revengerat | hxxps://github[.]com/conspiracylol/conspiracylol/releases/download/test/GameInput[.]dll

Analysis

max time kernel
451s
max time network
452s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
16/03/2025, 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/conspiracylol/conspiracylol/releases/download/test/GameInput.dll

Score

10^/10

revengerat guest aspackv2 credential_access defense_evasion discovery persistence spyware stealer trojan

Malware Config

Extracted

Family

revengerat

Botnet

Guest

0.tcp.ngrok.io:19521

Mutex

RV_MUTEX

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
Revengerat family
revengerat

RevengeRat Executable 1 IoCs

stealer

resource	yara_rule
behavioral1/files/0x001c00000002b4a1-3781.dat	revengerat

Disables Task Manager via registry modification
defense_evasion

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x002900000002b4c4-4101.dat	aspack_v212_v242

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe	RegSvcs.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Executes dropped EXE 15 IoCs

pid	Process
924	WinNuke.98.exe
1220	Bezilom.exe
2424	RevengeRAT.exe
2888	VanToM-Rat.bat
3728	Server.exe
5960	svchost.exe
3780	Popup.exe
4348	svchost.exe
3796	WindowsUpdate.exe
1912	rickroll.exe
4552	Trololo.exe
2404	Popup.exe
4428	Trololo.exe
3168	Trololo.exe
4208	svchost.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svchost.exe"	RegSvcs.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\StartUp = "C:\\Windows\\Maria.doc .exe"	Bezilom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\Downloads\\VanToM-Rat.bat"	VanToM-Rat.bat
Set value (str)	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Roaming\\VanToM Folder\\Server.exe"	Server.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
352	raw.githubusercontent.com
21	0.tcp.ngrok.io
22	0.tcp.ngrok.io
86	0.tcp.ngrok.io
87	0.tcp.ngrok.io
88	0.tcp.ngrok.io
237	raw.githubusercontent.com
239	raw.githubusercontent.com
350	raw.githubusercontent.com
238	raw.githubusercontent.com
351	raw.githubusercontent.com

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 2424 set thread context of 5592	2424	RevengeRAT.exe	148
PID 5592 set thread context of 4288	5592	RegSvcs.exe	149
PID 5960 set thread context of 1512	5960	svchost.exe	186
PID 1512 set thread context of 1456	1512	RegSvcs.exe	187
PID 4348 set thread context of 3012	4348	svchost.exe	227
PID 3012 set thread context of 5304	3012	RegSvcs.exe	228
PID 4208 set thread context of 1920	4208	svchost.exe	265
PID 1920 set thread context of 5524	1920	RegSvcs.exe	266

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-tokenized-card\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-shared-components\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\wallet.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_497586150\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-mobile-hub\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification-shared\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1584998379\_platform_specific\win_x64\widevinecdm.dll	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1584998379\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\Tokenized-Card\tokenized-card.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\crypto.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification-shared\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_497586150\product_page.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification\pt-BR\strings.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\Notification\notification.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\vendor.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_497586150\edge_confirmation_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-mobile-hub\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification\fr\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-shared-components\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-tokenized-card\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-mobile-hub\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1268400507\Part-IT	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_497586150\shoppingfre.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-mobile-hub\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-tokenized-card\zh-Hans\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\wallet-webui-227.bb2c3c84778e2589775f.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-shared-components\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\bnpl\bnpl.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-shared-components\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-tokenized-card\zh-Hant\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1584998379\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1268400507\Part-NL	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification\ru\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\Tokenized-Card\tokenized-card.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\wallet-icon.svg	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1811854431\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-notification-shared\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\wallet-webui-101.079f5d74a18127cd9d6a.chunk.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1268400507\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-ec\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-hub\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-shared-components\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-tokenized-card\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt	msedge.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 10 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WindowsUpdate.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Popup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WindowsUpdate (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\rickroll.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Trololo.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 52 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Popup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bezilom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinNuke.98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Popup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Kills process with taskkill 6 IoCs

defense_evasion

pid	Process
1044	taskkill.exe
5496	taskkill.exe
1964	taskkill.exe
5576	taskkill.exe
3056	taskkill.exe
5764	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133865976478797798"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1678082226-3994841222-899489560-1000\{C6F43E6B-C334-4E33-B80D-70F2AA729357}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1678082226-3994841222-899489560-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

NTFS ADS 16 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WindowsUpdate (1).exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\rickroll.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Trololo.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Melissa.doc:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\RevengeRAT.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VanToM-Rat.bat:Zone.Identifier	msedge.exe
File created	C:\svchost\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe
File opened for modification	C:\Users\Admin\Downloads\Adwind.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WindowsUpdate.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\gameinput.dll:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe\:Zone.Identifier:$DATA	VanToM-Rat.bat
File opened for modification	C:\Users\Admin\Downloads\Popup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\svchost.exe\:Zone.Identifier:$DATA	RegSvcs.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
736	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
5840	WINWORD.EXE
5840	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
5372	msedge.exe
5372	msedge.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3728	Server.exe
3796	WindowsUpdate.exe
3796	WindowsUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: 33	4908	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4908	AUDIODG.EXE
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: 33	6056	msedge.exe
Token: SeIncBasePriorityPrivilege	6056	msedge.exe
Token: SeDebugPrivilege	2424	RevengeRAT.exe
Token: SeDebugPrivilege	5592	RegSvcs.exe
Token: SeDebugPrivilege	5960	svchost.exe
Token: SeDebugPrivilege	1512	RegSvcs.exe
Token: SeDebugPrivilege	3728	Server.exe
Token: SeDebugPrivilege	4348	svchost.exe
Token: SeDebugPrivilege	3012	RegSvcs.exe
Token: SeDebugPrivilege	3056	taskkill.exe
Token: SeDebugPrivilege	5576	taskkill.exe
Token: SeDebugPrivilege	5764	taskkill.exe
Token: SeDebugPrivilege	1044	taskkill.exe
Token: SeDebugPrivilege	5496	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	4208	svchost.exe
Token: SeDebugPrivilege	1920	RegSvcs.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe

Suspicious use of SendNotifyMessage 19 IoCs

pid	Process
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3216	msedge.exe
3796	WindowsUpdate.exe
3796	WindowsUpdate.exe
3796	WindowsUpdate.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
3216	msedge.exe
5840	WINWORD.EXE
5840	WINWORD.EXE
5840	WINWORD.EXE
5840	WINWORD.EXE
5840	WINWORD.EXE
5840	WINWORD.EXE
5840	WINWORD.EXE
5840	WINWORD.EXE
1220	Bezilom.exe
2888	VanToM-Rat.bat
3728	Server.exe
3216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3216 wrote to memory of 2620	3216	msedge.exe	78
PID 3216 wrote to memory of 2620	3216	msedge.exe	78
PID 3216 wrote to memory of 4772	3216	msedge.exe	79
PID 3216 wrote to memory of 4772	3216	msedge.exe	79
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 5900	3216	msedge.exe	80
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81
PID 3216 wrote to memory of 1416	3216	msedge.exe	81

