cryptolocker | hxxps://github[.]com/topics/ransomware

Analysis

max time kernel
208s
max time network
209s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/topics/ransomware

Score

10^/10

cryptolocker fantom evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>QVbAytjTtTVFBoMU72bJ/rdhApDcQx7ztsVMIvyy9Udg419KO3MiKYrtB7AQoHVYLEulDAx0gSyzXUA698QLu7UKHTWEy2+oNOtp0O6r/5a8QexwSHvwE+B1hmhm56yRsKZw9WiX9chrvKsulauVYlkggy4C1kssPNA86Xdt/zSJp8aIcC14629S/Qvsi/R4d67EEcmMo51oGpCS6VxtR641AxPsk7wmGDWq015McE+aA4hNk8k0FqzwBHkRXYzb9XnybodIVqsLvKta2QMrdr1zUKKQ5Vtnw9x37xd1jxA/vISm6h8yMbrAvJmTrSYWNBgL7G44kcxSytmoDBJXuQ==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Renames multiple (1035) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

Fantom.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation Fantom.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation	Fantom.exe

Executes dropped EXE 5 IoCs

Processes:

CryptoLocker.exe{34184A33-0407-212E-3320-09040709E2C2}.exe{34184A33-0407-212E-3320-09040709E2C2}.exeFantom.exeWindowsUpdate.exe

pid	process
5056	CryptoLocker.exe
3244	{34184A33-0407-212E-3320-09040709E2C2}.exe
4416	{34184A33-0407-212E-3320-09040709E2C2}.exe
2864	Fantom.exe
3268	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

{34184A33-0407-212E-3320-09040709E2C2}.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

74 raw.githubusercontent.com
75 raw.githubusercontent.com

flow	ioc
74	raw.githubusercontent.com
75	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

Processes:

Fantom.exe

description	ioc	process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\Microsoft.WindowsDesktop.App.deps.json	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11cryptotoken.md	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchWide310x150Logo.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionWideTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\LargeTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\wefgallery_strings.js	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MedTile.scale-150_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-black\BadgeLogo.scale-200_contrast-black.png	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\Cultures\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppPackageWideTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\AppPackageAppList.targetsize-24.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsSoundRecorder_10.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-32_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteAppList.targetsize-64_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\ScreenSketchStoreLogo.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\MedTile.scale-125.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows NT\TableTextService\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\Square44x44Logo.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\Locales\fa.pak	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\OneNoteNewNoteSmallTile.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteAppList.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Dtmf_7.m4a	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\NoProfilePicture.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSplashLogo.scale-400.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png	Fantom.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\RenderingControl_DMP.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\32.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.targetsize-256_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ScreenSketchSquare44x44Logo.targetsize-80_contrast-black.png	Fantom.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\Classic.dotx	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\en-us\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\it\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\LockScreenBadgeLogo.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNoteSectionGroupWideTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\LocalizedStrings_cs.json	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\assembly\GAC_MSIL\Microsoft.AnalysisServices.SPClient.Interfaces\13.0.0.0__89845DCD8080CC91\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-48_altform-unplated_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-96_altform-unplated_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\styles\WefGalleryOnenote.css	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-72_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\ClippingTool.targetsize-64.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\pkcs11wrapper.md	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\AppxMetadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe

Modifies registry class 64 IoCs

Processes:

