crimsonrat | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Analysis

max time kernel
1050s
max time network
1051s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-01-2025 00:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

crimsonrat modiloader revengerat warzonerat credential_access discovery evasion infostealer motw persistence phishing rat rezer0 spyware stealer trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001900000002af5c-3045.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
Crimsonrat family
crimsonrat
ModiLoader, DBatLoader
ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.
trojan modiloader

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe,C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Modiloader family
modiloader
RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

ModiLoader First Stage 1 IoCs

resource	yara_rule
behavioral1/memory/1752-2078-0x0000000010410000-0x000000001047E000-memory.dmp	modiloader_stage1

ReZer0 packer 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

resource	yara_rule
behavioral1/memory/5880-3085-0x0000000005580000-0x00000000055A8000-memory.dmp	rezer0

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x002400000002af8a-3308.dat	revengerat

Sets file to hidden 1 TTPs 8 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
5076	attrib.exe
2060	attrib.exe
5480	attrib.exe
5440	attrib.exe
1080	attrib.exe
568	attrib.exe
3392	attrib.exe
1484	attrib.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.exe	Taskmgr.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe

Executes dropped EXE 12 IoCs

pid	Process
3560	winupdate.exe
5192	winupdate.exe
5424	winupdate.exe
2864	Userdata.exe
6416	dlrarhsiva.exe
4856	Server.exe
424	svchost.exe
1948	svchost.exe
5432	svchost.exe
6972	svchost.exe
5380	svchost.exe
1720	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Userdata.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\remcos = "\"C:\\Windows\\SysWOW64\\Userdata\\Userdata.exe\""	Remcos.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Desktop\\The-MALWARE-Repo-master\\RAT\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	Blackkomet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdater = "C:\\Windows\\system32\\Windupdt\\winupdate.exe"	winupdate.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
265	drive.google.com
368	drive.google.com
371	0.tcp.ngrok.io
377	0.tcp.ngrok.io

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs

phishing motw

flow	ioc
214	https://storage.googleapis.com/script.aniview.com/ssync/62f53b2c7850d0786f227f64/ssync.html

Drops file in System32 directory 23 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File created	C:\Windows\SysWOW64\Userdata\Userdata.exe:Zone.Identifier:$DATA	Remcos.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Userdata\Userdata.exe	Remcos.exe
File opened for modification	C:\Windows\SysWOW64\Userdata	Remcos.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier:$DATA	Blackkomet.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	winupdate.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\	Blackkomet.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\Windupdt\winupdate.exe	attrib.exe
File created	C:\Windows\SysWOW64\Windupdt\winupdate.exe	winupdate.exe

Suspicious use of SetThreadContext 16 IoCs

description	pid	Process	procid_target
PID 2864 set thread context of 5568	2864	Userdata.exe	254
PID 2156 set thread context of 1396	2156	RevengeRAT.exe	257
PID 1396 set thread context of 5556	1396	RegSvcs.exe	258
PID 5880 set thread context of 2920	5880	WarzoneRAT.exe	267
PID 424 set thread context of 6528	424	svchost.exe	333
PID 6528 set thread context of 2496	6528	RegSvcs.exe	334
PID 1948 set thread context of 6936	1948	svchost.exe	359
PID 6936 set thread context of 3184	6936	RegSvcs.exe	360
PID 5432 set thread context of 5368	5432	svchost.exe	364
PID 5368 set thread context of 2216	5368	RegSvcs.exe	365
PID 6972 set thread context of 3276	6972	svchost.exe	371
PID 3276 set thread context of 3844	3276	RegSvcs.exe	372
PID 5380 set thread context of 4976	5380	svchost.exe	377
PID 4976 set thread context of 1992	4976	RegSvcs.exe	378
PID 1720 set thread context of 6944	1720	svchost.exe	384
PID 6944 set thread context of 5068	6944	RegSvcs.exe	385

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4828	2300	WerFault.exe	354

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CrazyNCS.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WarzoneRAT.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winupdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Remcos.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Userdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ScreenScrew.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	YouAreAnIdiot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Blackkomet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NetWire.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5532	PING.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	Taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 42 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\0409:00000409 = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload\1 = "00000409"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language\00000000 = "00000409"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowCasing = "1"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Substitutes	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\ASSEMBLYITEM\0X00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\Profile = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\Language	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\ShowShiftLock = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Keyboard Layout\Preload	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\HiddenDummyLayouts	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US\CachedLanguageName = "@Winlangdb.dll,-1121"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\CLSID = "{00000000-0000-0000-0000-000000000000}"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "183"	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\TIP	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\Languages = 65006e002d005500530000000000	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Control Panel\International\User Profile\en-US	LogonUI.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\CTF\SORTORDER\LANGUAGE	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\SortOrder\AssemblyItem\0x00000409\{34745C63-B2F0-4784-8B67-5E12C8701A31}\00000000\KeyboardLayout = "67699721"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a000000ffffffff	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\NodeSlot = "16"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0\MRUListEx = ffffffff	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\MRUListEx = ffffffff	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Popup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = 00000000ffffffff	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Popup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	winupdate.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\0	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\Shell\SniffedFolderType = "Documents"	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202020202020202020202	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202020202	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 010000000200000000000000ffffffff	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "14"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell\SniffedFolderType = "Documents"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 020000000100000000000000ffffffff	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\Shell	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Popup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Blackkomet.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202020202020202	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\0\NodeSlot = "15"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell\SniffedFolderType = "Documents"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\16\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Popup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e80922b16d365937a46956b92703aca08af0000	Popup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Popup.exe
Key created	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Popup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3587106988-279496464-3440778474-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlgLegacy\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Popup.exe

Modifies registry key 1 TTPs 2 IoCs

Modify Registry

T1112

pid	Process
3068	reg.exe
6104	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\jFvfxe.exe\:Zone.Identifier:$DATA	WarzoneRAT.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\The-MALWARE-Repo-master.zip:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5532	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2464	schtasks.exe
3868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4408	msedge.exe
4408	msedge.exe
3232	msedge.exe
3232	msedge.exe
4860	msedge.exe
4860	msedge.exe
2004	identity_helper.exe
2004	identity_helper.exe
2140	msedge.exe
2140	msedge.exe
1000	msedge.exe
1000	msedge.exe
1524	msedge.exe
1524	msedge.exe
2472	identity_helper.exe
2472	identity_helper.exe
1456	msedge.exe
1456	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
2724	msedge.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 5 IoCs

pid	Process
6540	Taskmgr.exe
7044	Popup.exe
5760	DesktopBoom.exe
4856	Server.exe
7068	DesktopBoom.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	6372	LogonUI.exe
Token: SeCreatePagefilePrivilege	6372	LogonUI.exe
Token: SeDebugPrivilege	6540	Taskmgr.exe
Token: SeSystemProfilePrivilege	6540	Taskmgr.exe
Token: SeCreateGlobalPrivilege	6540	Taskmgr.exe
Token: SeIncreaseQuotaPrivilege	3120	Blackkomet.exe
Token: SeSecurityPrivilege	3120	Blackkomet.exe
Token: SeTakeOwnershipPrivilege	3120	Blackkomet.exe
Token: SeLoadDriverPrivilege	3120	Blackkomet.exe
Token: SeSystemProfilePrivilege	3120	Blackkomet.exe
Token: SeSystemtimePrivilege	3120	Blackkomet.exe
Token: SeProfSingleProcessPrivilege	3120	Blackkomet.exe
Token: SeIncBasePriorityPrivilege	3120	Blackkomet.exe
Token: SeCreatePagefilePrivilege	3120	Blackkomet.exe
Token: SeBackupPrivilege	3120	Blackkomet.exe
Token: SeRestorePrivilege	3120	Blackkomet.exe
Token: SeShutdownPrivilege	3120	Blackkomet.exe
Token: SeDebugPrivilege	3120	Blackkomet.exe
Token: SeSystemEnvironmentPrivilege	3120	Blackkomet.exe
Token: SeChangeNotifyPrivilege	3120	Blackkomet.exe
Token: SeRemoteShutdownPrivilege	3120	Blackkomet.exe
Token: SeUndockPrivilege	3120	Blackkomet.exe
Token: SeManageVolumePrivilege	3120	Blackkomet.exe
Token: SeImpersonatePrivilege	3120	Blackkomet.exe
Token: SeCreateGlobalPrivilege	3120	Blackkomet.exe
Token: 33	3120	Blackkomet.exe
Token: 34	3120	Blackkomet.exe
Token: 35	3120	Blackkomet.exe
Token: 36	3120	Blackkomet.exe
Token: 33	6264	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	6264	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	3560	winupdate.exe
Token: SeSecurityPrivilege	3560	winupdate.exe
Token: SeTakeOwnershipPrivilege	3560	winupdate.exe
Token: SeLoadDriverPrivilege	3560	winupdate.exe
Token: SeSystemProfilePrivilege	3560	winupdate.exe
Token: SeSystemtimePrivilege	3560	winupdate.exe
Token: SeProfSingleProcessPrivilege	3560	winupdate.exe
Token: SeIncBasePriorityPrivilege	3560	winupdate.exe
Token: SeCreatePagefilePrivilege	3560	winupdate.exe
Token: SeBackupPrivilege	3560	winupdate.exe
Token: SeRestorePrivilege	3560	winupdate.exe
Token: SeShutdownPrivilege	3560	winupdate.exe
Token: SeDebugPrivilege	3560	winupdate.exe
Token: SeSystemEnvironmentPrivilege	3560	winupdate.exe
Token: SeChangeNotifyPrivilege	3560	winupdate.exe
Token: SeRemoteShutdownPrivilege	3560	winupdate.exe
Token: SeUndockPrivilege	3560	winupdate.exe
Token: SeManageVolumePrivilege	3560	winupdate.exe
Token: SeImpersonatePrivilege	3560	winupdate.exe
Token: SeCreateGlobalPrivilege	3560	winupdate.exe
Token: 33	3560	winupdate.exe
Token: 34	3560	winupdate.exe
Token: 35	3560	winupdate.exe
Token: 36	3560	winupdate.exe
Token: SeIncreaseQuotaPrivilege	5192	winupdate.exe
Token: SeSecurityPrivilege	5192	winupdate.exe
Token: SeTakeOwnershipPrivilege	5192	winupdate.exe
Token: SeLoadDriverPrivilege	5192	winupdate.exe
Token: SeSystemProfilePrivilege	5192	winupdate.exe
Token: SeSystemtimePrivilege	5192	winupdate.exe
Token: SeProfSingleProcessPrivilege	5192	winupdate.exe
Token: SeIncBasePriorityPrivilege	5192	winupdate.exe
Token: SeCreatePagefilePrivilege	5192	winupdate.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
3232	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
1000	msedge.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe
6540	Taskmgr.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1000	msedge.exe
1000	msedge.exe
6372	LogonUI.exe
6384	VanToM-Rat.bat
4856	Server.exe
7044	Popup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 3472	3232	msedge.exe	79
PID 3232 wrote to memory of 3472	3232	msedge.exe	79
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 2092	3232	msedge.exe	80
PID 3232 wrote to memory of 4408	3232	msedge.exe	81
PID 3232 wrote to memory of 4408	3232	msedge.exe	81
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82
PID 3232 wrote to memory of 2816	3232	msedge.exe	82