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/conspiracylol/conspiracylol/releases/download/test/GameInput.dll
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x264,0x7ffd9d59f208,0x7ffd9d59f214,0x7ffd9d59f220
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1820,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=2248 /prefetch:11
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2220,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:5900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2488,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=2472 /prefetch:13
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3468,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4892,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4964 /prefetch:14
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4900,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:14
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5028,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:14
  2⤵
  PID:5976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --always-read-main-dll --field-trial-handle=5268,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5280,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:14
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6136,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6168 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5792,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6432 /prefetch:14
  2⤵
  PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1128
    3⤵
    PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6492,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:14
  2⤵
  PID:236
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6492,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4148 /prefetch:14
  2⤵
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6956,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6812 /prefetch:14
  2⤵
  PID:816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6960,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6972 /prefetch:14
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6940,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6976 /prefetch:14
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5040,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5056 /prefetch:14
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5448,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6252 /prefetch:14
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3212,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6952 /prefetch:14
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6252,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5488,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=764 /prefetch:14
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --always-read-main-dll --field-trial-handle=3604,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=3560,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --always-read-main-dll --field-trial-handle=7152,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7208 /prefetch:1
  2⤵
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=6344,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:5908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7024,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7596 /prefetch:14
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=3740,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --always-read-main-dll --field-trial-handle=7488,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7784 /prefetch:1
  2⤵
  PID:276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=7712,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=3728 /prefetch:10
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7192,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4848 /prefetch:12
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5504,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6500 /prefetch:14
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=5564,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --always-read-main-dll --field-trial-handle=7248,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7732 /prefetch:1
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=5332,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7336 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=7752,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5276 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3368,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7076 /prefetch:14
  2⤵
  PID:5988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5572,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8124 /prefetch:14
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7744,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8032 /prefetch:14
  2⤵
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --always-read-main-dll --field-trial-handle=5580,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7140,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5344 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6092,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7036 /prefetch:14
  2⤵
  PID:5532
- C:\Users\Admin\Downloads\WinNuke.98.exe
  "C:\Users\Admin\Downloads\WinNuke.98.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=6496,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8464 /prefetch:1
  2⤵
  PID:3468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8500,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8528 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8532,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7588 /prefetch:14
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=8656,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7580 /prefetch:1
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6820,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8004 /prefetch:14
  2⤵
  - NTFS ADS
  PID:5808
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\Melissa.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:5840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7836,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8492 /prefetch:14
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=4972,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7388,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=3692 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5880
- C:\Users\Admin\Downloads\Bezilom.exe
  "C:\Users\Admin\Downloads\Bezilom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=8128,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7896 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7196,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5984 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:748
- C:\Users\Admin\Downloads\RevengeRAT.exe
  "C:\Users\Admin\Downloads\RevengeRAT.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - Drops startup file
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    PID:5592
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4288
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\et8sq6tr.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3352
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CC2.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcCC25ADF4F9A947C59B2987246D6B39CE.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xz-pcu4q.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2328
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D4F.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcF1F6CA3764F949428D546CBE9FFDA7B1.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lgmlut6u.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:424
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3DDB.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB633DB57C864A8E84362E1481CEA57A.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\1e1-4l1h.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3832
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3E49.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4C20C00D40184747848FAF5BFC726A5A.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5916
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\pee6rbzw.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5140
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3ED5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcB82F3F7DB423427997ED551EEEF1741.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\g7q1esne.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4880
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3F33.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4502DF093174BB4B2D2F8B4144239.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\xz5_llpj.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:5028
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FB0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAF54AD171174455E9B77F2CB6F7988A0.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:672
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\zmg7bo1q.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3608
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES402D.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6D83135B3FBD48B193F724609916995.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4428
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\nfyyiapo.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1360
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES408B.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6C76B1E9D3E54C548659C24A923A8E2.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1044
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious use of AdjustPrivilegeToken
      PID:5960
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        5⤵
        Drops startup file
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1456
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:736
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\bpf0weoi.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBCC.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc179CF441FAFD4793A753D84E35BA685.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4412
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\ymdqw_fz.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFC69.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc60B771537D24267ADE6908A76DE5FBD.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\hgtxsyph.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCF5.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcDF59E7C76ACA4D7E9EF25B9EC64F3F9.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:5372
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\-0iolnr-.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:968
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD63.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcD75D9EA4FF244F0D9FE276377F06358.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1168
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\fckyhop_.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4892
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFDEF.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc4DCB828E109449EF80B89C2FB8B52BA4.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lxyfic6u.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1624
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE6C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6B79129F20EA46C8B29251D6C77ACBD.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:760
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\cyaetm38.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5896
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFEE9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcA30F9FF619234E4EA14BD1A48AB86E.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3452
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\l4jpyieg.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3156
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFF66.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE0A07E552B4145548E4E272FDCD7E6E6.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2116
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\slpsxlzi.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFFC4.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcFD993C85F71A41A297419ADDDF946DB.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\vyi6qabr.cmdline"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5148
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES41.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc87C2DDB5C46B45CB9B5E2F17F4A5A23C.TMP"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8468,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7072 /prefetch:14
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=6544,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5728,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8680 /prefetch:14
  2⤵
  - NTFS ADS
  PID:4832
- C:\Users\Admin\Downloads\VanToM-Rat.bat
  "C:\Users\Admin\Downloads\VanToM-Rat.bat"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - NTFS ADS
  - Suspicious use of SetWindowsHookEx
  PID:2888
- - C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
    "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=4956,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8744,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=4776 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=63 --always-read-main-dll --field-trial-handle=6364,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8688 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8552,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1460
- C:\Users\Admin\Downloads\Popup.exe
  "C:\Users\Admin\Downloads\Popup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=65 --always-read-main-dll --field-trial-handle=8520,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6736 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6368,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8464 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1476
- C:\Users\Admin\Downloads\WindowsUpdate.exe
  "C:\Users\Admin\Downloads\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --always-read-main-dll --field-trial-handle=6412,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8692,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8548 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --always-read-main-dll --field-trial-handle=8088,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7928 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8136,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=7584 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8212,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=2724 /prefetch:14
  2⤵
  PID:4420
- C:\Users\Admin\Downloads\rickroll.exe
  "C:\Users\Admin\Downloads\rickroll.exe"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --always-read-main-dll --field-trial-handle=8200,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3600,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:14
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:5008
- C:\Users\Admin\Downloads\Trololo.exe
  "C:\Users\Admin\Downloads\Trololo.exe"
  2⤵
  - Executes dropped EXE
  PID:4552
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5576
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --always-read-main-dll --field-trial-handle=8288,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8880 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=75 --always-read-main-dll --field-trial-handle=8324,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:1
  2⤵
  PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8688,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8508 /prefetch:14
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6888,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=8004 /prefetch:14
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=78 --always-read-main-dll --field-trial-handle=8144,i,16344730402918439230,3670894134039318571,262144 --variations-seed-version --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:1928
- C:\Users\Admin\Downloads\Popup.exe
  "C:\Users\Admin\Downloads\Popup.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2404
- C:\Users\Admin\Downloads\Trololo.exe
  "C:\Users\Admin\Downloads\Trololo.exe"
  2⤵
  - Executes dropped EXE
  PID:4428
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5764
- C:\Users\Admin\Downloads\Trololo.exe
  "C:\Users\Admin\Downloads\Trololo.exe"
  2⤵
  - Executes dropped EXE
  PID:3168
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im explorer.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5496
- - C:\Windows\SYSTEM32\taskkill.exe
    taskkill.exe /f /im taskmgr.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1964

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:3404

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3724

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004C0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4348
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3012
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5304

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:4208
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1920
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
19a88bad99bffbae6102e191cfedd75b

SHA1
df476b325df883b73eda1b2349bab45aa22e808d

SHA256
0d576dfbde1712b7288e4561e3eea75ffdad84dc50a77ceb57a6e9c37d60465a

SHA512
9ec5eb487d8c8fc8e283a94bd43afd740edc4df6a4509d83629416d040586bd42330eb0da6dd41ec1e5550bce9a6643319ff8584f8638a9cde9042fa406825fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\000007.log

Filesize
21KB

MD5
8b03d56a5a968131690d8239802a628d

SHA1
ca4e5e372ff601c1568406e05869ee36f458979f

SHA256
ba58d7cb1c7dc395bdcc2e4ced2c8099bc9e48fa85baf91743970033302e5245

SHA512
5573818205946f50c53bb7b52e4ae40c1a8e18750c19a4d7e0667d0abd0a8771e0f0dc3c2cabc3d1fa0574bf67b1ff904de318afe85a5435ff7786ffae45fb5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
8b1225019a40c71f94047c6cd7f04186

SHA1
64c65c87d16787ee83fc785e9269f91d313757ac

SHA256
2b2eed5cd1cbb171cf5ee7f8621b8f45ea3cb740699a39166cf9eeb38af66fb1

SHA512
61a673209dee925e33b9d3fc6cc45608ab9517106f1f898bf5a0f87091a5c501dae49c171775fc06c707e637b0295a995d1acddaecf007f93de5b12afd2a3377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000068

Filesize
162KB

MD5
87129728187b13f7d4461c7d0ee58b95

SHA1
6ce0027a1c6d296a1108d94438dacbae32d68f37

SHA256
83bac7bf9f20624cbb52362f76f146040e4cbe1f3bb0362fc906155a6d1c8b6c

SHA512
cfed1c78732f838d80253d460359d3afe143821b2d919ef0a60d8495cce2d0d6a96cf3849556b9df7e0c06abe049b73c36bbd3b08152b76e6081b773ce485f33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006a

Filesize
107KB

MD5
1d7e0dd28985ed1f79f3da9baf0c25f0

SHA1
6551ab1e517e2652fb142e0b2d52fbcc5f32712c

SHA256
38bd14dafcc9212e329c9a97c24059e49b2180be6bc4a06a388ba7f1437a9843

SHA512
f9bfa37858b30180182089aa5edb7d474edacc46da9cf7d561645205ad90cc29aa731ec5a2fae8c1ff8507e85941cb2db078ba2953129e41fedd28218637d971

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006b

Filesize
75KB

MD5
a54e9e084ea45dd544c63f77f7b6e180

SHA1
c593ac95c67dced996e57c5c3b7d16657ba29ba1

SHA256
7a1a701f456cc4a79f5d25cf5e7b4c6a16471dbf2d71533c167d0046ad445689

SHA512
7dc6f99a523e046266e47ed757a89e4c912a9ca98374460dee5049ca7c3475a419849427d6f8264327ae2aa42b961ad31049ed2a134282b232bbb94632b83f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006d

Filesize
65KB

MD5
2b3a50da14baa1b43f0f413a84e34c8b

SHA1
a23f693526a16507733ad96d54423e6ffc2a32be

SHA256
63f8d57468e48e6695b1c9e6eb42b25f113e26c8d6f99e30f2f04e5f82fabeea

SHA512
ce00e74df7d3bba84e631a8086426272b6998ad2583a158d8c2e01e6ce96e0819125546eb8b161eca525540853929b862b0aafc8ca231915a80ef1b51907691a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006e

Filesize
19KB

MD5
8c92c48c3348c1423c9cb6b01209efb4

SHA1
12404940d88038617bd4cb6a71b4f069e22e8faa

SHA256
5375a24a147420d5d9e2eb3808208868b52729bf10205cf133c8b14755dc7b1c

SHA512
cae81988eb040245ed253d16c584347d40a9601f7f0a97de08da56d6f65a86b97f6fe23b129f01d1aa0beb450a937e33e59d9ef678a5f32c902507be7d5283ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f

Filesize
53KB

MD5
b5120fd7e64f0159366be263f7aee8ee

SHA1
4a08b208681e5222181c3943d9a66e22803cf204

SHA256
3433a1b80f7ab65846cf4aacaba23ada663d64e5944abf03f66d02e3693de087

SHA512
d353c687287f9da5ed3e08ae454650de6a3129b0fe7704ffd84dd1f5aa7f744cce91ab82ae6565690dcd849b5f50cd20ecae93dcd9e05a59edf208a0045ccf68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000070

Filesize
58KB

MD5
ec2ddce00f510e1e53fad24ea4a6b149

SHA1
f750bb4521481142d4fcb10879dac4b67f5b8f0a

SHA256
aaab72412601e9d3162567cf0a3a9d9b4750d4666ab875c65942830a1d0182c5

SHA512
5d8b3fe9cd0617283d8de0da4cbb9b8c141401a7d27e70906363d450b031b92f949351a540e926088943030b479297354783ed15b644e0522e10f3c19cb72ce3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000073

Filesize
134KB

MD5
2ea86888cffdc9fa78756dc2ee6877fb

SHA1
450b2014d256f4f488f8b35e918c676177aad157

SHA256
d7cab57401d560fded725fc6c3daf444cb1897c578f422936153a5fa6d1c0d61

SHA512
f8d72ce5d3cafbb6017acda7dbd70a0751688a772e0ba5deef76bd659f146b6274143e629b82c9d0f21c07787704cd32820efd0a88e8c883e03080a19f59d077

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007f

Filesize
60KB

MD5
4a7b69e96089d9665cb8000979b4fa20

SHA1
951b0e3c82b0ee5289317569acdc03c235d171c4

SHA256
02e6a68538ca98bee2ad14430b05e073f62e1ee5b5802e7e9b6add7987eb3948

SHA512
c6ae9f5149df8dc7504835610eee95b04658aaec97acaab5cdbecdd1d17cc7f7db4e37d428c956ee3e9729e0cfc62493404c21173b79a638bbf726a9d709b2d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000099

Filesize
16KB

MD5
7b9375982bde355aacce1fd0af91a509

SHA1
d9d74eea24403716c3fea9c35ab2cf9d74748acb

SHA256
b93cbadf4110a14ac4baab56a036ece1b02cd64ce1609310968d717aa5a92383

SHA512
21e7a0a85339ca038c14de782ec9612aff8f13817bd568b85974ca74892d6edfe302e1360b1dc4d1541c0375bb405213ffc9292352f2a8651c90d34104721fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009b