explorer.exemsedge.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-601#immutable1 = "Indexing Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3000#immutable1 = "Sync Center"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-2000#immutable1 = "View and manage devices, printers, and print jobs"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\colorcpl.exe,-6#immutable1 = "Color Management"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupView = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-101#immutable1 = "Customize your mouse settings, such as the button configuration, double-click speed, mouse pointers, and motion speed."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\SyncCenter.dll,-3001#immutable1 = "Sync files between your computer and network folders"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\DeviceCenter.dll,-1000#immutable1 = "Devices and Printers"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-101#immutable1 = "Backup and Restore (Windows 7)"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-1#immutable1 = "Power Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-1#immutable1 = "User Accounts"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-160#immutable1 = "Uninstall or change programs on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4312#immutable1 = "Internet Options"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sdcpl.dll,-100#immutable1 = "Recover copies of your files backed up in Windows 7"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Mode = "6"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-1#immutable1 = "Phone and Modem"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-1#immutable1 = "Speech Recognition"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-101#immutable1 = "Recovery"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874369"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\Vault.dll,-2#immutable1 = "Manage your Windows credentials."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\telephon.cpl,-2#immutable1 = "Configure your telephone dialing rules and modem settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\Speech\SpeechUX\speechuxcpl.dll,-2#immutable1 = "Configure how speech recognition works on your computer."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-1#immutable1 = "System"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\systemcpl.dll,-2#immutable1 = "View information about your computer, and change settings for hardware, performance, and remote connections."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-1#immutable1 = "BitLocker Drive Encryption"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2 = 14001f706806ee260aa0d7449371beb064c986830000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:PID = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\netcenter.dll,-2#immutable1 = "Check network status, change network settings and set preferences for sharing files and printers."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-2#immutable1 = "Change default settings for CDs, DVDs, and devices so that you can automatically play music, view pictures, install software, and play games."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\timedate.cpl,-52#immutable1 = "Set the date, time, and time zone for your computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\autoplay.dll,-1#immutable1 = "AutoPlay"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\sud.dll,-10#immutable1 = "Choose which programs you want Windows to use for activities like web browsing, editing photos, sending e-mail, and playing music."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-4#immutable1 = "Device Manager"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\recovery.dll,-2#immutable1 = "Recovery"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\inetcpl.cpl,-4313#immutable1 = "Configure your Internet display and connection settings."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fvecpl.dll,-2#immutable1 = "Protect your PC using BitLocker Drive Encryption."	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\DiagCpl.dll,-15#immutable1 = "Troubleshoot and fix common computer problems."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\accessibilitycpl.dll,-45#immutable1 = "Make your computer easier to use."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\fhcpl.dll,-2#immutable1 = "Keep a history of your files"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\intl.cpl,-2#immutable1 = "Customize settings for the display of languages, numbers, times, and dates."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\main.cpl,-103#immutable1 = "Customize your keyboard settings, such as the cursor blink rate and the character repeat rate."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\system32\appwiz.cpl,-159#immutable1 = "Programs and Features"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\2\NodeSlot = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12123#immutable1 = "Set firewall security options to help protect your computer from hackers and malicious software."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\srchadmin.dll,-602#immutable1 = "Change how Windows indexes to search faster"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\mmsys.cpl,-301#immutable1 = "Configure your audio devices or change the sound scheme for your computer."	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\FFlags = "18874385"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{DE4F0660-FA10-4B8F-A494-068B20B22307}\IconSize = "48"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\powercpl.dll,-2#immutable1 = "Conserve energy or maximize performance by choosing how your computer manages power."	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\usercpl.dll,-2#immutable1 = "Change user account settings and passwords for people who share this computer."	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\FirewallControlPanel.dll,-12122#immutable1 = "Windows Defender Firewall"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings\ImmutableMuiCache\Strings\52C64B7E\@C:\Windows\System32\devmgr.dll,-5#immutable1 = "View and update your device hardware settings and driver software."	explorer.exe

NTFS ADS 3 IoCs

Processes:

msedge.exeCryptoLocker.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 87363.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 308837.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

explorer.exe

pid process

748 explorer.exe

pid	process
748	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exetaskmgr.exemsedge.exe

pid	process
3612	msedge.exe
3612	msedge.exe
1868	msedge.exe
1868	msedge.exe
2700	identity_helper.exe
2700	identity_helper.exe
4484	msedge.exe
4484	msedge.exe
1152	msedge.exe
1152	msedge.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
3812	msedge.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

1404 taskmgr.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

1868 msedge.exe
1868 msedge.exe
1868 msedge.exe
1868 msedge.exe
1868 msedge.exe
1868 msedge.exe
1868 msedge.exe
1868 msedge.exe

pid	process
1404	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Fantom.exetaskmgr.exeexplorer.exe

description	pid	process
Token: SeDebugPrivilege	2864	Fantom.exe
Token: SeDebugPrivilege	1404	taskmgr.exe
Token: SeSystemProfilePrivilege	1404	taskmgr.exe
Token: SeCreateGlobalPrivilege	1404	taskmgr.exe
Token: SeShutdownPrivilege	748	explorer.exe
Token: SeCreatePagefilePrivilege	748	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

msedge.exetaskmgr.exe

pid	process
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1868	msedge.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe
1404	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1868 wrote to memory of 1860	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1860	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 1436	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 3612	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 3612	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe
PID 1868 wrote to memory of 756	1868	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/topics/ransomware
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84d3746f8,0x7ff84d374708,0x7ff84d374718
2⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
2⤵
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
2⤵
PID:1536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
2⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
2⤵
PID:2540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
2⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
2⤵
PID:4364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5488 /prefetch:8
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
2⤵
PID:3284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6232 /prefetch:8
2⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6320 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4484

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
2⤵
- Executes dropped EXE
- NTFS ADS
PID:5056

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
3⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3244

C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
"C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
4⤵
- Executes dropped EXE
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
2⤵
PID:636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2808 /prefetch:8
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6624 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12606242372230335892,6702368598092628901,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3812

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4492

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
2⤵
- Executes dropped EXE
PID:3268

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1404

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
PID:748

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:4688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML
Filesize
1KB

MD5
b9f4ea8c96e79e7412f5c2e1aea14bcc

SHA1
c8ea8d45742dc7dac7ac9f9e34a9bab82cca3b41

SHA256
234085fe3dd8d4f534d5e66103acc29cda6ee1c9484eff7a4a7e517ed68ece07

SHA512
a072081cd2b599f0e43d4f54e3c15bac7292f538298130e3b08f7f045d7f87126742d87d43fd6caa8b44a73183dc0a2b62939252d1c9a59a7d1c67b7d0c546d6

