crimsonrat | hxxps://github[.]com/Endermanch/MalwareDatabase

Resubmissions

23-02-2024 18:12

240223-wtnsnsef55 10

23-02-2024 18:04

240223-wn3dwaee82 6

Analysis

max time kernel
452s
max time network
476s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23-02-2024 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

crimsonrat metasploit seon backdoor bootkit macro macro_on_action persistence ransomware rat spyware stealer trojan

Malware Config

Extracted

Family

crimsonrat

185.136.161.124

Extracted

Family

metasploit

Version

windows/single_exec

Extracted

Path

C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Ransom Note

You became victim of the GOLDENEYE RANSOMWARE! The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2. To purchase your key and restore your data, please follow these three easy steps: 1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page". 2. Visit one of the following pages with the Tor Browser: http://golden5a4eqranh7.onion/sZkAodeU http://goldeny4vs3nyoht.onion/sZkAodeU 3. Enter your personal decryption code there: sZkAodeUrseqzABs186kMMDeH2DYh59aJpYaWhcXbds5zKDohtrPhamqEAukvCFRmqrkJ32wqtVduQFk3CjMiZyFBUdPhoPL

URLs

http://golden5a4eqranh7.onion/sZkAodeU

http://goldeny4vs3nyoht.onion/sZkAodeU

Signatures

CrimsonRAT main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000023370-1571.dat	family_crimsonrat

CrimsonRat
Crimson RAT is a malware linked to a Pakistani-linked threat actor.
rat crimsonrat
MetaSploit
Detected malicious payload which is part of the Metasploit Framework, likely generated with msfvenom or similar.
trojan backdoor metasploit
Seon
The Seon Ransomware is an encryption ransomware Trojan first observed on November 14, 2018.
trojan ransomware seon
Renames multiple (424) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Office macro that triggers on suspicious action 1 IoCs

Office document macro which triggers in special circumstances - often malicious.

macro macro_on_action

resource	yara_rule
behavioral1/files/0x000b000000023316-1178.dat	office_macro_on_action

Checks computer location settings 2 TTPs 8 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation	CrimsonRAT.exe

Executes dropped EXE 23 IoCs

pid	Process
3176	CrimsonRAT.exe
3036	dlrarhsiva.exe
4884	CrimsonRAT.exe
2600	dlrarhsiva.exe
2416	CrimsonRAT.exe
3544	CrimsonRAT.exe
1340	dlrarhsiva.exe
2872	dlrarhsiva.exe
1488	CrimsonRAT.exe
2272	dlrarhsiva.exe
4836	CrimsonRAT.exe
2244	dlrarhsiva.exe
3124	CrimsonRAT.exe
4776	dlrarhsiva.exe
2832	CrimsonRAT.exe
2976	dlrarhsiva.exe
2008	GoldenEye.exe
4252	netbtugc.exe
4536	GoldenEye.exe
2780	GoldenEye.exe
5040	eudcedit.exe
1136	shrpubw.exe
4672	GoldenEye.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
34	camo.githubusercontent.com
229	raw.githubusercontent.com
230	raw.githubusercontent.com

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	netbtugc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1790404759-2178872477-2616469472-1000\{F66F3FF2-7ACB-4F75-8EB4-A1F48E159CAC}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000_Classes\Local Settings	msedge.exe

NTFS ADS 7 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\{6b318b58-f8ea-4c0b-b054-b86eeb08c341}\netbtugc.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{8f61f0b2-d1ea-47d4-a1a4-9e9c420327ab}\eudcedit.exe\:SmartScreen:$DATA	GoldenEye.exe
File created	C:\Users\Admin\AppData\Roaming\{89846a1f-9472-406b-ada2-f7e25fdbd11e}\shrpubw.exe\:SmartScreen:$DATA	GoldenEye.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 739721.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\{1A88429C-F5BB-496C-A1CA-CA0FD532E96A}\8tr.exe:Zone.Identifier	WINWORD.EXE
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 766832.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 356187.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 3 IoCs

pid	Process
1748	WINWORD.EXE
1748	WINWORD.EXE
1720	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
920	msedge.exe
920	msedge.exe
1764	msedge.exe
1764	msedge.exe
2220	identity_helper.exe
2220	identity_helper.exe
4644	msedge.exe
4644	msedge.exe
1244	msedge.exe
1244	msedge.exe
2500	identity_helper.exe
2500	identity_helper.exe
4624	msedge.exe
4624	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
4252	msedge.exe
4252	msedge.exe
1488	msedge.exe
1488	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 30 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4252	netbtugc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe
1244	msedge.exe

Suspicious use of SetWindowsHookEx 25 IoCs

pid	Process
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1748	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1720	WINWORD.EXE
1748	WINWORD.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 3680	1764	msedge.exe	59
PID 1764 wrote to memory of 3680	1764	msedge.exe	59
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 4828	1764	msedge.exe	89
PID 1764 wrote to memory of 920	1764	msedge.exe	88
PID 1764 wrote to memory of 920	1764	msedge.exe	88
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90
PID 1764 wrote to memory of 4484	1764	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8b4d746f8,0x7ff8b4d74708,0x7ff8b4d74718
  2⤵
  PID:3680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4340
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:3556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,7462207431444874366,14764463653910036691,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3080 /prefetch:1
  2⤵
  PID:3724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8b4d746f8,0x7ff8b4d74708,0x7ff8b4d74718
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:4276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3724 /prefetch:8
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5692 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4932 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2804 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6092 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6720 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6928 /prefetch:1
  2⤵
  PID:1500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7000 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7052 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7352 /prefetch:8
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4252
- C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
  "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Downloads\metrofax.doc" /o ""
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1748
- - C:\Windows\splwow64.exe
    C:\Windows\splwow64.exe 12288
    3⤵
    PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7532 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1488
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3176
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:3036
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4884
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2600
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2416
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:1340
- C:\Users\Admin\Downloads\CrimsonRAT.exe
  "C:\Users\Admin\Downloads\CrimsonRAT.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:3544
- - C:\ProgramData\Hdlharas\dlrarhsiva.exe
    "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
    3⤵
    - Executes dropped EXE
    PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6932 /prefetch:8
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6344 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,14784509443958490763,18426475748814239966,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7704 /prefetch:1
  2⤵
  PID:3636
- C:\Users\Admin\Downloads\GoldenEye.exe
  "C:\Users\Admin\Downloads\GoldenEye.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:2008
- - C:\Users\Admin\AppData\Roaming\{6b318b58-f8ea-4c0b-b054-b86eeb08c341}\netbtugc.exe
    "C:\Users\Admin\AppData\Roaming\{6b318b58-f8ea-4c0b-b054-b86eeb08c341}\netbtugc.exe"
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of AdjustPrivilegeToken
    PID:4252

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1964

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4b8
1⤵
PID:772

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1720

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4536

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:1488
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2272

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4836
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2244

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:3124
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:4776

C:\Users\Admin\Downloads\CrimsonRAT.exe
"C:\Users\Admin\Downloads\CrimsonRAT.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2832
- C:\ProgramData\Hdlharas\dlrarhsiva.exe
  "C:\ProgramData\Hdlharas\dlrarhsiva.exe"
  2⤵
  - Executes dropped EXE
  PID:2976

C:\Users\Admin\Downloads\GoldenEye.exe
"C:\Users\Admin\Downloads\GoldenEye.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:4536
- C:\Users\Admin\AppData\Roaming\{8f61f0b2-d1ea-47d4-a1a4-9e9c420327ab}\eudcedit.exe
  "C:\Users\Admin\AppData\Roaming\{8f61f0b2-d1ea-47d4-a1a4-9e9c420327ab}\eudcedit.exe"
  2⤵
  - Executes dropped EXE
  PID:5040

C:\Users\Admin\Downloads\GoldenEye.exe
"C:\Users\Admin\Downloads\GoldenEye.exe"
1⤵
- Executes dropped EXE
- NTFS ADS
PID:2780
- C:\Users\Admin\AppData\Roaming\{89846a1f-9472-406b-ada2-f7e25fdbd11e}\shrpubw.exe
  "C:\Users\Admin\AppData\Roaming\{89846a1f-9472-406b-ada2-f7e25fdbd11e}\shrpubw.exe"
  2⤵
  - Executes dropped EXE
  PID:1136

C:\Users\Admin\Downloads\GoldenEye.exe
"C:\Users\Admin\Downloads\GoldenEye.exe"
1⤵
- Executes dropped EXE
PID:4672

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {088E3905-0323-4B02-9826-5D99428E115F} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:4068

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {088E3905-0323-4B02-9826-5D99428E115F} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:1980

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {1CF1260C-4DD0-4EBB-811F-33C572699FDE} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:3792

