troldesh | 1f55ed37f443441f832854493f3b658cd955e0abcc855e45bc950c80224c3b67

Analysis

max time kernel
376s
max time network
299s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 14:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gorilla-tag-monke.html
Size

156KB
MD5

c90731af4650b56d9e83b9b3628b1017
SHA1

0793b17f8c0376261c75a042f81757d64860d56c
SHA256

1f55ed37f443441f832854493f3b658cd955e0abcc855e45bc950c80224c3b67
SHA512

67f1b66dd2729f7ec88bee53b7c80b6323354a42f1f2bbb79a03d2652d5f8232f906994d6df2a981cdf894d493ad8e8ab967c20f66be621d4c08e666bd83bdd3
SSDEEP

1536:BUvTJMcdX5G8oz66l3gT3eWr2Y+NXdBAC7ho9kLfnYXTlGykh3u9kV/tWGzjy0EY:EJTzeLgERGKt0csjFh1+6Di

Score

10^/10

troldesh wannacry aspackv2 persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Extracted

Path

C:\Users\Admin\Downloads\r.wry

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send %s to this bitcoin address: %s Next, please find the decrypt software on your desktop, an executable file named "%s". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) %s rar password: wcry123 Run and follow the instructions!

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x00080000000235d4-2784.dat	aspack_v212_v242

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD51EA.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5210.tmp	WannaCry.exe

Executes dropped EXE 15 IoCs

pid	Process
216	NoMoreRansom.exe
4804	NoMoreRansom.exe
3592	NoMoreRansom.exe
2520	WannaCry.exe
2404	!WannaDecryptor!.exe
1408	WannaCry.exe
1104	!WannaDecryptor!.exe
2104	!WannaDecryptor!.exe
1596	!WannaDecryptor!.exe
1928	WannaCry.exe
1712	WannaCry.exe
3028	WannaCry.exe
1740	NoMoreRansom.exe
3084	Popup.exe
2872	Melting.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 41 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/216-611-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-613-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4804-612-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-619-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4804-620-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4804-618-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-617-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4804-625-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-624-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-628-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4804-629-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3592-633-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3592-634-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3592-635-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3592-689-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-692-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-700-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-864-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-891-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-923-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-1259-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-1816-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2386-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2388-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2392-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2431-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2432-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2433-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1740-2446-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1740-2448-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/1740-2466-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2471-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2511-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2547-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2554-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2599-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2661-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2685-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2749-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2782-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/216-2840-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
236	raw.githubusercontent.com
124	raw.githubusercontent.com
125	raw.githubusercontent.com
179	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
860	taskkill.exe
824	taskkill.exe
1624	taskkill.exe
1504	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3198953144-1466794930-246379610-1000\{0605186C-C27A-4AE1-8815-A2FBB7371599}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3198953144-1466794930-246379610-1000\{375A6630-F49E-400B-8BDA-FA2A33E01C95}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3198953144-1466794930-246379610-1000\{82C85581-A14E-4169-87FE-D23DF779FD7F}	msedge.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 508493.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 767409.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 346348.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 686490.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
4184	msedge.exe
4184	msedge.exe
3704	identity_helper.exe
3704	identity_helper.exe
4452	msedge.exe
4452	msedge.exe
4556	msedge.exe
4556	msedge.exe
216	NoMoreRansom.exe
216	NoMoreRansom.exe
4804	NoMoreRansom.exe
4804	NoMoreRansom.exe
216	NoMoreRansom.exe
216	NoMoreRansom.exe
4804	NoMoreRansom.exe
4804	NoMoreRansom.exe
3592	NoMoreRansom.exe
3592	NoMoreRansom.exe
3592	NoMoreRansom.exe
3592	NoMoreRansom.exe
3936	msedge.exe
3936	msedge.exe
964	msedge.exe
964	msedge.exe
4272	msedge.exe
4272	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe
1624	msedge.exe
1624	msedge.exe
1740	NoMoreRansom.exe
1740	NoMoreRansom.exe
1740	NoMoreRansom.exe
1740	NoMoreRansom.exe
5016	msedge.exe
5016	msedge.exe
4896	msedge.exe
4896	msedge.exe
3456	identity_helper.exe
3456	identity_helper.exe
2612	msedge.exe
2612	msedge.exe
2020	msedge.exe
2020	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	824	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	1624	taskkill.exe
Token: SeDebugPrivilege	1504	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4464	WMIC.exe
Token: SeSecurityPrivilege	4464	WMIC.exe
Token: SeTakeOwnershipPrivilege	4464	WMIC.exe
Token: SeLoadDriverPrivilege	4464	WMIC.exe
Token: SeSystemProfilePrivilege	4464	WMIC.exe
Token: SeSystemtimePrivilege	4464	WMIC.exe
Token: SeProfSingleProcessPrivilege	4464	WMIC.exe
Token: SeIncBasePriorityPrivilege	4464	WMIC.exe
Token: SeCreatePagefilePrivilege	4464	WMIC.exe
Token: SeBackupPrivilege	4464	WMIC.exe
Token: SeRestorePrivilege	4464	WMIC.exe
Token: SeShutdownPrivilege	4464	WMIC.exe
Token: SeDebugPrivilege	4464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4464	WMIC.exe
Token: SeRemoteShutdownPrivilege	4464	WMIC.exe
Token: SeUndockPrivilege	4464	WMIC.exe
Token: SeManageVolumePrivilege	4464	WMIC.exe
Token: 33	4464	WMIC.exe
Token: 34	4464	WMIC.exe
Token: 35	4464	WMIC.exe
Token: 36	4464	WMIC.exe
Token: SeBackupPrivilege	928	vssvc.exe
Token: SeRestorePrivilege	928	vssvc.exe
Token: SeAuditPrivilege	928	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
4184	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
964	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2404	!WannaDecryptor!.exe
2404	!WannaDecryptor!.exe
1104	!WannaDecryptor!.exe
1104	!WannaDecryptor!.exe
2104	!WannaDecryptor!.exe
2104	!WannaDecryptor!.exe
1596	!WannaDecryptor!.exe
1596	!WannaDecryptor!.exe
4896	msedge.exe
4896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4184 wrote to memory of 1784	4184	msedge.exe	82
PID 4184 wrote to memory of 1784	4184	msedge.exe	82
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2960	4184	msedge.exe	85
PID 4184 wrote to memory of 2800	4184	msedge.exe	86
PID 4184 wrote to memory of 2800	4184	msedge.exe	86
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87
PID 4184 wrote to memory of 4816	4184	msedge.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\gorilla-tag-monke.html
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa6eff46f8,0x7ffa6eff4708,0x7ffa6eff4718
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2968 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4844 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4288 /prefetch:8
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2312 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5848 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2132,3575286262104745068,964034606271252618,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4556
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:216
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2064