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif
Filesize
160B

MD5
f1c2c116d5abefca4beb67dbaee3ba45

SHA1
a608092ec7b36a7e6dfdf02551ee4fee015a580e

SHA256
8b56b2017b802894ff84eecc33677cadd93219223eaf63789bc85f54dc35d177

SHA512
03786bcb80db74cad69f19a40e28b0f1339e86dc083dc596c68b70964c59c4abe7ffee1994965bbe5b55c970b85151e6493b569d684c7321c2e4e6bd2a54a263

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt
Filesize
192B

MD5
3d199fbc94cc5c155dfe1c931bbdb017

SHA1
2cfed34c07adb20ca41c504baae2d922d1c21fc3

SHA256
9dd63ee56c523b8daa317712b49255f4fe597945a4f2e45d4b2292d81cbcd60c

SHA512
edd21ed5db3bc530dcbb6753887b1f326f0296af049b246a9708505ca47b850164843340785e73644549410d9da3b7ff50e43814c241fe735d2e6ce219f78334

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt
Filesize
192B

MD5
cc062f8ae68eb55fb5f023d1e7672026

SHA1
3fa2c935eac637c65b441ed1c339fd42c131b839

SHA256
27dd2c2aa946b99466e1cfd227e494ef399e98746e03fe7d17d9aa8dbce33077

SHA512
8569b8907d4454558cf89f4f10288bcb2079e369532da74d02efc7bacd3158133fa5d29716df3a024f6432345fbeb2447ea185ccc14b96243bad6bffd564dbbe

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md
Filesize
1KB

MD5
9f25fe45d1edae67419de25767db41a4

SHA1
5912a4e97c2918964c9497379615abb8bd567b37

SHA256
8bc0632bbd0f281afd20f8614db3977bd292b9a7a50bc9c3f5cc72d8a4e9ee30

SHA512
13f61b008664f7022483d90367ec9ff14fa711aad68c50d70c6b889206a4491448d8d00058f20f31790517c2f3b4b79bf4f45502210350f67f86c62f70e84239

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md
Filesize
31KB

MD5
e718df216bf382da0ef307e0feb8bb07

SHA1
68d29fe999951a5858471e32e96ca1d136c02d0a

SHA256
0fb2d9a3352496b2eca35ad796aa4be18eb959c97d130185c83b96f6c6ac32b5

SHA512
eb2aea803cac22c2ff8cc5d43149b0f1fc8db8d026bca606145ef9c4a605c9452ddfeefdb64a6e17db00a99ec8b8f0cdbd1d332c1fe6e63502e7813c4c28b5d4

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md
Filesize
34KB

MD5
3494a5bb9a41cca8cc53b4e38b452b50

SHA1
edf8b891c64807f54beb51cb06b5cff6db27c6d0

SHA256
2328ddccaf3d515da9483090c9a933ca46ef54ad6508d0c314d6a4bfacff813f

SHA512
d8fa4d675ed2c691da116cf5acf2f8b43103b7ab8dded4bd91a652ed6f7fec7020271672eb49ea56ee9884a9e4b4feccb6b8c278856675f861378401f081ff16

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md
Filesize
2KB

MD5
ae71e9d1f90c7a79a889a9d2169f801e

SHA1
06b665907a27340b47ef4a944a542ce904e3eac9

SHA256
5c45e1cf4fa5c196b414a6e783ee8aaaec6d8a05a2df33f1d79ba6d4638aad96

SHA512
a1907376836ce800d9a6e225c552228cd28b04e301f0d6c581a3cadbed3be3d7a63f76106fd8aac2aabb1318a186a98eb0159756d69e2b5dcf57e18efc4be7e7

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md
Filesize
3KB

MD5
3072c27b69c409d2952099ab7c2a4738

SHA1
4dffb6f5dc13999050bc8df2cc1218d4f3bb70e3

SHA256
56f65d34e1a50927e4970998953fcec44047dffc01fd2aa5e7ad5c71c0bf832e

SHA512
889031f2dc238a58fd51b6608b62722d02531caecce64e751b0ba14966f1747ff958a10ff34a5122ae5bb48b91b36dc6886f06d3c150287159ed611c51cfbf3e

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md
Filesize
2KB

MD5
d885ccc251efa9fd50c65b6ee80f8f02

SHA1
0b8454487417cb73a5d769421853919170a2762a

SHA256
9b999eb081d1c0bcc46248532d9f2566d0858a2beb7d0cfcc7392035b9ee0edf

SHA512
c7216fdadcc193d168c3eef390d00e47d61a203b6cfecae47e407dfc93442a9349bf626a5e4ff6ccbe9560bf941b060e0aafa9bf0f0c2c2899eb8e68bb63c88e

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md
Filesize
5KB

MD5
7c4eadc8c07a4a539435d23722d8ebdc

SHA1
51b0a528a648b2590f0026810abb7ac7474ac823

SHA256
ce3f654db66c659dca195ebd31fab07d8f6b6861edf1c01bc2b73c4a8bddf2e2

SHA512
df1951a26e0480e1ae419046540fcab8b237f7a33470e6ba481293fb7d0303766cc24cafdfb8b12e36530b8630a01ee70d42becb822ec1c599abbb02b1ccdc93

