xworm | 56ef629323495497970ffe5efd4c3197bd8043825ba264b9e6294113675820ac

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
03/03/2025, 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

X.exe
Size

44KB
MD5

d8dec448ddbb0749bbe3f4259c9bc29b
SHA1

93886a2b1c55fa6ff41ac5bce6945e601d355f8c
SHA256

56ef629323495497970ffe5efd4c3197bd8043825ba264b9e6294113675820ac
SHA512

20739296d87d15b801086a8e7478875722e83dc1fd4004e9905a1c6f8c0c8913644bcf7e5b7aecb760f4870354118fc10d218f952fcd7b204c1f0ebae4e4a400
SSDEEP

768:lFM3oVOl50FADMe/e2TSAlsUUd3FFRPG9+I6OOChwvmbW5:jMK650osOirFw9+I6OOCCui5

Score

10^/10

xworm discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

127.0.0.1:36623

fax-scenarios.gl.at.ply.gg:36623

Mutex

iq4Cbvqxc9yxmDW5

Attributes

Install_directory
%AppData%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/memory/3356-1-0x0000000000650000-0x0000000000662000-memory.dmp	family_xworm
behavioral1/files/0x001500000001e452-61.dat	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
3552	powershell.exe
1584	powershell.exe
2260	powershell.exe
2020	powershell.exe
4076	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	X.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	X.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	X.exe

Executes dropped EXE 2 IoCs

pid	Process
688	svchost.exe
4700	svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	X.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 18 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
4076	powershell.exe
4076	powershell.exe
1584	powershell.exe
1584	powershell.exe
2260	powershell.exe
2260	powershell.exe
2020	powershell.exe
2020	powershell.exe
3356	X.exe
3552	powershell.exe
3552	powershell.exe
764	msedge.exe
764	msedge.exe
3488	msedge.exe
3488	msedge.exe
3168	identity_helper.exe
3168	identity_helper.exe
5384	msedge.exe
5384	msedge.exe
5280	msedge.exe
5280	msedge.exe
3748	identity_helper.exe
3748	identity_helper.exe
5048	msedge.exe
5048	msedge.exe
5268	msedge.exe
5268	msedge.exe
5388	msedge.exe
5388	msedge.exe
2344	msedge.exe
2344	msedge.exe
5168	msedge.exe
5168	msedge.exe
5136	msedge.exe
5136	msedge.exe
5504	identity_helper.exe
5504	identity_helper.exe
6920	msedge.exe
6920	msedge.exe
644	msedge.exe
644	msedge.exe
5364	identity_helper.exe
5364	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 34 IoCs

pid	Process
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
5280	msedge.exe
5280	msedge.exe
5268	msedge.exe
5268	msedge.exe
2344	msedge.exe
2344	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
5136	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe
644	msedge.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	3356	X.exe
Token: SeDebugPrivilege	4076	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	3356	X.exe
Token: SeDebugPrivilege	688	svchost.exe
Token: SeDebugPrivilege	3552	powershell.exe
Token: 33	2600	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2600	AUDIODG.EXE
Token: SeDebugPrivilege	4700	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
3488	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5280	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe
5268	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3356	X.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3356 wrote to memory of 4076	3356	X.exe	89
PID 3356 wrote to memory of 4076	3356	X.exe	89
PID 3356 wrote to memory of 1584	3356	X.exe	93
PID 3356 wrote to memory of 1584	3356	X.exe	93
PID 3356 wrote to memory of 2260	3356	X.exe	95
PID 3356 wrote to memory of 2260	3356	X.exe	95
PID 3356 wrote to memory of 2020	3356	X.exe	97
PID 3356 wrote to memory of 2020	3356	X.exe	97
PID 3356 wrote to memory of 3628	3356	X.exe	101
PID 3356 wrote to memory of 3628	3356	X.exe	101
PID 3356 wrote to memory of 2336	3356	X.exe	109
PID 3356 wrote to memory of 2336	3356	X.exe	109
PID 2336 wrote to memory of 3552	2336	CMD.EXE	121
PID 2336 wrote to memory of 3552	2336	CMD.EXE	121
PID 3552 wrote to memory of 3488	3552	powershell.exe	122
PID 3552 wrote to memory of 3488	3552	powershell.exe	122
PID 3488 wrote to memory of 32	3488	msedge.exe	123
PID 3488 wrote to memory of 32	3488	msedge.exe	123
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 3452	3488	msedge.exe	124
PID 3488 wrote to memory of 764	3488	msedge.exe	125
PID 3488 wrote to memory of 764	3488	msedge.exe	125
PID 3488 wrote to memory of 656	3488	msedge.exe	126
PID 3488 wrote to memory of 656	3488	msedge.exe	126
PID 3488 wrote to memory of 656	3488	msedge.exe	126
PID 3488 wrote to memory of 656	3488	msedge.exe	126

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\X.exe
"C:\Users\Admin\AppData\Local\Temp\X.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3356
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4076
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2260
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2020
- C:\Windows\System32\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:3628
- C:\Windows\SYSTEM32\CMD.EXE
  "CMD.EXE"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "while ($true) { Start-Process 'https://rickroll.it/rickroll.mp4'; Start-Sleep -Seconds 5 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3488
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:32
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
        5⤵
        
        PID:3452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:764
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
        5⤵
        
        PID:656
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
        5⤵
        
        PID:2628
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
        5⤵
        
        PID:4640
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4940 /prefetch:8
        5⤵
        
        PID:3336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        5⤵
        
        PID:4924
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
        5⤵
        
        PID:5232
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
        5⤵
        
        PID:5352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
        5⤵
        
        PID:5360
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
        5⤵
        
        PID:5540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,9721257399585418835,15922250924778396157,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
        5⤵
        
        PID:5548
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:5164
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:5176
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:5292
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
        5⤵
        
        PID:5416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
        5⤵
        
        PID:4072
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        5⤵
        
        PID:5856
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
        5⤵
        
        PID:5868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4952 /prefetch:8
        5⤵
        
        PID:4676
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8
        5⤵
        
        PID:1008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2236,1171377721090620167,12652059058697694226,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3716 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:3748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:5268
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,3611255073052926773,6472034157183879999,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        5⤵
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,3611255073052926773,6472034157183879999,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5048
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,3611255073052926773,6472034157183879999,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
        5⤵
        