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa6eff46f8,0x7ffa6eff4708,0x7ffa6eff4718
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2736 /prefetch:8
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5036 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3484 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,7367982255137360773,3344840506055189892,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1624
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 222861713451104.bat
    3⤵
    PID:4240
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:4680
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe f
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:2404
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:824
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1624
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:1104
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b !WannaDecryptor!.exe v
    3⤵
    PID:4452
  - - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
      !WannaDecryptor!.exe v
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:4824
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:1596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
PID:1408

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
PID:1712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:928

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\Downloads\NoMoreRansom.exe
"C:\Users\Admin\Downloads\NoMoreRansom.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6eff46f8,0x7ffa6eff4708,0x7ffa6eff4718
  2⤵
  PID:4692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2908 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4380 /prefetch:1
  2⤵
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4324 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4496 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3472 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4352 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4300 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1124 /prefetch:1
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3540 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6036 /prefetch:1
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4420 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6024 /prefetch:8
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5864 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6944 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2188,15306624771277307207,11470807869281754684,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6eff46f8,0x7ffa6eff4708,0x7ffa6eff4718
  2⤵
  PID:908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa6eff46f8,0x7ffa6eff4708,0x7ffa6eff4718
  2⤵
  PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa6eff46f8,0x7ffa6eff4708,0x7ffa6eff4718
  2⤵
  PID:1616

C:\Users\Admin\Desktop\Popup.exe
"C:\Users\Admin\Desktop\Popup.exe"
1⤵
- Executes dropped EXE
PID:3084

C:\Users\Admin\Desktop\Melting.exe
"C:\Users\Admin\Desktop\Melting.exe"
1⤵
- Executes dropped EXE
PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
2657c2363fec4b4389fb9c567c2d525b

SHA1
47bd0f5128c4bffd9d57f9b3586ea974e9b517bb

SHA256
806096f197bda437558a95a1b1ceabcdf6c239937f3ca3ceb8eeda7b0eeda27f

SHA512
6c29431d7c6532a2eed217fb5971646421b2f6acd72e4a8de7f769a76d048b1407a00c1ac24997bf0684598c9bec1defe9f57c854516232d2f101e3724324142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e2ece0fcb9f6256efba522462a9a9288

SHA1
ccc599f64d30e15833b45c7e52924d4bd2f54acb

SHA256
0eff6f3011208a312a1010db0620bb6680fe49d4fa3344930302e950b74ad005

SHA512
ead68dd972cfb1eccc194572279ae3e4ac989546bfb9e8d511c6bc178fc12aaebd20b49860d2b70ac1f5d4236b0df1b484a979b926edbe23f281b8139ff1a9ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dff816a48c76f455c6dd31289d52ffa3

SHA1
17b79e2a07d7942ab41a97c7c4e345b63e8af8f6

SHA256
7d7911ff08c73bac5f0bd7c46c1a7a87e3bc2f39adcd6676edd6958b00e60bb8

SHA512
d3ba31a283d75877e2005336f298459121db7c27c38f17b91e9c891257aa713f77370c1c46f3691bc4cd1c57c24726f5c87b4dded902c0932443ac1d06c2b5e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
864aa9768ef47143c455b31fd314d660

SHA1
09d879e0e77698f28b435ed0e7d8e166e28fafa2

SHA256
3118d55d1f04ecdd849971d8c49896b5c874bdbea63e5288547b9812c0640e10

SHA512
75dce411fce8166c8905ed8da910adb1dd08ab1c9d7cd5431ef905531f2f0374caf73dedd5d238b457ece61273f6c81e632d23eb8409efbb6bf0d01442008488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1d8405c01b37d370a7bf2f19be36c61b

SHA1
3c376dd3c17a44bd005d9bc36390ac4154fe4b6f

SHA256
0edc81d93878a2cfb436b691562605875e21c873e976f3e3121cf6f91258ca74

SHA512
8cb3134185bc07bff94b61f106bb4624f28d88ea50c3d42d96fe2df2b2d740cebbf8d32d0bcdc809a338c9ae834cb2104ebdf101bb293cb6124a8d1d0b93225a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7d31ccc78a52f91feb43e9428849f24e

SHA1
b2274f2dfd3cc72c040ecff58a043a4f29b2c9fa

SHA256
3a568c978c59f5b62fd3ab1f31a7e745b66b8972094cbf44562a5896072971c6

SHA512
c2b075132fa9ea946b5c61a1922d750c69287ba55511590cfe091b17510f010c201dcaee9c0f65bfb283f205bb1abee1ccbef1d1669f5d0bfad8bace9a095a1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
1b075ed2567978763c8b5e1bca5034c3