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md
Filesize
1KB

MD5
dfab313d532e5cdccb3e574e3cc918cb

SHA1
88a26b92779e437df229fbffce8b33ac00ca43b3

SHA256
d74735bd1120bb7e381856a1374a1c820f05beb45a3d1cded55d6d75cd49247c

SHA512
78ce85aef89e6cb7d81069d93be33b3233af524b71a2581288d5c895634ca989bc8759e5c91682d9abc2b9c8c45292e0174fc700d7e52b5682adb18f361de4f0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md
Filesize
10KB

MD5
960ffdb26fa62c468faccdb72294e245

SHA1
7f9ea83d77b385e40dfcf0d137896b52cd3354a0

SHA256
44b012e37fbd66a82aa78d80e66de8bc154c6ba143ce36b322efc9d4e4fd6c8b

SHA512
63a966e175b2553b7a59f326aaa4370f28b9cd73d6fdbe691257717c03190f883693050d14b744a7d9333c6a049c71b97e82f919856b10af5258c9f9aaa6ba4c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md
Filesize
3KB

MD5
7db9f9ee40d12634fc79c3283732540a

SHA1
74c15526c28ace49b96882e402d5c52a6bca7402

SHA256
f83f9edfc6df6a6cd32d48118b46e11ed5c27045f41336a0422d49cd7fd29d77

SHA512
41845ad50576244b52366494f79bb7e46b20d9f2139673a9cf66620f7707313f699fedaf5337bbe7f6edcf014c3985278e0fc0f43d105486567083faf946ea2d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md
Filesize
176B

MD5
50720090ff685cd1887d434bad47e0a9

SHA1
1238db5095c6fa7130e0e30fbea0601808ea9dfa

SHA256
afadd40f92c4b7ae0efe9d82157101449b8ff70fc3e9a124a78f582fe5bfd560

SHA512
603fe8a8a00bc9503c091b64e82079d7e044867b7243b46873d4b301d1a9b34dd534aeaa71f902021cf4b5ff4e8c9557bb0901f5ddcdb3371cbb088acd65878a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md
Filesize
1KB

MD5
240cd2f7145e9eb2261f0720576fe210

SHA1
a5263d82660b122c6cfd7cec512327ae58068866

SHA256
bbe68f22e41c6f162d58578d482f571ec52b4552bfde80c5eb38538d955b7531

SHA512
f2d4d5b60421419f5b3d0352d39106de259d13930a873c1c732dc40435081560c57898fc2be5798c12e3ad43e5a10c994ac6d22cca9b3b1344348ea58b946a82

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md
Filesize
3KB

MD5
07dadd2ea1883f7aad7f1bbef99bc976

SHA1
776154ac66a5957453563ec23b090b5cfbaa87f9

SHA256
877cc0dca79600ab6dbc38ea85144189e4b6c6beb66f611108c3eb2a8d66f26e

SHA512
52e8a4e6dca108aa2e15751e33a902cb5821d21ea49c500d3913310c4cb32d53ffc1e7fbb9dfa77d0806c567bfba8c2fdd5cded0277232f08a9cf65569eaa330

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md
Filesize
1KB

MD5
ae0d433a732f044a54217e568938f6c4

SHA1
3a7662f24859e84ff4622a19bb4245be3a95078f

SHA256
f23a7e0cda1923b6a217f1ec86a8160b29425ca8fe8889634b3a0f31bc1a7d5b

SHA512
4e64c9855e268adeccec845517e856197829e5edd6094c934096ecaf872033360a971e1e7b8fcc3b3de604211b6beb86364197f9ad1653b2a62ab693a6a48024

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md
Filesize
28KB

MD5
a99bfe02d7149601063ac3dd2dc77d79

SHA1
54e165a37f7e2a8c28540b4c2005255536ec32f6

SHA256
b008629e922a006418843c6dcd67b192c41053099d2d64431a972caf8cc1f043

SHA512
8bfa15c55dee8de64d19ca48c9ac23947456ab6c3af3312beae3fd484cae244a309d16b60b12ac0c8e7944e57797336cb84c6d57da19e0b2a98df15e924b7080

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md
Filesize
2KB

MD5
6974171038fb3a16251fdfc377619a7f

SHA1
8910138fc1e4429dbecc422dd6c719d78442b565

SHA256
0c8d7fd40cb9bf4eeeb37fadd38b2d82dd2eb09c1d322e78a7f4fc70be0bdaf9

SHA512
c649c68664a4e742c552e2e80b90e6f17002655ff52e7d3d2dff6a85aa031bf8b623cdec3cb66c09bb535064a52d0d007794db36895c8b6e18998505f7f4d438

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md
Filesize
1KB

MD5
b78b99e9add0088d143315de3f703a0e

SHA1
d78350d1cabf448fbee31be0963cc615fae1cdf3

SHA256
4b8e9a3cfd6d49dc535d99ca56fd48b21716c44977eb34f7a129fc6653e3b205

SHA512
2c9725224ccc4324274a937f6a7db49dbb69d38451614020e59abaa58fa8020a9730dac2164d09cc9bfe31b6ff6f130e818ecdcb89f2a180f6c6176691c871eb