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {B4BFCC3A-DB2C-424C-B029-7FE99A87C641} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:3784

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {1F3427C8-5C10-4210-AA03-2EE45287D668} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:4004

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {374DE290-123F-4565-9164-39C4925E467B} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:880

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {3ADD1653-EB32-4CB0-BBD7-DFA0ABB5ACCA} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:3620

C:\Windows\system32\verclsid.exe
"C:\Windows\system32\verclsid.exe" /S /C {374DE290-123F-4565-9164-39C4925E467B} /I {000214E6-0000-0000-C000-000000000046} /X 0x401
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Hdlharas\dlrarhsiva.exe

Filesize
610KB

MD5
50d2b119c8147870dfe31145f8df3ba4

SHA1
3f821c927353884720daad865afa9b4d4a5b26fd

SHA256
c8eacca7029ae937d64b33696ce32839cafa3951abde9e8eeb6bf2c7bd900f18

SHA512
04aaf1b1577eabc011b7b04964079ec2109c76ef20a8d7ec2551fc9ec7c41fc38c9a3295348e5524ebe637a47f3de117c2b6dec715455678c7d0903dc241ee94

Download Submit
C:\ProgramData\Hdlharas\mdkhm.zip

Filesize
56KB

MD5
b635f6f767e485c7e17833411d567712

SHA1
5a9cbdca7794aae308c44edfa7a1ff5b155e4aa8

SHA256
6838286fb88e9e4e68882601a13fa770f1b510a0a86389b6a29070a129bf2e5e

SHA512
551ba05bd44e66685f359802b35a8c9775792a12844906b4b53e1a000d56624c6db323754331c9f399072790991c1b256d9114a50fb78111652a1c973d2880af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3bde7b7b0c0c9c66bdd8e3f712bd71eb

SHA1
266bd462e249f029df05311255a15c8f42719acc

SHA256
2ccd4a1b56206faa8f6482ce7841636e7bb2192f4cf5258d47e209953a77a01a

SHA512
5fab7a83d86d65e7c369848c5a7d375d9ad132246b57653242c7c7d960123a50257c9e8c4c9a8f22ee861fce357b018236ac877b96c03990a88de4ddb9822818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9cafa4c8eee7ab605ab279aafd19cc14

SHA1
e362e5d37d1a79e7b4a8642b068934e4571a55f1

SHA256
d0817f51aa2fb8c3cae18605dbfd6ec21a6ff3f953171e7ac064648ffdee1166

SHA512
eefd65ffcfb98ac8c3738eb2b3f4933d5bc5b992a1d465b8424903c8f74382ec2c95074290ddbb1001204843bfef59a32b868808a6bee4bc41ee9571515bbac6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3624cfcb355c6c7888cfb022b59a03b3

SHA1
8269bb7265487ced0f15c3705188714640d1df3f

SHA256
28abe3d6f18ebac6166dc8dc601f6672a609bbf3d857d4fb1d9e8f6564ae172d

SHA512
70b3510103bbd50779bb464806d7e15e5d3044269edaa863313fa5ea5cc9dd5fcc3d3e000a4b5f2c4b3fde604c84a89b85a1a12ae17797ce3ab80a23f61fe802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\321cda8d-1dd2-489e-b9ce-88e624c59e2a.tmp

Filesize
3KB

MD5
7053b9085ff1f81482b6f5afe4e9cf7d

SHA1
d6ef3d9c1f9a7d73bdffe0e4346a839f61d2898e

SHA256
da2e2a47fe7e66ab0561a822a21ea483ea5d4dd07e4353d4f00518807e787ca9

SHA512
99fc5f6baa40cae1654f36758de2208ce7183a408ee23522002e8fee0704118119ee8a7e2eef6028cfab56df4d07fba7a02abcc3eadd91945b97bf8a1d6b5a5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
dca2ed5c32945b24520762136c273f75

SHA1
7f236ade0841f8fbaaff2e1bea1c838d86b6061e

SHA256
d42083c1ceee6600900b2ad1cb17d9a30b37d6e0d55acd4a52732e5d1a2ba413

SHA512
9119bab2196af4648f4db618af72245bc69817485b0ec451a729f57c54907c7e60d871152cbce5a2a2306dc164e9adcccc7ad392753f2f2e016c5548d016b783

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
29e5ca148485f7eb455d5305c316d533

SHA1
dc9309b288935de2052d4499e991611513a4d77e

SHA256
4b79aa02e465441350f1c51d01168541937bc457f015b9176e2c17636e559103

SHA512
55d67e7edf29f8cdbab492a488c91aacdaef7f926ddb086e4534dcb3d4824af3e8e574620d9ac7cdb01ff67e85d6ea1f185c85a24e36338bda5ceee8d0a0b2e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
1ce79c7319af2e4454fa36063be318b1

SHA1
3ed6354d2d7e627c21f27148aaa398d735b9d9c9

SHA256
469161b34f81b7c114dc6ccc48f16de91f944afef8f9ee51c382d54dfe69e0f1

SHA512
919546607f3944ae2986da7f0252f081b2c895edc57c3cb06fbb76e354ac8bf72ce4d9428b205aee7fa56da060c85bf44f39387c412a1cb116239f5c1a9ef8d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
44b720c654301307d80e6dabdf522e9f

SHA1
706beeda5b339a251d76d8f4b95c20ab4f76e7bc

SHA256
dcacfa85cdd6ff690326341c53c5de4a911a0381f6ca61716af75c2e61f9e206

SHA512
2d2be14f6736b89785c60403582aff89d75cd3e55f39567229ce67633b89977779b5ea9ba08c32dfc03e52e54c66c5c1f8592e0fcd7f9e564bc4d2119b26c032

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6709dbd71dd802749b7080e7055c4443

SHA1
73b96ae29e02ad7fc846c68282d33d416689dddb

SHA256
516c477ccbc88be6614c6e0fc872cad840364749017acdc6c3989189bebfa214

SHA512
b7d5f065b9b565e4cdf400639c68b53539289e2407d7f17f331e7f43411d66c6afe0fbb950d7fef3b2ab89e76583cd8d98ca1383edc80dc55420a4fc67f7a2d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
4b07641d6929591f024eff407694918a

SHA1
10917a04944d6557a9ff92055742866785de3506

SHA256
796cb2be5481d94849220f09ec2425bae27297a1fb489e3a5e03ffbc10533910

SHA512
862e28986460ab8eba1f37ce9101243053b2a5173eb5b12d631151292bf5a98d0a1608c75a9e271a8b832c58511017c91c3b8f889029ff1c603c0a5ed9535e76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
e877b0172595463f28b6e2d54a61d1ee

SHA1
448b3c17d332581ce11e044f6cdca0ded55a7e96

SHA256
3bed257a5643a5896075617b156747720f24c36b027853994d67c7e67b68d05c

SHA512
ce0137b4efc5bf20aef625e13ece615cd2e7fc10e6cf7134f81377af6593e604b5350376e93ac7e5598c457bd9466208fd88317e527a424335b45dce65fcc281

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
ce2c2645f5cd44d8be2368a3ca60cea7

SHA1
7e186aea19715c4afaaa23a3ef2230108cbbed6c

SHA256
efe405aab56d85dfc11762427a49c993bad33c6742fe62c655813f248fb623d9

SHA512
6ef5da92f6edb175e9f293afb55d8168e64ff4d340c1a88d61116d082432145d26553ac7d3cdb26b52d14479b0005dfa5cdcb8027fd65e3b733eff4d0b1660ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f289998eeac169cf475a9b33cbd48f84

SHA1
20b9a283089ebfa66810dd6ce58949ea3aa67cf0

SHA256
05b92c1b628674f9d756a29d352b3dee8f7896f5d6600fa5a4fa7b5793fb431f

SHA512
2a33b4c8fbc35cdc6efb7ef4166609a833f462962fae206d74e6c44eaeece52b3aa2d189e0b591cf7f65937ff4778e1db584487877ce9c894227abf149ed14ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
23c58a565a4a52b18fd54b75d3f63eab

SHA1
d6784ac87bb98fdad8796b3345214be5af6949b1

SHA256
c766af576a2845ae54d5e2f183ce3768e5e629b23c49fc4ff50e25bee1d208f5

SHA512
3ea4fcbd39a7d75a812550bd64d9153c5bed7ea04bd497baec9cf9cfa83f94fcaf48029b576c3e704d53923feec67e16679f955f695717e1349146a3a729d635

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
27KB

MD5
557742dfda48cd81d0a14135f52becc3

SHA1
3b3b635bbe25c049d4ce9edc79f855d14c4a99b0

SHA256
f8da51622443f13e1979fea5c6059a78a72d4fd4187be80659df71f369f799a6

SHA512
96a93d2e84b418fc19d7ace05db402b208f4bd27461ab6808c1f8f23f67a74bf53cab11b55897b24ad46baa68ca071f0226c6986fcdb9dc06eacab31cadac20a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
399cc990762bb562a04086db57c9ed89