Filesize
29KB

MD5
656a13b894c460504dcd9da92a5a9cf2

SHA1
b141c3d737ce2b1a8b77e3584f6ba3b14da24dce

SHA256
f0943a6c5419dd2307288d45e878f16b9f8569f3b9d8d8c21b103973b9dd150d

SHA512
04e6e23fad77353cddc8d5dfe0e2746793993b37ccfe1b860ef131ccab5858f7fee05205e79fcdab3e587ab26bb5af0f6f6daddc703599df8fdca712f65b7167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00009f

Filesize
44KB

MD5
ebf0187290f40cc7823bc6985226a841

SHA1
ff3167eac86668a5fd113ed12f8451cb9567c482

SHA256
59b393a701b03c670422af07c663adb9fad0fc8a6a445ac091dc79f2f820d372

SHA512
52d3eda5a9c255187fd8acce00bec4cbeb3a20efe1e0bcba163eb226cc0453095cc777217a97fcbbae1446a89b753cece6cdfeff4619ee7a4a0aa0b89b676df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000a9

Filesize
48KB

MD5
06e32a5d1e2d387ce562ee7aede8192d

SHA1
67f9d64c29663f6865d0d134db189938a92503cb

SHA256
46ec4156584d2cfcd0ea2dd2eed85a0545ddf4e30a8c20c26b2ff3fc7c065317

SHA512
0d1de74efa671be757ac49d1b864ed89cca90bd56114d79432ab91407ef5987d4f4573ef3f2e307b32601ab335a43f8cd1860954f986dd5d887a02ae37ea0717

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000aa

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ab

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ac

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ad

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b0

Filesize
25KB

MD5
112349552e5ba8ea511c5e4bce0e25f3

SHA1
f434e5829f3dd7d986f1cd318356ebbb81c7ab6f

SHA256
f6fdc21a606c6668dcc05390d7c53830b1903c14c510224ba1f8e059a527a0ba

SHA512
2561c5bc86c82eb87c6325944524e9e1dfeb84977e2b5f414aad887b9d87e3cb83e352ae596501aed4fd4036cf41a641ffa7afc2f30c4670c85251638ced18f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b6

Filesize
39KB

MD5
f370988ec88296a996205c97989819a6

SHA1
fddbbd1750d5fab2d742725e998a5323d4171fee

SHA256
f5f5f688542ae8fa71909c89611eb6cf7e2a6466326ee4d6a9b148ed0a4f87c7

SHA512
df55a00304c7058e8e8c56f13b3844b7d6120808fbcf923a7b72738a6d9741dd35300fe1bf1cd472b1bc9eb90376d8739bcc06311cf02174a6a35980a3469bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000bb

Filesize
53KB

MD5
2c4e31a462b7c6406c277dafdc1d6718

SHA1
1a413f0eeec5fa359e73d943286869432cdda237

SHA256
d960f9461fd2d1cfe0c0f574a9334fa284713f239c0b72b5ed8fa43f9ed5f968

SHA512
fff5596f81c8b7ad3bcae08807628d30dcec576291d765e12e45e3b9807d6d58f6dfb46542dfec3e8ff8e076ac4d2fe689e1a4d6064f5256e08068a79ad8b3c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000d0

Filesize
202KB

MD5
9901c48297a339c554e405b4fefe7407

SHA1
5182e80bd6d4bb6bb1b7f0752849fe09e4aa330e

SHA256
9a5974509d9692162d491cf45136f072c54ddc650b201336818c76a9f257d4d2

SHA512
b68ef68c4dcc31716ce25d486617f6ef929ddbb8f7030dd4838320e2803dd6dd1c83966b3484d2986b19f3bd866484c5a432f4f6533bb3e72f5c7457a9bb9742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
cefb7180f19368d1e0bdcc4e00ee07fe

SHA1
e36b57c67e5ad6d6c00ce84f53d4ec4f22202e5b

SHA256
993fcec326eb41dff8054cc93d313da0ba33b45919a5c2b7463411dfa7f1729f

SHA512
cdfc09ec52b5cc72f08edf8fcce0069e79087eb7b375b4c70cebbef2ed687c65b44b2b2343e5e26cd277b863516ffade1f31eff2ab2bbfa999515ee2dcfa8464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
76030704cbbfbf7376466de322827d3b

SHA1
333b9dad68eee57e07cb9a7283c536bfd2b65db8

SHA256
cf2b6aad572c20b0f7088d4be631222e935dfe1cfe3b25ab12f483d699b161dd

SHA512
575fc01bc4d42dcde66f1069e6cb1f639bb216b37c147c4f3a117994749ef434c7c6d59bd5f1629a47e1ddb8aa05f5ab62ad76c2a58a874b09c909325750a0bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe598f27.TMP

Filesize
3KB

MD5
31cc2d828fe130e8c413922d6f056c91

SHA1
5bf02684f9d5abe7aceac0064cdcb1acd8dc6ab2

SHA256
17558baa8bca4e2518070d02834f0aa83ef3a6ba59a11ff2d6a21faeb16ffa83

SHA512
53e7d1d38c9ba8047c344418adb352e3d3ce9f42f082959ea6763972521f7dd68ab3d2dc049a9ffaa150cf79cb75113f0ec488710b0c3a978c32268a21b2ac29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log

Filesize
47KB

MD5
f395780838874f1e691cee3ed2ef5987

SHA1
09f9d3528bd9b7aa6770e8968e285d6ba5239ead

SHA256
36346540ccd7a01511ae5210d0d50cbde903f17b1ed2add1d3069435c3214b2f

SHA512
88f2012af525ea7882c2758f4d85367615e86db7131ccdc4e6e7d560bed77d66d5ee9283d395abe4d1f3ec3858d617e10db0b0881232d4fa1e247e8ac3bc886c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\LOG

Filesize
383B

MD5
63ce4f8654904658cd743e444a39bc93

SHA1
5c10cfc37f54a20e7567026c1a70eb8e27536c03

SHA256
300967c9acc8859633b1bae681ee8fe5dff9edcd280218a423be844ff1940a55

SHA512
4ec15cecbc23e1d04e188dc7a5347a4ab97d8fc39214b9bbe352cfe3a34f1d3031015ac11ff6058284c43ef531476952687d4b1100abf6d2ae42524e36d89c14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\LOG

Filesize
343B

MD5
67cdfd26c084d5cc58033386b06177aa

SHA1
2cf72e494055c047727dc46ebb22abcafe4eda91

SHA256
76fed980f855b156e4d12e39e87fda224f2a34cc9e8d052920451efff5f96fc0

SHA512
e01c4144c2f67a43307f0678f8eaeff15e3fbe4014d1771a9b029800381623612f5af32ab94babcbfe0661be727002af05d9e70baaacbfc875496c38d78189eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
a13636f5891cfdd8d06e93985758dd3f

SHA1
ccc5abc0e74302cd5cba5a4f8b402cb66e49f2e7

SHA256
2bbbcf8fe07117d7a18ce860261843e3e1c86fb4123f08040f799d401c8600e9

SHA512
ddfc327ab3ff03204175c34a54ab256b2605f704d3210724cee58b6d48335cee182fa6941759c5c6376432194dca63f874add51fdfe702ef9c40e773eca101b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
7ed400e22aa50241bbb3ede0a82f7eee

SHA1
fb41f45b7beaa12d5443ad3de6d002ecc16d0ce0

SHA256
60a68a3b471f2e7c9d3ddd67041a56eb5a3a8d8afff92abd76144b42bb8f7afd

SHA512
00650b3f10a2a9b929e784c8e846cda86e2e8c1fe51157ff53a8ad97f46e4ca92843ad8e57a8595d7a414c306de5339edbb786d65534b155110922083beb7140

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
673972494ab6ff2e3a142a1162638ba9

SHA1
186a64830c43fb0deb2b01bab97e80595f0a7b75

SHA256
8a6ce820aa53d7e27909a5c8cd56dd16dfd8a03ff72ca40bfc9ff1ebc12010e5

SHA512
648594cc78f8dfd50abee1ea6c22c0397f4f3e2dd9c7ea66a723c21211df31e01d408d511349e42c204f6a0f422cfe3b1522beb31be0b6f1a4bdb807c4f3df04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
7e31770c6ecf5a1a1ccd8f5ee493f5af

SHA1
2af897bc630a316d7a618204fbefe263d91f9c58

SHA256
156c19d493a6bc836f6359af9578ea7b725abe4f8735dd47976cbcd18eec64d8

SHA512
5d3246e09d621d232980b2fc9325ba14de10cb98fc61e5aa1e3de8f37be5721bded09606a6f07b6c51cdf8bef6c9b2b83aa4b3e4e51e0a738523fb8fd911356c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
d4250e5dfb04722d3d6c35d148683d71

SHA1
79f63cf871d5388e585a0045cda97462cab58c57

SHA256
73706c3886383552d215a47d73c5526cb5f16a9b7c2504bf866eb1a528811e40

SHA512
2b039304e853a65a17106ca760945788768fe6dddd72228824034b05af2e1be46802d45a37d5cfd45838be3a54e996780cb564ea83a8b1cc37cb1871860fb580

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
2493313047ebd204e382289926f2eab8

SHA1
b25346a02bf1c123ad49f92eebf6f1504cde19cf

SHA256
b48a8dea26a414c3d2586bf78ca1d01df39a8e6e151dfb49bffb0f21f5c331f6

SHA512
b4f07a8331780705c8670d837c3a1516833918ea3cc8b7c3d941f950a5a6f2d068958e62074251bf1a718c94d8b3e1b93d8d2823e422fd280135f6b8cebdf1cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
8cb1f3590dad4f11c1b6082f68bcfd84

SHA1
86e5dd0c5ccf5180f0ef3eb863414d86d905f0c4

SHA256
9076c5da18b652a8a7652b205f2f89e4b44f513169829e520b77a96396648165

SHA512
4921eb344431f634267cf1a42fe00361c43112cba96139fffb382ac0f4506630a521b0f489025d31a9c18a33656be5a29f38500ec6b87d29fc7e8e657be6d7a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
069f05aa79d35952202051391ea40723