        PID:6132
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3611255073052926773,6472034157183879999,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
        5⤵
        
        PID:1540
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,3611255073052926773,6472034157183879999,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
        5⤵
        
        PID:2864
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,3611255073052926773,6472034157183879999,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4932 /prefetch:8
        5⤵
        
        PID:6060
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:2344
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:1156
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,1797081220073131362,5610375244660229742,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
        5⤵
        
        PID:5384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,1797081220073131362,5610375244660229742,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,1797081220073131362,5610375244660229742,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2976 /prefetch:8
        5⤵
        
        PID:568
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1797081220073131362,5610375244660229742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
        5⤵
        
        PID:3748
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,1797081220073131362,5610375244660229742,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
        5⤵
        
        PID:6092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2108,1797081220073131362,5610375244660229742,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4928 /prefetch:8
        5⤵
        
        PID:1208
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5136
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:5680
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
        5⤵
        
        PID:5160
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5168
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
        5⤵
        
        PID:5820
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:4336
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
        5⤵
        
        PID:5356
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4868 /prefetch:8
        5⤵
        
        PID:5224
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
        5⤵
        
        PID:784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
        5⤵
        
        PID:4352
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4004 /prefetch:1
        5⤵
        
        PID:4752
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
        5⤵
        
        PID:5372
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
        5⤵
        
        PID:5348
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
        5⤵
        
        PID:6140
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
        5⤵
        
        PID:2184
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
        5⤵
        
        PID:1648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
        5⤵
        
        PID:4404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
        5⤵
        
        PID:5080
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
        5⤵
        
        PID:6496
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1948,2241669764155735675,4868174258371909487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3076 /prefetch:1
        5⤵
        
        PID:6912
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:3028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:5648
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:5956
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:4768
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:6068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:4748
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:6028
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:4048
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:5560
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:3936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:6428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:6444
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:6776
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:6828
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:644
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:5472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
        5⤵
        
        PID:3596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:6920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
        5⤵
        
        PID:6736
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
        5⤵
        
        PID:412
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
        5⤵
        
        PID:5500
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4892 /prefetch:8
        5⤵
        
        PID:5960
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 /prefetch:8
        5⤵
        
        PID:5248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3700 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5364
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4316 /prefetch:1
        5⤵
        
        PID:5340
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3804 /prefetch:1
        5⤵
        
        PID:3452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
        5⤵
        
        PID:5884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
        5⤵
        
        PID:5888
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
        5⤵
        
        PID:3188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,5909268337235211730,2902447625759822372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
        5⤵
        
        PID:5436
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:5720
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:2404
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rickroll.it/rickroll.mp4
      4⤵
      PID:6940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae55f46f8,0x7ffae55f4708,0x7ffae55f4718
        5⤵
        
        PID:6928

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1752

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x504 0x4f0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2472

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5892

C:\Users\Admin\AppData\Roaming\svchost.exe
C:\Users\Admin\AppData\Roaming\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4700

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0c8d17c0803da7963bf2e75195081def

SHA1
e064328ba2e157154c77e2396e7dea800c114c5c

SHA256
780a142eb8cdfa96ffbd74b72cb820fd97d114686952b2ef8549904401fa5ffd

SHA512
d79f64aa07f21c02e75dd83aace4ffeee1ce1049dd3f95854bb4d8253336f5c539fa90a86fcf331aef7df776214a5893b638b89d9284022cdb40d62d48326865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84cf47bd9feb07da84a28d9606051f1c

SHA1
c5fe213b264b1c2817cbe56fa01d547f41ebc54d

SHA256
c8c2f3ccc6fccad685b3e8c13ffd512f0a7b3fe9c7c7197e13436562aabb938b

SHA512
1dc4842c1394fd0c424cee0d56e0ba1f36fc7baa70a9f306cb97abe5cd96bcb831cb59060622efbf7084e167eaaf54d827e4a353cd3cbc8a19780959835e347e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
846a19d156186d1666f9a5c498621a56

SHA1
4ba9013b6287bfd09bd4b43904e472c8d03b3ee9

SHA256
37c9108ea56be4326d0beb33b775cf800b8e024531eed4dd5c868211ebde1d97

SHA512
60775334fcbc0283b3d0736820914b3f21e59154e44d5ea667919b922e869c76f27135358c1c4e5df1c0fe31b2d252e4aa936d0e2041802ba224966ed9c33a8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ccbcae768486ba0e224c02930e7497d3

SHA1
d4284410d373710102d96b98689129ce42655dd4

SHA256
ba40951f7117f68100a886bcd76f1150dd190819980075b76375fdb1110bcb7d

SHA512
e43b2fa9bdc1a31dab423db36b6df906a474932340d2de23d9e29439611889184816f6030b819d45676f4ebe54dec05c6c6cab3e460f5ed53ce42400279a7d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aef7f449ddaa5e102bc11c62141e4d44

SHA1
093531875706d9029b9b736d55761c2de88c245b

SHA256
a76d491a234441c115ddfd1c6a31b067a8029effb44341238d4364ca2554fbfc

SHA512
f68a673f23bea2eb643b604f60b3213495edbc7fe7af24816aecf3da269ec7b2bc7fef7fc0f080b9ac8bd3a4623e33135c303bff389dc8966d7a1f8f669be438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d25234aa7ec137e985c58b04ab001e40

SHA1
bb72bec8830ffceeaf73da8c783122f9819d43c7

SHA256
8378e13684d274def6d25718b9f010eff2ad6d111897bd05e12974db8014c12d

SHA512
007113ef5024d7350e953bacc41c40af56f2df709e41f36765f1ca1cbfea324dee584a7c2c9f0404c5567fb90f472af27200c2c4c52951cd4459ea8caf7aba43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e27df0383d108b2d6cd975d1b42b1afe

SHA1
c216daa71094da3ffa15c787c41b0bc7b32ed40b

SHA256
812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855

SHA512
471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
395082c6d7ec10a326236e60b79602f2