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3392	attrib.exe
1484	attrib.exe
5076	attrib.exe
2060	attrib.exe
5480	attrib.exe
5440	attrib.exe
1080	attrib.exe
568	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08613cb8,0x7ffa08613cc8,0x7ffa08613cd8
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5240 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4944 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,5837041245762874548,13012792049996519487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
  2⤵
  PID:492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa08613cb8,0x7ffa08613cc8,0x7ffa08613cd8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1988 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:1544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4752 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6780 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  2⤵
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6540 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6612 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6728 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7588 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8052 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8040 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7892 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9120 /prefetch:1
  2⤵
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8888 /prefetch:1
  2⤵
  PID:5288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8768 /prefetch:1
  2⤵
  PID:5296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9128 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8028 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:5404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7836 /prefetch:1
  2⤵
  PID:5920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7700 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7872 /prefetch:1
  2⤵
  PID:5948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9548 /prefetch:1
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:2504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9180 /prefetch:1
  2⤵
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9596 /prefetch:1
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9360 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8468 /prefetch:1
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8740 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9296 /prefetch:1
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9000 /prefetch:1
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8068 /prefetch:1
  2⤵
  PID:5600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7508 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7220 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8132 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6944 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8108 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8792 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9496 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8976 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8380 /prefetch:1
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9040 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8332 /prefetch:1
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:5500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9184 /prefetch:1
  2⤵
  PID:5700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10236 /prefetch:1
  2⤵
  PID:5436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7376 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9736 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:1868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,3158064655831938439,3751103239759084565,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7232 /prefetch:1
  2⤵
  PID:5308

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3336

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3644

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:6000

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2944

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\NetWire.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\NetWire.exe"
1⤵
PID:1752
- C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\NetWire.exe
  "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\NetWire.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5848

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004EC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:6264

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa39ea855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:6372

C:\Windows\system32\launchtm.exe
launchtm.exe /3
1⤵
PID:6508
- C:\Windows\System32\Taskmgr.exe
  "C:\Windows\System32\Taskmgr.exe" /3
  2⤵
  - Drops startup file
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SendNotifyMessage
  PID:6540

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5428

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\Blackkomet.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\Blackkomet.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3120
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\Blackkomet.exe" +s +h
  2⤵
  - Sets file to hidden
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3392
- C:\Windows\SysWOW64\attrib.exe
  attrib "C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT" +s +h
  2⤵
  - Sets file to hidden
  - Views/modifies file attributes
  PID:1484
- C:\Windows\SysWOW64\Windupdt\winupdate.exe
  "C:\Windows\system32\Windupdt\winupdate.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:3560
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:5076
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Windows\SysWOW64\Windupdt" +s +h
    3⤵
    - Sets file to hidden
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2060
- - C:\Windows\SysWOW64\Windupdt\winupdate.exe
    "C:\Windows\system32\Windupdt\winupdate.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:5192
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:5480
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Windows\SysWOW64\Windupdt" +s +h
      4⤵
      Sets file to hidden
      Drops file in System32 directory
      Views/modifies file attributes
      PID:5440
  - - C:\Windows\SysWOW64\Windupdt\winupdate.exe
      "C:\Windows\system32\Windupdt\winupdate.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      Modifies registry class
      PID:5424
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt\winupdate.exe" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1080
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\Windupdt" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:568

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4176

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\Remcos.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\Remcos.exe"
1⤵
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
PID:4964
- C:\Windows\SysWOW64\cmd.exe
  /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4568
- - C:\Windows\SysWOW64\reg.exe
    C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3068
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\install.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4864
- - C:\Windows\SysWOW64\PING.EXE
    PING 127.0.0.1 -n 2
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5532
- - C:\Windows\SysWOW64\Userdata\Userdata.exe
    "C:\Windows\SysWOW64\Userdata\Userdata.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    PID:2864
  - - C:\Windows\SysWOW64\cmd.exe
      /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
      4⤵
      PID:5772
    - - C:\Windows\SysWOW64\reg.exe
        
        C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6104
  - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      4⤵
      PID:5568

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\RevengeRAT.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\RevengeRAT.exe"
1⤵
- Suspicious use of SetThreadContext
PID:2156
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Drops startup file
  - Suspicious use of SetThreadContext
  - NTFS ADS
  PID:1396
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:5556
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oltpnnir.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7084
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4D1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD3BDBBDF445F4DC5954E297751FD6AAC.TMP"
      4⤵
      PID:7012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qj3ubocx.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE57D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc8477C4E146914B7BBB8F4F1FBFA2404D.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5576
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ns75h0g.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5FA.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc18281BA7B2D140DEBB3563CBF0C1A9AE.TMP"
      4⤵
      PID:3844
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vy_0dobh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4760
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE658.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD20C1DAE7F64B8D9D617A26AAFB6247.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6864
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\kmbweopb.cmdline"
    3⤵
    PID:2296
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6F4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A952A0BE4B949C98D97F2E932BB5A9A.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3392
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0smj6yk4.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3388
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE771.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4B4836E55C3D43659B39171DDE1A4F5.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5708
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\6f-k1u2d.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE7EE.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcED0028C6A74F438BB2983321907E7C35.TMP"
      4⤵
      PID:6216
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\agu6phcm.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:328
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE84C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc933C8389E6924E468F7613F7B39DA19F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4412
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bie9rcs3.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:460
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8B9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc9E83BB32B8194ABD91F39FE99B80B2C5.TMP"
      4⤵
      PID:4696
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\byvp4jin.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE936.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc32ADEFCEEBB64661BAD948FA6749F2B0.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3220
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\opgnjbza.cmdline"
    3⤵
    PID:5012
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE9A4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc92CBC0FA94D34F919F351160CB998FB.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1820
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\d6ae9gc5.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2216
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA01.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAFE11B5635484ACB84D8C55FFE8729BC.TMP"
      4⤵
      PID:5368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\rwakoduv.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5632
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA6F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF4F07B74C1741D8BBFEE864B45E7A80.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3964
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7xffqnyf.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4560
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEAEC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D5216CAD66A4022A0C08D9AA29A8D6.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:6116
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\0xgmnnuk.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5160
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB4A.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC46C019F1F407D817FFC398215391.TMP"
      4⤵
      PID:3160
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\mm-vmm0c.cmdline"
    3⤵
    PID:4292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBC7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc2D8FB2097DC04B7E839E64A0CC12F175.TMP"
      4⤵
      PID:4904
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\firxug1m.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC44.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc364BC47929942359ED43C7D93C6E7B9.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xuy3ncnh.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4220
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESECA1.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7634ACDC83F94903A43213F1E8F241C6.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1584
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qsmko89g.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4864
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED0F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCBCF485933CA4E5FA8186121C29C5367.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5400
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\tu-0lx5q.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4652
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFC0C4B7DD785495EAA81F7968F2B1F.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fursicyg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5888
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE18.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6A9930324C614788A0F23548CFDD6B8.TMP"
      4⤵
      PID:3416
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:424
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      Drops startup file
      Adds Run key to start application
      Suspicious use of SetThreadContext
      NTFS ADS
      PID:6528
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3868
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\qxlzxrdi.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5620
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB0DC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc1D715F68CEBF40869A20FFCC7B38F8.TMP"
        6⤵
        
        PID:2192
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\oxwx1yuc.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:908
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB1D6.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB8DD738B4505461FA7AAC45A4C26FD2.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:7088
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3h20oi1v.cmdline"
        5⤵
        
        PID:7004
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB253.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4EA0A51DF56942A58E742CD6A571786C.TMP"
        6⤵
        
        PID:6976
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fi_xhysd.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3276
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB2DF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFCBB236C9DE4813A4E1FED987A0FC57.TMP"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\am35ojot.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6448
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB32D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc77FB7EEAB2D84055A2CFB6256DB6C988.TMP"
        6⤵
        
        PID:196

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\CrimsonRAT.exe"
1⤵
PID:2340
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:6416

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\VanToM-Rat.bat"
1⤵
- Adds Run key to start application
- NTFS ADS
- Suspicious use of SetWindowsHookEx
PID:6384
- C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
  "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4856

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\RAT\WarzoneRAT.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:5880
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jFvfxe" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD793.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2464
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\YouAreAnIdiot\EXEVersion\YouAreAnIdiot.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2300
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 1452
  2⤵
  - Program crash
  PID:4828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300
1⤵
PID:6616

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1948
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  PID:6936
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:3184

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\CrazyNCS.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\CrazyNCS.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2688

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5432
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5368
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    PID:2216

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\ScreenScrew.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\ScreenScrew.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5132

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Popup.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Popup.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:7044

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6972
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:3276
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3844

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Flasher.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\Flasher.exe"
1⤵
PID:3176

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\DesktopBoom.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\DesktopBoom.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:5760

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5380
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1992

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\DesktopBoom.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\DesktopBoom.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:7068

C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe
"C:\Users\Admin\Desktop\The-MALWARE-Repo-master\Joke\CookieClickerHack.exe"
1⤵
PID:5384

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1720
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:6944
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
9.1MB