SHA1
ce04f99cea83b80b082f9ba13ed626de51cd1ee7

SHA256
c2bfb8f441e9d5cf5b6b93aab54ddcc5fa9ce9f4f3a88de6402fe8599101500e

SHA512
fe16b6231d3ade8076a7fde199b578f0975308eebb7f078ecf66d9be12ce4338918b3031704d24c73a79f493e13db1e638d465e0686d12340de789f262941d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
3127ca22f9e05d0b79cda68f91c978cb

SHA1
2e7e5d57da0dd656c4ce57625ea4ebcf5a27bd98

SHA256
d10017955d115829e0fdf61807983640f7e4856f92e50dff9400b067b40900d6

SHA512
0598e501d479dd8e0a31e93c0f08846b8562c7b302f7db35b9447a8cdcaade36aafc0d83954bc9074bb17233693f7c7328e44e1bcf82ccaf7d936d34f4e235fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
628817a44d359d1fd51a2199b707ca09

SHA1
e87ec5c080cac587cd7fe29f1e4f22d0c56b7748

SHA256
9e9916b87c9f865965ed5e030839982b7d04f2e840870762764645069113932e

SHA512
5a223f5ebe0382c02c39807c8ff8a062a42741f68d61ae518164d0ce5dc96c1792cc0c6624fde2851818f18ee8b5fc25a92e4f5c7abdeb6503107870627f7f2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
fd0213778a5ca6c85b91d5d3af05e318

SHA1
d40c8cf3cd9fd002cb79514fbb46f3c064fd3c94

SHA256
c6b4b6e6bd4471e94671d99b55a25eb21bc6082f73a60a21f78cd7fcf07236e0

SHA512
d7d023ad70bd02f0aaf38cd6071312aa05d577d721e9bacaa5020bd152564d3744261c6c30593cc1d97b59531c9c643f9ef77e22bed20338d720dfe257a7a2a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
abb8f1387d54e193650792047f842ee9

SHA1
aa856b1e6dfee13d9d92af39c0f2abf0482740e0

SHA256
a79c24f53be583822074368c109533225f0dec5cced1a84b05f02583ef76dec5

SHA512
f214c04f77e0336a21ad675a8445fa7d8c23fb46b3f3d7db5976431e884ead0abc2396722f394ff4e1da81db5a3590de0a4b8375411a064bcd835c123ef968e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
556f59f6319bb26df590b674fa9913c9

SHA1
25c6b927beb5a44ba751afe8b7557e5078059401

SHA256
863ae0191f45c9d1c8b43fedc3a4a67e14d6ada018063bfeff34029643e76fac

SHA512
d0b26cb95fdc888e6511814785d43e7018752c36cfd3312fcf81cda50ecf85e5ef5c88f3886402f3a655d645bdc65368ccfe6bcad8d62ba8fb02b64dcf7d21eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
19KB

MD5
7a16529392ccd39ba5e01368b37bfd7c

SHA1
a1e974bd779502d20aefddc03c9e0124e1bc193b

SHA256
d7369e8a4bbcba20111eff057062ce5d6ed14f5d881c175bf4051565ec7632e0

SHA512
0c3489c3aac087ae4d018303400cc0c076e30d4205f7e0b1beb882df55b4050b3e6d38a6434f72686ebc938961580c6624e54593e304bdf3e1cfaa437c1526c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
415KB

MD5
80462916443f0a4d82697587af7f31c0

SHA1
90a2b3abadbe143d2896482e1c1d7a00b968332f

SHA256
4d1dbc8c6b06d21520340ad8029bec7f318da5675faf731da8039d852a65a6ce

SHA512
c84af471612e4d08e86c2695f644c72d6c7528ac588926ccb6e1c19405e900b9d00b23f9b98ef173e858277261b38ac5c62190257da95785baf288e98f577aa7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
d52ad19b40c7d3803027f1496f0156d3

SHA1
2736772f56f50dbcf19633202c265c2b76597c93

SHA256
20dcf50b9db428dafccda16b3e43243bda66caa3d735b5de8b8775cb65eb8a74

SHA512
b8d3bed1f82830bedaae2c9ded2a10695ace7ff3215f30d37acac8e0bde32654cd6cf63d0cb41ce3a721c9fadb92303bc87641b0ae9169ac19df00ccdc1d9400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
8425acfcde45062437f354ead8c0101e

SHA1
98d84b3d9bb77c1952458d5f021a5418013250cd

SHA256
5d743fd57f742b03d42f923ab4c7bc480f73c1d6dc0ae68bd27453f52efcdcb4

SHA512
7682509563dd0faada88e358a14fd0ea06db4aab17e3309bae2ae1f59b67746233c2ecdbe6a6143c87a3c7a318fa649f59d62111b52fc86431e0000b7c83678f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\170ce29fd1bcbf73_0

Filesize
57KB

MD5
e4ecb729cc445d9fe01dffa57564787f

SHA1
48e5f8ffd757f87a3b50dda5aab177552f3754b9

SHA256
8c3f3a63cfc2579fb81cf6dc93debd7ce5215ae9902ca945b66293b823ead47c

SHA512
5a5c8eb3b0aab53f3fdeb1166f419fbfd45360731fb9e056282d3ca10763da5acf17bc0d9416b493f1d03d4ab234c0fe1808801b49c6b3684139733c13210a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\index-dir\the-real-index

Filesize
72B

MD5
407cb036d0c0a7074cdaa32d8ad35ffb

SHA1
9b20b995d3d421788cad09ec99fecb927bc1bff4

SHA256
d77efc3a226ba07b78ecf714de71eef5c464f409bc937d62d12b09b187534ebf

SHA512
6b6b39c332f544d27729cea76acfe20cbc7175598072801ee4ff975de06419232d44396215f0251c2b1f577f2db90af2999f7c9bf09a350ba133291f6d27d360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\index-dir\the-real-index

Filesize
72B

MD5
fe205d0c4e946c1b2728c90a0e26977f

SHA1
614a93c9d68ace4be2f840fc06ba8697b99fd992

SHA256
3362dacc9e29b2db7ad512e6d714abc69995d03efadc11068101b87e2652b55d

SHA512
79d31f15a2c71b54b321578db3eddda0a0e64cfe8fe4ef089d8bed76cbf3a2a0d242774bedfe015bbd9d83145fbe1e11034c8276bae3606950dbe1939d644d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\13bf7cd5-3f0a-4967-869d-004c84656018\index-dir\the-real-index

Filesize
72B

MD5
d9718902d8575477e90fb5073119fa3a

SHA1
4cdb711e6cc86a6c9322af0801736bb8cddefa53

SHA256
4e0a59481a99c382341c3e1382f33d7acb0f039ed82b08316107c4f0d6c378f0

SHA512
7bfc36e9b2b87e4bf2548c4fedb1cb9c3b8126556aced2cc6f488712f47906338c7fff7b01c2d649292232d2f01739aa8a38b62e401aca925a02bf999a00fe5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1f5a8dee-1a76-409a-8770-425e2ade70b0\18bef58cff3009da_0

Filesize
434KB

MD5
6a795c1a321efdd1bb23e8840d45bd6f

SHA1
f13e3a7c7a792e0fb2fd74d2349d3cba8a7e0299

SHA256
135f6313fe51285d55c76d1856b8a391b8dcb3b351d87d8916cff51bb5959b6f

SHA512
ee73e91c272c65b17a2949d55997a83e84e3aae37a03a2dd5257b7ef30bf3f0bd378c0ad0ea50e4d058b021e0285fd68307120f29d2f4953154f8d595f50846f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1f5a8dee-1a76-409a-8770-425e2ade70b0\index-dir\the-real-index

Filesize
120B

MD5
ce8653f7c415350114c3d39bf70babe7

SHA1
f7cbd86342943faf1c7d072a085a176680081b96

SHA256
b2673c75d4949cf1441be377b6586d80489c35a448b77e43520b10ceb5b5725c

SHA512
1fbd6ef0cd5772ae92b5d884e5f6881761b246805f9fa584aa0aab5305ee65c9e84afce8d9ad205e1a0d0340223e0a5f4e42f3d6133f0474b6d665c17c820e57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1f5a8dee-1a76-409a-8770-425e2ade70b0\index-dir\the-real-index

Filesize
120B

MD5
cccf35864205d76b23d1b234de2c4451

SHA1
7f1458eccf07fa295629a86ebbb439986ce3725d

SHA256
0b978d641411296d8576a9be67ad51262594d0cc1fc010293bf2863a755e9751

SHA512
5c245bf275d138edfe4bf3ccc61b70d0e3e996459bfd93ad0a4c48bcdf4a8caa5279d9c48d26ea7497af44da354c4a73aeb215045a4916ffee5322e46cfa9f1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1f5a8dee-1a76-409a-8770-425e2ade70b0\index-dir\the-real-index

Filesize
120B

MD5
39caa751d82673585f2cf53ec350b97b

SHA1
274a0601a1d0c7ad7d97612793383bf9b30bcd08

SHA256
3526ba0a108b981097c0dd41e4d1d5235351b92b03529859c3e8b1da1cc9c888

SHA512
257aa978e9f920a0aabbdcfd26e673bd09e01daa49a7d6f10d05f61328c66182e64dad2f6b44748b481aa1e76e7a20f944ce4d6aa463c74592b9048add77a91a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\1f5a8dee-1a76-409a-8770-425e2ade70b0\index-dir\the-real-index~RFe5926a9.TMP

Filesize
48B

MD5
9024d0ff8d365e4f78ef10966a6f9be7

SHA1
fa080d32be7707d7b94c6d72a1e5b3aeb5798c51

SHA256
269f08881064db792767d102a0f2d36f914f620575b8734bdddc0bf484eb711c

SHA512
d676c39841d4d2e9488ba9c73b7559ba3a12eefd4fdc458b0235c1217cae75c5a9d0b42a0b8fd4ad0e980637b44c95d0f00d5ac73d4af822043e9495e5c658a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\42fb933176677e91_0

Filesize
7KB

MD5
52c1ec02ebaf098d0094f1138ccd9f05

SHA1
294b644b70dc09d40a53c9725f5be1e3838d3918

SHA256
c175b1f4f79fc55e0a544cdd326e61d7ffac6be81a9d503ef8ca81cd00cdae09

SHA512
db67a1d40fe335b6c8b59e8ee6b60abb1806f3bcda6e56de3b61ba515247404943249ee8a56a1af6eb57fa63ebd962cafe19dc900ddf707fbf569d0433856b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\42fb933176677e91_1