SHA1
203db9756fc9f65a0181ac49bca7f0e7e4edfb5b

SHA256
b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25

SHA512
7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\11926c8e-7bbe-4ecc-9bd4-b96dc6b4946b.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\317aff31-5341-4807-bec0-2810a3d0db3b.tmp

Filesize
5KB

MD5
0306591c455072972d541206744c957c

SHA1
60f2521a0a87f30ab3926e19e50c7db12b843504

SHA256
65d66c51d7464b4ba7aacfccdfa640bec1df0902c4d28e5ccdaa9b2b60db3071

SHA512
f8316218223d804f46f658536297a152dca7cfa835a67e9daaeb74bcaa2a70469ed3f4324ae0680d7bc1e6e9fe66a802b6042900df0c9c975f027949e75cd1d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
f7c7e6b58b653b8056ca8441bb245453

SHA1
3fadedf14ce486b0db69fe9debd3c9f464d44f38

SHA256
b9ca598f40660f5c232c5bdfc13b794465fb5d49f7fbed9034404b7ce0d09b49

SHA512
a87a5e5c0994f2d0ecc1f56d383f1ecfdddd2138745c902b56400143701fe77c6e3756d3175cac4b7f13c4eee574d9b744deb22a33293ac122513148f545c8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
f9ef8d5e18437b37f52cc59d00942766

SHA1
862eb72d2ade0c9092eb3c2d981515b04704f07e

SHA256
ecaccca09aa34972d98bb71b28f9d33ffc7df24f591ce3a0136fe2d5749a862b

SHA512
4df2d0c6a7de939d6996fef77b196dc001a15a392282f5b1f14573dce448b9d0c87186254bfa4e8ae934bb4d417e71f54de348965c1a43f141ad0d98485a1484

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
b00ee25d3aef21db1f220f12c39d5069

SHA1
91d95a5b7cc49f827ed28e5f30824ae638325c33

SHA256
cd2db2192bfed9bcaaebb6b017643932ff767185a9752730152196bab04fe736

SHA512
41a0b4def02a8c37431d3c91c0ac94206713fb81e929a6b3e392b4c305e80c79d855bd1d84e7a766f8d246318a0bf36b6096e571e47d1453c4714196ef2be56d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
a7e720352bc3fc7ed32f7f1225a3e87b

SHA1
5faff883098758ee92fb28340e67e1d1362b0279

SHA256
7f2ab4fcd5da3c298a9d2d3bbd6a3701076ba2024711fd1048edc2eee5986477

SHA512
c7fec8a3cc1b81f6bf9cbeb1e4e921173cb46b0fb021dc64ff8f35e830d738288f16be8ccf583365d46f0577265ede13b59ad33382052bc3beca78d1f4e5af4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
b68d508d0cde7913e352d9defa79c8d3

SHA1
aef05d0f3262d5377a36f8c47c377bd080e2e9af

SHA256
73d92412dd3d3f424a307a72213b28ac3ba69c6260fcb471cb0ec388129e6230

SHA512
524319e4daf6ebe5726c456eae78edc0e8b84cb3f32a9644bac2351424d965deb5a15455e4bbd35e86037983ddb6eddd2cb1bd675ff6c9204f85b3047719f729

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
1024KB

MD5
bd1d6a942e7e9d0334970cc8b725a1f5

SHA1
22276b9f36d0b1aaa74a385c6d1d03950834084d

SHA256
348c5273bbeb29d55cd08fb4897c6c090611eed51696e2f88f71f70e22b25d92

SHA512
ca1fd87ee5abc5faeaf3e6a39a75c4e2f96deae5616a47f9d5c4d43f265ec18d84fa45787c632d1832fb9ff6260ffaa33dde2f2b9750cd26c1ff947aa8b01d17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
1024KB

MD5
5d183b4f57271988585cd87031591247

SHA1
0a08b74378987f268793f132f843b675696fa54c

SHA256
c7155a682843abe24731bc57fb0a4df4ceacb72031f742e3047b254bd705ae7f

SHA512
ae25a0c1402289ab8079facb8794e2f999b490604fae11a0bb8ed92b3fe6f5015cda6a5d426dbd71e9982dbb2be7b80b748ff4ed6fd66234b931545af53a4ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
1024KB

MD5
0580030eef7635de52c99395474199f9

SHA1
cbfcbb495c7d16112024b39aca4920079ac2a450

SHA256
32202d9ac9e59faf0a7d512625033c81cac71081f76a75f5ccda3365fe6473f9

SHA512
6205231651c3a1950998f82d435b2e34ec0f98bfba37b73da51dfc6b69fbd1c0c34f05e2f7e23f6ecb47eb82a89f4577c4200a6a0d4c22995186012e6f97fbe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
1024KB

MD5
0c07b7b9dc77ae67487ecd81cc4a15dd

SHA1
834a317d42e0997916463ad5703d23ae99ce1d79

SHA256
a4492bb512edea9bcb5e51d40ef5e929811d0210ea468f3fad13fe6d3315931b

SHA512
17357325a2e17848fb551407934e885fc1270b8d34d29c99e89cf0b1194726e7698fb1ea12b7406565ed38c61fc56605d547f9fc414ff82247b4ea8a5af6ae18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
1024KB

MD5
2899abc971022dc32b80bf5e7f8532c9

SHA1
7ef0370ec472f2e10420831ba8c6b7f78e62bd39

SHA256
4b9ba2b5b8bb04a7d506dc2c3d8d08fe5bf7dd5e1b40568eac16d903189d7bbf

SHA512
44b452bf49803d34f4262c918fb64e8ce26836a244ea3fbeb51e520c6faecccc43647bfeaa303cea6ebf585ce5682f172bda96c116c0db4c9186cc229ea3509f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
238KB

MD5
fdf973f986797a80010ad0f6195879b1

SHA1
9a65aab7381016c3d7bb2f8285c134c1073d3048

SHA256
6734658c87ab8e9039aa392601913d2619cdd74b849b8e0672a23a4f26ab8734

SHA512
4e360d027d0c9774df7c43cd8db01f56527343d1dd2b4bcf1f9064f7314a1c15e222f0d15a7c2a4570e8256e4433887018e40071424d80527f93593a81dc37b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
1024KB