SHA1
91594cdb1bf8dcc5357ed3b30695bfea0ecb12f0

SHA256
28e50be1564ae69e3fd9bc7e5f10c40c8505499e23e0f05e7d7d27076a533737

SHA512
6a5ce3ce6382e04c25772cc0cb64eb954debeab9a80e969f73a0988fdfae1c7a5fc4ff8a9deb39080d07b615b4312bd78a1c156100509bc08a5df8961d3afd73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
7e94eef311a6778053e0f2c7316d4a4e

SHA1
c3c0bbc8c947db2654ac5857903a1733196a93e5

SHA256
430b64782d816e293bb7a8b12e49acd5366b5f3a6508429a05600269248601b5

SHA512
ca3a9c084e988e4bb968960e2480fa89c5a6c72f1d3810138695e243a3ae54b22e4041988c4de1f817a6cf8c289652e60c19671292c7a4d5c7939097b3a94b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
0757b2e451fbdc578ed4fb6b3dbc724d

SHA1
435d154566e598ecd6e4e1f3cf8a98d8838a3b47

SHA256
146c667c8eeafd467de3640b11337db6354e0d8f868eaf4d9be0d6bc7efb9a1f

SHA512
dea3a7364977b21738cbbc953c1887d13f28efe2f37d6e42f8841d2e97d0b4846a40a539a7a9e3d53da0261335bc314e96902c6371890bed6f3f9fcd9b2b68dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
8d5a6b060862c6e1bb736c597e327e7b

SHA1
0d7a0a12af9113337945b539221a353185c2d193

SHA256
b492a501f381638493460138b719369536b7212dc31fc6772025bcb2b960d20e

SHA512
1653f41bb31a13307536fcfbe8da14a9e498f8e6eff2d861f76add901df30a3ce6652671b3be51dd08fd6ed068f682d3007d4e1552817846a476c8bcb12b40c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
c4897aa78d9edac4710b6abd9081210d

SHA1
82fff6d6a6c64af2e1e64a0a56c46cfc2a3470bf

SHA256
1c2dbad9b7fe623f7907fe8875ae1df241de6ea09e8dbb063b885983420fc005

SHA512
207439940f16c3a029f465c4f4b6d290f15deea00c5d46365d2bbe5a27c48371315a7a5e39366638a4d256c843470b6e9acd6fc7c0b85aac10dde6176aba026c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
e96f10122b1127cd263d0208398d4b83

SHA1
b3ca9ef071228c4a4c85fa60353eaeeab6dbb423

SHA256
1faa8024f88608862fce4c65007969c7fb5990a664705c4bd3a08ba739fcd211

SHA512
8644ff2e492ebda1131d60aec7ca49bb3c2473e2c9352e9d79768662da83ae8f67004cd5b8428213af094a8580546e72935b4dc7a7397f40f1b9643b9ad25923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f368d0a440d8cd23de35a28f6757c3e3

SHA1
0444a925c3eed193042321cfb2cc1fc5c75511ba

SHA256
8be8ec3dd401afe91973c30c3b57b11793d13386f840691460850c0dc403052f

SHA512
7678b3c93a43e163068b2dd75493afedaede879b939845b95bd6789cfa36600d39aef5969d4bcc0d0ea8117f7c71e7d9d5ee95d27423b83d21d709e56f6f3e48

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7f2acc34b56ce316ba44eb80ac9e988b

SHA1
da0711e7c65f14672781ce5c4ab4999421868170

SHA256
3f4f1ac9c28a3e2a6bc6a3d8320f1ad27a97cf2294ab31a529fdbc3f72a14fc1

SHA512
0a3ed5c424008b1c30c30d928d90a5888e9ce68c0a5344d97bf38365920de8d845ba2f8528180267378ec1ae27c9042118591e8ef8ead8d6185e2644eb14a150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
94aa84d8caa87fc38237a1e8e4fc3b58

SHA1
3622bb66482cc6a6399c64982959f2e5a164b514

SHA256
e238d1a48e1de36950d89f5d7bb99a7ce358481677b8228745271c2147c46baf

SHA512
74c7bc99277dec5f4374b5dc0601bee25e3c70f684c8510c7b0b1023aa10c8cfca4a8a554c8e2d5a5f24046b74313a0f8816aed6cb3ab52f8757e8d6772e36de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4537a1b1af336d9c4fa4d564c1e314ea

SHA1
bf18038da5a36232e75bc55a5bb75081e9f485b0

SHA256
3dd9f3bb7bf30806eeca409da680ba2a50cd1c82ab798a08900d5edfd9a243c6

SHA512
ffdf9b04f6ad05b491e62437c69291595256b134a3889c7d9145827d37b713e2cc6a90d31cd8e0929c02512bc106ca73c8bd206028d08795dbf305b0d08936a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7a2ac011939fd864c07297c40e0970a0

SHA1
a1ec41c0f723c01cf9ed3063c79499a1d095f0fd

SHA256
3255bcd27b6cf4389fb6061f4a31a7c092a64539ee29ae61f5e58e1892d31fd5

SHA512
b1300ffd0ce23f6aee818c8c60dc8fbd6fdf8da7ae153bd9cbcb47aa60f8f2d669634281e9a8b31c8546e4772ed412788aca36c36b48fcd66a00983186bf6268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
31e0b0c2f992b7aa299154925e5d6f38

SHA1
9ec228c1aab33f3eedc1dff30b049e76ff9b95bb

SHA256
261fe02981911f7e37055b80ad93fac0858a6979df86b005a8286d51b4a967dd

SHA512
8576c7ce2681fb76c2dafcff0af2a7b777a2000357f1486feaa4b3f7a65d5752084ecf762c15b42a4f40cfcc484df58cd9d68e7a66e0b70b13736c998ee7c6c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
757cfce52091a6a1c94901f2e75dc194

SHA1
134423437410be3dd8376c06d4e91235ec98216d

SHA256
4dc3b62304e48e5181ba7abc1ce2322d5ce6577e35efd5eeda851d11e8c26de5

SHA512
ca51e6e94f87dd7a0ab92af9a2b7c30aabc798f4d2a24f39a1beed695e4bbe1678f62cf99a5e54afa96631db1a15b4c6cf7164ecd5e11c9d0ebcbaff0ad855a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
5df533b9666866dd46d66abd541a0863

SHA1
8aba5e0f53b968b56b58cca2a5910406010814cc

SHA256
9511943b831595f2569c7d5d8c7bc938b245c8292e7ab01e08814ea2114e1df3

SHA512
a1c57f0a9312207a677aba6e949e312e6890d103f93966de2a576c056bd6b72eae4ccfdac415d47a5f16cc0c30b05afa631bb4b7daf95082db68519d54263384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
92c5b85676789045d8ad71a4df163d4b

SHA1
d76bbe48f56fa68863628589df71c71f96fdd397

SHA256
91dea52c50f08a05c49fb138873d9ed53c7d281c357d319af02ba7c90495f246

SHA512
43db57c98e9df716ee06f29fbecc0d11d2f6470b9b127f4cb1bd6a67427e18bf5aab8eb1772b4599eea1f0d8cfb2ec1aa6ea900dd7deb5dfd9146aac108019f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36806e95219acbd4baaf0046e25f00d0

SHA1
e92b92db9ecaf008edddab47871e50f156787092

SHA256
8edaed2cca0613cb63ba6a572f9fdb69f358de9937224b18607edf4bd3f07339

SHA512
7ac416b64e6defecedcdcf4f66192e6eb9fb925581d55f6162df0475eeece44d9053ec3b0ad3007b94eb05835e7300a130462840f01afd7273107f1379e7e43c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
693B

MD5
9696970d03b1b36df8141f0b29c5a6ee

SHA1
cace1647bb0949f1a1c0dae315a2aeb98db2c4d5

SHA256
0b0f21cca25d63ae9b1b81e0be4cf1f2de0bccb5b6dc692f5391743867e57427

SHA512
4ecf4292f4cd43c51b2fc93d0f39050bf941cba797a3163ff9871372b52868b6c82155175b142e99dfa94a4a104b791958ad14336e3b87c3e992e2cce510dde9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
1ba4d753dad37a05c734bec5058790c5

SHA1
c9b575c3ff7317d46f264ad0ab2bdcc510d15833

SHA256
c8b5a39627186dc56aa41cc77ce04763ebbfbdb9f29ac4081a026884290887af

SHA512
fc95970b77c90bae92da89d805f2f21aa20bbcad2b854c97bcc6fbf18d5740e877f8587341cb1ac7e6e9c00818879eb2d94d0a77a00fe4d9d7c36f832e4f823b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13353185600297397