MD5
64261d5f3b07671f15b7f10f2f78da3f

SHA1
d4f978177394024bb4d0e5b6b972a5f72f830181

SHA256
87f51b4632c5fbc351a59a234dfefef506d807f2c173aac23162b85d0d73c2ad

SHA512
3a9ff39e6bc7585b0b03f7327652e4c3b766563e8b183c25b6497e30956945add5684f1579862117e44c6bac2802601fc7c4d2a0daa1824f16c4da1fd6c9c91a

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\ProgramData\svchost\vcredist2013_x64_000_vcRuntimeMinimum_x64.ico

Filesize
4KB

MD5
28d98fecf9351c6a31c9c37a738f7c15

SHA1
c449dee100d5219a28019537472edc6a42a87db2

SHA256
39445a090b7ce086d5efb4ac35add13672fac9bf40eb481b54fa87302a3f45e0

SHA512
f5c2458348347798304393fdb5c77f4f7ed7245c0d4c7594deb0113262828cb8e210e7b48a4aa7c4d2fe1e31201b4e326cd60a6f9d4e3ba1a7fbef322dde0971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fdee96b970080ef7f5bfa5964075575e

SHA1
2c821998dc2674d291bfa83a4df46814f0c29ab4

SHA256
a241023f360b300e56b2b0e1205b651e1244b222e1f55245ca2d06d3162a62f0

SHA512
20875c3002323f5a9b1b71917d6bd4e4c718c9ca325c90335bd475ddcb25eac94cb3f29795fa6476d6d6e757622b8b0577f008eec2c739c2eec71d2e8b372cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
46e6ad711a84b5dc7b30b75297d64875

SHA1
8ca343bfab1e2c04e67b9b16b8e06ba463b4f485

SHA256
77b51492a40a511e57e7a7ecf76715a2fd46533c0f0d0d5a758f0224e201c77f

SHA512
8472710b638b0aeee4678f41ed2dff72b39b929b2802716c0c9f96db24c63096b94c9969575e4698f16e412f82668b5c9b5cb747e8a2219429dbb476a31d297e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2bacef941a59fd9cc2cfc0213b422f87

SHA1
ae80e327a07c7639a0855e5e31dc7ae59e252902

SHA256
844c33fe1cc6dbc0d66499c0faf09145079c0dffa1a88e5be6df977a723c71c4

SHA512
7acf8095dc50d630a1afd5c5e0d4f87cbd87f58298b054f2d9b1dd21514c292c6523e73d23b79f77795a8b370afaa7a070a5073365ad8f648720eccf2c3afbf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
d1e4147aba5812cc0b812c6c756119bf

SHA1
52d809cecf0624087bfc1ede628d7b3929b86022

SHA256
cb56b6234410414ba793e184cb571b3d345dcd7c5ee3128cb1b18404da838057

SHA512
2e555de7877f0db80520b894543238538d6749fd1e035d6d4eb7f137f268a36ebf4b76eb762a11a3a948a3109e72566a7ada93b5378166ea8d057d2f2a508cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
efdae9c5c7598fab4f127bb519a3fd30

SHA1
ad6b50e7b380c5673ab6bfe27e7d284816fca4b7

SHA256
1803f73f07bcc7e55b2a4793b65457a9bcea3d4443f09a6491029d2a1a61389e

SHA512
7c6b1a612c92b501e770e07f5ab952a1f1c0fc137af59c2be1b789820f24640fde75ee42b0f67f5083bb3e711a1b5ba4e4895ceb6ba39bcdee368e50710343a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
c11b9f942679da248184da4e918f88e7

SHA1
5071f639f90b8f1b74ab75704158f056661f7d0b

SHA256
10dae215fca55a68544e4129acbec654555aa7055c51c15b53c251e0b7e4144d

SHA512
65da1ae5784a12f4e96e6e995474765940f1ec8cd033ad07f8c87abb8979525ce470cfab9069c6a0477dc2cb540c5f2a1193e194a7446e126d5052f78d5c236a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
3316fefa6074890c3791993837c2db96

SHA1
528608d38d6bb481b50167c6ffc5cea32b67786c

SHA256
0b194c7d810c2d5bd3343f7b778c7ed5f12beab83b95a57a9f18edb20c812d0d

SHA512
85fd3024948465dda6b9e6006f38957eaef060e88e7110d0b5d54f4e49636d2399a807f1b8528f2f2a4804e7ce4e8c1614b0cf55f27293d22cc69932ef0b4be3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
497KB

MD5
48b5baf11b4b2c21513f906421a58206

SHA1
344ca9a7cea335978d69c5c00e006881ca016a6f

SHA256
08f8505555afc41b549ecd5e7d18c5dc9ed6bbbb6d6bdb9656591a86010df032

SHA512
9b5edd7bcadb437dcfffebd4f41c733519195005fb5dc0f41622a375df11fd827647ff6599d613f58ad1625e8f978f74a12bef7fe120f4c539a539dbe173a952

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002b

Filesize
172KB

MD5
aad635ebbdfcf68df49534854a83e786

SHA1
4c51bc46a62d0094899f3740302a81ce418af933

SHA256
12110a201fdbffdfe56482e21e3e5cc0fbf27738da2fea970658a6084a9486bc

SHA512
ca3e8cd6c06ef1681e07f4463f2dec6967f998ccdb6a5a2f6c88ffc7952b237d0fa641d21d9dc6fa3f87ebdd832e9491ae5bdc025eb42ca643fa972b1252a519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000035

Filesize
155KB

MD5
c0deae0f3e969a3d9db5017344c06665

SHA1
ddf39a65e505eb9c25fabf10ffe04c66c91465d2

SHA256
8bcc16e8fb0e9db5f5f0037881a3fcbc5c4280460a09c90200f69ab787886fe2

SHA512
3bd45ed51f57b2301fc6131feff9563699a41d663a4c77b62db5c4e3f442ce2d6ec89200ee9536be45fd351f7cb6ac811839dd2c4c27da4f9311b265252f1976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
167KB

MD5
48041d80f17e00cd3a111c004d785318

SHA1
4cd163ba0f4e92cb647d73f973590b5eed21e6e2

SHA256
c67c141c64f7ea3717da6d1e525af3b6dc1698c87c05b312036142d5355c0436

SHA512
168736deb6597d4348d128575c9accc80e8ccdba7be1eed021301f085bcbc32e2290319c2a1a480745a7ffe3838d4992baca9dea923258714b2cddb03976d15c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000038

Filesize
164KB

MD5
5737e78d49650fe608e19707b95f96fb

SHA1
b1825fcd146a02168ad64750ce404c5d433500d0

SHA256
dd52d01e776ebb5423ad4c702d8ed59cee16e39a5eb4fa796ca0ea4c21b13c2a

SHA512
00157963b06b368cfd853b6ab39326681173fc2216fba0165d16b4f8d2d347bc86d75de08a5e8bb1158497ae5562e1c3673871116f9b9581c60e4d99df86aaf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000039

Filesize
166KB

MD5
075d07e8760978ce1d445148fa3ff09c

SHA1
4fcbb19af61e7a4cff5084faa000bb68b70f1672

SHA256
a796efce4dc4cdaaed006e1475b1d6a1f69750d4c59abe848d4ab3d51ad600e7

SHA512
24a3fad9532dcd4d1aef6fa184aad20065f896107fe2f53f0de6322509d044a64d192ad59e36cfd79b53392f38807e66dc158e3fad21751390c8cac9b01b609f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
156KB

MD5
e33492057e5e85e8f688b38b0e118f83

SHA1
2c0af3b38ec1aac5f44b9ffbde7c1b6d1dc3451e

SHA256
b0f646aede4360f1694f454b96de4214a92d100f1b8a17d4ccd32002c3a52230

SHA512
62d9dcb41144cf8a4c5537ea00a6ec33a48861315694a3ede7b26797cb95edbcd35aac579d00d00352f859059b6d0dec4ca416095d348f7b1061f39170e20885

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003e

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000044

Filesize
17KB

MD5
29b8ae1d50ef8543dcebf4e9f53089ef

SHA1
90297279de99683b3903534459bc9962924d79fa

SHA256
2dcbd24e8f78b008251a1a0499c981a79be59fdf154ff9938a28ecb7e64cf12d

SHA512
6de295089b62bd50ff955c2e381be6bb0e59b1f0776946c5d3b5109fffb84ee2a673f49d2d5a56e5600d3b09fd8e9cecbcd0e677234a6f96c1194dd1e1c27c94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000045

Filesize
20KB

MD5
4f45418761264b0518669abb3872d552

SHA1
cc09cfae03fde26e0b6d7d24e6427f278a421776

SHA256
8d72fd76d38dda8f184c1c35090ed5a4eb6a237df62bef32250af13805a6976f

SHA512
5874873cf1c6a7bdc5bf4663428900ff80b71da8a8d70ef3bd46c10ab57925a54201818086cb92aab1b4a44144cb7a419bfd8d037c9fbed6335e27d7dd3f23d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
103KB

MD5
c12602b8ebdfd5ea5113f42ee978d526

SHA1
1159db5c354e5c9a73b2e072b3c0c5d02f3ff07b

SHA256
412aad14e7b55e51c4c56a88949c8f5ac81e06bd1d9b23da4378b1d9711a0794

SHA512
00ba76a1f0f08c969a96f4418c158d482eba611fa5984cec234ded9c7a1aa2e9e4dc2a69816c2940783289767212ac729cb7b3ae4cd002f772a5dc5d45bce3db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
33KB

MD5
646db53457923d02f47f5727f742c3ad

SHA1
8d249b3db6e923b3c1fdca9e26e11e976d95a2d2

SHA256
c44347c09c3f861e927596425e24a51ddbb4217371dfafff72fa094fda4deadc

SHA512
194d60ac64476aabea668f16a0e04e2e63cc6dd212e8fae5bdc63a89e72c24a40d08aeb3f5f0dc6e8b3695a14705506fbe344b52a2b72bb9959a2303928c0bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
151KB