SHA1
2c536620242f53a6a61ac12e86a46c098c809a98

SHA256
663e0021ad684033958373ad622c7049483ee2a9f15ff16a70c767d81b8bcf43

SHA512
e5bf293f68d9faac4dcfa02ef832dfec09bc21847906e8dab99c8b70f438a36ace84b7ea256348c0139b31e432b2c38a7be68cda167263d3d9689d18ef6d7f6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
f4f24bcbd712b96d5450db4e5dbba9af

SHA1
a369e36e9f9305cf8726f2512f07978b8cfa9939

SHA256
98aaf7ed3ff3d51ab0c22f381e334be81b401c8b3194e9ab0edd13a9a65eb598

SHA512
d5feb789169d62990040e7a4438a3e0b09d445ece82fd2223f62c9c4ed35395b94eee3d64a1d6583e584ca3793b4ec3e4d19213b5afa7751e99f996e4cf29759

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
6eb0a418b78a2aae650e0f8cce66d0e6

SHA1
a1218de76f9acbc721484321daf07b4f66050cfd

SHA256
4ee7fe436e2248ee66db378d393d62006d9c8ed6e5b5fd1d76c0c665dec5fe6e

SHA512
07b13002e3a9ea07b36eed63c9b48582f0c75522b70851b318c5ac87869c2583f3e4353855e1fb4d3b138fb7fd8052be2b88de9889c3e5b3292063fa0ca02b3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3eabf6b1354a82a9dd21c494a34c1645

SHA1
325ccfe3059c3e87f242a82c5356717141deb352

SHA256
ae7bb012daa79af20662a183745312492ce2bff0a9b703c5625ae0860e0b70b0

SHA512
26307f8df2b4b6aedab14dcdafe2b546255d58ffbc52de4246d6ec4d8a27dff61fe0b85d4beb26b745111e3794a7a2ff297bd7ea2bcfb06e1fc8bc65b7f545c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
e730b60b2d56fa7f2ea8a80e99c9e5b4

SHA1
b388d84eb75e6d20ccecec411bb0d27e174096e8

SHA256
889a957d4f3034207064a4a445a9a090ce22439df87193e14e370bfa7522d25b

SHA512
e1b0d4ca4d5bd91cccbedf8deab006eba65733c9fe404d4c3d4e0f62d65fc4e29642b095e2500bf462ab64806f33e2dd265078e38ec5d73c6824b567aade8f08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
15b89bdbe0d9619fd7b39221120cac11

SHA1
20efe7084726db8d0545914d33287f49442f5c66

SHA256
51f478dfdcdb77e73f326d95fdb13663142939444996d86d686dde0ffde5ae2b

SHA512
ff9694acc318d9954aaae03dcf35be41894a77f4c9ba90427b3d9dfe96cbbd3a90ae25e9b787fed6ad39da094bfcee4b930cbd1ac4b0aaa39e4a271ba8ad2060

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5bcce2.TMP

Filesize
4KB

MD5
ba77b83a03bf319634ccb618893573bc

SHA1
8a352af8190c00f2d13e5a650fb65647e23fef56

SHA256
7bc6e1e76c80f724976282ac1b28eb9d248a90d0e0e67fbeffdbea986c51e449

SHA512
b7d79b102e0585e725e3de6850f3075a8beb2a910d5cbc76ab407461771c38854667efddff06999480c4b1333d163dd33a5bfeaddef743bfd9f35041c1f2c14c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
68fd0a9bc90c3ddb0e85564dca8c7404

SHA1
95a0cbedb1ed7895eb54fb79a21d3195233229ca

SHA256
becf4811a8c43d7a6185def454b24e2d3409b5c97ead70e97e068c16aa3e5cec

SHA512
29555acee73b770f0f72bdb281a2c894b2d19702695d1363580279fd157c5b02741a23cef6269ecea0a54d96b70e7e8635d88f85e3c33e8ffb13c8474d33211b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
f4adf25871a88c1ce5b55e13ee938629

SHA1
1306a0ed8ca38790871ffa7e75e733ca8b925091

SHA256
3c842bfb0c6f4b65316be981f7b527146acaaf2c18e690774fab3e081394a253

SHA512
5777e073bf36e80833a41be086d685ee80a3938cba33b19666c3b568cbe7abd0157d0ac1538be3ab01ceb0a3380992d9a0a9e89af488d5da3a607e83020c726f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
0d10f0b26d22817931ef71a7d3394974

SHA1
3ffa33b6f7a47569a7721f707f257bc199d72d23

SHA256
898044bb053d270c5a474722543cab894c070fedda85fc00a029679e94b1ed31

SHA512
ea018c40941c3cd690e6ebfb635153f6ad24250e035aed1783bdcdcd8329342fb24158f9db12d492f2d42e08b3151da3aa8c11bc26e8b4bb45f15e503a480c10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
c31becbdef601cd66623bdd7da4f95ba

SHA1
c74873895b209be1a7510d6f9c3e9a05d9f8e14a

SHA256
54d267215363dfa1b0f12a0b1cb2928d11110952f30e60fe4481cf62d9bad72c

SHA512
32f60e12e4057d4c281e3a9969c387bfec7d305b6966558b6c0b75e825ff62283ed4dbed577fddc168b6d56cc77da0809787dadd40f7830510076caf51a19c86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
a41f80545deb6750463e638e2a261a5b

SHA1
b7d960e92f46e1647e250e76bb16a33325c41bda

SHA256
3e276454fa04e4201b3fc6feca5aacab49edec513994b834a71602f129bef467

SHA512
29189d8730cc09e1ab63bc6c820a2fa5a54717808d65bdb736492ccd619f6a3c69c03bcb7d89d70ba1d67c00c0919b91ae67e6e3fbbe2224313db5a0c9c2ebe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
d108cf46288b59f52f6bfcccf19f1262