Filesize
5KB

MD5
db29b679426dbfd02b3c24b88e017b43

SHA1
3a8e3efc2142c3a86a0df924c021851a6f85b623

SHA256
50ea42c32e9d4852e26f8b7c154ab4bf137b5e9d3651f53b4008321dae9557b1

SHA512
6d73b4abb0412b191bab49b917e98955ff826501a8e02c7828cba9150549b6ee053101f530878381a2899cace2d28b2d276e34398b7d9ec6000e185ed1fac5f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
7e429e70ef8b0fd30ed543e545b1db6a

SHA1
18a3e40e1cc0567c4f1e8c3f13850f114f28d27e

SHA256
7d10b7a95121dd5cadc8060e53524e05c1ff3f7eaaf00ed5b070b05c951e228a

SHA512
0e82b709131b318daefd2d60a57cb08af492435abf1b6916709b27414b6703717214014ec68c4a2199e3f9f5ccbf753b590b1f12041a116132c70e0c521f956b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
7f9f9c30667cef11ea11872f1cfaaecb

SHA1
6cefdc5c65c123940d73ebd6329b111cb51b1894

SHA256
b4574ee37fec43bd69f14207728373defc1e5fb3b95d36f9375121a2eabf93fd

SHA512
1feab6499067e2d7cd327cd2e4b9058f621d927bf3a088097e38736c959333d8f3ded7122a835d19793644af60edf8c906afd444e783e6adaf81754ad705da87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
b8feab275cd019f55eabd9e85358f41f

SHA1
0cdb819d0923e1755ce5f68a36d4f9e610382867

SHA256
4103f8463265287f389272830e37636bfe1106f37ee026e072b969867f1eafb1

SHA512
22c5e40b19eb40e6c1da601028dc6e4d0c5420319e89ad880269eddb9304ffe2bd9f9d7a737bdbf06bf332a353369e63513dad34606e8694618ed38a1203b5d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
724778b0c3d0a6d937074704009db158

SHA1
a49b4871830a75d7ad0a3d56c551b43929f6e7b4

SHA256
fac661b972e0f9d03705c8cf3704b8c0fdfe3e6b9bb7440ba065dedb68c62160

SHA512
9aa3fc5e6e1a210429731c4c8cfdf3015e5f6b9343a185aa53e587e05768bff466912bb4ddd94e8aed6fad2670a2e707a40b72a5236a495eb4e9af491cc85258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8db71b7b2c5d2413d14d18c6dcd22d6f

SHA1
191a6527532590494727317a2c57ee5e359eafb5

SHA256
5e33edc77caf74294c2927b62d4dab3de957cc40c08202dd71f234b4e093bef6

SHA512
bcd8da5b55cc11f7ddb01f4b92eca8fc0b41fbb73003f86f71de3a365d5c8dc47a1b03ec2a6e3249aba3f325ea348f7c71f94ef842b0bce56c27a2659ef45e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
caa7bf435832f384909b8051dac3e77e

SHA1
603ea6beb091fdeca13f6b4702828e3faa28184a

SHA256
c9bade17e05bf7f0ca75ffc0f7e34a43e6c07eca5d6f414f014544e4971c57d9

SHA512
e8c2588d3e29d1aa05567432e06c28b84237b86d9f2c78aa96a639b5cf5762dec1c4052138228013d1604f581093805a1059e453b696f744ed315cc7284a8c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5296c59549d879c62472eec6fa399ea2

SHA1
87c6daa1ac9f8037c504ee77d4e886445f3d07e7

SHA256
1ef185a134433e7ed103e8bec191ad93394bcb2028b9779a23029b47a91b330f

SHA512
81b13d8469340397709759fcacb0b7c531e04bb67da95c768717b2050b113c3d5ac186bd8308c4008e2948650a84ac2bc229810b0e7ffe9720ab70b725e68ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
79a86ce3e6cd5f185a98b163de994255

SHA1
2863a5f4ff079337dfc34f66d0b42a8563329caf

SHA256
7e30f721e05fb6e034b9a91a1246e788f10ccbd80938a5205052b4a38a54bc79

SHA512
0176ecc3dfd4f485cd6266de8e44098c62b9290c037d1eab1a9f38bb7ef4e5dcede87a63c6cb31adabecc8666d4eb2de4f77b545dbe971fc38a99cd88235d01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
9b1de385e59f3976e3564a0b5c203c79

SHA1
15355f8eeee68671545f8260115baa187706d8e5

SHA256
67935b392ddfd5fa6d5677196b97ef459c8119535bff5a1a5e62c82e0be17433

SHA512
8b711215282141e7f06638f2d4e3d0f1cee4eb38d35e0d5fdc5ee43b11ec343ce2dfc7054dfb22d81e882b5e350ea7304750a81160c461729441f241949d39a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ee42a09b3bc4ffaa8eabc7eadbb77611

SHA1
2712f70dc29304d8cc4e7dba79b773e34c786324

SHA256
91a8c992b90a6d3828ffc0ffc02de53d5db6c00fbc4d1fdc950e09a18351e8cd

SHA512
d57600c0b4ab816bd5d7e0f31b57af883063f3af3f7846faa66fd41baa646bfdbbfc379ff6ed61bcb9c6cb10937ef3949a44253165888e28bb056e8a9219ecee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
56a97685e72d29ce089374dd0605be1a

SHA1
531164d8ca5258868fb99c59c96338fe56995dfe

SHA256
054d89be1ff815f0b961622905e7758675aa436c33a008a4b8c4a0e5db62a4bc

SHA512
80da5c75c00dd5d2fdc263c3764457f00afc145f200ca520bfb42517f89559d25907eb17cf0a3814894e578c2521b34240bb8e0cfaf7667b6bb4ef25a3ee4418

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
4af4cd14598db9b984c4cbb442d9e8a7

SHA1
5d36d6beca9d354b8d4fc9714502b2c14eb33443

SHA256
387914751aeb033042252c828f3967de16b8f883af36d96512de3bfa8dea1b4a

SHA512
9b57de05ca55a1e7764bf20fef1d0690b32b111b0ccb23c5c01a76ccc71eaed8d34f3ad15f0e50b13e92ed9f67c1a68c2c0cb7c226563dbe9fa04f858c00d374

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
61509f12812a8dbd39b94d8063238586

SHA1
3f517ae0e1d7960cbfc1e50b2c50103d48900bf1

SHA256
2380542a841248727fc656ec60fa604aee25a243144ec29f3c8e03332eb5ad2a

SHA512
874507f1f4b60c847b0b826f7f5c6821f1564f41b29917506a29e59ac373037bc06730dfca7ea72771eda3e88d8cf8cd164ae307f60ba8a026c2989cdd1ca913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e9ad46461dfa8bf576d12bd76187a0cf

SHA1
c0ef9efb1eac13d23d67a4c7dd8447d53ac176b5

SHA256
a696d56183256aa5973d806fd0a26fa9c457acbbc3d452e68408fe725e33f82b

SHA512
96d1e23a762bbb7b52d80abdee0a1c0b07f354bb5713b4e3c3fabbe7d3953362b2bea937220e12dbbebb20df35a8b1f3f96aab37e53422b78bece2507668e29a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
736cdb98572a16d6fa05b333e5915f4b

SHA1
ed22e847482f1e85090d42cc1e6a1405b17da807

SHA256
cfcca8d11e7baf26eed2f4132ea77e95a4e3d1fd3e2d71558aa4d6f0577d2bde

SHA512
3a9dd3037151854236050448c50be9e8452ea8567459925b25bff1592d85779bfcceae81b73dd00a2cbed970f18c53799a6d5796d77650247cf009453de87fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d8806ac0124cbf72038182d749c9924

SHA1
48e53d8ddb598ab379170c513950d708d9381ef6

SHA256
7c6fe29c35a8e52b3d2c568b3b61454025f4f0c2076a7d3cd5a89eee28c7aeb6

SHA512
be1686f28b95ccfd44a4c07318ef19543897275bac2536d536d3c4701b5701f39b90b4108258a6d392b416b9c0c51b4a20cd68ed490f8d4cd62b0d41d3da14e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d51015867d032f2e6699a64c4635da24

SHA1
0e2556773201e03e4726807c15cc3b5682b2d4f1

SHA256
937d5a69c27b75f70262344405b5b3c4836bd4ab240c4aa0f3f938fb6442958a

SHA512
0302b7421df289149304b600679ec82678c39f59ac8fb5168da04ae99226be07c8629fdd7482767d85cda8d37fe85c45af41f52525b2517101a4ae33988defe2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
66c6c70f6c4e8698cd276901cf2eb924