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md
Filesize
2KB

MD5
38fd35dd6b8666746b008bafdedef8cb

SHA1
65c9a2be8979ab567838ccd4c3b4b66e53fc965f

SHA256
029be2fe4d53df0e14163e2a6c376de5207556f6463b51ad59303100b28ccd38

SHA512
734990f6746aa661a1fdc37a010df5823eb7a8c840dcce45c3e6f64be412a636af1dd4bcffb5aa3ae45c8e47bec5de5aee37f8b56dc4ab44501ee12721548a9a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md
Filesize
1KB

MD5
8119b2433e2ed66060b178b92ef37f76

SHA1
958b59a305bada992fe3275ff6c9f7921261910d

SHA256
4437a6004a1fac53b308c824eb197b15e0af87f280df6eb1949e69d94288c97d

SHA512
5739e58924eb799fb8f004e054a3de588982827cf00e085467a8f92948e5b03f1049a60f296b099cbd359386b519f4d6b35c7121e9e28cb7150b64af18dc4a9e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md
Filesize
1KB

MD5
b2381cd641718d66eed380b8b7c93200

SHA1
caf583badc5695b6958689dee37cb30831cf18b9

SHA256
a8215335c0cd002d7ca6a915a39f03a7c5bdebbbc63f323c56f74006c4ed3b70

SHA512
40a8c659def50c68dc77763a408d72c9097e5165b9196d53664ec27173b465b302d0585bc2e6a966c63b32035958a749aa23131ce04b6db1d92bfc52643320b7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md
Filesize
1KB

MD5
d5ea82473522f4edbf780dcba7fc0222

SHA1
93f656f9748795f0bf7eed26edd5f5bc8e9eae7c

SHA256
07c50ec7ceddb39b861c50ab397521c6ca56f584a266e9e2683d098b69c2a06c

SHA512
4baec984cdae7b34cb857f8c582d05eb60ed2c0fc69125693d1c13de1aef27dc4a7a0cd42e33b773201b68424f08001d227cb1212030937d9bd8d55e84082328

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md
Filesize
3KB

MD5
5483134cb568397112a2319a72f95c08

SHA1
a37cdf75ac919137a8fa63a21cbd392dcf136aa0

SHA256
45a50c5db3197e0953a2ace1c76778258a22b79fa9abc5c4169c350ecd8809a9

SHA512
56c07e784f565a2a1d8b26faffcf6daeffe22a99b1d6d93ab30e2d3dffed867f11f38f4e0120ec46dffbe712405200db9c4b8e01e06abe5540b4ef88c3f19d9f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md
Filesize
2KB

MD5
7603e4383f3fd993a147d329dec6bd3b

SHA1
8c95d70c84ddd55d0eefce7d9aa2d0cbace4bbb1

SHA256
3e7a9955739510a9867aa97243619a7aafe92f02e2144f2575847507a864c8a3

SHA512
2b5118ff3f6f981f7e3d42a22fe31d15f011c7454680e35b29084ac8942dcca5d67a0b042f49840f81bbb392afb1f642436e016502d2658ff131c47e176b45a8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md
Filesize
5KB

MD5
9aebf9b425730dbbd200e4ca2c272936

SHA1
c5508c90b57fa0845e852f3db6c517a36a96cd75

SHA256
e902ce18357ca58a327534b4e9a2e87888272b4bb31ebf5c5cb594b5930ccb7d

SHA512
6ccf1037619563fd952c0ffcf8d29d5e44b38d0eff7ef54fb73994b113c7db49605a931ea131ec928d170fcb4b4bcb6276ed7db0688b0e20d9540618e755c08a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md
Filesize
3KB

MD5
52db093eafaedcbbaca7e3ad2da6afb4

SHA1
0e800b73a131af50b644e0af84439509e3a6c2b5

SHA256
6e34a10cdca0b64c3edb80787b0f3749e03cde182da0a1c8598e0339245547d6

SHA512
ba3ec931635dbabde7ee8410b43e8b8351d4dfee1986074fd661db87a930d760ae1fc30fc4a12fe7503ee419f194bbecc6b581be61ad3a4038e808c6d2421fcf

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md
Filesize
2KB

MD5
5660b5f6d3880dc5af6dc00365cb9e48

SHA1
3eb0d020657343c02e7f66d285ad3b262e7fa34a

SHA256
207066bbe6e672b73975741b157f4f2c9d7a132b3d252c6233a9d6a9e992c917

SHA512
573893e0fcf897f6a9a2b47b6fc2a037a2c6b9fa9f381fea18d65e27d155d017cdc4cda1461603f6116b4f28c0c034a3085808ab200e71c5bf475b9b1b1d8b2a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md
Filesize
2KB