SHA1
460b311c46e241d8fd4ea60234669a20d53408a5

SHA256
4616aa26e0b2d8f437a20712abe20f151c3c0161afe1e1e8f180780b85308b4d

SHA512
9f3ab9d2bcf1bad7b05efbc6d2efcd7764dcddcff2c804a499e9dc6725f2b49bde775da8ed8ec7c706f9f2bdfb974ad4ad53d4794b1968fee0e6128926f94678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
4KB

MD5
d001b12f46979a996afc42e795a0fcc0

SHA1
50774552bc873ff17b83cf1f660f40adea70c145

SHA256
c7d15886b85c804e69bd2d4f9ea5cb708ac5cc99e7cbd02e858f123df224e536

SHA512
90ffd47aa43f1ded990c42549c0a122e449cc7bcfa28e1352b3f49c85798ded1b06fa610a12e581b805bf70671fe1d110896261460fcbe7279231fe2a193d526

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
13KB

MD5
6465fdb2d40df13dd56e4102ed90646c

SHA1
6c3b4786ce727a3a54bdcfb4b6b3515af3d11289

SHA256
55394396d12ca23bb806bc8833176cf269f50ae952b5f5e80babb1646e5a0560

SHA512
96a448454927e95e894e39d2911d1d7499fff34acda15b42c788121c137c2cd350408c2127809d68d42293e1711ae11226699b7fe2b911a021c41590c7fa2e0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c80aac81c0058e2f6e2a1a3eca8ddd2a

SHA1
ed9e93ebc9a4f0ce1d253e1b43d6fc56498e1704

SHA256
5e1dc64ee579bf7dce29f096253068ec27f5ff4df353baf5dceda9ec707d34e7

SHA512
163ccf8a3d34a6cf6dbd99d949eabd13afa75679471b60a183e3ac8f0b4e5b307549d61006fdce20cc02d68d203b1d24035881d75017c7e22dffe3e09ff73797

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c361a5fed0c84d16895890f6be62689d

SHA1
2d82c08755566c7c41aff8a5c1023dc2e481fc0b

SHA256
075947cbbc5471336db6e126ba9201e3903b4783189af8af5138ac728c56bc1f

SHA512
ede72b56566a69ddacbf421ac40e8aeff345af08c29ac6fcb179c063b60af7bfa4e21d21ff20d3613e2f92151db48682e16a4765b6e72f1cc6925ce638dc4f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
030b841c799486cd32ba9bb9f08dbf67

SHA1
2b732bb16a8635c7d24430578bad653fff32173a

SHA256
2b545e4b9b322383bddad9c1114b1c1e334f25cbc59ae56d0af3d07dc8d6764c

SHA512
6ac3d017e0a0514907fd8baedd94c29aa6b0337a743c746bfc58b4d956700a8db274d566fa5c76f83c3571721f6be3550e7cb96a7e3b9386e4e1686bc7fda4e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c654e86c7a436e9ab31456e0cbf41d49

SHA1
a74f12d4db69edd219bd8e91f5774bea441e8085

SHA256
9550b753b5c7122d5fe751005c246c05c2724ce42a690c32dcea6766fd9440ad

SHA512
5a0314def64057bf4a72360f60a2fc69ab8524555a49bb7934b9fcb1714e5c7bf7c36f47f88134ddc975e97628ae7a72e2b7a0a0dad0a9891219526c57f595a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ad2afc07ae574d6a090a48be0ebd25c

SHA1
05609ddb986026bef4dd578073e7c02dc1dbd3d7

SHA256
07219484629d7c1ed27b81d0e349efdd9a73e22f5499722e950f9d7969cb57b3

SHA512
24d910b8a341e263671446d8b2fb6da705f6b55d5edb98cfc3ce7730d32341339d19032e42063d209c2c19891bd1add136ebc638ae1d28cce2ca774feec9ee35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1bd20d090b641f03335f15ee9fa3cbba

SHA1
fde1f5084ce475397c002a3c42937551d2bd2f43

SHA256
7191404f9421da1ff4d061c84bd1c6b7124e4874ce9c63fd6094199f7fbcbf79

SHA512
210f3689b5753b2baf35b6dfd60504476a98508a56aecc073ab39673da78aec8aadd291ca9f14c7bef7a9f9381e5403ab16f3c600357bb9138e950a8cdda3adc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
118d06c90b06f8e84ce20f24a618ebbf

SHA1
7f6eb894fb93c4d9b5b458cabcb6a7d5173b1a94

SHA256
1675504be0ab01b5336eeb92a5b9a239f0f0a42c3106b24c80e43e0947c3e930

SHA512
8b5a96540d5d335700e9af20544f630162e37642eefdd4b24e0a1a6bb7d6787a4ac2b9dbe1b683adf01a21033da04fad426f9d397f693ee81e451b5ce7311933

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8376397f9cb92d7436112b63c145d01b

SHA1
900454e62d927fe16cf2ec08f5a1c895fc7eed3b

SHA256
175cc9e9208c38704b1f566fb549a8521133951956a7c4ae8a121ad6c3c96644

SHA512
4286facfef2c8fe732e5ecefa0ff87b6f53f8ec84b35298cdf0ccf0362c3041d115cbfa55f626cfb0e56a1077a44cf58c0efbf539572ee9b53815379ec5862e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
81cca180ed4045f667a12269a7e29e2b

SHA1
98b6314a0fe60fdf0b56b7705e1aa3368d0d3211

SHA256
b05540a4f5b770ee751c5c62b5e81a41530a9779ba6d470c18ce91d0bd87f6d0

SHA512
8245ea967bf893d7469ebffc9b7083f51f2a8c0c1f2f2bf03a5d4592b2e57facb6d68d930d0a2b59a6b91983137018474c14a4f0fd63efa746cfd9bfb294b565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
85b8abfb87498a117c6325dada2185eb