MD5
5798ed517441299ceadfac1ceafbb1b7

SHA1
013971967d3148004d9fb388958ad5f7a497d4c0

SHA256
acb453284daf339512548d79ba355c5c11cfbff24b9ff5d06c3dff05c087cea3

SHA512
a8fe1e471fa08dfb3c97d8ba3019be5cb562b11ed71654b38c98aa54404f8970420b39a29161e544b6adc50d2a34518a5237bd7e0d1cb10adadf1a52886093e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
95KB

MD5
6c8bfe16dd4ae7b6e4ba9e3ec5a22775

SHA1
a73b1e05046876c41a1895515f56348ca64e3087

SHA256
f691b63a8fa0b8bb7c683e3a4afe993d59bb1276725f8763a6e28057aad03860

SHA512
340e09cf614e94db3f6e15f177eb15f0d2c95e9c3b5cc6eb05c79a316447b824339cfd4d4fa8c4a17547b82b9dfec866a325dbeeee8328ecdb0004a96c96ebcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
20KB

MD5
35e7f38567cf6977e6a2b77a4ef0de0b

SHA1
41b3b8a8bbb1b888f695e62bc464561094bb6b22

SHA256
efec2e67bd876ac3b00b4fb6c93c5f09f1487f5651aa74196e2de529c9975e40

SHA512
cb8042f83335a16c66765ede6b8bcd13add0c27710d74bada2f0aac91ccf4ad120931439e421449c5deaf9517431db78f0ccbcd94e28317723052d512f772e53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004c

Filesize
28KB

MD5
1752326ce45c039f4c5e81ea24c27c35

SHA1
4a22a9151c3c94d170cd3d23659e8e1a5a6f0070

SHA256
13dac981c708b9d1c6d7be7666ab5ff34718fe7d1362428217e88c75530774ad

SHA512
7ca5eb8b11184b97b7ecfed373420f7b9926839edcd36ea6bcc37a09190478175c49d7cfdb6dcbf1ecc8f2570feec9a0ac8aae08442fddef7986330043ff2d08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
91KB

MD5
93fa17bd5d5cb7c8a0b86d7aa0e732c5

SHA1
e282d9743e921b8f1d32978b27f8019287ccaf76

SHA256
ffc58ee1bf9f9681b4c431ee10b9f7f150c5d9b58371ca4b8cdcb68e38679900

SHA512
60439b80e6c21d097434a7dc7645febfa884290009547d9253cc232d2caff7d2979c8b338e4f29f200fb0086b3cd06f38c850e25a24bc7732080c3301d0b8c36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004e

Filesize
139KB

MD5
d70f41ed0825c97f04c3b962a8e7e2e2

SHA1
d2ae04955c2113b54aaa7b7e9a14aea57d8a6086

SHA256
4845c654ff7e9cb944a921779e30e7269d98b13e4e09939c6319d9f870f3602e

SHA512
f0b0ace43659df2c6c88004bc5f7f815afaf743813e2a1fc2902da95497a8f7ff4ddd2ff90c7d40e2112b65c5b9c0c3ea4dbebbc2eabde1924c8406082497eed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
155KB

MD5
f58ab33f98dffa842edbff8ef1391c8d

SHA1
7a1c23c3e84a7c68920fb44ae2a61da6303d27f2

SHA256
3eee5335b9fcbc91d0f730966eb41fc52a61b195a0215586b2101b6bbfefd2e9

SHA512
a5e71bcb88f1dfb9529578d0ace0dc10668168d9fd8c79e69403e0ccd21e0760179572f89994208cf6eb90d5101cb270ea891bdc47c6ad57609abbe9feb21ca7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000050

Filesize
20KB

MD5
e051fda9a4f2045f30b1bbb384714039

SHA1
fc9dc55b28e8ba83915343c734bed5937f3443b2

SHA256
3f569a7476e2187330dc593b7981f0291391181c609d6438973d690f463b6f4c

SHA512
a6388085504a848f6c4681acc91391e105a041c8522a95d0045c8137a9899eb87b9bed27ec53f6f8529415f422596ee66a3557e430437b6edd58289b25c2defd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
86KB

MD5
263edcef637a4d7ffac15ce24f41457c

SHA1
e6274006880d622d06f6fe7eb1aa290c8b7adba5

SHA256
b05714111c839214a2d7eb79e7728e112509c07e2571295a1836a7c3888880a3

SHA512
a83cae303dfd645e85d021f1e00076a549b9c40f11a0504553fad844333c7a856e412d5f2e5b4a8c4284c292695ce49e07bcb6dfd237ac9c1abbc5c91f1a7ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000053

Filesize
91KB

MD5
ddfc6ef2853a643eeaaa5f41985050ef

SHA1
bc5c734b7fefbff977f7f4be630a067b72207af1

SHA256
481f5d9b9d6b6bdb1521650c3f72eced2d9e80acc7d5172df8fc986a12842eb9

SHA512
93d777d7d1b3f40df3a3883ef6cc4741cf4a6ab26adccb4982eed5c640a42546aa364c7e8bc8313ee43237ff325c03276ee6af390b61b4adfafe8211dd2519bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000054

Filesize
28KB

MD5
9ebf52e1e4c1627a5b060601ffb483e9

SHA1
1cd01bdd300ccb77571251dde0be74a907e2ec6b

SHA256
216ea1737cacccb1a0e1a0c506bbfff5bd0c68aad94822fbf578cb81c7d72f49

SHA512
b029afb97638d132521022952ff84aebe822a53fa0fbdfaa359c410b03c63c72a23a9602cb64cf927e142dde1d3746ab7e0420c8cf7ac0c02af09eb11818a4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000055

Filesize
48KB

MD5
73a453ea5d4a2fb2916473737ffa7224

SHA1
6401625619addf96a9a64c7c3a8c3608b15233d1

SHA256
88d6624cced4fc50d398d759513b1475da2c29dca62572afa65859bea2950dbd

SHA512
8ecdda35045b2ecd76d08c985c87a065a152f7a2119fb50e5102a48f7bd098377ab2f772b19c6049269612a2b4bb3279de94b26f787705b98ad0d9c723e2a29c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000057

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005c

Filesize
66KB

MD5
06702fdff4205590c1caa29b580e9620

SHA1
966017a8f488ddc3707f7d2c22a6c7eb51f58f29

SHA256
7586590346cdb9520dc3cf7131e5662b3c4407d2624ec22dd0e1c1eb9725ce36

SHA512
7c39333eb130eba6c9f57c50b8b6fbebf90c3cd49bbd7a967c6d31f7b997ea085770b84caf4ae2d984898a445535a20777c671e382e2da01e21e1c40248d322d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005d

Filesize
41KB

MD5
3bc2b6052ff1b9feff010ae9d919c002

SHA1
dd7da7b896641e71dca655640357522f8112c078

SHA256
483a3494759a05772019e091d3d8e5dc429d098c30007d430639926c3ffa16e5

SHA512
0b1632b73fd87e8e634922b730f83b7950e9a39697a46a3429f0bebb3f1ebd14c815a4651ee8f663a437d00ecbeb6ddaa47b2fcad719777edf1b1de8a7cad0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005e

Filesize
20KB

MD5
6408c37d09ecb7370b4d61ea51a15ad0

SHA1
8fa447851c7db6c2a4e20a13d769ed926daee5d5

SHA256
38c4bb35d2dc312b0e82bf8c5098495fd12d73029dedb6014c8f3ead635e641e

SHA512
5436d6204625fcc424989776d5ceb7fbbe286bd37bf077967289ce336ecea0e1db85f064d51d4a18877cd96be0d20557c682bbf2ccc6e34d6e096557aa357311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000062

Filesize
20KB

MD5
b07da7aa3e4f363c5cdbc11312239e8c

SHA1
47bf5b2f24ea4a4caafccc89b9d2a6677ef9e3b8

SHA256
e44c11f4834bdd4d6b6da7b8ee5eaebc8acb41250cd6bce5cc82ea8262140eaa

SHA512
420729406b315d8af34b62b78f39e763f5cf33cbf94467457b393fde0573dd7ffc6a23f25680988f9b82a4a3b719876ff76f3e1db047ce82615f544fc3a82532

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000076

Filesize
39KB

MD5
9a01b69183a9604ab3a439e388b30501

SHA1
8ed1d59003d0dbe6360481017b44665153665fbe

SHA256
20b535fa80c8189e3b87d1803038389960203a886d502bc2ef1857affc2f38d2

SHA512
0e6795255b6eea00b5403fd7e3b904d52776d49ac63a31c2778361262883697943aedcb29feee85694ba6f19eaa34dddb9a5bfe7118f4a25b4757e92c331feca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
e2ab4bb321567ff96286c57f1fb53bd5

SHA1
a26d5700c908d2ce34be2547017cf9f737f40f04

SHA256
6b8f67b02668b129b90d95b20e34ff6e8193cfb6ff8b9c34f9e432e7a56cd6f1

SHA512
920a743634f7981bec51a3e8f312200f91cd396f02b1b5ade79358e4c8aafdd18ef5168ae7e159f5184abf4f71337cf613770906b831a6ab13cca994b46bddff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
771c0f26123ec196d40aa16dacc39ca9

SHA1
9020a439d06743593daed7145983a50c95f11585

SHA256
33e8988523fcf1513044d3703717202b0cf1717797f1d13cf417b4b48e2ac42f

SHA512
87fbfce962773b95c5a4011c39723843fb29b9473e30d17e7976849e9ce4524919608b4b2c155dba80155febe9b3768e06050549c0a5c775e5aa5b16bf1b8143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c2d0b839a62ad8029be64d91e07eedcd

SHA1
edac84cfe0c847541b026b9d7870ed531abf6876

SHA256
394e80f8867c56b5d46f6a9d5acff2984a36867700a2e7785f2bef53bf443efd

SHA512
e890ce4a2f1325887fed91444ef7dd39ab36399771aedff3eaf466b038e4e8fb374d0686d8283d96119871c0b9c20b6d6e9f03dd5a544314178f71268a5e20ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
37037ad9f5886921fd75d32787f055d0

SHA1
da51fac314e1fe8e04a3a5e6e0283ec9d3fcf5be

SHA256
f07b38cc67d4ee6ee08655c503462c510ff6c06b6a6b95a9821bc563d5c4a413

SHA512
85e24001717c8d339f8d2901126413a84787f8b8520f4fb00725e93e402c9aba833bf82c13433137236452f27d3c7e64168a5c35b2cec68ccaa955359d39fbb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
2c881b7a18ddf39cbad7163f3da92fbf