Filesize
14KB

MD5
99c404cf036e3a91cd3e3d2741c41d78

SHA1
ebeee257ebaf6cec92c2b1396bf8b9a7bf128859

SHA256
7d41a8b90b0d6e2f82c2f9d6688b8bf4e64d1dd6f4ba1268b9e4c86a6041e631

SHA512
7b952fbdb25f6e6f445e7f5b3f406f86a3a983e28bb37523841db9ccd290f9284f943cd9e43254e2cc0d4f07fb61653f2aa87ad3e7603eecf472a6a03cf81c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\67006a411009bf15_0

Filesize
80KB

MD5
e64c48569ccc37d320389d8eb7ec1c68

SHA1
2a55ca67e9ee9d62eed79ae8d452bbda7ac35726

SHA256
81f2c7f956682dd3bdd6dbda20e7cdf0febdd15647e73c4cd3ac4bed3e6c67b4

SHA512
2251e71ffc1558e97e30e457e3ea3a65e34af1bd47ff398852d12ee17cd44c45f39862151e22b0fc3e649e333c6f503c9691a5b73ec85be33a07aacf14bc00eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\67006a411009bf15_1

Filesize
178KB

MD5
2be1ab75c988c5bba108ec79ac84c46c

SHA1
ad370857b4db2f8a8fa66e8cb7d03b4e4e39f339

SHA256
39494980f11c5ab103415d30da445b406bd489d5d35e01790e4d301b1c3c366c

SHA512
74e8daefb20d8dcb47ab42ee871aff3332453a5b448b51f7d6bdc147f4776361f74e88d4785753707b8b25e19765b731c808508565f9dd1c64787b222703bb2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\70e51bd8e7ef93a9_0

Filesize
124KB

MD5
9f7f93b6b7cef6cad18ccc4c843c1c3e

SHA1
2eeed96926fc72c91f6d624fe512423d93ea53aa

SHA256
26d1d47090577c877dc8f502064505dd32adb9356a247892a7d255564f88e098

SHA512
79590c6d29f6b34c6354c6dc9aa8f9737cf04f530715032fee9c700cca6242d625ffd4296fad4c0c0ef2758236d53b9f35808e8ce83bb1090c64684b2c9121ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\70e51bd8e7ef93a9_1

Filesize
216KB

MD5
2608ce7b566054e64d9d5e03a84f283f

SHA1
ae62346bfee485e2ac4c39be66e9ed7dff7b930e

SHA256
438ee9deb8c4a79a83f5be6d4cf18f927f87d295d77749aad5f9eff1f499e3e9

SHA512
2ea7c0c6619e0040c67a1247d959bb869a3aadd2fd390fb99a71973c3a8cb3cfe2fab2b9d4b81ac10fd251e47d479cb58f0faa6fb962e82e409ae52f5d5f24e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\895d9fadb6945187_0

Filesize
144KB

MD5
6b142fb6089510cdf280003a5fde0c59

SHA1
20e53814bad64054946499fc31f6f338c79b7b1f

SHA256
20eb9f7f5ba598a812a18e9a5ed5c00dc40eae8745f5c3195b02bbaaf2ce22b6

SHA512
402f65236f00fa8a726a6b0c92e5729ab71c3041a965d67f0fcd6a91cb2b9f7b7d7412abb29f5fbeda9c4990d8927562fae3571cc9acca6ed699b8a7305c15b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\895d9fadb6945187_1

Filesize
305KB

MD5
f43177ab27ae40b69395ed053cf9b70b

SHA1
44713bb78c7ad7e27fa4897ee2cc542e914f67f1

SHA256
6e399ee0fccce156c9b19ba94856ffd4eb2c73c28b4e4191e11d7b63dc6b3abd

SHA512
d729b77b63a61392e8119de684726c825cca6a43b2f82ce0f77d559f4933358f2bb850e403ef261015547b257077b00a87c0f4ef488671f02c99b004b6e274fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\cef06dc0c7d251bd_0

Filesize
54KB

MD5
f6e372f9d20f2e720c678e032778eaf6

SHA1
01636e4a5c6bb0e4164905f2b2471d02bd8aa5b8

SHA256
418c6ea97fa12e2852131bf2bfdafe273ce9de91e1f199f09cb072a59d9f41f8

SHA512
e59608340c70e7a0a5de62f27de898d8e1e80a016c902162c65cfa22c7fc16800c58cf6b6c9f2c7ecfbd5bd32314cd43a71cace6f5434fbb6558db69d459b5f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\cef06dc0c7d251bd_1

Filesize
122KB

MD5
80cd483abb3f92d5703cee6205319a2c

SHA1
d4e8dfa7a8ba72ed1cc767abb4bad655cd7f9f64

SHA256
f2293a31ae6584bcaef32bfd581d8ca7c38d06d719ba32f47376fcf0cedefccd

SHA512
0e03ab20e6faf367b811206a3c72f2330f9a114c255b0d7263630ab87a3a5227960f7881937592cf88bfa735518d35a8fb25200ecebe4c9181fdea36e17b07b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\the-real-index

Filesize
2KB

MD5
c762b06921d2d4b4452400e303f60024

SHA1
75b9fa55573c607deffaba50b59d553bc59f1919

SHA256
76f4ab5830da01c1aaa666a0e0fcacd19d9b2ff555db4d75ee796271448874c4

SHA512
506467db499e63b42a7d165c5b170f7bb4758f8be0be9a1c7b3e36f40d489bbe8ec5506597d6d52a7f6a2b54192f1c0b09d87cff0206c1903fce1bb2d62314bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\6de81848-5b24-4103-b044-7a04b1ce3981\index-dir\the-real-index~RFe593752.TMP

Filesize
2KB

MD5
0b8aa8e295ff1f0d7da5456906e9ee1f

SHA1
1ad6fb3221eeb70cf2cb9c2cc75a44287a4321c7

SHA256
c8e50801626b69101f8b3a880cedbd1e8a815b3d43e6508877e06264ed2da3e8

SHA512
b885f75d0e777f897ba3b835dbfb475383edd7c5d98b63762e25bc3244bdc208f78e763058897d4771d1bb23b1f612ab1b00fd120d4edf231217827a81958c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\ee91b116cc2005be_0

Filesize
57KB

MD5
6b75d74ea5ff1974816f0140358485f4

SHA1
b6a7471f8e49aeb9b8920876d1807bfe8f6cf83c

SHA256
7930cfcbe10345ec39ca83b54ed822ee8ba2811c2e2a68e943977137acd88a52

SHA512
d12af8c4a8b1d57ef34a06fca295292cbf1191ffbb8e7350c899011100b131a9511afcb34aa0b96eff197cc1afbb260681e60773d88e550351c1270b1d107cc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\index-dir\the-real-index

Filesize
72B

MD5
00c54f1982740a72a6391d0abdc25df1

SHA1
5ec70ac833c219009d3991144d3ae3127aa4e03c

SHA256
43202b885f149a999c2731210e81cb3a80a8ef58502798bc336782ff8dadc54f

SHA512
a91f5ae0ec20adf14b35f4d2d045c15c5acbb5b338ce8c30a6e90814f999c21c4d60d7218bf17f05b603b117a015f11c233acf23cd1204011a0e3a78dbb0cd6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\index-dir\the-real-index

Filesize
72B

MD5
093a7075583ae979457c12d69a354d35

SHA1
9b702675c72ca6eabafc2e9f414ae12f88cbbe65

SHA256
7d819b8d185414b6b961f87fdc59c949c5ee58b1995d5348bfa4f1633ac96909

SHA512
6e9a877a47a8c24201cdf10d27d9e377f230f90ef0b68027a2b45a75193b32bcadf7d080fb5c9b7c840ec237890831c4cbf73d5a0d8fe0987f9617fff2444a76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\cc7ad1e6-2a51-4dc0-9579-f8bf6674ff51\index-dir\the-real-index~RFe59500a.TMP

Filesize
72B

MD5
ae29160f15b7f2fd1dbc246f96c4940d

SHA1
8b4b1b9188e74240a2c7138196624c5499043a99

SHA256
49134f4b5810df62371da51286f315c9a446c838ef8ac177d453355f19561c0f

SHA512
cbbffc718d9eaed09961971f6c14da136781418fcef18de586b9f216f53bd4ca16a99caaba333a4b89e9f97f1710ffd5e36a267f2b87090c64f98300332d3b17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
2050a29183ab884025f8c721c8444e1c

SHA1
731109ba256a8092bce48ac21789547d2048c9cc

SHA256
382d19be3150d7c3e02e69a53720b1a8f1bdd0520a5a83f6c33647bcfe8bcd6d

SHA512
493cc413b7a349814b654b81c5a8e475cd88628f67e6bab0e0986aa21b25ebf2d05b52ae8df2bb4b6a670da2bd6d0314b46dd7c12fac814e2cdcc6736f561d23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
bf37c3d14e1e017d7720e2743e53f6f9

SHA1
43e913794a8294e298affa983c51c0400357b1bc

SHA256
b4e6448630546e869f1ca35f76b2111c8f98ecb8aefed029028b4a4451b3d278

SHA512
2386818f66eabccab212f669290037d4fdb960ddeb339b353cf31fb09ae7a2f89f56085b70bf74e224342be6e7f58995d5627d5683f1d0a1cae2417259576808

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
d93e9ebf2c26fdda0cbc5f574b8a371e

SHA1
01d34fc093f2fa8c0486bdeaee077b9f6bcffd24

SHA256
2e0275003db66e613866adc31407a31234354fd73d7b1290c7992517a0930ade

SHA512
b9975875147176253d00ecb3e66f05aca9858cbb12e6897fd12c193a21b6cec5d45936f7e946752e35504d298ff71e2938530d6ef2413cc3bf6394e36b4f68e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
bbda03ca8205b8dd38f48f45c5d2b5f1

SHA1
9a9f4999d5da83636c92a6bfe9e80ccd6bbcbc0b

SHA256
18b1b323c6fb5a527c0d5be54e78e92aa5223a1c27b91507288ee672da5cbb49

SHA512
d0dc0d120dbafceb255ec2d55180451d4a6eff04b49ffe7ad0837765e5412df83ac70809d7e3e551b0de928e58a295af6835f4e39a922227cbbd6480858c02a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
115KB

MD5
eeac368ea1b85e652b9d125e030659ba

SHA1
29cd1f4f48a91f96fea1035b49cf4312cbda795f

SHA256
11e68ef8a7aa75e1c112a0e4ed9e688ea5a99a4d65ea1ff8d5523d6cb14ac29b

SHA512
8d56a4781b0d8e9a28adccda6677bf3c3e88045b6282b805a37d8caaeacb7bea4d51d74f2dc85aba1e8167d4dc464543e5b7e0a16018400f87fbf7d1f40ea5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3d4ef971435040a8ed76a79ffc8695c2