MD5
4294ee6a0d064acc031ca8f384a5cce6

SHA1
b5e38469152fbfd6090337d06088db63cbc36602

SHA256
9c5ea53df6c51f787cfdab36505de6a8beb602649da9c3e6190957f51a1e0add

SHA512
222689ee2a8c1815078d4146615a88fa10313f763f167c610ec69b15ddead36edb53a3aa391487076d3eeba13e1208114dfdd9b49dca3a98a3cda3c467144704

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md
Filesize
1KB

MD5
e263f80395b00382afe25a811f8cca60

SHA1
136c1a503b91f428f23488ccd2d6e0dd529b7e39

SHA256
75a3b532f644cddbeb701673948dbe3bf1a652db87d1b85feb86318758f11be8

SHA512
b339519fda8bc3fefaf2c862881f7f863f37cd42f2d05b32fbf7f291170c9c25ca0072006a0ead1f99cfbdca04f8a935027a8fb92668879f3ecd7b0f27c8e4d7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md
Filesize
1KB

MD5
344759312f32938c06f4c7ec853ccaa7

SHA1
5c7bf2e94202959232586ae846610c10b5979246

SHA256
ebd79a1c819f784ca4cf7056d4621be33c7666683e5e2f1617911e6aee220914

SHA512
8e0eae7c54e3af2c96f6d6318ae9f0f6bac7de391d30a73630fe2b56b5f52f93b2c9ebba4fa6eba2ed77fac36fc62fbf8a82839d4f3ae8caeb50523dfcce0520

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md
Filesize
11KB

MD5
136382db17bccfd56d71ab5a30e9933a

SHA1
1cd0de80b587f61207e5b6c70cd39da679a4dc2f

SHA256
c00f0cccae68153a93a838f875bbda65505a1a18ab662259158efd352779c52a

SHA512
b02ef451b71ca130c558f933b64fb33824680dbc91ee812c8cb63cb8c7e668af76e485d1b5c1ec55da5c729e6fad1a1c7080547dd8ebdaa16742096ca1ff902a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md
Filesize
1KB

MD5
f202f219740e8051e8160ca6d439a3f6

SHA1
60551861367ffb802b65b9e00d29c9ffa4d668dc

SHA256
3f9c59d00e5a287018e87277d8c996214eb1b81064ccb98874a704248ee1ab84

SHA512
1c8cf5569c28b08f3db6a2a7191af7c3cd350d62244ce6d3a2c3b4bf5e5b1021663c9eb37fd0cc35f3dfc0ddfd8c7b61eb20e983cbadf77241c9ea7b03f5b222

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md
Filesize
2KB

MD5
d1351639e55711d2cfffdf4a9af24c46

SHA1
25e624f7b0945aff1471c79fd5a9316ec7b12c4c

SHA256
049dc4c708f23840e9c1047f11d9ae6f97bb508f7b1a9a5f2cce6615dbf8c297

SHA512
1d88a27d4ba3fb727ba926093562016a282e6d6dd89b3e90f17bafd1f7d6eddaf04eb9bb1f9aaa1188a4052ed8e3310f0d47479fe465f6f8c05da95471a88613

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md
Filesize
11KB

MD5
9a18d3357a1219531d3081e814cb577d

SHA1
4776a4bfc11f5e94c48e746a5a4c015d2dc47381

SHA256
f70d9e85e1b1867663d55df55f15dc026249a9f33316d3b99a49ca4f20ecf137

SHA512
fa673afb0957a8511434f545c9ae801ebb04f74764ba245b9d7f1f5ba78ee04e9bd170e3af2ef8507d9f3972bee083c090ba080631f4b0c053d5b164b5c1b668

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md
Filesize
11KB

MD5
dbfbcd85a375a24d644456b0c8f3f2c5

SHA1
bf53b2c86b768a2c29c51145bdabd09ce7f9e883

SHA256
a0a7bd878d8a377a2cc53ed5601826cde9950a78342c67193ba61eeb6026fe8d

SHA512
dda31bd22fa164dccde490e0e648799640aa2a7a3a5b955472977594055bf68541616d913aae93bee9d3cad9a6940775cc98e21e5e39dadd13102d849bb53896

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md
Filesize
11KB

MD5
ead1bac6b35d466bf7e9b03fffefc6a1

SHA1
166b87bb29f92c807919e87a0c592271181bfec8

SHA256
7684498392c3ae28aff4b867b3bfec382d21e15eb693395dc61125d5d78b4d59

SHA512
703464847d85c56ed09c47a1a71f1ea5e548ebe299a1daf58b4e7b47a9d9ab2425b6d4397afe790d11c1de865b140dee7bf0d2cf7baf55c28518b9302151a4b1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md
Filesize
1024B

MD5
3c8d38dd995c5abde284830dde981f24

SHA1
1f5ac001fd83353574d6143884667dec446adb52

SHA256
3042eb3c43d096a2b42e7aca55fd03ed7fc4e7abfd0301a405a6aa8a94cfc972

SHA512
6bac86db8581bd60e0479727dea81ea5a33ce9eb1f63a81f8ab9ba2675da9e39cbc13724a5586564425ea5598fc5c0d3d3fb54ce7b3082c93e4eed1795dd266c