SHA1
05ca62217b7afe5a6e6e12310e434fb002280185

SHA256
2da07ffadf6490818db31e518f3841752d2a8f4f8f51c618ed22b9cdfa9f94b0

SHA512
f4dfd6e831ddf2b67afc99bcbc2e9afe9a5547108f8ceac4a868e77db124ce5ea9e3c939421ee7467f17502e91cef3689b54963ca8e6d3e021e9393d2250cead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d84f.TMP

Filesize
1KB

MD5
6c07dcb1d1d54bc2f8c750baa8a389d0

SHA1
c530c8e53c3306bec9801548fd81f2a8294b0f9d

SHA256
cca45a56e4958b662926cd61a576e19721aacf5c23aa552178243c728441e38f

SHA512
f50bf6d7f8b32a66684a8f321705bfdd0e0a3a99d39712204b4fd6c9ec8423c374603e1ed127e4a5e2b49b264cca7d652263c076dffc2e778317ccd8fcfb3cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
5c60ccaa9eb5f8b00d83b4cc22588733

SHA1
cba454c2a4c7f6c778f096d3427077da1ff03bb3

SHA256
e1b3e4a76c17803b596843e99f9fc322b309b951499b19dd33c35ff301cec59d

SHA512
d465114cb63106e17d64dc8411366927d38708b35104e1cfca1ac10dd4a5be29f8112ed6645fb18065a9e595893260804d6fc450d4fbd3b7b01cbec6ec85b719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
76KB

MD5
583dc19ecde98649221facb3fd1b6952

SHA1
3600a1478a95ecad1c1a35567b0796cbd5f58c9c

SHA256
3632a6102cc90d0d410825acd502e7a4989ca08366f2b0f6563f0c6a2fa33cb0

SHA512
7773f783ccfae0292db503bf26e546c470dfcf1034710f0b13ea205fad44557b956b36b9eb8a0e4da904826802a3bf3d46ea4f6b741a41585bff0bd1605d24e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
206B

MD5
0cfe3c540b3ff2af21148e7fb1847004

SHA1
410f72b7f7a014a2d961c38fe62a96ccd2643edd

SHA256
5c7eea083dbff6321abbc28c746a4f6038122318530923ad84443dce8a417f4c

SHA512
28297ee87a7aab1a63bd8dfbcd0f3b16c4ff01c7a24433a4d605c98b28ce66320c1c7d551a14dbef9136a726b4ad7ff33679b0e87ecf24f14007f9f8c3ea1cd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
438b205d9a8b787a3190a8458816c48e

SHA1
b8ca1c849a75236a310f4096291a66e134c4476c

SHA256
bcb01c814bfdb56e21047c47398b29653eca77849c8f6acf04484035bea3a23c

SHA512
d46ea1970043746a51e994dfec8f66f638b200f4c68b761123d05dc88d15c0074648952874ac7d784fd91ed4fda65d7426d6fdf61b894dafe72f47cc991b17ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
335588d33947a3cec5ee70c9152336b5

SHA1
7be7da2a64d04812192444d2454ef668fda22706

SHA256
c29ea527927c5f7631debc82c195c4977defc04c957f1310e50572153cbf5b3f

SHA512
38a7632cbfb0b3ece3506de7cb951923a2df12e3b4471044bf5519c79742620244f7b73c10ab7b77b4194c9ffb11a83a9c27c47da1b5d8434a9e789c05b924af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
751a71d0cacff4489264a547dfa12e15

SHA1
23a36ae6fda6c213ab093fbc6c20f769b25c151a

SHA256
27bd99d7ac8a598ea844964cd9fe84b580538e8ee18871b7ca905c4584c419ba

SHA512
faaf2ec4baadef8de6a43cdcd667eefc605ed28e97d1296832645fac26f2de21f5a3f6776abeafdd07cf99199695a12388d5a2bc6a0bd71781c4246c4b262616

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
40dfb6d17bbd23fbb8cf9d8b04476df6

SHA1
6c035fd361a4d2b101e24cb07033cf47950a1ddc

SHA256
285fe9ce6493c48d9ce49d838b4a5128729e72a212718e1e61b5661c8ef41f44

SHA512
87579e8701502844147bdf51f38eea5551836eadb0f4606b9eed59aebafbe5d9db2bc06fb4d544d36cc47e2d0b5fc90c749cff27689d5d4db8df6f0ade746509

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
cd2b58d70c25b770e57b3bd2f084e7a9

SHA1
2982dd5aa88d679bf3b0b0dc03a9a74d64dfa6ef

SHA256
b6616798665008380543e7358b64b4e3f81d738ea83a2a2c6f89d10d4ecf8718

SHA512
25b10b2d3dee1f367df3aa642998eec6b4acda4527487cc6505b4571b351c695f38178d38147dfcdfa7214804ca6a5ba8041779c0845be4740838293d10e3930

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
82979ab20b6e5f0b4fc8628f7ef8a1b8

SHA1
7891b93b0151e6303e1ecbd350f22d175e16773e

SHA256
d62372b5573da5a70bfc48d0a4127990d585aa70d0fe355cbcbcac2a6a7a722a

SHA512
bfe1ee183bdf5932680c8752d369d56885f1c132264dbeb56e9a53a09e384a6dc8924bcb654a525a59ed37e9bb5d7bb0737ab7b5a4e13b8e7e16fe530da8850b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c355d814a977d87f195f6a9655c0a9e3

SHA1
d926e356a29139076229d3bf0418117eac4d6a53

SHA256
f53b8b13508f08555cf70b6e93f3ae05f6920cf84bdb52140dac5ce3d8c01c97

SHA512
a02584347a836db98f671c2f167f1dc675d01b54afe3c19851d35d9c73caca942f16d473d030c1b62e7783fc34b165f616c6942b85699d5d1c756ea94908b2a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
1ce8aefd8c3b0b0c0fe1d966c9f0b78f

SHA1
0c620f7642e156229713e00c8701b063f50a8f53

SHA256
66e5e7773cf5ff0b59f3d7839ca437416cfcca245948e27cea0b98c7146ff08f

SHA512
20eaf94ee7edb32babf7a8a7adb36645256192dbb3afafd25a3aae55e662e0685a690b7561db0096521e9f028f4e06eaf4dd5c4026592c04b9ee3c9f7a730fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fb90429e-054c-4692-9f22-4cc22a09620d.tmp

Filesize
11KB

MD5
a861b2e29bfe9b1297815f94481120f5

SHA1
623dfe1fcc800a12bbdf91275c8140d42f2b3d70

SHA256
72675fd8b9f56fde5f4bbcdea29b8bc9f6d3f4cad7cc2a1fa1a91b6ce6662fef

SHA512
6bbd905cf3bc7d401c99876f1f2e585c73221f5a66d4649c61463367bee4f6de3280bab07d6e7af86d597dfc7ef55d909568ce5164db01f71c3f0fc63b188b3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml

Filesize
366KB

MD5
4f64829e8d192281881bf40e3b92f560

SHA1
8c6cbb02ab8ba14a373eb24cf10b51ce23145244

SHA256
ade868ca7b7eb1802878fb3a420557e4e6b4603c4349b7fe7ff168ca8e0fc007

SHA512
9d1b6177156f73a6b1f825c72a6c339302c0ba4000797269fff5981265d355046356310f2f12c2210fe9bfd42d2488ed5d16646c67b831d6d2360f3cf3f64ad8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\CC665A2E.emf

Filesize
5KB

MD5
0ed5bc16545d23c325d756013579a697

SHA1
dcdde3196414a743177131d7d906cb67315d88e7

SHA256
3e430584cd9774ea3b21d8e19b485b48212fe356776158dd5f3c5f63a5bde7d3

SHA512
c93072d11058fa50e3b09ff4da9f3dbe2637c2b5df05e616bd8ddd04557ea1e8b0db106b1545fad334619118c467776f81cf97ca52d3f2fcbbe007f30032b8af

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\container.dat

Filesize
118B

MD5
f937b827e376e315a1f04a967e7297e0

SHA1
09e930484213c63a894844991a44469dcbb19f3e

SHA256
e55dbc03fd0fd7a5110d1ab29fd74c092a06cbf34dddfefdd34d539a3651d951

SHA512
d36497e5cbc20a99a587b750f38d31364b2c718e7f241517fd5f14432b0d34c8af7f80d2d874014e3040222828626cf63f792e5f53b0cd32450cc3da1a91db24

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c3ed338a-70ee-4f0b-a90a-46f6dc7778ac}\0.1.filtertrie.intermediate.txt