SHA1
f478811f2fbc9f470ab1aa35be9da40eb593e8ec

SHA256
8ea0408da90480f420a6905de170c819c1cd63ff6ffc1a3abeb182405ff03391

SHA512
1a9297fc3b8e13b5d53de378023521ff065100a291dfc74e5d9d4e185164f1a76d52e4ea3027190c52a7f9bca298a5035243cd1088b87205f66129fbcaac3519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59333b.TMP

Filesize
72B

MD5
1d129f177ed37f3a3c2fcb9493ab6532

SHA1
801fa8b2d3e76514540a45c899a3df1fa54c57f2

SHA256
49184463c5defcc4d63e355d44c5c0d181b24d103bf7631be9fd1b3cee3a9e03

SHA512
7d11a3e9e6dbd9023bdcfe5324b93096bf68d5c86dfd57896448caf87a9c03f6d104ea91c34c371a718f350a8b709ec27ecc75bc49270e0391088f91ed8fbcb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
5163aa4ecdbfb36f536c104100436215

SHA1
a12fa35dc1a7050959987da9798046673b062cf2

SHA256
70a11a2d4c24e062e22d2687c9cd5da464ef26f80f00618a2cdcd684bed2dc53

SHA512
c86456fa7ca4284a6d69b218acda527a94fc3d09d70afbf9035f2971f2c20fc90893219d450d3dbfc6eeb8dd5fb351b694ad1e818801e513121a2700c9348344

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
464B

MD5
0a7fc61a71b49a1337e66d73fa5011c2

SHA1
86f15c1e9321e678c431aed0e84e64fe00318568

SHA256
e482b96ddab54d6b1930498d5034ce81b9d03b6cd2f9344a6d9bdbba9c69de0c

SHA512
09d9bdc9f5a9df200e9df8a29b9ae47841d89a06c2c77ad57a8be8f2151726f09a9e22576c1a9a8f539c0f81244ec9e61c684a9f1efa8cd67b6a35752398eefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18340.18330.1\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
191f8d9b8024cb50ea4a87b8842facf1

SHA1
667879bf5207add99ddbcede25f1e0a1e28ba903

SHA256
cd286171c70c5e719ad1ac3de49173000cc7d31c1f2ff58be7d13be408c89646

SHA512
7fd70e038bbcdfd2696ce46109350b761362ef958598b1180e0ebb829afaad692314654ceb6a49a41d60156851ef2904ede5bb20e61a7eed9f8a7899a7225404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
f99c43f247e0cbb45ada9bf69a365fd1

SHA1
f8217e9d3bafc9c04e0a257d67a8ff1df6eadae4

SHA256
ac448105508045932b9362c6928c845a18ac89f29e0243a22ca22e1a401eaf1b

SHA512
f55550d848e9e87406ffb442799595208ba3ad128d33591bd904e77beaddc7ddc046512d3885b959d8dac1225cb9c0139027d139577346c8267237542cf6e8c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
26cf2ba7bdac9e0309198d5b419d9372

SHA1
d4bde766244ccaf2af97a40ad82e5ba21e3777f7

SHA256
66f9e36c114390a20bbc9c9f446631b7e0aec5aa8a36d9fd6c8ac6b6f6bfd9eb

SHA512
05d5e5796392c3fb9fa5c5187fa679b81554f716bbb027120e2e212cb6d3f630253bcbd4b7f552f83f25d9367a0e9564bbb06f7fe5f49eed17dfac801f18f98f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
9c45ec82d400f50ab788fedf1433a89e

SHA1
2a9e58c422e05159f9d5936c5d44411ae097922a

SHA256
beb23f465470f22457ef63c0bb7e829798c0bcade8bda9a95a0d2e68a2bc974c

SHA512
e47346acdeddcb9f97818e3bc21865b34d500f2862df02abb9ea700bbb59fbc9038253e8a1221e069e0808f3f6f3796dd1c3ae900dc8ee4f71321f8685594e30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
d308a6892f6baa5c340d1a39fa6830fa

SHA1
6329ab3757137443ab0143d6c90f34d937e3ecea

SHA256
27c4036218438ce8d38d187322bd2b3667a12ce7cf2ab03894fc4abd91b7a221

SHA512
36a1e9b7dca4876e06de5e57cb4f0995ba4d3753497d4f91fa8fd9fa2d2040026411885876d7928d3ce3d9e6e351245162cb7ad94e4949f6e62e85d48dbf7bd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
8cffb7ecd1a157761fd0a5f7370a7d89

SHA1
568a4d6c34b914616ee88cb319e689adaee35ca8

SHA256
c1a8be68e0825dcd64d1ba8a23c5691cea9a5a8fd0d3c29744b990ff9fc6042e

SHA512
022654ed3c490010aca1ee127b48c331c3efd7bf72ca1118f9f634e2e5bc718e6e82f3bbdfac106ce7ed4d9979eeb2859980151d9ae5adf5c65b3e6695b8c8a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
a0d79a9f41fdd52bf561623d742002f8

SHA1
24534aa7c3ae82ae47f8db671cd44e106f158f09

SHA256
3c7a6c6d630d1624ef33b7d04213e08b5a51cf7c7f4365368d0edc6e254dc563

SHA512
c94c7c2a2e9528bfe5f92410e19e26d3a1a4ac9c7abffd17f06a6b930ed19d6dbf6c59be9186287e9207b9f14d2bd46525d34043c8ff20fba472750945b6b557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
e3744b9c7a24555a630170e8c6cfc463

SHA1
873c036761f13541c56fd0cfea9e18dd2a9efed7

SHA256
8a2de6e25ae3a61d59a2eebdadd839fc9bdb2d3310d61e527dde3c0826f21895

SHA512
04ac82b730b8cb94d42001fff4a888577cdcb140dff2ebe86cc78bbfd506f8886bf20bc0e30a4edeffd89a4e91bcee3e484c87ec85b3dc1409c1359595a4278b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
b28030f322c9b02a48052ca8e7bd4c20

SHA1
f0b2bddb7718c8c2ad90d22aa4dbc25197ffbd98

SHA256
efe1e77a5deeb17bed447beed0b04d4a3eced8ce0834d1353b1d1f0f33ad887a

SHA512
1e68545440f08fda8475eae901e2c058ec34decc89ff096c811d0d768fce6e6c623618082267479f67e0fbab1cc81f8028b41aa77419db42585614457ce40163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ecdd4671d004b348ec448eed4b098ea7

SHA1
d379276ab694f882e9ff05df9b9bc3936c64def6

SHA256
94e214617eb3d15ca5ff3b4c77ed6b3de85839e22d5f7e2fbe5beb257c91f1c7

SHA512
fffcdc484414d415c299b15da5b51da4c41aec31c77cbc76c073ac4de5f9728402655b590441566015a9fbc1c3a5c218d79e65a070fd3c0e5b01b18297d1deae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
9ed96d106ff6d384f05a75518e889619

SHA1
fdd03c44a1ec3859a5d2c776b3bef8423d7d3f0b

SHA256
1bb2b90e92485d7df6ca074be04481946a0c75619e01c62ba8d1eac962be6d84

SHA512
d8fa909e312b10c4ab427b66fbc6e40f8fb391ccfbe3a9362dbd2352e309604e09fd52780ebf1869427bc45d018b48fc4cf3139e046d4f5ece77d42c8ddb7566

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
fcd015710a0603f245ec6921c06b9e1d

SHA1
670dc594393e693bbd4a8e0a35a56ca0d9feb129

SHA256
1e1715b632017c0d1085029053d48b32aa5d99256472106e8d1e6d3ccbc203a6

SHA512
40f9fef495a506597a5fa95eac27fa1bf2475fa0b0caab2066e18f36890d80ac179fc0ab7921db68daecbd798b719a50ab1fbb9729fed486c9627c37dc0637d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
39531e1692ce2af2c45a13b48806d794

SHA1
117f0dc793278763d1d58b941923fe690f34cc43

SHA256
3e897379fd0207ed627c1ae843f268dee679ad2003ce4210f1e1eb664bd05911

SHA512
f0efc7d02d61f39dc85adb1279952ac42b808cab976eed016311a033247076e68628283fb52a2f481a43cc9d00e7b32ef7183a4fccb46ff8d341d262b69530bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
fbb4cec2e774df00df7d8cf9c7e7e8ea

SHA1
3e828d57d4422c67cd327f1df6b7da03706fea75

SHA256
633cfcad8d2c931ae6769fa9e6b2cc6492e33895f75a8cf7ae0809e5c2d0dc98

SHA512
af8443034dd0b8e16f56a435a1b44cf0b393e4185b7e2538470457f65b250bb83af0c33667e5cf5fd8e2f8eb68b8fcdfe0dfeb839e0421f6db25008c4a2630c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
dfbe6b0128d70fd93642c0effaa3a438

SHA1
28a7ed5957d17f11b00619bba3380d317ebfa1fb

SHA256
959519ce6a6d28923ff8753816eb43891cb16d39d65e25b99b86db216afcfc5e

SHA512
c795ef133fa00cd53595402e94f22c4bf01224b0f9effed9d117dee593e0bc3d9a99ce58b3b4d451e90177620ea5dd3fcd8aaeb6c3c29de0025c6111b0f22128

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
6979893a15c06b00d78fb3408d44e843

SHA1
4e7dc75381e2352cf7b85cf6e27c40a6f2d89e64

SHA256
786635a313eefe416ca7dbaa5c35eb04dce0665a4a8f9aab366cadb17407d2b6

SHA512
b0e19a4ca0791ec03d456f2f4b0ea63cab87cf3e73e82c4ea664814be83e2a75334c6aa6e1ccc5581d5fd340f79b0ab5710deb30b94441c8d8920398002d36d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
169e49b625307de46949b9d4e2b21adb

SHA1
fd3a64f74a4530761d62dccdeec420139479ddf4

SHA256
44e46143834f888e792991143410f402a9d73b275148285d226b1da57b5b24bb

SHA512
db0363d5e95185b9ad369c8a1a8cae9a58e79c323b7fcd3db3b1d65db5ab5383dc7abcea88ac4cba705a0a9a77e576ed718b15a66248f6fa910ef4d97123101a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
15fa5b609e45fcfa8342674bc5c70db6