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt
Filesize
48B

MD5
f60fdefef307c5e2b5e5f3034eeb0b27

SHA1
b6bb9c8a8deea37c30d707660916595c85df63c0

SHA256
bfc2ded5851d67217879b8af8e95491a9762a88f99512ff24c9495e779614a27

SHA512
45bafcfbcb64c137884faee22f411de57c1ceea965636a3ce477e97a7ad6874f3a0fcc44fe2567816ad1491ac81ced78fcc7f9519c0992ad5d2461bedbdfda6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\6a474131-a4ca-4a6f-bb72-1c9c1bdc36cf.tmp
Filesize
6KB

MD5
adcfb19cca4334bd04a4d90ddb17b5ca

SHA1
d291cbeb0e9956c37a621c218f9eb1ddfe229440

SHA256
929b1dde6e4049b76188cb18a7df3219f9744b60ea8e4c03cd91e73b02d96fbd

SHA512
5994a0233c54a37db48f7f41de8bbb192c985be168a15e99c0130f9425444a0fd21f65992315f0019a69c38a55904b46a97913fe21b9bd50c0f3dba5d9fa71e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
ce7bf714ee62fbd53ef11c40f4201ab9

SHA1
b83efe650a883d25d4f8bf3bd629ad7a64f06e7f

SHA256
0136124986827b7f393252136d2db733a79d3e86bf5fc4c430247a0d32c5a516

SHA512
523b676f6d36aee2b095092da3aad11109a7b06c7bd24554102a2d80e8223bfd9ca4289789e9a00063841e27fece24a534921e9ae4d7e325a22b7b2c1be18ddf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
120985212435bf4c6ba96280dddea3b7

SHA1
8a45fa3665525d4b0c7e27ee6801bb228f2dca00

SHA256
4e9a420ebd3542f8273b468d3fa908ef8e11a93f5a7b6726ba00f753f881d963

SHA512
50bbe6d7fc5241a9a11b95a756623fb4e8a196c5125f88a1dd1b65a670d0a34e0a55e01d8bc8fc32c0a7ed6857bbf0fa5fa3eb835d0b5c4d1a471a89df237cb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
676B

MD5
954b614b078b6b528b76d3c0943313a8

SHA1
bc0eabb522f0497b1cb8e7d4538c83ca22a19dd2

SHA256
88cfb24317cbf7ad2a072cc4c08cd138ab8c07f91134e63f1b1eb440e597d139

SHA512
10286d9bd3461b3b6183ea3ca7ba94770ef3f54d9252bf332b6a447015293fa79bf06b732dc48d8b539af33916f67698528b6f390faa0c1152ceec6aabaa400f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
572fe38c223a93c489e1b6620e278eb7

SHA1
d1d96c0c26d93407247cb5afad7c1a1754cc413f

SHA256
2fd0936d73625d327a3a40863a962fc2a1295c5f50261c4da59c62c795e58c19

SHA512
b5686658e14f45f2ebe5310c109cbd1ad63b2123cfdfdf35fabed1ae8d88188621fbe5dccaa9b15ea654f8691a824055dd7ba977136bd9e9aa484920b764f73b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3e959e872c227495a329cf3345cf77dc

SHA1
53e0823aba374f30a91aa6c51ece2833c70725a9

SHA256
0ac8e8add04d32e4bb47f483455be24961f02b556e5a0d0ff227d340c8cd3ef0

SHA512
5d922581673c4bd6222b27a2a77ca6bc2f97bd2e02fcfbcf1025bd9f8c6b731c7e2769d29cdfd96308a02cbd40cac76a6a8455476dfc9ad9141d2f3a0f5aefea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b1c48fde1d623b3b6a77f9061a515ce1

SHA1
f879d953fd6b3b3e8e57045fb9122205e7b7fc40

SHA256
691303b0a7657779eee216a21df56f0c52491d5a2bbf88b741a98d69c3639131

SHA512
211f50b5aa40162cf97b4be0f16fd82b855228201f53ec3caea3052134f5117e3210c086b43a0f9ed595bfd02060557ade24ccdab19232347ca00aaa5f0efdfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
971bd60cbed3f83c19260f4dfe8f3497

SHA1
0de19eac345dd6c46b389a376050abe7bb7e5946

SHA256
04bd1ef5f70d20d85093da2eaf81103c04a8e0a2fd44312d9d8a89c452049a9c

SHA512
67c28e6170331e8b62ad5ced89de6fa38b915e1481af84afc9292bdf7e1ee629b197f187a4acb32053e35bce58f0a4d55e601f3a293d20e85e3ede4a8295258b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
3e9b25c0ee11aba08c9d4242ba11df2e

SHA1
eaffa2079a034070b5a4b0d7597f2f3089405faa

SHA256
91e5a3a68fb796dd62b611f67a4aeb8d0bd2269cafcdde9af2b7ea028eac66ef

SHA512
b0bcb723664b3edb1aa8b7821c678e162697c0db786b982efacd9049418dbecef5c25f92d335cf8efa8a3ccc515eb04dce22bb6575773a2ec403ba366075bc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
bac46cd7e72917aebd84f1bc74f56df5