SHA1
26bdeda45f6bbcd432eb940a96a17049fd87a9fd

SHA256
b4b8067fc2673e2c52ad893a83521eb0ee948ced03fd70f36176b31eef674944

SHA512
38db3301a554b27aec4b6c0302fa777b3f8a32aecdc59b96a9286cc3adbb82f5877ffcecd52933f240340aeade4059e7a2f63edbb0a9d48a1f9f9258d06a93a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
eb690478e768ca973067448ec73d123e

SHA1
cae825787abd1523d5220cfc0bb91c4e391af212

SHA256
f8137b1490db070fef0a0705f17a2db1f0399042f5c090ce789e98d2fb19289c

SHA512
9db66c4f856705801ced8cc1d8b38f21a5dd48750608817a0bb27d3e85e1b3d3b24d68734285cd620b45a245985f7f6f744cf1614155f79a1a9af35a6df43287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6af3c7a950726ce36a74e81737c73f54

SHA1
36bf86a9590240df79d5f51122ad3d127f4a0a4a

SHA256
5269e12f6c4fd1f712db6c5db2919758a142118cda048413d7a3d336bbd6ca24

SHA512
3ac7aecf8035bbe77a49363fe6580fe2a9522175202f7fb11ab317bf5fd8b7984cd31bb844c9af4ca00e19a5af571839a9836708a58ce17c1a2c1af25e110e7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b8ccf7976c26f0c513e804021464b602

SHA1
848a81acf8e9ae6dcf519bc0490d3c1c499708af

SHA256
4d1c4fefcbfac872107173f83f91331a2cb1116b174e6546789c466c214e4a89

SHA512
af437a772d144c6ee734f6ec0d93bf8815fddca40acf10a5d07269eadf5f3893d47f0c3e4cf03d978aaf88305111afefab743a6404ed7ea2a2e5c7a53e4890b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a25aded32464ca9a7a58524519b1db60

SHA1
3bb53da149b00f8a1a8b696c63b046ffdffebd6f

SHA256
5fe0a3a1de4b73e324414a1b2cf741af36ceac39ea895cf94fe88dda6b96757e

SHA512
5632643e871deabf0cf6b6993c8e4e38122b31c7a9c94c174303a19b261340fd469600fa681917cf33cafc62163ae76682c32ca81ea4d6bef0023ac0468d28a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
5861ad782b5e5f786372ca894545d219

SHA1
168cf45ed0c9a83d28f3c5ee2c83892d9611e252

SHA256
2d009cc99e02a8561f7ce3207d99ea35451089220e07e2c308c1936dd1d34dc5

SHA512
2bc76cab90af488861325cb4907f1e36ce195138e641659e8697b87e3f2e0836528f1daa8d87855eb77d678654e7b40b42b027cfed0fe3c8405bc8cd8d0b5b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1fe61e069f17f12b354e1503e78024dc

SHA1
26244a5a051815689c2637f7a041a3962efe5cc6

SHA256
228cffd0c98547fe71be4d80fd5e57be18b8895f76c62bc45533b2ffd3b0b2bc

SHA512
72f1abcbd84cf6e434b631253a806dcbf0674f135bcad974e54ed6452bd470848e105405fe1c207931dc01e4acc09ac936fec51d2e663f434055109193bb8156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
a91d61bd7ba5605d99eca6bd04d4260d

SHA1
7278987b5a84721e8db4d1fbf125dc35e4e0e2ec

SHA256
a1f69a085282ad2cde23f9c4221d4352a2abb4d05040ddf7b4c2b1ee13b1c149

SHA512
8bc8e61fe2db0e24f4975ebec6782e5dcc56099ac6b9f371628bf3cf8c2e9573206c88e8db2dc293da367e71e4c0676d7c7e18f7cdc4fe1e6bf13e35cf32b30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
f46f381ba993f2a162e805eefa1d3197

SHA1
949e711b7d0d00ba6dd5b1b2a2eb5c189dc9f11b

SHA256
634b46c4294e100c2721662c3a24a438e61f46014e9d15aee8f71919325a586a

SHA512
9a31e9acfe0250a552e2bde9008d00bad0eb9f5f28a60e611d4ed0ca9de7e51fea28523f912561cc014abbb8e4c78c95be6fafd3fdd6d58f31a65b0aee8aa201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
765bbf54da0de2c34df8c7031e31dd5c

SHA1
0ebfc23329c6a84cc8419b37bde2d8aa10a22c4b

SHA256
d843fa53226213c23888af9e1acbc304802407e5d67b1d8f980c5be7b5acd78c

SHA512
61c3449addcb339cf90b3a62414d582dfaf70d5769dc612dc0e1455413edb4c32a9862f7fdcc2b72c8af5ee1e4efbddd7d616f46cce5e15fe7b58f9f3aba5aa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
c95b9dbd44022967765cbedd147b6914

SHA1
a21563f270a4d489b8b2fa43e0c0741ddd32a7c5

SHA256
f85cd893e777805b3fcd8a7aa0fc564ebf60c4f54e404ecb9fd9f2b11a18d4f6

SHA512
9181d9808cca1c0424df3a6219bd31d4a42caf9f4529c9edd78767e062b23d8fca891dc66833af13d140100efe7a53017f3848b954dccb5008774efda7389279