Filesize
1KB

MD5
341ae8c2ed73844d8d41584d5732ab59

SHA1
95a302e240e330fc1c98ffb5910a7b987a33a513

SHA256
cc570aa790f15e17d548f86f6e9b4986fa82325a59c73c47644a69f119c652e0

SHA512
04ba35d858f0618d60d26e6f773a69398280fce34e7bd074e4e100ead6c4d05fa083b8de070be465cb671920ab26f00890980f7e3211d6ab5e2728e7e06ebdee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{c3ed338a-70ee-4f0b-a90a-46f6dc7778ac}\0.2.filtertrie.intermediate.txt

Filesize
1KB

MD5
4ecf44b5bb78c9d02ef904b032532580

SHA1
2c02a66a6479572010ce4650ba594ef1614b6f24

SHA256
c4111d2a8469f7f9ad2f86366ec624dc96440ac0108adbd1958fd64372478105

SHA512
8d6c737a3053a0bd868d7b3605661cc5d4459739d41319c8eac1c1b91b0da4551ef73e4af8f50ae7bc09a6aa191bfa2a9b36cb0d0aaa3d9bc0e1f0269fe0d08a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529876862510261.txt

Filesize
78KB

MD5
084da23042ee204bfe703d52596619a7

SHA1
49eefcb6c4d80d803bc6dc7bcd74d3f2c90787eb

SHA256
9aa0e43972823f1d470256158f065d520233425afce2232c63354c01ece1dbfe

SHA512
090fda205a2edf65656bac3eab332a2d53254fe106ebac6a2c08f61c7d3e27f1f2afc4a2adf71c454bceb086613ff8023e21e0908e78643c10f2074e9ff440d0

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529877329035355.txt

Filesize
54KB

MD5
1be989b9d0b652b8d901a95857769525

SHA1
88674675b3eb471cbe7d2b5c349cce563863e797

SHA256
3e43f9b23ab507268e2af21c685fe004fbb319e367af430cfdb12bb943923726

SHA512
60535fb81cee33ee251f82c509c40fc8c5bbe605a2905141219db519596bb558da77fcff58dfd1b680f36c6c7633969913821702285ee6732c98c52161c341f7

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529884844769199.txt

Filesize
64KB

MD5
6b65263eb640200b3840efd9f41f9fb0

SHA1
43512d21f21ea5acd151c0f6f82f2b21bcececa4

SHA256
1cc6c95fd1e2b58f6ebe19b5baf16a300568c04a7fa061ad0a86e341ec9b7bea

SHA512
1f934bfb6b39b103de394ad0f9d7ebbc66833721c9403ca207f13a76caa67d31d2d3b04cc005d5a96083d28a9cf49a3239ee3d7ac599b14f562874c8641a7b66

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133529931220460736.txt

Filesize
75KB

MD5
99e2d6303b58df8ee85b67159ac1bd40

SHA1
c4f2e0606e0d81d29a84699406b3fd21baf4f06f

SHA256
f1614dda998d1333e33e9537fa5f85b62dc1fbe5d28c1dc116853bd8732eb29f

SHA512
4d1e63e04456e0daeb00a57803e136b1130c9494ebd542721bef9835779964503a41422fcfc24113f53f2cdf641a780a1f8d9f7591e0dbc3d6313bc16f3a1c96

Download Submit
C:\Users\Admin\AppData\Local\Packages\NcsiUwpApp_8wekyb3d8bbwe\Settings\settings.dat

Filesize
8KB

MD5
c21f4f077ea63e24df7fc56983643716

SHA1
3533fe63ad955927446bc8cd042f16bb34993fea

SHA256
2ed998badd87a431d5eb831512c922d43ade05e8c22fc1b5bf38edd1fb2a45aa

SHA512
76218c581146a7fc5565e9f4f0105c90f2f15292ef97597ef0b43f1ba9b0c50d8c998a0d665cf842207ab934d771cc77198acf3fe2d7d0bcc88d6f6e830bae29

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbhja.rtf

Filesize
816KB

MD5
82f2a7fcac096d8d0c7c2b212b422742

SHA1
453b8b02735da6f90b7cee15283f34e5b447a779

SHA256
9d5a3a9898291e6a9bfb46db0814f77958dfa21931f45283c820011c4136d801

SHA512
d431268321c297e64a5c147dfa5bca09152c7b343a608a2c6887311ad65c5cf396204f4635bc749bf0d8bdacb7e5f20b87f67f5e7da77963014f439861e42175

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat

Filesize
249B

MD5
74635f6e5554ebd726fdca0c002dbee2

SHA1
278e66625144f9d89050b0bedb482a68855b97d4

SHA256
483e814b8f7ff4423f67f93987147b151908e1eef88479b67d4c7c69e5444424

SHA512
bb5dfc5a78b97bd7a5bc0bfe1083b1f03b5592543abf9ce00a7a36c84fb540ddfb1c8ec8994f7e6eabc30b6de896414d171d7eb3c0735ee9708093162fd17f34

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
35d04b8fbd68572ad246850c2aea9769

SHA1
427e99225056025afa3cef94df885171afeee0b8

SHA256
5a60a68e0e38bddc3ba057ebf5d1da64e50c7cb7611704a0df16f59823377d5b

SHA512
d4f5fd1cd1975b4926497744e021c26a68cf68f64ec578f3c9ee8aacbb1b358e3af7de0ff6452063681df20dc5990e52d66ea3cf9d6a2491cd9a1010db2ee591

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms~RFe5b7367.TMP

Filesize
3KB

MD5
affa3e72080666cbbb464384c45dff5a

SHA1
6aad12f00ed40ff23682b1a2a04660a1b8fba0b3

SHA256
9a8133ef174ce9de4bd763f2d19585b3059f51a91dc1cd14a0637d8ab710ff08

SHA512
8279181f0108430896676f3ba517727a885e0581a858a4267ca95cab9d89a231b81b5e681349d2a06d6a9558dcbff26bf843e24901b656f205a9fe958b8eae6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\zlzu656s.default-release\storage\permanent\chrome\idb\2823318777ntouromlalnodry--naod.sqlite

Filesize
48KB

MD5
af7b46f5740b124c41b431d04d70d6d8

SHA1
278ed6fb13caadaf6e8088c34dab1158338f8c0e

SHA256
f6bb731df84b0da2d09cfe6b8021c1f712caeb5f8769e3e2b58dc01fefd3f90f

SHA512
762e74fee13970e18e8e89f883bcb5164e44559ca681ad0702ff70a5155eea64fe5c61df08dc329cf2ae782fc6c39e2ceeb23219c4d6b4b6c2c6abda72f30962

Download Submit
C:\Users\Admin\AppData\Roaming\{8f61f0b2-d1ea-47d4-a1a4-9e9c420327ab}\eudcedit.exe:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Desktop\AddStop.dll

Filesize
983KB

MD5
139e518218c8edd92f29d566d34e7e7e

SHA1
b81509ce8b2da25fed5f6ee600fc47b06331a508

SHA256
dbdf64af0252179bfdcdcbd3339ce1f8b54f27f706b803592725bda2a56cec76

SHA512
e1bbe05eb6d8f56661aa89c802996a3b151c874c755ed7ae6c8eee8bf51e9c24bf7d05f8a40fdb60f172153dba9b2f7dae4e61bbce038685c2f043567264c14a

Download Submit
C:\Users\Admin\Desktop\CheckpointReset.vbe

Filesize
1023KB

MD5
0f42ac11c76e09ef35f1be759545bf59

SHA1
0204db7464e520a99b50bd89492c6d1d325cf742

SHA256
691547990a86569bc9ea2b14426d0ad97cb45c8696cd99ee9d9c608b0c5378f6

SHA512
7621d9ea73438cdf978546eefce8643f4f2e756d15878ee96473594886909e0314b15789a45a923fca80eff25dc1fa91d9ddf1c5fc1688449a280895f408644d

Download Submit
C:\Users\Admin\Desktop\ClearSplit.rmi

Filesize
655KB

MD5
1514a68ed1c70fd069987ac8626ab3a7

SHA1
6e13f5dc3bb9bc0751099af78e864d0ec2c094c4

SHA256
5213ccc7400b3c896ea3ae3fabd630e0affcd629ba9ba1f8bc5964cba64a1cf0

SHA512
b39a4d36e2a42a7e43adac6ebaf72c2f1e1432f481a3754f89ca1a26f14d02e16207d2f41a915a21d86825c8dcfe1691719ef7c7192d41bc39daebeb4fb98e0b

Download Submit
C:\Users\Admin\Desktop\ConvertFromSave.rm

Filesize
491KB

MD5
c4ec3fc3fba80ff4499c28bf1e22d1e7

SHA1
f44541873a9c19d31fd4518c002267884ba0ecec

SHA256
15ba2ae80cda72ad0a52c7a7de7fafeef94b9b00b5de1b8031919c97320fd0a1

SHA512
25ddb8608989fdb581f4c1f9212c301f9e3a8b6f361026f4ca08cfc9767371e3c57cd98514d2bfda80b6d4bef4aa9d8ebb0a66a2388c4a51ab25023eaff0e920