SHA1
422f8d1655890c0d100b06848959890cd32d9877

SHA256
c68c770db4a9312a314a6f58bf4386cb6c81e86eeb6287d888cd629c972af0eb

SHA512
08862f330e1cf938842a8009bbf9c6972571bb95fe9eda1721e577c02bc05650c00eb888dc3145d31bf9d3def551f24ba9aaa217768e97f724c09a69f95be015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
07270a3c3d923cb41b5b4418e6d1f337

SHA1
707425a06933ea825dad346f607892f94d5e54ff

SHA256
98335e7e15e5c2e2a11ab4aaf6c6bc9f4f5fe467f834666237951cecd3ec3927

SHA512
316d931b85f5ccde7b798df23ee2664c9e507adeb3c4d054e18ad2b13d2a80326f002533060044fe49204b2ffed68e734c18161afef45feb1d4b90746e7920c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
c630678ab025afa9d100d3a12a9b44be

SHA1
78617781fe5118f81bd2a63514df06d7c7d1d5c0

SHA256
7f5dc6ac34bb7346d088bbcb1e0a901164ffc7eb8168bab0a5f093c26384d6fa

SHA512
fb097bfd7f0e84adc7583cf316a5b1b1462b6f85d80fc0a0a8943aadbcd04aac18a8ca6ae3028d11cd5bbb46ccebf5f7a57bb203c6648d1918f75fe0be72a3fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
169da748249719ccf3dbc0dedf7b94cf

SHA1
582914916459dc19cd19a5d595358da8d23d48d7

SHA256
fecd2743e7a9b0aa0b80015a1e7d5b090f9199bdc0aa30cb1171c0cd62107090

SHA512
26b5769ba95a627524b0ca5af02e950d1c8a8b9489a0ce43ae7d2b8193984994665f45b04f5f543c69b50292a2cf671fcada04810168765c03a147a7e81fe230

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
19f87bbc10565899fb113a4f89fc3552

SHA1
f748aebac00e48e9213857fafa5bceb7c6656c50

SHA256
bf081c67a08dff26641c7dad77b53263c808ee407172f76a887e09298eaa5ad4

SHA512
f5b2f83b1700a43675548a64e3d89fb90b7cfd492d912537f63725c708f6a7249f8c44450fa12969ed231c6fea090fd9ceea31729c13f461d7de113fa4f9d431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
802B

MD5
cf99fdfcc9fa4af6f1a5308ae68eae8e

SHA1
983bb75e26b68c8d72388d9bc1bd30f5e0f7af2d

SHA256
a69ab47f2d0ee55010243e1a1859718a26672fc46ae6d32c07f680daf382797b

SHA512
446753adb2990f0421199b43ca835f87ab1150be875e3a2b1ce8bf6a98d30516cb55e42f8e4ef4a5a7fdc3a04a3ea803e9b0a0c22cc1ed666b4b8b9c71b5857b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
7886855602f2ffd2b4cec1a864949250

SHA1
24f8b6ebe0f967aa4747dd100084c3c4939d0c92

SHA256
c78f62850180e8842c0b6631faf2f55f4814f720321f09ada2b28b3954128ae1

SHA512
31f33b61e423bfa93cde4c53dc56f8b4af1d5f33dea44af2d2159bc0f691493b683269a812ea511651e8a382d03ff1310b9780e3d292252aa593e584c8903139

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
86d48a8ac926f9694229d3aad9782c8a

SHA1
db9c800895147014680f2fba0e3f4ac22a1f0856

SHA256
09629f8bc1d7ea6fc0b08e4392085f6344da9d34dfe6dee2113efae13be53eae

SHA512
1890476abd694f7bf5c4e914b39ba8c204be08e1e0df9560e6bc0157759de8e0d545d2cb504eb0375a213e3e3f5215e6bf36da454625b275dcdb8ac175ed78ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
643B

MD5
9b14771a4c375b2c1c330ed765b8c77b

SHA1
d4bcf337406a86cb6629a5a2f15eb827679ed1bb

SHA256
e4419e5f62e694a66a2cf41bde3ab8b99ca92d11751c3ffa6add9d1aa598b3bf

SHA512
ce2b0a6f60d95d463ee3d630775b7c4f61421b607b2a8cbc70f2c7c330f30feffadfe23e708bf993a37828e9447acf57729d55efc2e3776c7b7b6abe1c5c0ff7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
17KB

MD5
c97933690b16aa03858791d9113703a5

SHA1
77a031bad9ba210d6aadcd0761f7f4d0966ba4ce

SHA256
34d5d37b8f418b2cdc43b4e61ea3d3a84a47c22451c429c263a63d471fa46164

SHA512
c67319a94567b67ec60962b4e58998a836f9aa206d2ea40df03be5d1590c0952bb0147dad7997e8a28971c6641cb9118dab217f8d36777fcbc4eed9ab9ae6169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c86761a946af707fe7f2d57171c7b357

SHA1
1757cc290c7b483fef125df18a29c901af043ef2

SHA256
3b4178af33f75dbe631afbc90a5ff50b799d2a9ad3cc315c9de33b4b760c451a

SHA512
da4ec2c839a58e59b4e1ed47739032ddca8caa11cba6d7c7b5648531b4f137648be93426a93a46140aa62cb5d3b9906b3a49d8a2549d85712b35bbe514a55e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
6KB

MD5
569ea44fa2253cc0acb3edf6144dc4ba

SHA1
e56a35fc431eee6ee82d072e16f86aedc49398ce

SHA256
bf58964b6a3424cb7be846f00d0a36f0463882fe4afb5735bcca4805b180bdf8

SHA512
067e52ba82537b54b54c8ba237b9b35c065746fb8d3b33fba3bb5b1308097ebcd782ea6501df4936383e71b67ccfff0b9d37dcae4b997c7791e793514e52fa7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Platform Notifications\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
514ade9339181b6fa46dc3d730f9d4a4

SHA1
8528a5f37c5d6aa573ffa836531f0823f7601d57

SHA256
5b2f35f6027665de6ac62cc1e18b24bd63c2d70834d4151665445b63ebb56108

SHA512
2aa7b8cfb9ab93498d8ff303bb1d9e7fbcc09de54823cada8af15d5387b74979a3d3d443dbc87b4eaa83595b4584b0aab1ffa1e5af532464e65fabd0eea45d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72f98a8322eff8b6ced797b0d89f43b9

SHA1
3bebc276acfcc50001d5d6f3165f48097c1b97ff

SHA256
ca0fdf2b69ece53e3ee459a2bccb20dfae6bb29ee83013ae4bbcee7c6a30dc9a

SHA512
a3b497bdedb71232ca6ceae354a0a1a74e138d6a358623c0eaf0d8362b8bb159c9f17920bc2dd94a21726797d2ce42e4acee994911ed2b66852ab8b4d5f5c49c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f87e1da46a926894d5353ec5300a1d9

SHA1
3058e4fa3cfc24eab68858e02ee91ba0d721379c

SHA256
5c21a84dad42151300cdd664ee196185f8b8e4dc83fe613fd11adb87eaae8344

SHA512
92589b74bd0f73524008fbe5f02d274627f61fc571e5c3d17da8b79a2665c32cb35da53d6b9a2e48b27df5cefe841a4c98822ea799a0697c71483d9d3b7c2fd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
dd32e60991229380431c8b793da50c76

SHA1
8f5be92fbdb7479b241b0b4eb6a52a27316e484d

SHA256
e828dd886375b7bc5c4ae217e3183faa92e337a0ce2881d65489fd375082375c

SHA512
65e5a9efb5878917af7e48f3f20d4e57450e18c1b6a81495b625ed9596dab43a04ea04343c7c066e925a506e48f98d49bf46b2495393e381bcf615f18b445709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
cf2c8eaefa18dda84efc5682e02df38b

SHA1
732a248282d675b369f93c750e894e0eda833400

SHA256
46ec5259f2d0e342d57e6020ce4b2c004fa07a327fc021002e5a0d145a4fe537

SHA512
07144a3677a783febca3c23de86a99f80e949795ec2c42f8d356cf4c4937cf0b695b87fbb3bffa53048562fa109a38cc8744c3134f017811d7f6981c814ad7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d51193a0399992c56868e900ef51fbd1

SHA1
250d88fc518f5a14774bfa23cdad61afa77e5d64

SHA256
cfceddeae99e10ab29c7372d6c28505a94f7a4c006dabf471a43f10659505898

SHA512
5fb0ee5011308f8b801001a3bf35959a4c8463891b21be6b113c692dd2928372edd6017201251b36b7d197cdca458285932a886e792a524e1e5ae910597e78ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fd705470e033dee9203e2505c3d0885d

SHA1
048488611d09420f6bb3c3ce0ad45617333a2ef5

SHA256
9aa101aa9062e0b9b9d92197ccf15ee060ff26c8f6c04c825c7070601be9fd04

SHA512
6daaa88357a60ca0132bc90df467ed134c1c5478a38b073131ec8ff219649c1e8eee43f8911f75f036e20e01093da39c0f3d69748cf32bb388bc4620fb72e9e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7ff0d32f0cd9339eb4cb4a3117b6c2aa

SHA1
b4aa01a9f38590d035dcebdb190ee2c2bbe789e7

SHA256
f9dc4cb88936adeaddfd25295b08f51ce2c611982ec4f247ef714fb1fc9bac84

SHA512
63d88f7aa03a8cf25972efd434b847103ccda96e24e108423c88e383930b60564123a078a5cfcb9e30a6e59083efe4040cb6c21f2c5d597f862a27665ecb7962

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
229793694374c452bd7bd133efe67ab5

SHA1
f9e157d891414de8a8b40f835367ca5af7614e66

SHA256
f7ec4c1f3758370ac05660e649267ae65073cfeb978e2b5982b45cadbb77f2c1

SHA512
f463dcfdefa32a2894c15efbdb8fb38fb152ebb08dc9d7823844940f752c71cecea653acc59d489e08e431eba96be034ffc5a572c7a9c9057e3f55029064f4ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
79b27b7206f273157541fb429aa9e19b