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13357924595336437

Filesize
18KB

MD5
9e78161aaf01b44ff1d5aa6f4513af28

SHA1
e0e803b812735db5ad6d82ebc7870df917f5f4a5

SHA256
30c63bdb69c1dc3f82d1e48d0cbbc456fb70a8410fa16bb62e9386c666885191

SHA512
a0924f324897622f0bad3390bbbfbb99ad23016f1adb5a622fa4f3d15359e37462e3134c8e2e41cacc04b2bdceb63242f5a8b7ef0845409c5ecc613b4b5e07e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
d56689d49423f79fe716189bb242c32a

SHA1
d0f3352fe1a980c7f8d413e0a58688f561f6dabf

SHA256
a9163fd035046330430328fadc480b8e02d7a9adfbf19688979ff0d48d1ff34d

SHA512
8de94d530666f5e69d01e6f218ef86b2e163330b121828f46da667d2c7e366c30d08443789039d8d209b5834fbfb9fe698d11e8cce645070e3c53eecfc5794fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
5964a50dd632fb1666b3918a012cf2a8

SHA1
200580ff4eff7af1b91308e2f2881c486561971c

SHA256
37104d12f3273fe7cc6299e08d3afe7865ee3242da2b7c7b1a5b7bff317d56e3

SHA512
f89a805405a4fb74c8a9f7e4eb7b4977e0ec56d1b9e57a00af420f6b5b6fb9af01537cf96c6d72580ff149cb04db249de850c3c75516ad8b0f80ab09bac93e42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
49ad43550b3a52026a39d53522cd3395

SHA1
86e485b97d2e3f2ab8a8bc93bafd7aeac701ee4c

SHA256
9830f9b6d4c62488f91391ccf11c0bac78248bdb3bb7cbff12d87f52e55ead86

SHA512
e2c174429785d2529d5c705d51ca64e4bdaf64e037b08efe290e8031e149af82178828c9c67d65ba0ff1e9a7d1f7bf713d8a2d1fc98f8b880916e180b982bb22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
25372181091bf6cd0962fb52b6f6b370

SHA1
9f4df64a8dc5cc48798edd8bbc8bdee843db4bf5

SHA256
f70be580f6b50d7a716a0bac2b0f3f847b95cef9f95d822c316aef2cffbd5b3a

SHA512
a43482d5a01ef859d9ca43340a17acf2437e2ce5168c06f2c7bc80ba97eae210cd4bee1953d0d58fdf47dea4bc84d863dd53ecee87c8be0aefb21ec2f0cd5b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c62134a0a8a44f9240f6fae0fe4a07de

SHA1
fe8ef6993492791f9189dac7a727b061781dc431

SHA256
0d1f42ded2cc547e472213c5f4708b29f5c691167fba9e94f2501e955d90bd61

SHA512
67f1801476c36a3fce1f4b46d31bdf5584e508dc11162cd4e2f83c6adac21a0e888f897f4e3d6de9a25b5264d043f2eb1dae460e0d0e6b428248153e230f06d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
15af3a014cb4c5d17bc45e235fbd37e5

SHA1
ce7c6fbf2e08685af60422c4085777f02f8163cf

SHA256
2d4d5effddd02041bcfc04396376ca51450cedbac32c7d538c424779e65602dc

SHA512
48cb277f1dc0583853606476323003a1877e73d9cade16454b3f4cc96cbba40137d1ac3d9ef479ebea9325f4bb0d7eeb4d82f8afb2d46c730cdfbae8ce381038

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6c5b4205a10deaef12c2568c1d1de0fe

SHA1
f11360544b4784de6a64c9d7e5fee529c97055e9

SHA256
4d5362810493bd4bd5082ca514f961f04050b5d5b5c6e4da9266d43ea4f28b71

SHA512
0d95c987b3c4dc6bf691c80bba6d10c1bbb47e2bfc426e28828625ace46f20479fb2299e239a15ce4cccc31795d2647639d4277dd49b89358c1559d7e966f5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
93f9b9a10546873c60931df014e5337e

SHA1
ef7342f98c78d7792865b312cf0e1b5f93db8b9b

SHA256
864f0fc1db111efe65ec2a346c4a069f55b1fbf608499fdf9013deaf2525a8b3

SHA512
224769fdfe900e5ecfbb1187275baeaff8d9d69a3bcc84690442228fd38b4d1b810b894efa3acf86b3b994c29ffd26ff147e38a91714fe9a398ab1a8555bfee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
910c74abcdf0cc47f552707c19525982

SHA1
016d05b79af1975dbb7696d4ba772906dcf03759

SHA256
5baea707376ae68c495908453050845a6a24ac7840031728d7b95bd5d9d16bfb

SHA512
a1844a00b4dffe20f12a51c4476d99bd04cb82eceb8b51db4d0787893a36cd608cf185bedea90dbc38b356eceb41567e740a67562759675b4a9386f373855881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
7f841b08b4e557d243c096465ccb8a17

SHA1
7a035f43b94a6dc6ea9fb7ec7932a7b2d6935b91

SHA256
1c13054dbc6074b1df84ba58a7b2cbf27e9f08bcfb41b969a0f5cb28119419d4

SHA512
682e1460a8d07bcbace188c0852d2ee908b950c84214ec5205607e724ebaa047ee5f508204fd277dcf0366728ffba3e7ad5f317d28780445a0e85e95d49944f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
c51f0ca5caa76e29ee7c28682ae7d837

SHA1
784f9894b1f6e208b595ec699c626d0db3ac9a29

SHA256
fe2ce4c6bfa1821ed286ae49784defc12524d74fad14bd13c633221c9f44bbe5

SHA512
eece1f746a6a8de82162171d71c614a15444df41462f09ec61d1efd5e9fdd0703b46b7ab019904115a2308ca6b934ff417cc5b179b08fa395eb99691968edc7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d3be7c4745a2d2ba34f649a71af6da23