MD5
89a39a5cebf37ec9709c7607a6b0c01e

SHA1
0bf23d4535873ba0cb1cafa8952c91912350329c

SHA256
b9428ce8f9eb713bf74c187671915b481b13903014ff36ec70deb56511f6146d

SHA512
ec3175c2b3d8897617badad467cdc9b4242c5ab6ef04be73ad205d2ab32b0985c3e38ad644f310e1770e2d8d13c26a0e08c9848e22cf595231ea4a20b637474f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001f

Filesize
1024KB

MD5
aad7dee553e46de0a67ae57893b9cf57

SHA1
7b343eb44b87076118b3aaf6e037a5834a485a12

SHA256
96d93180c3fe07e40363f545e923160caa1447a1e6d28f530e6f05d166fd01e0

SHA512
8c94375713fa17ff8a1281bc9637ac2a96899f7e4961e5b9c1ff532efde6b1d4be8e97b8d53ac831d5a6854b0481d443079a2ecd0f53288965d8ad8c631233c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

Filesize
1024KB

MD5
34d1436dcab4abaca593470b8638c98b

SHA1
03c412c5ab0abbd23821ec490d4856c7ee843b3e

SHA256
3bfd41d9917f2659190e78d89e1e1b40dbb8ec334a9a0446a7c5c2451463cb5a

SHA512
5e6c26277d7878ee453448f165af5539023af56285bd0a791bd9cdfac633d303680ee6caa0974e330f35c4ec230b8077463a7421e682099567151c0409d0363c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000026

Filesize
1024KB

MD5
6bd6f4bc764c07b19b9a1b89a144d4a6

SHA1
ddf2e95e5cec928e6b83a3ffefa47dac34596629

SHA256
7d682b5736cd0815862aaf4edfed66fd47fb85eabcab7ca7b7630389cc2438ca

SHA512
5ec72009f932d84b61087201cd8a2e3d0570f5d71d985894e0b163c6ec884a250cc6f9c87bbe9a4da3e8e5f606e2ad073521dba8102b4ce063bed735198d8eec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002a

Filesize
1024KB

MD5
adb5aa55034aa142f1ef7d6ab6c4a6b0

SHA1
3e5388b1f87a682a3d5bc368acba514095a88640

SHA256
9bc1a1d39b43dfc04646ab5a69af1d909b5837577fbf9adfe21bb8b607e5e7ec

SHA512
4d8e872aee4eda05d9b598eb1170bf013a8c2632911ca9373524cd4472ab3ab2c6beda266dd71a62f31c12752ee6d8dae7113513d405df8bd829b16894e50648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00002d

Filesize
1024KB

MD5
e18ab6882bb9e56e1f8fa4a8f03f9277

SHA1
cdde3c844cd94cdb26821fee86ddba9927af5f03

SHA256
f9ca50f2ec04333c51938dfd89765d4f3af2c94e86c585efb2700c16dd11637f

SHA512
c264a38afc70b5e777ca78f15294d5d27ccac14d6da622da318bf164d8d1c4ab90d195e5b90790abfdfc357c3578a71bb536ca528b3a434b5ad3d281f0a715cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000036

Filesize
1024KB

MD5
3e0eb051aefeea9153acc668a4dac581

SHA1
66fc780b5dee9318e51a1447bf78698e359d268e

SHA256
79e1d32ebc7927c026240f75267a5041173c27cd61bb142ae6564e23d891515a

SHA512
8196866e13e270c7ce841b492ba382435141e6c652c47a7a2c0033a4cd240eddb416ef043f42ca903bd49168b87c1d00985ab57d163372a7132bf00138d6b2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006a

Filesize
1024KB

MD5
6ac14a46dd0629726cc592653d3f73b9

SHA1
c75997899eff2797e842b166c0a6efa3ecdef43f

SHA256
a90f5078eb96f31ab5c0e5db922965ba99e55437b68327f42428938699f603d1

SHA512
4ecd6cce7554a77f9df39b02263d09f2b81ad2b7bc8fbcd6ca63469aade338ba2c66917ae20b83f5eed61323efd4314ea2d3af9625a4fd6322f15dc0e1dca366

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006b

Filesize
1024KB

MD5
3dfcdea770a0a99441f8a778cd975068

SHA1
3c305049d20f4738ba19a09a8fcbf80c85ac26fb

SHA256
033777a0bbb561a5b14362d8bb8912c9be18cbbec16bfc59ff8ed2768b372d9d

SHA512
62aef816a697c673e9c6ec3f588aa5079886627148903b43bdd04702b7c777060c86a939f8e0fc7212ea30277c541b46508a5a3035b2dd6b0bec63b73e672338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00006d

Filesize
1024KB

MD5
9c8e0ded755b0346e1e5b0c4848c17ee

SHA1
54a43335fcdf4ba491785f211479d8601be70dc7

SHA256
b2d7c5b57756eaef1eaffcc049a1babc35f2f8b67638c004d7a64b0cb988507f

SHA512
434f556a6e31ab4e5b8bb1c4e57086a54bc5bda9308a09a49509b5b7cdffb88ade8365015581781c71dd331c45f980b7b4cb0e1ce983c2bcf4399b1c5b0dec31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
396940fcc3963d08aaec7559eeda6cbf

SHA1
67ba9b6ae86421ff6eaf331c72244d703453b67c

SHA256
bec3504f972f1cf52c6662bb5df6ef815d2fabe8093512529549ef8727deb47e

SHA512
1b7cc945d7fc96380e1653a5bb8c843941e4d72714246d72f038a21e822f8463dc3f39e7a1d64de42371f00bd808dc1b543195047e72787d647a0ab899cf62f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
303e63d76bcbd780b8746fe2b63ecc0d

SHA1
74d0cf2d41dd1e5e0e24fcc68498e98bd5ba42f3

SHA256
8f870d0213050fc6acfb7715caee485adf483df991da0d68731f94c6db1dddfa

SHA512
34ff941a5e4ed2c4eb161959acebf40b79bd223ea41e17ef267cd84d64c1fe01627bc4dd4ba50aeb36497bea4dd0fa167a5bde4bf5fc5f88f1b8d50f1b0a8694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
343B

