9d2fd9e8

SHA256
22f3194285e32d617170b356458ccce212dd7c8d3f3f386c6596fb766e77cbba

SHA512
6e6bcc470e5823bfcc170ae72da2b8ef70aa6fd802c4e6224da634b25b690d6080fb1cc0b6cf983a509f036065cec3467341e20a474dfde7e4e412dd29f1f01a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
babd5a2eb8cf4d00ead4feabafa91d2f

SHA1
15294e7b7b40bcea0dbaf4c77cdec93f6f37d517

SHA256
8c56af92608687f4601bda23d23262ed68641cb9b0a481722131336ca04c2251

SHA512
189c3a26454e5d7dfc361a8cc23ca635677d8657cdab410414c679aed47bde873c0779ec050037b4adc129c813914a02a1f9fc251017fe4117d6e0793c21feff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
f871c315ee672216dbd9bab677ed26eb

SHA1
ccb8aa163191c8d00ca15fe4d1c3c4c516b90b78

SHA256
8779e2f1ebc7de1670b7f3e0c521e0155030d9b6c9212c63542452696ba78271

SHA512
0eb39033d41e38e901737c213ee151bdfbe9280602b34a16e2c116ce73f1d9169a3bcd3dcdb288ffc8c57a26e00705066c1ca54bf17e8889428d1d8d50e680c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
572dba2eb1940ad33cfe14996a814cb8

SHA1
b8585a28852c9c18cf794b75f97f37af6c717521

SHA256
19e68bf20797dd1669109c9dbb838b94b29c0ab00a8f85fd0df0cc0e037d7b06

SHA512
ddf9cab3f42e82665a522f8f744b911cfe8012ac795c2b25d88ceeee65a7685df3e393244e73ce0c06816be8bbe9250f2d7523a8beabe6eb8bb5feed4b80c889

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
4126e05440f2d7c2140a673d63448d9b

SHA1
66bac887d4575e5f9bde4776b7ce6ace3b7de878

SHA256
8eeb85f6da9e955e9c674d059ca2da5a373e3e899dbc31036053c3ae7509cc7f

SHA512
f98c8dbab843af4171d7ed808f37ec9a36ff399b1172e33136c118ebf4fd6b2998c30b033d6f9275c06e118727af9bf8f4a1ca536ac8ed8aa0ac31adc1f22278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6120868b7627eac6efee3b7dd0b900d0

SHA1
b30ca57c2a3ef5d83084daacbbba28165d7f557e

SHA256
6e6c3c3669a61bfffc57e517834d0d586c2e73e0c20aa1b4122a259a1cc6539d

SHA512
fbee98b3d3dd4e6b7f2f2f8f25a776aa3470228678e3812c0e43f185097f3bb73578a2fd9da2d66c3cf2e7ca4209d709dd6e7748f7fb2fac95042f31a0cf34a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
401c1ae0b6d9dd2e57da1c76afc61d4a

SHA1
72559f3a526f770dae7102b516e6721114f65fc4

SHA256
e135215e8546a2723ef6381fd06a2b35843906fc38d904034f7d84e2116a9fad

SHA512
06b0b354db4d5f03a43115fcc1df88e682113f0f9013df8950961454e2be348d27b75e39fe1cfa910beb165f642df33800a508cd487251b2185bc0bc6f26839e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
d2182d73d88fb77fe3d77e786b58ea30

SHA1
52ebd5f3057c275b6a239a8a8aa4c470606f2081

SHA256
0b70542cd4a7285f479aa9e746e993c2ee3f293617cf69db77195ef69106d3aa

SHA512
834c00be8363b0d3c93b7e92f2ed398743c33e3e03febf1bf2337917f042e0bffcc49a37388748890977af841b4b5a573b10a24ffd1f07fa21f8772369a0d585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
9ce571d972523225b673c1db25d2b5aa

SHA1
a85b54bbaff919a6657185ffcc72063355bb6bd0

SHA256
1a93e7ef45e7468f216885ddfee70be4f22c83db00b32277af6ef5ea0e3763fc

SHA512
1c9fb8b133c1981c16a9e1b1d5aa3520238e2f2a45c0470955d0adc6a9c4520fe4a983884908306737f0def8165afcf3bb4de3da39d856b1aabfe65ced8cb8cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
3ba1faf0a71bb32955fe4152bcce6d06