SHA1
e23fe60612d2f62eca67d3428bcca6632a540e1a

SHA256
df602108636fc486c50d990990e9d4aa7527c764ad79273cc865ecc384708cd2

SHA512
77312baa6ef548d6a188cd5c7f4e067a536d0659d11d1f3ab0d2273584f6a27956692ab99bd9943c1cdd8349234c5386e02c31c32f8b3b3db4a06d3cfcd0d606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
4b095e88dbbbe42b3f8ec957d47e643a

SHA1
b90034900ac9981181ff920a4560c91a6345787e

SHA256
06ce6f15101cc85d72a6831df63aeded620e2079bb5c57e2d18180aa31deb920

SHA512
e5837a2fa2039b984f40fdd947ea45510ab586c32c3c14fa3c21255cab2b5db2c294a7019003c9b39d0941a1b80fb3e8d7396419fe9420bf7139ab4cda97ddd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c13d.TMP

Filesize
871B

MD5
0ee713a3c666b24c459844ab5ec1b7ff

SHA1
29f47190b8cb639c96302e12ddb15c9d211a9bff

SHA256
bc1ba5ceb19c5f7b1275abf5b36096ffe630c6f94aea96916c1f41242299824c

SHA512
c293a30217ab9d4447f710179c75cccb9b991b3a428550af8a989a06781f31330f00fc5f431db089ccf7744c94f0f4717e5ef033f9d0d9d396e7b591a21b1172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
9695d07a7105f81f74cd007732767982

SHA1
bf112cfb723e73cefdf2e54dadd4094e1b3a8baa

SHA256
1dcc7d4371825686ee2da735b9b5c19c6957f6451f30dd0822e680ebe308cdfc

SHA512
5533784ab042503790d9f68682892acff66801767b7c8251e71f94304f2ed3efb354030681b1ef9cf15b08442554e0b20c5b761b612684dce68b3f8fb70a5444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
233998e6b328be0c46793d7d918a2e86

SHA1
2d36b3b134a4058c15f700bb22b8a6e74fdc487e

SHA256
046389f4f07fc98b3331bb23fa2dbe2d9a2ce4457140b042e26d96e8934b9e0f

SHA512
a7d70d9df9bfd4381e884ba3a822f09fb5e8617959f91c94cf1fd6b04e3f4f2c4e53ad61065858007da195e7311ed47f0024745d407f04936723a64de7ea5c5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a5075852-d562-4b59-9788-506d7e54e313.tmp

Filesize
2KB

MD5
2ea6e8b41a6123949ca8dba7a27ba196

SHA1
3dac7e8855e69e29d48464048fec70337c4c4cbd

SHA256
70533e3331792c3c4f50b8edc5fb2cf37fc1df33803b4ab31f85451b90a24c68

SHA512
58313571600521784a42e0f840fbd4382fb379696855b9d173345db65e1aa2e5a441726e909068ae969934357011b886d3d684b89acd2f2febd929d212981184

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ba0ad7d2-24c5-4039-89cc-4792bb318707.tmp

Filesize
2KB

MD5
3bc1813a8b8262cef28548a836aa6f29

SHA1
9245068b13bfa68fb42e671b3949de8d7187b494

SHA256
9297fd4ccaa7af488a03e5cc8ffac2bfc5ed8ab2a43b6ee7c5844bf02bd661eb

SHA512
abeeb0dd5e8e3b0808faa0a5bf303e2f81fce0fc811fad97861f7518fd4f9642228f2e0eafbc8bde09606f4e2f204f0b3054c23933802c0d0ca05c269a3d2c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\dfcd07c3-fab9-40cf-89a2-a804a65756c3.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
69f9e26b09c5f618d43e4089baf23d34

SHA1
373cdeeed291187ea246cee81b1c10f88ebd7c6f

SHA256
826bb6e27f6af57ca2ae148645501650e4d2138e65f3fef7a4d00dc9727924d8

SHA512
331605a838ff144c1d75e4ed9c05fd78d1b05f69996ab0609bdf3e9b8a35abfa520012deb0e97001cb1dc08b7dbdee753864508d19567e0c58614973fb03fe3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
4KB

MD5
422433613d3d3669ef12c6de50d9d9cd

SHA1
9b3c91e4c1193be8453b96c6575746ee4beb12f1

SHA256
35c71a35adef7a7c46be81aa9a4b5b414abe05cc551a0af4c650353fb92f2a65

SHA512
e70afb3397d547fbcc8a69b25fa299f8e777bdf085a2041d2366f29ddc143d8de40ddc75e0e3261e12d6b150e470a7eb5d6a266ddc99c99b55cdf56b0538c868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
7e8c540752910773c2c34112f0bdd8c2

SHA1
a8a729caa9f2ba659c172ed755eb5d0bff01428a

SHA256
9064aa21e89dec340b2cde1192e0dafa49ceac862ccdf3a3813ddcf50c9333d0

SHA512
aa7cd216e1bab07f3ce2128ff41b154493641372118ea813cc91bb0a367b1904e172dd5acc1d394894152b9954b762bef7ac5fb0e49af0b142553a601cf8c87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
594B

MD5
e587f67d71a9eb3397d7f15003fb2b19

SHA1
2115ec0f27b8b0a825497681a6bbc704927950d0

SHA256
1c70d3097594aef5e83e39e32693ee40b6f9f018b79b2e7aef8e108c742f7f4b

SHA512
e57929d75a516b667b7621513158c9a17b9089f5e232bb50e2875555dd4d223db51ae6178c87bceae64a318851b7f091298cb5f641a07d19e9538e96f31d3574

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
41a07d56560dc2c0939e463ed06e6d70