MD5
d422004b2adb708ffa285410334b2a50

SHA1
689aac00a9f81db687376264063ff23298a46b58

SHA256
d83ad168b98a93d281c07c5ce96cc2e9f705dde806cb5144a9bd53205edcd645

SHA512
ef3b0bd28e9de1cf231648a62936a3c9df7ad530425634e78da70ef5e381b8585b8d38f556f4e59ae63c5536ec3b8434d8e5dfa2aa1382fd23ec80abc3b54fbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
20KB

MD5
46b27d131ad43acf6e51198bf5531077

SHA1
eed977d93ce21cb1bf8d5d24ca29e96c217d08a5

SHA256
031fec6f7c31942eb1ea8c1541c19f774fbf2aa9f24edbf45b48782f9fa99ca4

SHA512
1fda78e69175775e8305cd8c05752a8e5d1b71168c5f4ccbd90cb9c39f70923f6d439db39f972ce4e0603d961abb37a4569c10713db7a32bd0c6155739532b19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
bca963104c15973ca549231290e24edc

SHA1
0838ea2de4adb600a9694f138552cb88d74ce1b0

SHA256
fc8b9a969a8c8b5851b9f490053a7039676c7a441fe463fdecaffe6c5f336c25

SHA512
b572da41b1e6686ff30ae5e47cbb9ff113e4dd006f27f4cc2c060d84b6fe90c101294f599c2c14ff68a4324e5a5ef98bd86e2e028d1d8a719e6d641612cf6f0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
179B

MD5
841d3b5f54d115e709f38abefb6ad99c

SHA1
22d6136bf1e90b83cb848131b3bf98638e1799b0

SHA256
7fd3aacea241d73513ce475bfc78567d999b12d0f0821237864a4b0207445b0e

SHA512
0f767f9ac3470a4f49576066361dc691ba5650d3fe1446ddad9198f07fd4fc6ac04afadd035fd049b4367628b4fc8ca4bcda3c126daac3d6717cebf60cbf39fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
179B

MD5
5abf9fcf5affec8012d2d44d427b04d2

SHA1
95c1ed52573ef1ff2b92da57668c6b962e526315

SHA256
bfb601cda4d33d2d708b9881dbd3288712ffc0c895432cad0864817e9138bacc

SHA512
8132281d1b7d9dca392e13bc7f8a77197be718c7799f84b21aacb13bc7ecbc8b4444985c5018ddff69be79ae31be606240f47f340d64648af0d1ebd2ef3a2728

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
73c10628433b04814ce32ca775ca982b

SHA1
e6e046e897e381e844ddbab14adb1df81830bc24

SHA256
75b0be9247db35c52447d7a00295d200ac9428d1d1384682c226292610302824

SHA512
528a55f30d12897115ab794c9e2d7e5256be5115257dfb24196f3b601a0913710a6891c43dd0d381a2cf7ba9f6ff3587534ca82e00716572a2889f6fcf384308

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c81979ba2b1844c8698c2959508fec07

SHA1
cb278e6058f1c7c6636b386a6c3a6b26cb6836d8

SHA256
e3cfb6df6cb278c0b332b3fa57128c2b88ee0608f9607ff90f7a4b771927e1b8

SHA512
6a577374f455137a7f510f4180192f35ae127043b33d9add4f407937b09981e647f7c2e6b07cffa0e340c2f22b586008048745e2fded236083f395d70f4b3e9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f025024782fbc39a881a208842cc8e53

SHA1
021ac48f8029ef16acb7ebbf673b5491ec6da7ab

SHA256
253251603abb0cb1815c6f49f4099dce5562560447ce7f9a45636f9985abb547

SHA512
9ee6542af6f7f54765be6014cfc4a880863572887d75487b39bf92dda5b79dee92ea209043433693f29a88621c7409f356c2cb0f6843ce7b3a5e2e6e6cab5655

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ffdb126362319e331c7c6812df80d19c

SHA1
580ffa62562a7300ce929a0a35fda77ade12f127

SHA256
bab167bce1eb73e428e09c84593eb30912a5e447f48b85c78ca396a7da648654

SHA512
124d9b95ca42b14fca53bee137707136c43d8ba9a569731f2f7a6ab201583b16ab25d069583124c50a2baaa77bdefa92b6a4855b6834eba5354d4dc14ed98a49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53b2467ceeca503e63a4c018b5ae65b3

SHA1
8da28b49ced870c2cacee109163d1f34872f667e

SHA256
550623a046daae274012b02117fba667731d306fcd4a6f4bfc300eae6323d3b6

SHA512
18556f4e7dc19f751a60b9111bf75178866bb6e5a00a77c4c9eb115553de8ff40e577f1f9835422df4ff7d6b6a6f96a109c2caf355324825b133239641bd8698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6467d13d6312bdac42388df6a9ed5157

SHA1
60c87a8b36e25c5fc4ff3f40fe88b0f8e6aaf15d

SHA256
f211b6aeb51b81cabe3db28228f07d861e385f07567e692b13db4f0011b36a35

SHA512
1372ad39081583211550175324f1a962044921f51b9367c32f2c4e733b65e1b8d42d17cc3fe24ecc2db644fa81011ad8b050aeb251e527e7e63f5dba1509f179

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fcf79b6bf0241e5559424dbfb264b649

SHA1
6038009f4345132744ef06a0071bdeef7dec3387

SHA256
e4a21a509141d7ed0f8f0329f5acee41d6dc9fbb38f8529cc020a28495f65be6

SHA512
f5e28c09f0890b5f879765cad5e17d2de67dbd0a25f2e7526e902bc56ee4799e0ce460252b5d5b286a25eff39fc025b7f85a32f4a3e6fd7f11e3471ff35eec78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8478c93b1bd76f9040e55ff516ac7d5b

SHA1
0450d37edbc8652b073e19e80fb496346c9e8f4e

SHA256
3cf8660406e672566d6e0aea48fd40eee127619f0171bdd2073d9a306e5d4471

SHA512
7aba6fe7a8152d8d26b0f29fb6d06b4e6c35f8842044486bce92c5406d1aa43d77f5eea24e139f715e7c7de3163ac02f44cf5eb41397c14c95c9be9063af3174

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
346517bec48f8a6c72d19337d241d9c1