Download Submit
C:\Users\Admin\Desktop\EditConvert.wpl

Filesize
737KB

MD5
c76ff88b14db0c9e0f1df151e32ee7c4

SHA1
197b9b9a2d271b0f4ade703c40e87641dfa088b3

SHA256
75d83afe849d63eb43dc205de86fb20aff1807e9c9ad54f0a7e94319bf870ca3

SHA512
09e35ebfb5e1d3fcb7ff215d27c84fe49ddd798fd8c7488f88586bab1e9c0b8e9d414027e0cd090186b9e45bfe3e2942aed23c10818ca89bcebaef1491d5cb19

Download Submit
C:\Users\Admin\Desktop\ExpandBackup.xsl

Filesize
1.1MB

MD5
0e198dd9bec8561eda9457037fc3ce81

SHA1
e3ce13e7f789a9f87905cc4dfd7769632caa5a2f

SHA256
6b3d575d79c669c5f0a0dbc6276cad30167dcfc4612962831a0997abd8b7f9eb

SHA512
fb91b8d096e076e26c53d83079e0185a3ed9112e8a99cc8429e76843f5c132dcf296042e55f588ba6c930347e2574f8bb5b4dad9c814a924d93bb6bd9fea36df

Download Submit
C:\Users\Admin\Desktop\GrantTest.wdp

Filesize
778KB

MD5
d82bf70d199bfa192104a62b43d30a57

SHA1
664ad039a8c6735c49ce4c36f7759b9bde10043b

SHA256
1f639f5bc7d7a79ed1e398b40806c612415896bcdb8db7f17ed7aa61814daabc

SHA512
6c8a38d9e97cb6df73a9165336150ad1b5fc77aba123c84343ff180fc662d1a0682e12af31b361e52b2279a0b3dc0ef0664bac0ded9dd7fcb7ec6755ea6ab5c5

Download Submit
C:\Users\Admin\Desktop\InvokeInitialize.odt

Filesize
901KB

MD5
8d1b2919a4958e16b13816dd71d2eb0f

SHA1
fbc283de188ae256383befe7e7ea9a62cfbb1f7e

SHA256
12d94a11328808c864722d50c833b19c78fa8cb9496f95241dbf91663d61626a

SHA512
b23a6d4b4a3aa0635ff99215a1fb817ff79738c0d625afd6b9f546c5cdac90efc07aecb14c3bcc2bc98ba2c1b82ee67eaa4a08db673ae39ca17bc7d8433aed5c

Download Submit
C:\Users\Admin\Desktop\JoinProtect.DVR

Filesize
696KB

MD5
05c64c366b7ddf16c6d95ee243d35544

SHA1
8d592fbb463681d1e09cdaf34931cb53194b5b00

SHA256
dd16d3a1dba2a80c045b0d6d225ff54bf98b2c8730b47c962a2e25b91035a755

SHA512
5aedb9efcdeb7ad569897a972425009b74f159409cd5f251596a731e3cb15143cc8de6704aed973703457174fe2215b4b8a978aea698f84935d4e9446a1cc768

Download Submit
C:\Users\Admin\Desktop\Microsoft Edge.lnk

Filesize
2KB

MD5
045c9549abb3b6815215a05248e4b3d8

SHA1
badd2d10b600fe6cfa478ff719100d385527e81f

SHA256
a2578a9647217c3e98d1c83512d0e4df66c932193f789b1bec13456fe7041bce

SHA512
be4b5a6e9cf8652f62fa1dc5997d3b8279ae323f3c1b33d1f185e8baedab90b722a94802f57916846d2c5052317d8cb7ed6499edb125f9cf01f5253ba3afa78a

Download Submit
C:\Users\Admin\Desktop\MoveUnblock.inf

Filesize
614KB

MD5
2230c4ece5b8e2374f405df7fa8bdde1

SHA1
d940b49bf61eba6dd484411e7ba62be728e093f6

SHA256
929c7184e924ffe303f5cae51c3875fa8c3dbcca79b3b3660b4f4f39f589abe5

SHA512
d8ddb9f9762c8ac0a3a6de20743e4e45b9be42954f9b3488229e7a4375106dc5ef993b6c3524f78381f494c6f8a6cc43b4fdac7b7d0b2c0e7d0789ebcf6e5103

Download Submit
C:\Users\Admin\Desktop\OpenFind.jpg

Filesize
942KB

MD5
d7c563c1ce16ed2974d6c12256c47cec

SHA1
fc5b42e195be0f5ca195fcf45c9ccb9f5bd88bcc

SHA256
0bb3a7c2ebc26bb878f534fdc5bb1b0fe7cfcc1823e4a348a8b26daeff0c727d

SHA512
68df436923b4a40cf60aa6255870ec472d0dffa06da819d660a2d22d80e0afee6ca42d4e489757199114585cb0de9ef0bb0e10728bc8416f2c658597915441d0

Download Submit
C:\Users\Admin\Desktop\OptimizeEdit.fon

Filesize
532KB

MD5
a3e82479b954ea749695a5e0fd5d3d59

SHA1
54e9de7833a96aa50d3178455e51c46b443e073e

SHA256
df8d33f29c3769243f660f09ef6bb2dcd5a76bd3088c7090e597130ee45da46e

SHA512
306e3cf813c120faac803c789cba13860a500a89b7c5497a6223adec76f81ab764c8b69802fa9988185f58436ca1a45def16f57ed492dade230748a001adeff9

Download Submit
C:\Users\Admin\Desktop\PopUnpublish.mht

Filesize
573KB

MD5
386029ab66f88ea807cc5fc0fb6bd763

SHA1
2f511f36d01c146d0154b086a3b166d5a3957748

SHA256
e08dca855b6e2b27c36642b7267a03bfc2d65e5a72e2578a625eb615d9b72dc1

SHA512
683eb7df5931664bb3aed26b813efcd9b627d4a4153963a028ee88f4638435ad5c3f349d46b984f1ed7bf285d57b84bd41d99821edb4a0ee3dd10a5e56993a81

Download Submit
C:\Users\Admin\Desktop\RequestGrant.bmp

Filesize
819KB

MD5
6e5fb33434f269c9b0c9d6e957c89011

SHA1
e119abebbbeab0bb8b6bbc926911701b103637ba

SHA256
107a0a74d7fffb69dfa7296eee2a8afba100849b9eefbdf7773d4ca8beb46681

SHA512
6f8f181e322fbc7b6099604b05272e5879d4fd47c53a86c49c4ecd151c6c8fe3237e05eeb7a7ee9067a8665d928581f20c7ab22fa43a1d8e60ab41326ac13bce

Download Submit
C:\Users\Admin\Desktop\ResolveSet.otf

Filesize
409KB

MD5
b79c85be1bec074109d9ad2feb37962a

SHA1
e108a92a42ea363830458f8bc366dc9a77b4cf4d

SHA256
f6e00846b5f3d340f8a38dfcb2b8dddf5f451013f3cdef5fbdcff8f9505e2b2b

SHA512
4f79fa7dbca84e5a8b6c8fe9951bbd47397720c4d1e2f6468cd242f3e726305a730c508f516775cae8b667168ffeec5ad51f12f8f3d506eb31ed2a88ba7ff6fa

Download Submit
C:\Users\Admin\Desktop\SaveClose.vsdm

Filesize
860KB

MD5
f81469142a3ba1695274c8ec9b8e672e

SHA1
08a085962315d47aff5ddb0e9144b7da53093e29

SHA256
d3e10d8b0e0795588306cff271d640abbbd473328e568ece79e94e83b2796088

SHA512
bd86b570424e860d4a472160e1142b9f3d9ccf6340ca50f25babd72b107404fb6cc89224188eab92575c6dc91abf64aee81c4bc42ed1598add34d4b5b053ddd4

Download Submit
C:\Users\Admin\Desktop\SubmitProtect.odt

Filesize
1.1MB

MD5
3d6c51573a3146df5d03a43a0a545ca4

SHA1
a55f880dcd3926db2eabaa7b962329cec457c5ae

SHA256
4ebc6fb76c78ec085ca261ad87f14e8e26196f9d3f9406f6651af72eb7238d1e

SHA512
3c376a45ab410035b1dc5a66cfe29ff6e21f68209538d089ef12ba640f2ccf374e269d233bb051938ebc03a5b4657296b80488227b04b87a3d1d290e49755753