SHA1
eff44548ea62522ffd1b1ec45f6e9523ab50495e

SHA256
747dfc7b82f628ef9c4ffc789a348d27d375ae0681e884da1533a16b9d6b84c9

SHA512
06191a04f1850a50639c57d21b713a468e6f6ffa7dbcacbe40fcd9fb76dd4597e357a6335dc9447c2ffa7f862fc8852adcbf947f28c09c168901b940a240285c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
60aee9a74229c3a0c68b3792f759adce

SHA1
3738e5a40db6bde57d59014ec9c1dbd63b74b9bd

SHA256
e43b1b27952de23077398b53bf654b2931e41135b5dda46aafe11b51f4e1336a

SHA512
53894ac3904de7156f7d08f455e57f30ca8119d2a997f54830d13608c817a1666d41bcbb20dc70b71b1a2d61078b0f01a112c58bbb20f9c938a261f15ce4dcbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d4f6fefc74aed605280dceedc4290300

SHA1
bb0d14360e8287ebec7b6bc5db90b9e9ab54d94a

SHA256
ec3b1fedf5bee9052ef71607fa29d6bc4ba5cd6ce154d4c71d1a56792a33d861

SHA512
001162144e35c69be6ed491691955a86bc53a1f7026511e6afd128f9cf06026a8456f47979c1c61c9fa507d31966fea48e9c34cbc4393e8f3d709d7a475f339d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
66ed55d780696da15505d6596f2f2f9c

SHA1
39ecb828c637277bab4b37b3244d3f76e38bac26

SHA256
c3650de6998d499f3f23f29e13219e03a3dc28c953988870b9a093dcf50a4416

SHA512
e2211c6fe6a9e26c868b3b1c672f1f4fdbc3b70d5bbfa8842437c174bded09a8eafe8362f7540a7b1ec905f72f9cc85be3b3b6b8394e3a7e3fb99429b93bff56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ae91a03c32e19b60548adccc8b446f8

SHA1
e93461f378a9c4e0e08c10aace7e277482bc8803

SHA256
0215f3330ffbdf02f68976f6714231de1d0592ccc2ece21cd79528e23eb12994

SHA512
7d3021f9112607e20c91983047936a06bad48a1105fbaabdcd8980fc55cb08047eec9bf30afa3c486e0554d75dce0a70feed15eff9a437c56564bd286a9a60f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
e2cc835122eb51ad020c070b74eba7ce

SHA1
9509f4ca9e288c3a982615b395c1a870c1b1cd34

SHA256
6558ce64986f13ff679b3f4fc0d0b3ef22c330902054fcd23b9bb3cdb3de7687

SHA512
8191f990da041539479f49da90e7850e36acc27bd71a4c7944ad01ef9e813395cbfc2d122164b9e5fee8b4fab28c22463828e5cee3cd7ebf9c337dbf3abfec82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d10f8e98c5dd38b59c2ec9ea36633430

SHA1
ec6e2fbf7e0d1bc21ef9d1597f2d0072d1b3feee

SHA256
1d652c9b852a96e19c3459382eb73462f33f86fb3e45cb82c1593f93096aac98

SHA512
c0d876added9d3ce30709806f0b77e91b4ee46ccc66e5e55a20e17dca94f60e4f72db1375f16a83029730a916aad85fa00a47eed9d71ad99ba2bfbcc67ec0821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
7ef837978c18ce40479a19bdab2ebd7b

SHA1
aeeea78ad7eddb78f9e4cb232bba576fa68b2491

SHA256
75dcaf176a98d6a73d4d8005bfc8f540feba20bd093019594a14b84293abcc90

SHA512
07719bf2a41693409e33a5f7b84d87c8c8f4d8f4ebfc5e451590d8ec31fa0cbe4d6ca05e46d727222c05c37752423e6f33a1f279e94454f1958e80f291a5bec8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
168B

MD5
17638f6cf9f3f61668cbfd135cc67db0

SHA1
3d66db6c4d85ee6d3952d6767a2979b4d4475f0d

SHA256
9a2c88c966c038e8ea67360ece7462ddfbf7bd358e38a4986eea9bce00c1798f

SHA512
1465fb1bc0f058bf5b1952f5c19305ebe893cb81f7cfc0aa6ed240d11c2a34e705d1e71707ad01452a9ceb3631dcf99edce9ae107e56031aff15e6ab6c4279d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
a665a9068cec35105421cd3c3159032f

SHA1
2d0b77fff4b0b30fc2a5746d08feeb55fdcbea30

SHA256
c90f7c211cabab53a683accb1017a353a5c51a14b6aec936041e4046aa1035ac

SHA512
8a535f7bf19b4ba6b0bb58c7b06e4b4a0f9b4fd2315fca7b3ce0159b074d957be9bb63674ea79bcce6297dcc99c4d08d8e8be9eeda4bc3573829fa36d31bb701

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e9bb19b2f90a70d4d72ed057b3b39f16

SHA1
8fb2c9c51470f57a69247c9618fdc5ed58d68c1f

SHA256
f6574a2551eae63cd450b67a8e565d34750e8dc1cbcb9bbc59fb805420c9ff06

SHA512
6549fd278f21ec03919ca4c51686fab915ecc59737a2d5adf8048becec689464b26409f1f466b23016fb5c5424ed12a6a201466d50eb706b1c6199bbeac09756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5a959a.TMP

Filesize
48B

MD5
b6dbe8ce72b58fdb7cba346b2b454ef7

SHA1
d753acf7dbb41160562f34a10f704340c932905c

SHA256
beed3574de9e6cc6765f39fe21c38de59dbbf3a34b42395273c48d45600cb42a

SHA512
3bc1c25702cf3ac65d53e72f8154882eb3a32c2f5d5dbe731384f04f8c8cf84fe92225aebb86c0e1743aafa41a0c64ff4ab10a01bcf3c7d99093921ec8f0905b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
434B

MD5
eb36f4ace41bea9a29888f4e9203001a

SHA1
691a6571c713a6e25d204682b838971995566d4b

SHA256
87591714aa828e05c734e7f231c667ce32665e1b5f148caeebdee99e65abad79

SHA512
f3f10a9d1a8b392ce289d1889c6dfedb988579094532d022d8b38ef19e6c4f4e10cf33e6971a44c4daf0977f32b9fa89ef2847afc291935cfd503365ec50c31c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
419513dc7716c4c75c88f995e5b1e5c9

SHA1
09504ba9fb4b769c9f1a9902a9bfd3329cab94fd

SHA256
1a1855680ba3e669eba875e3696c9c967849f156ba1a78a3ab610d9dfedba8a8

SHA512
515aba8fcf7cd2c043b667245b9767d414251317017c529b58eb62a995dcab5beae3711658eab46b820dd5b93356dfe953ef15a6d183feba9bfecea856851eb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13381807856201037

Filesize
6KB

MD5
0a56097fb639bd000b763147793213b1

SHA1
30c141b805d871671c926fe6984440806aa273ac

SHA256
3b8f5da5f5abf2278308662e90ce8dbda6d2d034ae6f4375683bc58d5fc9cc92

SHA512
c0d3a3a6491182e20ac6f5971d462e1737ba5675f6877f4c6eff5119b6f2a5a5264828c09b08abd014262c40f85c4bf5b6d152f0bab5068464079b47d48336cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13381807856335037

Filesize
3KB

MD5
2334b5eb9ed5d3802673ebdccd2daec4

SHA1
70ee56340f6f943769495c5f3da14e846d4241dd

SHA256
b951da7d8db928ce98409aca5bda9df02c28a9fab09420730cab90e05c5bc500

SHA512
c9c20eda92839e8c9be72111f077a67b472bf67beab5cdeada5cda25054ae97ec7f16efddfa7829c2f1765907509b6c5bad0da3354197fe787a9fa4cd803047a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
db66474d512f28183b5af7569bdb75c5

SHA1
253aecb4e17e0711fc11672c5b3f868479050fe5

SHA256
6c48b1889ef86bc5c11a2a264d5248324a0d9ecf8622b638e153f718c804f506

SHA512
e1dd0928d2ff2d5a4b2e40f8dca03ab98781facc6abd506aa969d2a7e66608057115350436bf24d1bf0a00f1170dbfc9a0a825506347ca1a8c95c167a4637cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
1a781c166fc57ce3440ea0274df676ee

SHA1
85e36e130a8acf0bfb20c39cef653ef3c247bf97

SHA256
c9d0f29670ee575ecd102a7742b267e8cb011be8948466699165077cb30b2454

SHA512
fff564b8cd353677dd29a3768fd88b3c11d6ccfd44666096a58f8904d54a21fa65533ff6a89852a9857ff28c9d198a0946182e7bee9e96ef54d4278aae7a833e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
e61b06701e3dc182137f8616dfed1f66

SHA1
14f1887a152d6464b8cb9fb6152e2a5d079125bb

SHA256
98c52e7f26353feb48f4e54ae882e7e5b3aac0d6c0939166249cde66b85e12fc

SHA512
24a63323f8b5ea621264f8d08e5aaf6587e790bcd56fae98ed752d1dbb4916caa884940a36b4736cf192261c507cba590c40f74a4746cf55eac5f99768c73250

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e4ed95c0e4c65ec164ddac9f759f6433

SHA1
e30dbe15352287dd1b94f305e3381064bd5f2eee

SHA256
7542774fcd588f3ce45f0e3af5119bd3db1ee26dabbcc8e8a99617f42836bf0c

SHA512
b9a4cad36c59f8f29d869cb71920df8f50313c15b27bcba16bcd1f25a61e6d652507e80456a0d4f1ffe42c8407497b3d6c2fed7e5d335dfd345f8a0e8eb2b4c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cb3ffa86af94cfc5f5dc296121efb75d

SHA1
56d5592adb25edddc969734d16718d4c937d5efc

SHA256
8ab3b6d5d0916d4bd4da46546ffaf566b732e122514226bdd2db2183f028d429

SHA512
110cc08d7637485ec7bf082017b370fb64a3608628b5de0bc5bde9a523acc1bd533463df3987aaf4c85f540195939c27a86a492382d865e43fe76f6d4e54b8d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
43ce8e5aee034ee0af9279a09d899e56