SHA1
2da478532d99baf14c71d3a1f93abdc7f68d2be6

SHA256
c66af8cd5a4dda9dbbfd379964993a1ad0879e3cd9b7eba7ba2d7c253c7c61ad

SHA512
5d4e492a534c8e95cea7eb0b66e10b66acdaa1c7b0c246327e6bb9880ab6592a8ae0cb0d231595cefffd625487061262474c7381aaa322cc0785c51ba6739292

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f34f9219a4c601e876c315ee58a9ab92

SHA1
022aee9c7b9fa850916702f15e1b69e1b7f56780

SHA256
872ad4fdfb2bad841dd9a49b7c2b7d92ebff7d88ac1bf35fff7d00cbfe89fed6

SHA512
64ba5f76d43c6948c31e2f23c21491477e13230cefafb06ccaa25ae4bbcac38358293987a451bdd38c4a1f704c66070436c05b0b324e743c0040d5a2458cb345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
eb2b0820d93b0c1a9acc703fbf165b08

SHA1
cc198bc409e9269604116d437349df80ad2f2582

SHA256
dcfe7737b3f37148a6841582148c052391a467cd738ce76f5bd7de0562b544a6

SHA512
d3e12fa7d4089b49581c47311f4a5afd0e86c2a339e4b461c8afa1551ba40402188da62ca7472dc54651fb710e6ac86244f70be5b5598c23f9364198ea34d99b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
68e8d1625359bcf23b6a881dcc89b6dd

SHA1
1486d88cbfc17895500b86d92b1fa979af0e885b

SHA256
8c3710cfce3b948e9cd7528fd42317f79d01f80ebdaa8ef015c14d0e017a0a94

SHA512
9c73c33c902e9033af61cc529b3f68c96f087ab28ae0068d0a277993ffa97b6e83f9ab6cc151ec2ddf08c966673ed1a8ecf8897e97e095dcfb99df48a72f823f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
0317edac3a7e27c425db88f12600b2a9

SHA1
29922ebffc213614376167299cd99630f20cb050

SHA256
6c8c6acdb0cd2327a44c0de8b03c29e768f08379877ec97b1ce1d1e93abf752c

SHA512
8d3aabe00d44cf78cd6c2fa4f95841446fc0036340d75ee5f6881377cdd5b93ac46e230510132d42e66cdab9631ff11c60a70e1dafa4669731ffaf535120c0c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13385500160061887

Filesize
2KB

MD5
1005d663ef62803e8f7cefdd563b9747

SHA1
7d9f4c53934402eff9ebe3f61fd82d2c0a4722de

SHA256
1cc600cf44d873494d888012cf194a8d58c49bef9fea17e53bf21ca70ede7a2f

SHA512
33f12d55bc1e36935ead1ecc2af2f1cea052b474de8ce2ed8603c820e11bee8bbf83a01d6b2c7d124c96b52f7fb4dcf7fb4b28253aa33e8e3522b6d27f64c1ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13385500160292887

Filesize
2KB

MD5
8c0be6414e22e14686b11afdec906221

SHA1
3cba48eb92d361b1efc5c2fcb3ee7aae14752e0a

SHA256
c1690c305a642236299c80ee1e50c37f609881eff1e544e4213210fe2162073a

SHA512
cd9af16282a386890b7f0428e665155675734cccb0721e594a8705bb62fb88668cf477a4cac8f35b3d3dd221468128329b7582b87288e88de53278b73e6b133e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
6c90bd4e7105c2fc377398d281cc5b4c

SHA1
405ea0aa1515b4c619b07fcbfb2acf8593d6529b

SHA256
c4733a28194415282490fb01854c6cd8b092ed1e874cc49e05aa2426b57e23d9

SHA512
ab9871fe3751273def5d93f30625432274aaa1e9f424f4de44d5d01c777095bf38071e5421c822652b3c264a1ecb1f07298f80fd672a1e5f4fc48d74a0dbc108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
198d35ed7240510b1eb47a7628d94ad2

SHA1
1a9605a788e8fde82abfdde281e6583cd9080104

SHA256
18d009e9428afaeb207c6b1c987d1101125234e0aed9285b6ec1c91f943d3f56

SHA512
5d60f0465052310cc186beecbc92e60f08a529076bc076bf28835388b6222ad80787113796ecc94e0b156891034cfd0635b6f8a66bdd21d147cb527fc66c9cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
e247a3387e7d08b925cc2345c2dec14c

SHA1
09705047f4a508616dfc8706b2a12ae800c0c797

SHA256
46c28104bbe22713d61daff3af4f03f4b539ce1832cc4bc320c6b95be1136a74

SHA512
21c8ae3cd9ecc323d14f4a25cc5a1b92fa4576be60714e35e3419a1b3be259628807f62628d4dadb66d9b4f01770c41347d04f0a3c2256aa75ff3872ab080f19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
cc0fd24e99cf6b1e40354191e5c1c416

SHA1
3ee066429c4fe2c7685486d11e67440cf75cb8d3

SHA256
3bcf25393ba49f77b0e36b08e5f594a08a7084138369c385d2f9dcacb0938af0

SHA512
82433b1b78d36959d9368ef0df684b6b2e29a2f9afe3df1ef8539cba170830ab4a426cb15de74c2f88fe7d69113469d696d8139a997e034c86888adbad4cfdb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
200B

MD5
ebb0d3c8700d61f3e0ea04240d6618b3

SHA1
f0529aabbcd6150bacf0fbb52351d9420a70de79

SHA256
c976e610146c467326254101ec6820e3b85bb029e230d716b3fea30edcd95d36

SHA512
847575f148e24200a2f3779a6f8de70b20cea33b7aab9341ca0da3ab8697816e3c088394c49bd4ba6df1e28565df42a54f57995db44c853a5afa8d95e8b7805d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
b89e41e9bebb1e8745537d27921557d6

SHA1
826ace5808d421bcd0c997e641b453b37df29349

SHA256
b3bdffa237303600fde6dc00da94eaac65d9a3c60628844aa14479f510b7abe5

SHA512
05c74c32f14a07d826137630dcf3b1f993e162daeedfa8f8d5dc0c9bee964d5f6cd2a92cf891bead537fa79afe085aa56446ecc011b4bfab377a073f022482f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
60b94e9cfd29dadefe56add46547251e