SHA1
3f702081eb5a3a9014a33168fe680a2fcdf2fce5

SHA256
56763d8334640adf7a6f79c26ce7b2f9271424c0df067f981531d5bda36c56c6

SHA512
c6062ebf7b7868fcfdb519a0b249fd35d6535585e5d8cf2d4522d4b4ce89c688fa962c5025bc9404c91ae90f4b3747663e3363cc439c310aa939dc3cca5c0f95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
8c9cd4d21bf96bfa2a80bd4ac5e40643

SHA1
3ad7030b06c6d3875283038e19e10a35946198d7

SHA256
aa23d9fc6f876161c177ef702695ed3e128ebdde9d8169fb74f5be4b33fbed1d

SHA512
a3d5ef7482ce902e1d8c7218c23d22871967ca5cbf1d8e4b300eab622f449a12e6c41d19a5074a34200fac51f0d6f71fdd6d8893802d8cb4e787be2dd31336c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
98b2f5c77c11a74994ac450055cb8560

SHA1
0a2ec2295b23cba6d25cc6f8f5d7b7b5fab7496c

SHA256
ec09e612516aacb06edb8e6ee09e723febb6770a8494b82af4aa593c34ffd28c

SHA512
9fb4d5f088cb522b03920781ac3f2fd7ba3a9e5c55c08a29b2d789a12ec7e470e2e2f574c3327492a46d0aa2640085b88a6b5669787db89ab5f9a48381431a66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
005769e0b36fe19ea9c0fc6fc4e5398f

SHA1
76176e85aed69bd76f01917ce9e592ded338b898

SHA256
5c030c26f46966c2ccd8e4ce2eaf6cf0c680204e8ba8c0cc6ab26b807b42fa81

SHA512
3b8cf8db302494fce4c39ca8c5de702ed69dc3de6ccb511809fb11b9b3bde55d9321ede26ee1d87b7ef34cf9cc609aab24fe0cacf4bb2e10bae3dcc41c41c806

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
8e0cdcecc12c0b16d8e67d36af6141e6

SHA1
d4002efbdeea2cce4e065095f1b81b07f7226cbc

SHA256
cd3d4940d5048d586e229a03c9da7c2a6fad92d852e75c1ef1b5923203e473c6

SHA512
525a67497702cc0c51c21b168ceaad966f2c24966cb5890776f08066a922f4429d75e3cca7c183e8e5ea268f0b9304e0feb498d33966440a9057d43710f7fd73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f663c6935b98ba77712998fdceef73e5

SHA1
7d73b78d7807a217a1cff336f90593a92839d33d

SHA256
2fb3d66b8eaa5eb871e50008faa1f378ac82257bd6bc68605cf8f5bffa471af8

SHA512
706a7416c7d0e8e8c4145fb07b874471ce2e8053a5ac6cc7e605c84310cab141e511ba60456acab644308690d483cc61cc09cf19c2a184c4f355cd3180a95ba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
be75757afb4b428e70f8550d19f64d80

SHA1
e9a1c55ff9a8cd1907bf6a5696cb0c70fa4f883b

SHA256
3c888fb84b0ef2533ea50bf795a7fe564bb40a1bcf440045356b68f8079c043c

SHA512
b5efa43df9d09925d675ed1c82e085c4b8fb97d3db8b1c9e45b7bf2752f0d937a1d9f49a17e12038cff2dcc65208028aca3b490511d2c6d9b3450546f74746cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
ed1b1345935e74c2f5e7bcc153456602

SHA1
3571e30aa3e194d3ea6aefd6dda6281a2adfaa23

SHA256
b72ea23d14c7d387dfa42342d0b773b11d36d7933de3bff4bd35ef4754e53b0c

SHA512
fc6328b99e3585737a74e5ccbc4eaf18f8e98e1c59f29f3930b07ccead794246a04757e993da2428f56645c76ee3a0a89b1e16b91b3c8570547ec3ef96bf064d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
d2d211d3487b95ce1e33a01f8ad7ea7c

SHA1
b62846a2148ead8612b6c1f0e615d0acf5ada526

SHA256
ba7889d89fa7f430d30910548d6e48b15034e43bf9b784afe33fb486f3b442f2

SHA512
d468a94f178f8a4b66bce2fad4e217be6ecb098729c9b0073b381492798b9d510e1991d54ac0d0f965be549b77965b9ec085c93ad02a5cc91ed3e75698cf2f2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
f967138de260cba97eb6a87ac20fcdf1

SHA1
c5868da5383ebe0c0e7366d14c81e577783f88f5

SHA256
97652bad1eaa1b8b73d76d5d44f1a3b8cdf7c9aa447c720505d4bf92ac186a82

SHA512
89abafaefa3e0666e236846e144afdd4fe1c8bbdc6b4b0fc42225584d4b60ddcc1fc6fb8f90c9a0d00f94b86763ec7dbabffd77bada2c45cb43957739ea81ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
bfe7a8d97722554b2508cf9a032ec945