SHA1
61c3ded6c976c6a2ee6677235e34fb18722f5b75

SHA256
fd3aa949b3d5c1a931b12a2330cd24a82774bc488606cfe8730cd818514c9c2d

SHA512
c1130e6000a453430a094f88313f6327faed46e8c51cc717b8bb0fd16db20198c0d0e8dab3499dbf5ca8537987764438007f0a757b2a7e2f15ccc76f43a0a01e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
60a42f4174335b68a269d19de6ae6c7e

SHA1
0558c17ce36a41741eea724c81ed97d58e94d7a7

SHA256
9e1e0242dbb268048b2fc32fcd1ac7473da093fa566174b250454dfc566025f9

SHA512
bfe261119014bdd666e2293f2f01d85adb75740a4552df80d26b17cb01159945937fa8968de56a4207d9dfbe3cbbf512408194030da0313959a12554c04951a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1b5caa951c52f86ecb28789d8c28f16d

SHA1
ecf904d5ff541bb35989544f1ed5106c528659d4

SHA256
7ffe5584bad6577de2aa54654748f938111e85e72c0b5a40b100d9fcd864be84

SHA512
bf67a64a6dca009c528ffbef001afec3fe1a6b670d3c4003bf78a68eca4a4052377ce77c336021106f93a6586cf8089e98dbc126a3acb0efc0f8da34c7aa6160

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
893725c0825ccd2f04436054003b5ad8

SHA1
e1a4f3c4c00e83f4489247a3ece0c69854c2b2a2

SHA256
8b0f57eadba5637c3678730bb26262c73d832299907279c39b1730182b76c726

SHA512
97809c6730cfc1d9a254e2c9f92cd7a9559afed09504f7f712093babead67f37831c439ff2030c4822876592faa31e3abd3085ff692e4ec4c6532fffb07f2f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bb2de22a7f4a7db7a3a2e28e83afabfa

SHA1
ee08daa22e4014c2e6272e2a55efdbfa42a452e2

SHA256
ee3a21de5662dfd324322bf509a891c974d112f6d2f6fee205f31c86c36b07fa

SHA512
69cdde6a5654a3d201289cd488104ba694f6c0393274b09b7ed3f7c78292f2214621a9fc972433a0bdc699bc18afc4cc291b86257aa1ca02200b598d989ff6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
180049723d55afc2e1e4274112795935

SHA1
480d8f5426cc72faf100b8263650ca9799dfdede

SHA256
f1fc15246ffbc428ec7f35a1bfb2e13aefb9e7bad287ebaf726134896a9126d8

SHA512
7c7887fff9fdc958ecf89e428ccad42a0f5c7ecb5b50c86e1671df5d77a1485eaceeefc7d38327f1f899ae5f7e786c93746b6e193a7e6d1ebb1e0a0781c0b69d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7d24d100b8bf56dd30d059ed8316c083

SHA1
bbe3d675a57d0b328fde13a80696b8490c1689d6

SHA256
e6960ec80ccef389f752e83c9205f468e4bec9b0b34c08d33ddf703af578abce

SHA512
ce7ca61ee72929bbe1f005786723702d620d8fdd7a5c085c9f6e51136ab8a3a0ea0da02425957837d474a20bafcbc61f62a2b60d6a07eee236146dfdd3427e99

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\Melting.exe

Filesize
12KB

MD5
833619a4c9e8c808f092bf477af62618

SHA1
b4a0efa26f790e991cb17542c8e6aeb5030d1ebf

SHA256
92a284981c7ca33f1af45ce61738479fbcbb5a4111f5498e2cb54931c8a36c76

SHA512
4f231fc16339d568b5cf9353133aeae835eb262dab68bc80d92f37b43df64dce4fae0e913cbaa3bb61351a759aeecf9d280bc5779b0853c980559a654d6cca11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 346348.crdownload

Filesize
373KB

MD5
9c3e9e30d51489a891513e8a14d931e4

SHA1
4e5a5898389eef8f464dee04a74f3b5c217b7176

SHA256
f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8

SHA512
bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 508493.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 767409.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\r.wry

Filesize
729B

MD5
880e6a619106b3def7e1255f67cb8099

SHA1
8b3a90b2103a92d9facbfb1f64cb0841d97b4de7

SHA256
c9e9dc06f500ae39bfeb4671233cc97bb6dab58d97bb94aba4a2e0e509418d35

SHA512
c35ca30e0131ae4ee3429610ce4914a36b681d2c406f67816f725aa336969c2996347268cb3d19c22abaa4e2740ae86f4210b872610a38b4fa09ee80fcf36243

Download Submit
C:\Users\Admin\Downloads\t.wry

Filesize
68KB

MD5
5557ee73699322602d9ae8294e64ce10

SHA1
1759643cf8bfd0fb8447fd31c5b616397c27be96

SHA256
a7dd727b4e0707026186fcab24ff922da50368e1a4825350bd9c4828c739a825

SHA512
77740de21603fe5dbb0d9971e18ec438a9df7aaa5cea6bd6ef5410e0ab38a06ce77fbaeb8fc68e0177323e6f21d0cee9410e21b7e77e8d60cc17f7d93fdb3d5e

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/216-624-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2392-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2388-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2386-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2431-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2432-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2433-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-1816-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-1259-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-923-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-891-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-864-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2782-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2471-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-700-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2511-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-692-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2749-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2547-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2554-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2840-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-628-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2599-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-617-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2661-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-619-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-2685-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-613-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-611-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/216-610-0x0000000002390000-0x000000000245E000-memory.dmp

Filesize
824KB

Download
memory/1740-2446-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1740-2466-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/1740-2448-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2520-956-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download
memory/3084-2988-0x0000000002120000-0x0000000002121000-memory.dmp

Filesize
4KB

Download
memory/3592-633-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3592-634-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3592-635-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3592-689-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4804-629-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4804-625-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4804-618-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4804-620-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4804-612-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download