SHA1
7e3b107ef131f77c6a7ae62a57b08080c2efe87f

SHA256
6a41e7ccdd00df0572353821c5f57d0bad66e72a245ab8b89861199fb8e6727f

SHA512
fbbd0e32340469e2a9f83304807bca6b13a50734795d2d48531741ebc16deda7f9c18e318c9142a4c923af9ba07287ea044e5456fcdcb6b331ceb5724fa1886c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
187B

MD5
93d6ab9e4bea84dc967bb1159e7f7d5b

SHA1
8677d2dd322ae927e861c49ebb5f64f69a04d744

SHA256
1879493e8702a3b8f97f8275a72c3688e5ad606835e45b533b29937238c46888

SHA512
e45749edd72afcd9519df9357a2500377901c8c95892410c78f74df3cded408ce3b884a1dadbb1990601de765341d10f7e5d7f871cbd5943220950ce0250563b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
192af16a4a3bb762d4e7b878486bf82e

SHA1
c218956ea5289220449b69cd98d0f8657247535a

SHA256
f7e3a39554c5a71fab35e0fa5a632a5a5d5627d025784dece7a2f4645f80c795

SHA512
72eb8a906521028a57db32c44d8850dc46c69336cbd04ee252e1d1a2c46c022600704b4c31dd6439792d67867d420440f906b2142ffed5385f01dbe13f59cf67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
5b7ea226c5263a006c9187b892e43061

SHA1
ab5b38263c8c2049426c37210d9c24031b3ec91b

SHA256
520d4b93b3505aa88b622c948b1fad6574b8c9230958da72eb6c9a186b090dde

SHA512
5eef6aedf137d130918f7b18d8f8dd421ecf7b9f29bac0677906750806bb00801c0fd2d57ea2612c6278669a35bdab7fbfca7ab9d085e9820d704630b982dfb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
8eb40c331a157d3294bf12f038b8a032

SHA1
d1a5bdaad4869bddab7c1f3bbab07836dfcd1be1

SHA256
f53c70a71a17907282d11526da7c081c94b41668c7a692b1a8d3a831d9a0a5ec

SHA512
a5cf034b287e372c1f8bef81b5eba6d82eff2ebea0c4a62fbafe480c37a80e5b71cb0ed8aa322c8ea35666f8c55b4d1aac4b2b368de519c84f45f57815f55d1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
848cae03f0f2c30bb4071035800ad66d

SHA1
0321abd08b4a73413c6196beadbb662d80dd4acb

SHA256
5d91e84c58318f957424e651d00696cd415effdf13fac0a96f1a27e09c64ba0f

SHA512
f849a3796a1d492a818f9aad7b65acfcfc0d2925f2953c17edfd0f35bc765daab045164bebe0a675fd023702f07d27f57a7289d0b2bd83b07dc7f319b8958a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
8e7d33b9517fc7cf252d73c7c9791d2e

SHA1
a658583be05095df9e2cd88191ddd18a35144abe

SHA256
39ecc62429ffe48a03f3f29aee36819700e2947d9cdd2cde13de8329fba42998

SHA512
a913c49e16c5e321536936a0bea5ab334181ec810464ce190d2d9b0e62a766028ae27fe2e71989392e8eca55a2073db96d10c15f42e860959abcf7cb7d56c4a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
1015806e4bd9fc258ff5be7063e1c50f

SHA1
989e8209933677d800b58890562e296537c989bf

SHA256
5fe6ca65ea2a00a107735e968a2316a7fb26482b0e319ed8b0b89374d496d533

SHA512
b91dc51784c19c18e304903511e56376b83496f6d940c69d5316552553df3fe8012ccac34dd7b534105a4cfcea80f9f2d5f5aadbca4ec767635ab9bccddac83d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ca6401ccbea76706fc424a0a943f16b4

SHA1
572cd6be8f4ca51509cfcb5f8a7871bbbf4498f0

SHA256
c2c0353df4595014d12a835c9a03d2ac48ddae2b5f59ca92f4d913dbc164e010

SHA512
625d6b176e9f53ec8720634988274f0e2fa9e4b8e604f08400e1ef30548dfd40f876e174b6275e6924d44905507c4c5915b8d5728ebc7d7d58e365bfa8b6843c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
d43634ecf21e3b026896b7ed9a18bb4f

SHA1
ef56863845f13e89edd1f2b8464ca8ba11af2463

SHA256
eeaf14e61090e6313b25957239eda099c7c13a43d009bd334b95b41c1bd28ff5

SHA512
99b0186978bb8d5bcbbb199e2c6dd52a81809f70b6c56133f9c756729ba9a547981d10d5d020f3436590818d5898a54f1c27f17ea43d04e3d4f3a7e7b96885b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
17KB

MD5
6bc4851424575eaf03ebe2efee6073ab

SHA1
2d014fe2feb929d03a46322645a94556ca5c9e96

SHA256
abaded8e235fdf329521806af30a1cc7701eaca3fe2efccb9da760ec6d8e5e4e

SHA512
af3b7d93fa2243475d74d4bd7f918ce2706bf6eca28029b9e49869f5f793e483efaafdfab1fed6306d5fc77a5ed3b27097b27448cd04560bed4df6fa3268ccf9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
17KB

MD5
fc97b88a7ce0b008366cd0260b0321dc

SHA1
4eae02aecb04fa15f0bb62036151fa016e64f7a9

SHA256
6388415a307a208b0a43b817ccd9e5fcdda9b6939ecd20ef4c0eda1aa3a0e49e

SHA512
889a0db0eb5ad4de4279b620783964bfda8edc6b137059d1ec1da9282716fe930f8c4ebfadea7cd5247a997f8d4d2990f7b972a17106de491365e3c2d2138175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000003

Filesize
17KB

MD5
155dd00748042ef822805a842c427ffe

SHA1
985a03f618b9f3ef0484eda606e4c55379aa5a41

SHA256
adc859645825abb4276982e04aee2dfbf5aa548695cb17e7438b61dcd27a18e9

SHA512
0745ad83bbcf010b5e55a10e6e6b02b699ac7f0ab4330727016797ba20a3101b6b90534f61a372991060dec6dba4eb87aabb30d131ffe3c4b9895a4d80ba1396