SHA1
5d0443e1e14f2748ac8a0546474f429cf23424f3

SHA256
0aa2593a50ea5a2b6725a406037806cf3b2344a7970859e8bac3cae65cfb1a78

SHA512
dc8673de0c43b4d0b235f0ac15a09aa0efd4f1b4a58c0fc6c5cf829fca306a24ed0cb1ce02dfbfcb9e986d4cb821cb97310ab3e9820fbc382dfdca439ddbebd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
4db03bb2a2b08f13003aaabc55c093d4

SHA1
010cecbf85334191270178682f85ffd3e3bea75f

SHA256
06a2c537b043ac26d69f4f1e366ef77187b05ab081c435920801a4999b37b85a

SHA512
c82b43f6fbbfab1883641d595eae937174022655a68c7834a9ccb8003778baafcc194c39fafae91b95b0773872bc25e644ba688d31c107486c44cd3aca2dadaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58117f.TMP

Filesize
3KB

MD5
482e5a89af66814e7b021a091bf289b8

SHA1
2c5fa1754b93559aa9ba3efc540e24b83213ab18

SHA256
65c58a21db894649fdc43e29ac09c01ae36d56c657fe63d813a956bb9b874ecc

SHA512
ac095d1024e17fb6b3fae2ce95d08a5cedfec07a8c0f30b2ddbcd7e18af7cf7be2d04dbe46b1f2fc7f3eae92504fc2b6172915cd26d38c5a4404cfd6a5875848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
64e5e51f9f6e79eb6cd22ab79d4037c9

SHA1
58b2fb7df3b951977737e985b31ac8a36a5f3b9c

SHA256
3da14250757821051ab4418e5043ea225f4fcb99f44ded5595c533e8232dcf25

SHA512
3b18c59e85f7f17c7820128476f15d30f9db0faa0e807eb1b8b9d2d0a043df7b5809a494265aa65f85192e097a097169199db4d4803b9bf376c7cecd9f18b70d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
216c26fe5e733d91ebe9aada72893a71

SHA1
4292b20f3ea6c258f7f54405d2a6464aa178cb45

SHA256
9fd219a860676eebb9769a004e17c256d7cf376148bfadcf7f7f6e2f2f3829cd

SHA512
d40976df17f25648549ac9152c45894e7cbb10d29ccf24b732fa3c599c01f0e9b78034b11338269c28816d660a2a23d1d511d44b6a1a06b81de1fe73f5c9cb37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4eb488780a97b62b19f0b4031540bf6c

SHA1
844282be0d74629cd27f8934a19ce3c6d9ed8310

SHA256
53f46697831c0a4ed6bf9e0c0f886f3f34ebbd3a6f4f1d2d5157a38a06baa2c8

SHA512
85998c1f9d2460bbbf6a09e731813df11531f4c5b1738204c82ecadc0b83e8393e11a41d79d9f019f15411e50ac3bd6e2e32e2e8d25d8eae3f79a3a43242b138

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc316D1C839BC6472FA3CC695E67B995C.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc36064302E47541D9B3BB54ECA2227D76.TMP

Filesize
700B

MD5
47df494f2e559672edb5b0c34b15393d

SHA1
2629682a6b60cb29aead2ef985eb808f2a342a1e

SHA256
39ef23fa7819a8c04d23e206bcc619bbbec2ac19fe79545fccc358beba415d04

SHA512
2a348b83eba04f9546c8d5f6e92f9fecb375cec03f52b3be70f1f911c68d651cef691d2e57be03b8401787065ae2096f1d09641ab7d072a5a8fac78817e87cf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc69AD56439B15435A87547961AB47335.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA3B8949CE4F407A9BE42FE8477355.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 279720.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 606826.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/988-3311-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3310-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3300-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3301-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3302-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3312-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3306-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3307-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3309-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/988-3308-0x000001FDFEB30000-0x000001FDFEB31000-memory.dmp

Filesize
4KB

Download
memory/2720-1497-0x000000001C0F0000-0x000000001C152000-memory.dmp

Filesize
392KB

Download
memory/2720-1496-0x000000001BF50000-0x000000001BFF6000-memory.dmp

Filesize
664KB

Download
memory/2720-1495-0x000000001B9D0000-0x000000001BE9E000-memory.dmp

Filesize
4.8MB

Download
memory/3428-1499-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5700-1535-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/6168-1500-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download