SHA1
b2a214b4fea18699ad05ad9461247e9a33f63178

SHA256
ae5dd476887b9e5b16ff99395582496f00b1e6ce7bb3aee7cfa88f3bb8136f7e

SHA512
8f344b487d33ef634d59e3f2d17234af89a21f91f739ff274e4b8ae6d693841da509584a8f929e369157942a3f3df21d7fccb3fb4ef3154f3a514ceefe715044

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0442031c5f1c00f76aa7897a53aac4a4

SHA1
0d70aaabf574109015592e7f77456c0e54ae8c30

SHA256
edd91d900101233d0ba4c3ca70d68f1cba799fec2c11091df8f727835da32f4b

SHA512
d0090c78d95f160e851cef383b5425955d1cf827cdfc753b58ecfe294c3358dd748bd2956a6ae47d126458cd6cba05cc89a25ff059bd2c093ee30900c2780067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
2b3335c93a38ffd9a258d221bd491f05

SHA1
61024368daae030f6a24e280136845b635aa0077

SHA256
dc08b63562a31d580e3b339e6f9b3d92677d592c80d6690f9afaf4f9c8da3ede

SHA512
242d6ef6a71dccfd48d9ee8d280e36915ca6ae272b3b5fe76f62cc70f6eb46b2d4151ca9e88ff68cf1f8b272e0611ccf8c03bd1e36094e2470696e7ff2e6bec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
3677a928ce1efa4f314931b1e5ec5525

SHA1
607d898fc2e8fe5b0d079be75cae3898417353ef

SHA256
48e9e1a35ad038933cc0078cc6266e1eca8df55136c592e7814210531261e422

SHA512
3d2d8c30b9db5f603c4d6052cf8ba73941c980a167ea5ec2a6cf7688ed14c846cad7b32e9342e5b946701e922481bc74e8c3af7a440761964c32f051be7d4642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
28e30c39294855c201f93a95cb698ba9

SHA1
fb2f094cc5a3beb4381c747fdd53193c9eab0b7e

SHA256
53f592a1eede263a5d3d8859f7f3ec47a43d113c53ea1dba460bc4247e87c353

SHA512
78fb7472bc0972fbab862112e9e7bd8f0353a2f87b47b500aa89f9ebcb099489003b219538befb7c369f271bd0d4e74603159bdedf23187d067f149445188f18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fb134c6956bd0e7da80489ff2da23130

SHA1
ede1c146e5fffeae8b1fa60dabed791b8aad2dec

SHA256
01d6ff9e2debf77694b980e182ceda0e94a2968dcbebe2805def7d1abec77963

SHA512
04a6582d36c6c368b0918c53b1a799d3fd66df371b0750d13ae72691c5197bbf1f9be7076dde1e7928f12b3dbf22d3709d2b1aca4c5d162c578587fdfbd69e66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cd2114dd1747122de0c93c142b2c2f29

SHA1
c0450b85e8288097de98afd99b5e37ac4fc8226b

SHA256
c693b4c3efb907f1a8175d922484623fca070595abbbdfb20ecc6224fe9dd18b

SHA512
664a7560e6cd555952a0968ed8c57af6a1d6e8148b0167cc69d1e1de866c56ab6fff7f2ef84df77c8015a80e80f81ec8f82ad1b1e8e005cd11c3ab699d9f28f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
0a783a552c9cfd16b78cae22b4f06a18

SHA1
b19cf304bc346e2fe5c94a0a19f42ab70dd7b0ce

SHA256
136918bd224f3a8be1654e0ceb3049df9efbc5cac26ebf234b222d6bc71f5670

SHA512
86baa37e5e5a924924f591e1452e8b5553a6e6f78856c3a0225c46336ee79cad36d059f9234e97701a25cb90fc2af7687d5839d42421262aeeb8b7340d473825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c8824179667a92e07aa04750e329d3c9

SHA1
1d23ae1567e206e8455c0042c8c2a2f9cbf09110

SHA256
86267b544d22542c60ba25d3f04a6bca32cab501fa40a3e3c04ea6008a7e6663

SHA512
7192d4f1cefda713d6fb8f0ad23bd7c921ab51836fad4fb1cfee7ad8b25f14e8c326925e8aa9f4660769cef61cb673a92ffbd4730e844f9a64cc40bd2b74ec66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
1b83492a4de238b047bcf79744f245de

SHA1
a672af68c2febb64b0bb4b0d295965e873dd353b

SHA256
ef5d0fab6b8ba2496ed89b0e9b62c8a51f742d0fe67d80ab452a6703beaf108d

SHA512
38dfa0d2083ea4a27df14b3d2832538904f15f0e7e423adfb97421314856b2da98943764a50fca91022a23b04821620c0b6681b46adf8b5f7199ac83dedbdf0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d254.TMP

Filesize
1KB

MD5
099949b29f024fbfb90fa3a049fad13d

SHA1
0ec67b373143470f84712b75003a89ace1b72f4f

SHA256
130cd11adf93e169d14d17f641b2b20777efe707b2d2f25df21e354c5b44a6de

SHA512
e2f1fc44c8a4dec6bdcee7da0a5b33b1a6664e25e0054f7ae57f9bce18e033501067af0baebfa21e0fec9da1138de7c3073cacb5308a1ef32e5bc00384812223

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
d28554f3c6c0529ab81c8fba471ccf43

SHA1
d83a3f5855242a6fed008954e9fe7ebed649715a

SHA256
6ab1d7ae9a3b4a1d26910857b1d33ecc77fcb2b694e6386dd776d8a1e8d078a5

SHA512
3f8a23b2d1e62af7dd7e796d9c8ba9d18270b490ff901e7453d632e6f543efe04c1887c3d3f6c8bc8e942b392112ffec59eb7b9d371934f112a9e1f850c42447

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
6e6e469ed7af3ff3c4486258854302f7

SHA1
86a19e21825cc723fe623d42269fd5a544cb171d

SHA256
f61693b21388cecd9e2d1fa86b77eed356b58bb85d163cc22f377aa405c35ac6

SHA512
f03d5b9677c9f66cab80dc6dc30710a2e11adfa673287ed51fe53768e0b98533d11c69d518b0bad40605fb336528a15895a347fdc28b0eed089c8630d400a0e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
f3d59dd61315e228e4e9526cbeb89a33

SHA1
b44216f99d67e9831454593e039c463ebc2173cf

SHA256
bcf7f0f4b727f95ceebdfe73b10337f325473efe62e9969a36a25ab07358b725

SHA512
90f9c25ba4d6b45aaf9bf03294d6123a1d4e627dfcfe8c18be068612c533c83e1fe6de185d81036cf9c066d8a6902a563f7dc3abbf668766b6422cb68a94f31f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
57KB

MD5
c0e2e4fcd6b8f26c1906a49747f76a2b

SHA1
8146308c0409203f8c55cc022d1601378f5eea39

SHA256
a1065f4acdcf2cdc64b3e1929ed37ca85877c7d29aca35cba4b7d2c06e8342aa

SHA512
15107d38f33746c60fd11fcc3ddbe98c211f8d13424aa2c76bc8ff158134db59aec4094a8c8a537980f99bbca3a11628ca8136e88b347c8a070910654947cdd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
45a6e5c0320e094b69b0322e7fd6b1b8

SHA1
29334a069518a023e5e7c40aad526d74e58590db

SHA256
f5ff3dcb5322710ca771f541f399b2bf54c928122841f54d6c4be2dd7aca86ef

SHA512
3772472f889416d85dba90c234e4367747b7e624625e0f9a9bee1806108b92220a2102c8f3babb84d9778b0b12b0997949f6325debe38480a4604c49dd9f2ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
77f5751eb8862e3ad683f41f3239543f

SHA1
6508a33235d11fdfa753e2a30b2d07229647fa07

SHA256
31c7cdff82e1f70f8274545f944ac7e9e62ae5d7e0a103f1506ad2480289b53a

SHA512
480e86b6b5f60cf3869a424d1ab7f2dbc948416dae7cdd86a99a10b69edc18e0ebc919a7d20cc90592eb2d6f7c8f2bf0f5e123828743d2d7303c9f30898cb8e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
96bbdfe9ea52f3d5cefb1f2c5e4d4b17

SHA1
bfa76cf28ff35e004f10cf7a63f833e41a2db544

SHA256
dbedc8b5e74724df36d77004d7b012e4e4aad8b0f1008dc2ce775e6905ef0bc0

SHA512
be85c078ab616637c6fb7ca206aeed646debff0e2cdd18848e9fefbaf853d54d67b64e14bb794b7908a1de3f666b124a3c780941acdd8ab5df6aa6d00e4e3a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
fe38431cfa5fc4546ab5c66002df4d26

SHA1
8f07a7bfc99c8e5ed8460790bdb38360992a5d35

SHA256
a7fe515a2932d3e515c613b12243a8a627987a01765845ae76a4536e947f0111

SHA512
ccb504ac1da7827d2799d8113a84acba64f818f403ef81ab8ccbb97c47b72dbe114d2d001e1c5044d46846e757150071fc918b128e9c9427ea5e25fafb6e4b1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
60ed1aa8d7e700d2f5acc84cbbe7673e

SHA1
e82c92a5609a05850d1ad6906a92e993b28d0cba

SHA256
904e9975d2f6da95e31b187a9136f9dcf98c101cd34c22e47ff7b8b918b4a90a

SHA512
b8500291f15dc455c8009be9f169d418ae6227fcc2a88e67803903cd02057f8f065ab88dfc5870d362c3e1b46d801256c1913ff2aa8fef209b6f494084852e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
8a6de8d42190b548b82ec37c0e897701

SHA1
67d744d42ccd8c94d4eeec6b5af7e4ec3e48a33e

SHA256
38f1fb3102c900d269afdd197cad95b531f87ccbf90d2688709f16729b9ac447

SHA512
518bd33cf7e8733af5105ccae18490f6cf329d33280601d509ef86d0e95f097023ec0402d4f32b8618ba93ba77db0fd56f352c145331b3c9e5895cd0c2d0db40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
20KB