SHA1
3916f6e395cc74461295fb06977c4be6b8425fae

SHA256
adf8cd0bdf573a77f17393d594949b14130104b6e4c0337c850122fcce0e1a8d

SHA512
7340dd09d88599a34117483782d50f80887ba04fdcaf699a048a395ec46c676cfa8afffd091843b7a12e83023f112560cab4e77478ec456823d320ba5b9719ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
24e63a842ddfcf0b8169b1b38ebadb7a

SHA1
c09b650ecc56de846c7276c96d72952c6ad98459

SHA256
bfb73175c8b9ef965bc47fe35bddb6edacb7cfb22d758814ddcb180711d9cb08

SHA512
28d2e8a09df441de2abd84a112c27f9a2a6a4d24875418853481f56cb5333367f3f68cb58405be6efb45efddebb90c9b4bb17d10b55b91daabecc1c09f6edd80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
a208639ba623edf54c425425a8f35a48

SHA1
35034e01612fa383e0be88a541c33e498dafec3e

SHA256
af69aa4d127a076efaca8b1d95a2f396f65155d0dd0696814a5d11d1282996c5

SHA512
4eaed3343f2b2e3a90eec24db72a12c2044b649a5396e67b0a11c54680c04d59be435b0cb250bc758e2feaa2ed57409409bc2e50e590c1f205ca07c985f50a26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
874B

MD5
40797116299f8e37c30f6b7f5d1a7b4c

SHA1
581aff45cfbf04bfc44ff4a3009e9c0cb6be92c2

SHA256
d5ca80d33182249a7587c407f19067794c1d2fd82a180ccd6d441bff8685ad78

SHA512
f25455a5f6db739df9bd06d27c710676fa574ee15bf5a0601475ebf97708e17894d44ac63c6a9a3103783f77bce7fcf9d11013d2c326a012f6dc26cac46782ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d8fb.TMP
Filesize
706B

MD5
3ff6578732d92467f1420730c5a90d6f

SHA1
17e515e8c632cad5e93c85fc445248d17947649d

SHA256
cef78d02f9e4c985d84bdb0f36bc1b15e817b6623d752267adfed530e0381139

SHA512
093cca09fef6298061400fc449504e7fd446314d7be8c0112011ec8fddcdbe90ba2769598386b26910b79dcaf2f60a5b12f04079530b7c43df018daf7fdd8955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
07cf72e4225738b2f637cf68d3fcb7d4

SHA1
99305ac03c8aaf1307a9c58f36ee9254d7a4f7ef

SHA256
c7be9ee5b5f4fcaa3fc13e61494aa43e468c9392bb66c983b32fa56416eb2e3d

SHA512
39719d093312e257ec8564b26551af3644829b9c814b367efb4a9252a17bebb60a4baec41030e6ea5eea9ab75045dbb1f8880ad9921dd4ba7a8ab98d3d41f8c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2dab694775e210c0b3b659c2e7f276fa

SHA1
6cfeaca75d791219753783b91e6c09f8ce1e586d

SHA256
0e13469ea791210871baf1052688ea6b4366fcac1fb83d78b1b39dd339d38826

SHA512
30b971387c9f5fea092a3364d3315a51fe48eb93f236c3f0fe5eec5857aa560959d5a601fe3a9247683d1b22de62b74f762fa1b61bff942aff35dcdc12aa3f2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c6d62a50e9f3c5db78fa88ba322245ff

SHA1
e9be2d0a4af028357d822ea497b085018f85403e

SHA256
cb35ecd4259c06d291cd632b8724fccb81b8207ae5b363065484deb4d08b9a4a

SHA512
c3352aabd4ed0a5706bf0fcdb0ab6efdb74ad04d4558f019509bbdb4a12be8da2d90f1d4b27dd479720ebb77638d83230c124e6dee6a2405d654e68c26531b8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 308837.crdownload
Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 87363.crdownload
Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
\??\pipe\LOCAL\crashpad_1868_QTBPVNBRZQHFAYVD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2864-515-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-479-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-620-0x00000000060C0000-0x00000000060CE000-memory.dmp

Filesize
56KB

Download
memory/2864-584-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/2864-583-0x0000000004B30000-0x0000000004BC2000-memory.dmp

Filesize
584KB

Download
memory/2864-582-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/2864-458-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-477-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-459-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-491-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-505-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-461-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-519-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-463-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-465-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-467-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-469-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-471-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-473-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-456-0x00000000024D0000-0x0000000002502000-memory.dmp

Filesize
200KB

Download
memory/2864-481-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-483-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-486-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-487-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-490-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-493-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-495-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-497-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-499-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-501-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-503-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-507-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-509-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-511-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-513-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-517-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-521-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-475-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/2864-457-0x0000000002500000-0x0000000002532000-memory.dmp

Filesize
200KB

Download
memory/3268-632-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download