SHA1
f84c4cafbfc280b382602dda6e74a06fec321c6d

SHA256
cf3644cb511ca9bb84a2ffd6e4cd56963876235feb3d0c633a28d27215fde998

SHA512
df20a031f9e2b1b6af63dc950142934292adec9b6fa3341789191a2916a128c45a7438c08301a3c90104de0dcec0a6f1dd25ea14504b758dff032029bd40bec3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
767562ac6877c9202e0a1e614ccd5bfc

SHA1
5fa76389dae6af097b702dcf607c62e62c0bf329

SHA256
c756667b86eef386e405bc12d806b6261e905de1c668cdd8c3efae5f39483c4b

SHA512
30e4a8c76030196dbab6a19b3a2cc849a72984661355003e2fb9870962276c7736676266e7009eb808d2a8ec2db534fde9f352c72cf559744454525a9ff0c970

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
e1039023eb464f9164f0558d4e192649

SHA1
ea8dabe9a86a2167a1d26f2ca6fab5963846424d

SHA256
196ab8f1419023bf7da36426cac6ef881106f8bed4bfa0879293ab272648fc73

SHA512
ed5c9ca28bf9497279031aac1ca409a841106d026d9060883171b398ff62bff23f8ac3136a5d34f7fdcf5d3345acfa75c8c944585b705204058bbd4acdbe4e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ecbb6387d65486e6fd79383cedeb112c

SHA1
c8def795fe858199cd74d89c450ce1f23987eeb9

SHA256
c82137deaabfad59b45cc40453c0c5052f7fa48217a9714ad1bec9dd7bcc3157

SHA512
84da2d269ebda0aabcfbedd8faedb31a98c7b13359003b4f2d57772dff28897b89e5fb652fd698321607595fe1c70c51dadffe36acb05ed1bd3adbf83ed6e15e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
27bc14cec12306407a8490f4a159c7c7

SHA1
8cf9ca288b8f77f0bb4e166504553711cfd45dd7

SHA256
0d561816878017e14e97b8fa1ae101d4767b45ddec1d12dd38f9dc7a125d0c20

SHA512
b7ba6deb24db178cd625ee3408a51091d10fd04d7802bd6cbbf1094c390b3c52ef6979e1395157568fccbf672e4280651126f1d92647e300b13894c1f86a0de2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
3246bf6a19614cfe8480f604ce1d9c7f

SHA1
b74bce1dc399d019d5a1fe0e4804206d743f3bb1

SHA256
54ed1d29e8111d9865436ba6d82f86169b08b54c6faffd697704a7e2f13772f1

SHA512
a9efbd5a5d1520d7808de1fef850dda47f22ff19ffce12bf708a4f591ba4377b6fdc8aa3983b3bde5bf72c87f1842e372bcdeda5a65d62f85f28108f561fc3f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
72192398f60bb4345d5771adf5979f74

SHA1
3758debfe750cbe36b86a01394ec4ff53a985a71

SHA256
b3adbdea82d96ece159fc4c991bb45d1a69c0540fc7e79b8ebfc8e2c3d1c9a84

SHA512
08e596590cb869273def8dc617dc26a9cfbcebf8f04eb07363c1a87f199d091ef788f9ecbb0c66bb7af01798a4258efb9e1a1cb12347d91d83b0991d21805da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
96af7fe7f13e41bed5ce7c6ab95f673e

SHA1
2afa644567fa46e49a59c76a0588e4a1624ea8b0

SHA256
12d1030885266af7cd8f180af38a90307cfe2c9b92c04f98067249f662612f35

SHA512
e16d0b47a0ecadd67bfb407c7746e82464d6a7a39709efb217e9905a51e9dcbe7d5a8f07eb81f730efd34dedd77e722e0a75ac971b564bc9115f32f23f59f48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
3c31e905b6a276e92a313ff170933a2b

SHA1
cff0958270e2e0edfb245cda34a277b8b66926e7

SHA256
f9b476421010cd471c5859200f364076e0705bf9ef45a2717c78d21049990cc4

SHA512
8a37442d2e68158f2a8bc0c58179bbc720ddec7710d1906489ccbdde109021b7f2746a0c265d72af8323bdad198c7b6e2a31b54dd87eb2f0f71a757f80ea9da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
d9fecd734adbaf8d9713d3e4a42f1b5f

SHA1
2808ef0bd67700588ef774802e8eb2c05cf3574c

SHA256
b62edc72f8e7a4b652ec11d56c6d6addb1f16ce884e72039a08574bb73dc93b2

SHA512
b5a80d6c08c71044ba245c45221ef1264916b3efac63614f0ed25153bb4ac58ceb1dee77726bcfa0687f59dd436650a044a4e38b93a13d35c2847f27a13f16e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
6875e7efe554b7b26c6cdd4bd1a5dce0

SHA1
47e0741d90aa03c93739797b45eb8aede2df845f

SHA256
ab707da8ec9e8d0c2a7c78f66ebf2bb17d3a54945ec7652ca7d6d17a22dd6d68

SHA512
0e029584956f679cc58ce0dce9717022099d6f36ed9d487aecb5c61dc564427a277ed316c52d816e8fe4cdacd9da6a4ca5a3661f01ddd90059caad91823e3c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe5913fb.TMP

Filesize
392B

MD5
a8f5279027ba0ba352ae807aaf435483

SHA1
12f3413a9381daac5c97e600d597653daf2e1c65

SHA256
ed6d6c6bd6ceb42d2b5ba619d98d3fd880380bb467214459182bfcaf55218598

SHA512
cc5cfefe11d456fb8589e1c43ba53d7cfccd3255987cd8a5e607e0bf67663a312c132f87d981de35598fcf66c583f1da7613a4e1803ba0553ae2d33839f133ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\Filtering Rules

Filesize
1.8MB

MD5
d7c9c6d2e1d9ae242d68a8316f41198c

SHA1
8d2ddccc88a10468e5bffad1bd377be82d053357

SHA256
f215127185b2ee6b01e12b6ca75d3e5c4e454598dd4aed36124ae13d59afd547

SHA512
7fd14824e9200dd99e1fd2cee402656dc0cfc3d0a60058c5eb05c68e9e65b7f0b47e550fb4d6c2b59eba204dbf3ef9e69dc9723b43a9b3ccd5412d6b77715fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Subresource Filter\Unindexed Rules\10.34.0.57\LICENSE

Filesize
24KB

MD5
aad9405766b20014ab3beb08b99536de

SHA1
486a379bdfeecdc99ed3f4617f35ae65babe9d47

SHA256
ed0f972d56566a96fb2f128a7b58091dfbf32dc365b975bc9318c9701677f44d

SHA512
bd9bf257306fdaff3f1e3e1fccb1f0d6a3181d436035124bd4953679d1af2cd5b4cc053b0e2ef17745ae44ae919cd8fd9663fbc0cd9ed36607e9b2472c206852

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.16.1\typosquatting_list.pb

Filesize
631KB

MD5
c3ec8bf0a625c2583833a3340825f1cb

SHA1
582054710a312897117128ed59ddadc983525eb6

SHA256
7d10e035e0b2e152a1fe32a92b0b34295a979f7db2269cfba69d4aaf3401b77f

SHA512
175125259eb39225d0584fa4e3c5cbfc66bd22646cf32677f0eb7514a0abeb2c08118375210a69207be85e6e7ebdd9b6fa9a967d3c4ecd40ecd514e306873c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc4DCB828E109449EF80B89C2FB8B52BA4.TMP

Filesize
676B

MD5
85c61c03055878407f9433e0cc278eb7

SHA1
15a60f1519aefb81cb63c5993400dd7d31b1202f

SHA256
f0c9936a6fa84969548f9ffb4185b7380ceef7e8b17a3e7520e4acd1e369234b

SHA512
7099b06ac453208b8d7692882a76baceec3749d5e19abc1287783691a10c739210f6bdc3ee60592de8402ca0b9a864eb6613f77914b76aec1fc35157d0741756

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcA30F9FF619234E4EA14BD1A48AB86E.TMP

Filesize
644B

MD5
dac60af34e6b37e2ce48ac2551aee4e7

SHA1
968c21d77c1f80b3e962d928c35893dbc8f12c09

SHA256
2edc4ef99552bd0fbc52d0792de6aaa85527621f5c56d0340d9a2963cbc9eed6

SHA512
1f1badd87be7c366221eaa184ae9b9ae0593a793f37e3c1ce2d4669c83f06de470053550890ad6781b323b201a8b9d45a5e2df5b88e01c460df45278e1228084

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcDF59E7C76ACA4D7E9EF25B9EC64F3F9.TMP

Filesize
668B

MD5
3906bddee0286f09007add3cffcaa5d5

SHA1
0e7ec4da19db060ab3c90b19070d39699561aae2

SHA256
0deb26dcfb2f74e666344c39bd16544fcaae1a950be704b1fd4e146e77b12c00

SHA512
0a73de0e70211323d9a8469ec60042a6892426e30ad798a39864ba123c1905d6e22cb8458a446e2f45ec19cf0233fa18d90e5f87ec987b657a35e35a49fea3b0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
309B

MD5
b60e18fa277e26bd4296f182d4facb32

SHA1
2555a492d2fe5a89df3fb330a3a82de63b58f85d

SHA256
ef207e6aa1dad829fd53552739664e0dc081d01153f1367f445474d3fe2ae47c

SHA512
6a3f064775b619d02a75a73377556029b14756e2b9c586ed63e2832e33f35238d90594642f38b6b587e299419aa1d3b0a8417891c4f4ceb803c0b0040d7e00fc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Templates\~WRD0000.tmp

Filesize
31KB

MD5
0eb9230de1b7d6214f85d45b2396d0ed

SHA1
694e164aacd69680088163b9b3a6039caaaaaebe

SHA256
fe17bb44345b79630854f56c269fd7badb45ef4befe5f805585932358ba4b287

SHA512
2c7f6c938826a6e981f0981bc57356a61acab83537161753d759f863e333cf4b74f4b04d8c4716ff8ff2ccf501656cc5aa2e68d5111d84394b6a10170e29ca36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
8KB

MD5
6fc320c38d69c7a19229a06d27846f8c

SHA1
ce2fe5c63d9542f192b57cb9dce8772ef40ce9db

SHA256
218508876f972d91fcffecbc068db360b012643332e55272e4e0cbd022a87bca

SHA512
a9b31b689f0c614a0829143bd3ae2e06ec05c17ab7421490a4a864e0da41e784b264390f58a43b23a24378f44996269fba2180f97ff4e75c6d2034d2b3b4cf81