MD5
ef9588ca82f853399e5968af99985e74

SHA1
80d9df4f75c3e789ddf10584d9ff9de2b6154cb0

SHA256
9d550015f47a4d5d502f8a2f5b33bd9cbd136f4fea7c64754c8cc5a9651f7fe5

SHA512
a77b6b0bcea459ab4fc1e5d0983e85b86a6b0835849345f6afbfb27a5e84d8d1a38ff16e21ecf862e95d0a74e3fe97fda28bea66752b8bd64fd44c8ba680a5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000004

Filesize
16KB

MD5
d9a68b04c3acd7ae8b7ab84b30dadacf

SHA1
15fa5365fcb7f850c972a49bd8e4d17e1555b676

SHA256
8e0551ab1f33d2f58d48228f918a1bd13ceb2f9837d3210e498be756681ddc5f

SHA512
9cd59753e3a8e750d37fbdb4de27cb7a4255180e85c9deff601a1824f17dc3d2bc1a0cfffea565d825cb27e6304987ba9456d733ab7af11fdbbe5b4460a1b6e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000005

Filesize
17KB

MD5
c163efe909c3e529ef27177fd126f9d1

SHA1
248d4c24fb1fb7f8d6f37629cb04b8175ac2e8bc

SHA256
f816041d56546ab402df3210ba540f9c3e645a2ee7b4fd4608a6da48749b6489

SHA512
4613a2bfee55f12b8ef67a01a45f164ecd40ece1c3e41f419b490d8ab5e112a66257806585e1c024b421677e6453e07ebc6c68faba5ff7cd1efda99afc55a1c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
38210208fc2154e7b0dbee8a5b0f160b

SHA1
47244f0a80afda4a0b0111aa99c08e62d3e75ed6

SHA256
c7ac174f58555bb4290eb48a023cfdaae95c2c48c5ec5465dfefa1410532c9a5

SHA512
d61c84eef0bd6da647bb393a648304b68cec3ecaa9413e75e4c814dfde3ea963a85d0eed4cab5db6280aa0586ded567582c9ec54f6feb9a207634afc6dd5e2d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7b50edf5b04cc54e9059016af3a9fdc8

SHA1
c75f54edb35f41b6bd6a224079f68351c644c684

SHA256
399404ddeef30ec7c7cdf5a9112f18c46894f825b46290bb1a5b56c9ad585a9d

SHA512
a1eeab6559bc2148105847b85227b1ec108b4a6996c4c467ff75eb4b9825165d9c24e099fc29d416a188c05b235b934d6a853793792f085c803ae2b550768ee9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
87c7c4b9b99214e341e6014fcbd39c53

SHA1
ca1745af82a4c521a78262b793289bc4c5a9a4b6

SHA256
2db71ac0ef39e7607f48acded4b619275f074e667da4891636cc63db3b5ac1e7

SHA512
1de965e5c0d698629b4efb3960f328e40ed0caa1a43909fc8f9aa883f4d1c0b6237176582719ac6335fe30efd6867fdda679d9ac628c5e35fa43823f1abb6e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
97a97955fe62b306be334c459aa42043

SHA1
6f81c84da91866de69a160519d35713c347e62af

SHA256
94a2a3fce138d99dbe8a2889e0691933b2c64a2a249cfab51bf6f498f72bbfd4

SHA512
ec0a6c5a442ca22462973469ecdd581da1a570acadf3de40de41cdab68feec7f50523c2da5bdef3ac99d9bc0244cce9e331f3515a027cb7cd416dfa991653d8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d64333e009199bf1500bd0065becdd2

SHA1
c541fd8a69cd59be46f40870665350be42f0b707

SHA256
c4ace44e90bac5deae0ac7356ae6f76cb26854f9661f0117ba9c4adde407371a

SHA512
544a7bc3f9cf8724cf16036ea290f566a907dc0c7f3c960c21b3fc2e1740b8d948a00c03d8bc1c3379b158737b9f7842f78e09b809354c7db7d1ef33e54c2b26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7f0fad313030c520220ce26dafdf77ae

SHA1
081ccf1942423246ed36ae8feb7cffa29e8f28ab

SHA256
8e9aade5f9d950ebead58619d207f2d05cca81deab4b2258e673a79368f2c93b

SHA512
83aa6f2eb3634a782af2015920edda7884416b3d97bd17aad41d5e881b58a2eb6575ba9c7ca53c5737b57a72b961f941c752f2ebc5000d14fbd071f7e8d751b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c3ad27b28d84e8e6fe17edf563e21662

SHA1
247ec885af16c688268862e8d38ab730c7ed82ec

SHA256
73ada7c5c81a7a713a52c64c3e258c93a611f867c4f97ce3c609b8930300926d

SHA512
ecc7508209f25066be916e3533f90dab37cfd4369b130e49081086fe6f79bc1a8ef15445c9f2d9552214931c7d52d54a074a9f7df5370f5981c927174acb320b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
55d034eb7aa8b40d6aeae9301d0d5744

SHA1
bcfc02823f5ef356dda49cf13040582acb37a6b9

SHA256
3d9f42be2670854b189802b83c4b214101901c9938d134621987cdbaee093c88

SHA512
2648add00eea55a078f0a8865e93ac8d1f3e36593948071ef67f3a515d0ad3f0de0e47aa77c6f3b11edf4c85a9b863ac8a9e9892711af0ac9ee802f05bde7846

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\c0810d09-538c-4332-9897-7bb57e236b4b.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\uRClgZblR.txt

Filesize
88B

MD5
afcdb79d339b5b838d1540bf0d93bfa6

SHA1
4864a2453754e2516850e0431de8cade3e096e43

SHA256
3628cee0bef5a5dd39f2057b69fbf2206c4c4a320ea2b1ef687510d7aa648d95

SHA512
38e7e92f913822cc023e220035ada6944ffbc427023687938fe5cbb7a486abad94808239f63577c195afb520fe1a1a1b14e1050c0c03c7d324ddbf7cffdc304c

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc77FB7EEAB2D84055A2CFB6256DB6C988.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcFCBB236C9DE4813A4E1FED987A0FC57.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\0a6994ff-a17c-4b41-b492-0135a60e9634.tmp

Filesize
5.1MB

MD5
5fac76048031c23f7dfe756326b58eca

SHA1
1f067389fbb7318913aafeb3679c31e95df68e18

SHA256
9908e40b17d875ef65d21e9376c932a4c0047c6c198e062009dc3e299294f386

SHA512
bf964dbc5aa98ed9a48deceac71a6f474ef0d1d43044a5e7c58ee2518239aa3f3a3457326f0b110577304e51a2fecff6841ad22149a4a410d6897ba0e9002c78

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe

Filesize
756KB

MD5
c7dcd585b7e8b046f209052bcd6dd84b

SHA1
604dcfae9eed4f65c80a4a39454db409291e08fa

SHA256
0e8336ed51fe4551ced7d9aa5ce2dde945df8a0cc4e7c60199c24dd1cf7ccd48

SHA512
c5ba102b12d2c685312d7dc8d58d98891b73243f56a8491ea7c41c2edaaad44ad90b8bc0748dbd8c84e92e9ae9bbd0b0157265ebe35fb9b63668c57d0e1ed5f2

Download Submit
C:\Windows\SysWOW64\Windupdt\winupdate.exe:Zone.Identifier

Filesize
92B

MD5
c6c7806bab4e3c932bb5acb3280b793e

SHA1
a2a90b8008e5b27bdc53a15dc345be1d8bd5386b

SHA256
5ba37b532dbb714d29f33e79dacb5740096fd1e89da0a07b9b8e6b803931c61a

SHA512
c648be984413fdbaeb34808c8164c48b5441a8f3f35533b189f420230e5e90605c15fde2ce0d9fe42e9755c594dd1ef32de71a24016277ad2cef2f9afcf0ad93

Download Submit
memory/1752-2078-0x0000000010410000-0x000000001047E000-memory.dmp

Filesize
440KB

Download
memory/2156-3015-0x000000001C5E0000-0x000000001CAAE000-memory.dmp

Filesize
4.8MB

Download
memory/2156-3017-0x000000001CBD0000-0x000000001CC32000-memory.dmp

Filesize
392KB

Download
memory/2156-3016-0x000000001CAB0000-0x000000001CB56000-memory.dmp

Filesize
664KB

Download
memory/2300-3375-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/2300-3374-0x0000000004EF0000-0x0000000004F46000-memory.dmp

Filesize
344KB

Download
memory/2300-3373-0x0000000004BF0000-0x0000000004BFA000-memory.dmp

Filesize
40KB

Download
memory/2300-3372-0x0000000000210000-0x0000000000282000-memory.dmp

Filesize
456KB

Download
memory/2340-3022-0x000001C7D4000000-0x000001C7D401E000-memory.dmp

Filesize
120KB

Download
memory/5848-2079-0x00000000001F0000-0x00000000001F1000-memory.dmp

Filesize
4KB

Download
memory/5848-2080-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/5880-3084-0x0000000005620000-0x00000000056BC000-memory.dmp

Filesize
624KB

Download
memory/5880-3085-0x0000000005580000-0x00000000055A8000-memory.dmp

Filesize
160KB

Download
memory/5880-3083-0x0000000004F30000-0x0000000004F38000-memory.dmp

Filesize
32KB

Download
memory/5880-3082-0x00000000051F0000-0x0000000005282000-memory.dmp

Filesize
584KB

Download
memory/5880-3081-0x0000000005700000-0x0000000005CA6000-memory.dmp

Filesize
5.6MB

Download
memory/5880-3080-0x0000000000320000-0x0000000000376000-memory.dmp

Filesize
344KB

Download
memory/6384-3058-0x000000001E140000-0x000000001E450000-memory.dmp

Filesize
3.1MB

Download
memory/6384-3057-0x000000001BFC0000-0x000000001C00C000-memory.dmp

Filesize
304KB

Download
memory/6384-3056-0x000000001B240000-0x000000001B248000-memory.dmp

Filesize
32KB

Download
memory/6384-3054-0x000000001BD60000-0x000000001BDFC000-memory.dmp

Filesize
624KB

Download
memory/6416-3052-0x0000027592640000-0x0000027592F54000-memory.dmp

Filesize
9.1MB

Download