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
32d5b32482923be2eab6e2988f2dd33b

SHA1
d9313f7a5982e2bcbfb0eb09fb50959ba20bbf2b

SHA256
cb849fab2183a22d1860290db4055c428c686aa2c679b015cad2242e7dc38af9

SHA512
63686c9a563095b6d27f34ae66eb286b5ec06d007e8b983e9a294296fe0ab72679aa59a70ad732a3b529f24353c98d4381c2a181da159fd33b837868ed4766da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9b1c1d88a97ea85570b5e0e1bf0b2ce5

SHA1
fc7605d59bbe9d3ba4c9d453ca7a1b72b2443c9b

SHA256
8058ac5296c4698d0211186b0eb4c371fe15217f2a54555a15e4aaf3d14ea1d8

SHA512
bd52b912336b686618a19b7fdf7ae3e04c5dfd90b697eb3c8ba7ef07bff255d3ef0707accb3daa8f53d967ee28a6932795ccf608d867108cf8c4eac28c3007f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5329ad02eb3500fa22134b3f4245de07

SHA1
0aaad7aa6f58e44706a3c10f3379d7908114a1af

SHA256
56c2c65466795f27bbdd86ce430af6940d290d36d48aec08d0eee5978a9a9efd

SHA512
f887effdaac55eef67c7b4d1e638dd97a2bb34c7b4008542eae99a8201f8fb230015abe6aced37a7a7d29fbce96de9016832db197741311bd6b5b208d9d34196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
40d2d596ad2a81aae8725d6fb1ccbf01

SHA1
71bd17aed846229f8a7950574b9f568ddca4d5ce

SHA256
83c3755850c032417a2fc264a5c1acf61eb1b2893c3d18c71a639478a8418c50

SHA512
fc594f05c8c476aac91112cca35546001127b9b6cc386a387b78378654a808859fce80ee425240a4eb69c153d3a2886a70844d8e3c41acba8787b92b93ef745c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
46c15a5fdf8bfe5179b6ced935b1da1a

SHA1
14307450dc7d52fa9c8fa049a1679131f598158c

SHA256
10dd00792b12bb7a0aa08fa42ac6c63fbc339760605d18eee938d279e9bf362e

SHA512
dc2699cc541f4f233984cf6e6991df09799b19e9e63a7b53eace8928f1edc92eeb1dc88f9a4e10e9d5c12167bb336bce684e8f013199e74bcf22912a16a54df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a2731e3f-4849-4bf9-9f69-c93852d0efdc.tmp

Filesize
10KB

MD5
45d2c82f0bde1c7ea551505954acaa03

SHA1
d43665c20eaaea925bb1bff78d18fe80c152c708

SHA256
d559f44d536c9221e522ae0eb3fea795c403d22e6912f96db72987884c0ce16d

SHA512
903505b7a7bf0fc798b15b1492663cafe59556c0fb600164b69b8fd3c163fa4828cb6abb5296fec59b4bc6c943133948572300a2c1b51b3da42c6ea770dbf12e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
ec99c32868cc5214ef98076e1cabd888

SHA1
6dc31901adb6670f0bb75199b6b0e334ca46ccd1

SHA256
f000148ebd44b604c85c904a3520bb103ea1932e93ab540783041d455f26af23

SHA512
bfc76c37ade92be65a44c89d0694bbd07c9a8322823b8dfb7a6dccb7e6a9d9e8d66085352c14a94ef974740e579671054aee3d973351e1e2ac254bad0d26d466

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\9cd93bc6dcf544bae69531052e64647ec02f2bb4.tbres

Filesize
4KB

MD5
f7e28c1ab5be15003ebb00d697752f63

SHA1
944e8a76dbc3768873266d56bb6ad08b552d1300

SHA256
d78034dbd4ba3f8952a44b943478ec2407e649b6da19f03f700f728df13ebb75

SHA512
48328f7482d6a3d3ced6c7878bbd7a332c2904c71e301cf334a13bb0b5f2db9631eed8a59fc2516fe95355594afd9b88510089c99d40184b660b6bfb155d13ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
34f595487e6bfd1d11c7de88ee50356a

SHA1
4caad088c15766cc0fa1f42009260e9a02f953bb

SHA256
0f9a4b52e01cb051052228a55d0515911b7ef5a8db3cf925528c746df511424d

SHA512
10976c5deaf9fac449e703e852c3b08d099f430de2d7c7b8e2525c35d63e28b890e5aab63feff9b20bca0aaf9f35a3ba411aee3fbeee9ea59f90ed25bd617a0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ba169f4dcbbf147fe78ef0061a95e83b

SHA1
92a571a6eef49fff666e0f62a3545bcd1cdcda67

SHA256
5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

SHA512
8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2y14htje.lk2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
44KB

MD5
d8dec448ddbb0749bbe3f4259c9bc29b

SHA1
93886a2b1c55fa6ff41ac5bce6945e601d355f8c

SHA256
56ef629323495497970ffe5efd4c3197bd8043825ba264b9e6294113675820ac

SHA512
20739296d87d15b801086a8e7478875722e83dc1fd4004e9905a1c6f8c0c8913644bcf7e5b7aecb760f4870354118fc10d218f952fcd7b204c1f0ebae4e4a400

Download Submit
memory/3356-57-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-0-0x00007FFAF18E3000-0x00007FFAF18E5000-memory.dmp

Filesize
8KB

Download
memory/3356-1-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/3356-58-0x00007FFAF18E3000-0x00007FFAF18E5000-memory.dmp

Filesize
8KB

Download
memory/3356-59-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-60-0x0000000000FC0000-0x0000000000FCA000-memory.dmp

Filesize
40KB

Download
memory/4076-18-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-12-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-13-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-4-0x00000158D60A0000-0x00000158D60C2000-memory.dmp

Filesize
136KB

Download
memory/4076-14-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download
memory/4076-15-0x00007FFAF18E0000-0x00007FFAF23A1000-memory.dmp

Filesize
10.8MB

Download