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
0c3963e0639a84890f8c793bfc8033be

SHA1
9bdb8c9ab90a34c74a4fba140786170ec405b145

SHA256
a687d4d084a0f835b625c7c32e3b40c50eac5ce6c9e6f6f7d9cbbef9eaec8114

SHA512
443b089d641b8976a1ba56528b2841b1480d8f55ee1572f174d0ba8ba4eb4b0d86dca99430dfc951218d4a0f7b92b3d3aa4cbb3ae687af03cdcad92d40975f78

Download Submit
C:\Users\Admin\Downloads\Bezilom.exe

Filesize
28KB

MD5
8e9d7feb3b955e6def8365fd83007080

SHA1
df7522e270506b1a2c874700a9beeb9d3d233e23

SHA256
94d2b1da2c4ce7db94ee9603bc2f81386032687e7c664aff6460ba0f5dac0022

SHA512
4157a5628dc7f47489be2c30dbf2b14458a813eb66e942bba881615c101df25001c09afb9a54f88831fa4c1858f42d897f8f55fbf6b4c1a82d2509bd52ba1536

Download Submit
C:\Users\Admin\Downloads\Bezilom.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\MadMan.exe

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Melissa.doc

Filesize
40KB

MD5
4b68fdec8e89b3983ceb5190a2924003

SHA1
45588547dc335d87ea5768512b9f3fc72ffd84a3

SHA256
554701bc874da646285689df79e5002b3b1a1f76daf705bea9586640026697ca

SHA512
b2205ad850301f179a078219c6ce29da82f8259f4ec05d980c210718551de916df52c314cb3963f3dd99dcfb9de188bd1c7c9ee310662ece426706493500036f

Download Submit
C:\Users\Admin\Downloads\Popup.exe

Filesize
373KB

MD5
9c3e9e30d51489a891513e8a14d931e4

SHA1
4e5a5898389eef8f464dee04a74f3b5c217b7176

SHA256
f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8

SHA512
bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7

Download Submit
C:\Users\Admin\Downloads\RevengeRAT.exe.crdownload

Filesize
4.0MB

MD5
1d9045870dbd31e2e399a4e8ecd9302f

SHA1
7857c1ebfd1b37756d106027ed03121d8e7887cf

SHA256
9b4826b8876ca2f1378b1dfe47b0c0d6e972bf9f0b3a36e299b26fbc86283885

SHA512
9419ed0a1c5e43f48a3534e36be9b2b03738e017c327e13586601381a8342c4c9b09aa9b89f80414d0d458284d2d17f48d27934a6b2d6d49450d045f49c10909

Download Submit
C:\Users\Admin\Downloads\Trololo.exe.crdownload

Filesize
3.0MB

MD5
b6d61b516d41e209b207b41d91e3b90d

SHA1
e50d4b7bf005075cb63d6bd9ad48c92a00ee9444

SHA256
3d0efd55bde5fb7a73817940bac2a901d934b496738b7c5cab7ea0f6228e28fe

SHA512
3217fc904e4c71b399dd273786634a6a6c19064a9bf96960df9b3357001c12b9547813412173149f6185eb5d300492d290342ec955a8347c6f9dcac338c136da

Download Submit
C:\Users\Admin\Downloads\VanToM-Rat.bat

Filesize
183KB

MD5
3d4e3f149f3d0cdfe76bf8b235742c97

SHA1
0e0e34b5fd8c15547ca98027e49b1dcf37146d95

SHA256
b15c7cf9097195fb5426d4028fd2f6352325400beb1e32431395393910e0b10a

SHA512
8c9d2a506135431adcfd35446b69b20fe12f39c0694f1464c534a6bf01ebc5f815c948783508e06b14ff4cc33f44e220122bf2a42d2e97afa646b714a88addff

Download Submit
C:\Users\Admin\Downloads\WinNuke.98.exe

Filesize
32KB

MD5
eb9324121994e5e41f1738b5af8944b1

SHA1
aa63c521b64602fa9c3a73dadd412fdaf181b690

SHA256
2f1f93ede80502d153e301baf9b7f68e7c7a9344cfa90cfae396aac17e81ce5a

SHA512
7f7a702ddec8d94cb2177b4736d94ec53e575be3dd2d610410cb3154ba9ad2936c98e0e72ed7ab5ebbcbe0329be0d9b20a3bcd84670a6d1c8d7e0a9a3056edd2

Download Submit
C:\Users\Admin\Downloads\WinNuke.98.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\WindowsUpdate.exe

Filesize
760KB

MD5
515198a8dfa7825f746d5921a4bc4db9

SHA1
e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae

SHA256
0fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d

SHA512
9e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8

Download Submit
C:\Users\Admin\Downloads\gameinput.dll

Filesize
11B

MD5
dd0968cca79b2469e7a0f2af6a216690

SHA1
b0d82109c156fd74a3332db93d46f5a32c7a7403

SHA256
e2f6cb0dce5b145a6fa8a81b730272ea4efd50f342c52866135d8d588806869d

SHA512
ef91dd40d70afea2043293707acea709427aa87bf385291235a28c25b17627073d3f2b5e0696fc77b069bfb32528cf8aa9b50fcee58eaba56ee2ca515777d3db

Download Submit
C:\Users\Admin\Downloads\gameinput.dll:Zone.Identifier

Filesize
546B

MD5
1f4011fdfa7f13d92d05d019eddcd07a

SHA1
5b95385560f3d4d18ccc7c34684a9f840ddadaba

SHA256
f8bff9c5c301a74b1768a373038982f027c0c952df61a031b451df0329cb16e3

SHA512
068a5d0208efb08d429bb5657b666862e8792e55ef094c34dcc373cf0b2a1e583db152ea44ab99997cab619dfccb4da88ebedfbe3d78df190e5cbb9109269025

Download Submit
C:\Users\Admin\Downloads\rickroll.exe

Filesize
129KB

MD5
0ec108e32c12ca7648254cf9718ad8d5

SHA1
78e07f54eeb6af5191c744ebb8da83dad895eca1

SHA256
48b08ea78124ca010784d9f0faae751fc4a0c72c0e7149ded81fc03819f5d723

SHA512
1129e685f5dd0cb2fa22ef4fe5da3f1e2632e890333ce17d3d06d04a4097b4d9f4ca7d242611ffc9e26079900945cf04ab6565a1c322e88e161f1929d18a2072

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1268400507\manifest.json

Filesize
116B

MD5
2188c7ec4e86e29013803d6b85b0d5bb

SHA1
5a9b4a91c63e0013f661dfc472edb01385d0e3ce

SHA256
ac47cc331bb96271da2140941926a8accc6cb7599a6f3c17bd31c78f46709a62

SHA512
37c21eaff24a54c2c7571e480ff4f349267e4404111508f241f54a41542ce06bcde4c830c6e195fc48d1bf831ed1fe78da361d1e43416cfd6c02afa8188af656

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1584998379\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1629587407\manifest.json

Filesize
121B

MD5
fde1edabd926edaf85bd8dcfd6d26f0d

SHA1
380c447a4df3871885c99d926edd1e689f247b99

SHA256
3bab6a96aa24d25d5f838199dff00837be00480f92a559d30a24f67334e02a2a

SHA512
acc5b7ee98a6652a74477d2a9b295ecdacfd0182b75931653d373fdb15c52d1d869bbe3a41e4a79db36ed91ed55c39c47526268b56b123e9b7f19479bbe8dc13

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1678879000\manifest.fingerprint

Filesize
66B

MD5
a9ad1318d1471dd1400e12e76d7a2c0c

SHA1
4fcb197b74943af818f72405ae2b4c0057bf47a9

SHA256
434cd3a6a04ec7395a5414afc841ce3757feac54a3bfe9173823a79e5751a55a

SHA512
341b4c3bb5792cbb8b092351fc0ff38a5698cc79d041fee9023fba37e7131b53de7c2b619a7b6c18e7d77973158fdfb94c8b76ecb617bace97f0c00155f7d5a0

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_1678879000\manifest.json

Filesize
118B

MD5
ffa5fcfeb00002903f6cf667e9fe6a3c

SHA1
ad765ea344c8cfd95a591da8259fe412e52d13b0

SHA256
dd0679c622258bad2e2ddaec3470297259dc68b55b8c4f4d7f2f28a378826217

SHA512
8da9b780e9bc6785efbd56b51a4decc8703c9f1d41b33469153cc0aea8190c1b6a9001128c6022756a66ee539086ad6f787da84b6b7082dc51939077365e7beb

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3216_497586150\manifest.json

Filesize
145B

MD5
0df2306638bd60162686e9c4bafbd505

SHA1
ef9e16bf867f7950d5a30172e1d34d38686b0e72

SHA256
fd7b554588c5e72506a0bfed89bc298911a5649b9f5168ad7c1804d1c75de42e

SHA512
73fca229097631104cf352061d62455b6c5520bf59777520165719d2368b0e77f3ce66f52873fec53ac60e35274bf397ba321bc62610f0b7b172a7c5c4975174

Download Submit
memory/1912-4372-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2404-4428-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/2424-3826-0x000000001C310000-0x000000001C372000-memory.dmp

Filesize
392KB

Download
memory/2424-3824-0x000000001BD20000-0x000000001C1EE000-memory.dmp

Filesize
4.8MB

Download
memory/2424-3825-0x000000001C1F0000-0x000000001C296000-memory.dmp

Filesize
664KB

Download
memory/2888-3864-0x000000001C650000-0x000000001C69C000-memory.dmp

Filesize
304KB

Download
memory/2888-3865-0x000000001E7D0000-0x000000001EAE0000-memory.dmp

Filesize
3.1MB

Download
memory/2888-3863-0x000000001B760000-0x000000001B768000-memory.dmp

Filesize
32KB

Download
memory/2888-3862-0x000000001C3F0000-0x000000001C48C000-memory.dmp

Filesize
624KB

Download
memory/3780-4132-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3780-4234-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/3796-4313-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/3796-4280-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4288-3829-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5592-3828-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5840-3525-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3526-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3527-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3529-0x00007FFD6ACD0000-0x00007FFD6ACE0000-memory.dmp

Filesize
64KB

Download
memory/5840-3539-0x00007FFD6ACD0000-0x00007FFD6ACE0000-memory.dmp

Filesize
64KB

Download
memory/5840-3642-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3644-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3528-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3643-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3524-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download
memory/5840-3645-0x00007FFD6C230000-0x00007FFD6C240000-memory.dmp

Filesize
64KB

Download