Download Submit
C:\Users\Admin\Desktop\UnlockConvertTo.gif

Filesize
1.0MB

MD5
4e22e4fbdad451c4592f335898d55822

SHA1
3dab84b85c3d088477dda819d7d229538dde0f20

SHA256
f3c6f47f1f19802d689a8ab34e67e4e92005e0849b9310d328863ff8dc28fdde

SHA512
d4b3800b596a2e0127252e3ebf026d94aba510cdfb8873aa34afbc6386f4a8fb2a7b458d81a7012fef22c097fb2e613ea0cda7e00b73c16392bb2c3f102c2b6d

Download Submit
C:\Users\Admin\Desktop\UnlockResume.DVR-MS

Filesize
450KB

MD5
8fa35ab9bc07485711b7a8cbf45fde14

SHA1
77551a1f2ad0f2f13d2d1e6640abc140ab549862

SHA256
d69660daaf3bb2a7aafe8aba1b84c227406ca308c7f86d4dfa22339e8363d760

SHA512
741d08b02fe188896f23c8dec1d4fc17ff70de662f10b094af78ca41f4aa6cc0ff52deff64eb41630bff450fab391355945688834fe22b3758a4039504a60fce

Download Submit
C:\Users\Admin\Desktop\UnregisterResize.mp4v

Filesize
1.6MB

MD5
2409230fac559207d457f837e38e7e44

SHA1
fd1131a7f8e213dbc990431768aa4c291d0c3f2f

SHA256
723812b92e1d7e36f382271467f86482103e35bf86e0213b35b69a4da246aa4e

SHA512
92c621efec7660469bec8f90121242b536694fceabdaa673cb4d5374f1ba218f365b485d5315ddaeed99cb62e2270a45718150a984e9bcf9f65f9798209e448a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 356187.crdownload

Filesize
254KB

MD5
e3b7d39be5e821b59636d0fe7c2944cc

SHA1
00479a97e415e9b6a5dfb5d04f5d9244bc8fbe88

SHA256
389a7d395492c2da6f8abf5a8a7c49c3482f7844f77fe681808c71e961bcae97

SHA512
8f977c60658063051968049245512b6aea68dd89005d0eefde26e4b2757210e9e95aabcef9aee173f57614b52cfbac924d36516b7bc7d3a5cc67daae4dee3ad5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 739721.crdownload

Filesize
670KB

MD5
5cc9e44078f5a9740fa7692c8252a25a

SHA1
ad2256d2cf6d13e8aef26089bafa70c480c73623

SHA256
3ba30ffbb1a0059f5d0c2de7b38a33ba05031404d8cd8c970e50861e4c892475

SHA512
e024c97ca1273cd0660d128aad5ba44aa020701f50b9b6fd391576c652967876a7ea5cb18a84ef3a6b95a376d0cfe1d3c2119d9afd32d34378235ee369b002fa

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 766832.crdownload

Filesize
84KB

MD5
b6e148ee1a2a3b460dd2a0adbf1dd39c

SHA1
ec0efbe8fd2fa5300164e9e4eded0d40da549c60

SHA256
dc31e710277eac1b125de6f4626765a2684d992147691a33964e368e5f269cba

SHA512
4b8c62ddfc7cd3e5ce1f8b5a1ba4a611ab1bfccf81d80cf2cfc831cffa1d7a4b6da0494616a53b419168bc3a324b57382d4a6186af083de6fc93d144c4503741

Download Submit
C:\Users\Admin\Downloads\metrofax.doc

Filesize
221KB

MD5
28e855032f83adbd2d8499af6d2d0e22

SHA1
6b590325e2e465d9762fa5d1877846667268558a

SHA256
b13b29772c29ccb412d6ab360ff38525836fcf0f65be637a7945a83a446dfd5e

SHA512
e401cbd41e044ff7d557f57960d50fb821244eaa97ce1218191d58e0935f6c069e6a0ff4788ed91ead279f36ba4eddfaa08dc3de01082c41dc9c2fc3c4b0ae34

Download Submit
C:\Users\Public\Desktop\Acrobat Reader DC.lnk

Filesize
2KB

MD5
7326229284c8910299af6d1e2d604097

SHA1
c7d19c1997f04604162390ba2bb27df5962d3c57

SHA256
3d2f4f8820800d57d5596ca2bcf84ce75da9a618d03efe599aa4a24fcea87e9a

SHA512
305064db64eeaee25bab006f8035490bebb711a93fd4d45f6369d9f95854a01b42889fb6b6fb3f5efb266b8ec48985a210d1f161e491550f4ca27fe6966abf25

Download Submit
C:\Users\Public\Desktop\Firefox.lnk

Filesize
1000B

MD5
6ef4a48edbc51ef9eb69deb5263f4784

SHA1
25da5c6dc2c3c8a886cb62c291412072e2b084ca

SHA256
f28f610875f9763381f64fded6479f3fdbbc43b587943ac39100320274eb6e05

SHA512
833eb13bc719c8b4ac7fbbf34dfc86aa0ef2a96562869b99661cf089a05882ec13ae1c7689696b5ba4b01deb0f59551eeb7e416248f91d30493504220cca1f1e

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk

Filesize
2KB

MD5
2ebdb007750c82c8866af03689a26530

SHA1
631b0db3bde072f90d6bea1ff131f0d1c9d76b29

SHA256
697459b7c36e673687257457a50c7f24a03544f1746c8dd1575580bfc8cf0039

SHA512
ab8fc755987a4e22f9496254d21756e0a9a66e126487d24171b4d542e347adcd5f2e8218d7c93d8199c7996b249a1ad186ccf2357e226ec670478d3ba50dc12f

Download Submit
C:\Users\Public\Desktop\VLC media player.lnk

Filesize
923B

MD5
cfa32e3d8f744fe3736fb423e6c85a8a

SHA1
d4843e415972880a2a3b2d16a3831d9ec627b8e4

SHA256
d46d0f6cdfc895491ff03c43535a45b2d5dbebbe70a8de45a5e19cff6864df83

SHA512
09d1249dd842e1df021098ff857cf09d50a25513bc37d83ead341e59fb70d58559c002233906b20919618c504bc8b8bdc355c8af930445a1033ae4803a40c08f

Download Submit
C:\Users\Public\YOUR_FILES_ARE_ENCRYPTED.TXT

Filesize
778B

MD5
23bcada57e40b8ad09adca806ea49300

SHA1
1e3f86152b25e458019626d291b8f149983141c4

SHA256
b892a5eedb1ec2f47814560de5545c3976df3783c3882b5bbf8aa00af231d041

SHA512
96a082e924efc76f2373a3123a03810fbc95e79c62a1435071b58f31f3b0b4b16b4bcbf0718a7336eb5c3a22dbcdf18f29aec3cfdccab38da4e9fbe4cea9d716

Download Submit
memory/1720-1347-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1366-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1358-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1360-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1420-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1720-1419-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1720-1363-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1364-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1365-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1423-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1368-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1369-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1370-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1371-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1373-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1375-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1374-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1376-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1720-1417-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1720-1418-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1748-1207-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1295-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1395-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1342-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1422-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1424-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1425-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1426-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1421-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1427-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1428-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1341-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1429-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1430-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1432-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1433-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1434-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1435-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1431-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1436-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1446-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1447-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1448-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1449-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1475-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1476-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1296-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1396-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1293-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1283-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1278-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1245-0x000001F7F7310000-0x000001F7F82E0000-memory.dmp

Filesize
15.8MB

Download
memory/1748-1217-0x00007FF8818F0000-0x00007FF881900000-memory.dmp

Filesize
64KB

Download
memory/1748-1216-0x00007FF8818F0000-0x00007FF881900000-memory.dmp

Filesize
64KB

Download
memory/1748-1215-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1214-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1213-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1212-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1211-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1210-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1209-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1198-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1748-1200-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1748-1201-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1203-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1208-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1206-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1205-0x00007FF8C38D0000-0x00007FF8C3AC5000-memory.dmp

Filesize
2.0MB

Download
memory/1748-1199-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1748-1204-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/1748-1202-0x00007FF883950000-0x00007FF883960000-memory.dmp

Filesize
64KB

Download
memory/3036-1578-0x0000018503F70000-0x0000018504884000-memory.dmp

Filesize
9.1MB

Download
memory/3176-1548-0x000001EE3E210000-0x000001EE3E220000-memory.dmp

Filesize
64KB

Download
memory/3176-1547-0x00007FF8A0F00000-0x00007FF8A19C1000-memory.dmp

Filesize
10.8MB

Download
memory/3176-1546-0x000001EE23B60000-0x000001EE23B7E000-memory.dmp

Filesize
120KB

Download
memory/5040-1798-0x00000000005A0000-0x00000000005BA000-memory.dmp

Filesize
104KB

Download