wannacry | 4932eefd4a7e0037008f10b3e45623cfb9cf54943b2f09e0762d7a0facd28298

Analysis

max time kernel
922s
max time network
924s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
20/07/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Untitled.png
Size

258KB
MD5

25811860c5ee9a5d25be24c4bcaeb34a
SHA1

2c80b6e3c27ede1837e589ef67ecdb4da70fd5aa
SHA256

4932eefd4a7e0037008f10b3e45623cfb9cf54943b2f09e0762d7a0facd28298
SHA512

eb1910e1d3b68ce2aa49300a6f692f839813a1bd8aa8a34234a5c529f0d0530f1549b54727ee7b65a61be52c5b050132b3e06a0c85eb19382c0bf3745f70888f
SSDEEP

6144:jR/mp0+VMP4Dbk7GotugGS8yReMdBFhq61YQBjRWzq1XWdnyNA:jE/2f7Go1GS8GekBFhq6OaRIq1XWsa

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD446B.tmp	WannaCrypt0r.exe

Executes dropped EXE 57 IoCs

pid	Process
2168	WannaCrypt0r.exe
1140	taskdl.exe
5580	@[email protected]
5884	@[email protected]
3684	taskhsvc.exe
1432	taskse.exe
5200	taskdl.exe
2952	@[email protected]
632	taskdl.exe
2780	taskse.exe
4040	@[email protected]
4324	taskse.exe
5468	@[email protected]
4888	taskdl.exe
1720	taskse.exe
4792	@[email protected]
4672	taskdl.exe
3060	taskse.exe
4952	@[email protected]
5292	taskdl.exe
4400	@[email protected]
2068	taskse.exe
1992	taskdl.exe
6000	taskse.exe
2704	@[email protected]
864	taskdl.exe
2040	taskse.exe
372	@[email protected]
2952	taskdl.exe
5424	@[email protected]
5944	taskse.exe
4716	taskdl.exe
5004	taskse.exe
4792	@[email protected]
4672	taskdl.exe
5872	taskse.exe
5732	@[email protected]
5592	taskdl.exe
2312	taskse.exe
4800	@[email protected]
2480	taskdl.exe
828	taskse.exe
956	@[email protected]
3904	taskdl.exe
4588	taskse.exe
5388	@[email protected]
2764	taskdl.exe
4084	taskse.exe
5352	@[email protected]
5344	taskdl.exe
3508	taskse.exe
5020	@[email protected]
4504	taskdl.exe
4016	taskse.exe
4932	@[email protected]
5564	taskse.exe
3532	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4828	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nwsykrss037 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
163	raw.githubusercontent.com
162	raw.githubusercontent.com

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{0AD73A0F-9264-41B3-86A9-03E08E6B1277}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e8005398e082303024b98265d99428e115f0000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 3a002e803accbfb42cdb4c42b0297fe99a87c641260001002600efbe11000000b89a61c808d2da01c57e7ccb08d2da01059d3dcc08d2da0114000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-701583114-2636601053-947405450-1000\{413558C0-052F-4529-BCC8-2FF65F233299}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Generic"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1212	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 616179.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 200426.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4968	msedge.exe
4968	msedge.exe
3168	msedge.exe
3168	msedge.exe
4292	identity_helper.exe
4292	identity_helper.exe
5752	msedge.exe
5752	msedge.exe
5584	msedge.exe
5584	msedge.exe
5400	msedge.exe
5400	msedge.exe
5292	msedge.exe
5292	msedge.exe
5292	msedge.exe
5292	msedge.exe
1128	msedge.exe
1128	msedge.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3684	taskhsvc.exe
3204	mspaint.exe
3204	mspaint.exe
5148	msedge.exe
5148	msedge.exe
1172	msedge.exe
1172	msedge.exe
5880	identity_helper.exe
5880	identity_helper.exe
4228	msedge.exe
4228	msedge.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
5584	msedge.exe
1312	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 37 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4192	WMIC.exe
Token: SeSecurityPrivilege	4192	WMIC.exe
Token: SeTakeOwnershipPrivilege	4192	WMIC.exe
Token: SeLoadDriverPrivilege	4192	WMIC.exe
Token: SeSystemProfilePrivilege	4192	WMIC.exe
Token: SeSystemtimePrivilege	4192	WMIC.exe
Token: SeProfSingleProcessPrivilege	4192	WMIC.exe
Token: SeIncBasePriorityPrivilege	4192	WMIC.exe
Token: SeCreatePagefilePrivilege	4192	WMIC.exe
Token: SeBackupPrivilege	4192	WMIC.exe
Token: SeRestorePrivilege	4192	WMIC.exe
Token: SeShutdownPrivilege	4192	WMIC.exe
Token: SeDebugPrivilege	4192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4192	WMIC.exe
Token: SeRemoteShutdownPrivilege	4192	WMIC.exe
Token: SeUndockPrivilege	4192	WMIC.exe
Token: SeManageVolumePrivilege	4192	WMIC.exe
Token: 33	4192	WMIC.exe
Token: 34	4192	WMIC.exe
Token: 35	4192	WMIC.exe
Token: 36	4192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4192	WMIC.exe
Token: SeSecurityPrivilege	4192	WMIC.exe
Token: SeTakeOwnershipPrivilege	4192	WMIC.exe
Token: SeLoadDriverPrivilege	4192	WMIC.exe
Token: SeSystemProfilePrivilege	4192	WMIC.exe
Token: SeSystemtimePrivilege	4192	WMIC.exe
Token: SeProfSingleProcessPrivilege	4192	WMIC.exe
Token: SeIncBasePriorityPrivilege	4192	WMIC.exe
Token: SeCreatePagefilePrivilege	4192	WMIC.exe
Token: SeBackupPrivilege	4192	WMIC.exe
Token: SeRestorePrivilege	4192	WMIC.exe
Token: SeShutdownPrivilege	4192	WMIC.exe
Token: SeDebugPrivilege	4192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4192	WMIC.exe
Token: SeRemoteShutdownPrivilege	4192	WMIC.exe
Token: SeUndockPrivilege	4192	WMIC.exe
Token: SeManageVolumePrivilege	4192	WMIC.exe
Token: 33	4192	WMIC.exe
Token: 34	4192	WMIC.exe
Token: 35	4192	WMIC.exe
Token: 36	4192	WMIC.exe
Token: SeBackupPrivilege	5820	vssvc.exe
Token: SeRestorePrivilege	5820	vssvc.exe
Token: SeAuditPrivilege	5820	vssvc.exe
Token: SeTcbPrivilege	1432	taskse.exe
Token: SeTcbPrivilege	1432	taskse.exe
Token: SeTcbPrivilege	2780	taskse.exe
Token: SeTcbPrivilege	2780	taskse.exe
Token: SeTcbPrivilege	4324	taskse.exe
Token: SeTcbPrivilege	4324	taskse.exe
Token: SeTcbPrivilege	1720	taskse.exe
Token: SeTcbPrivilege	1720	taskse.exe
Token: SeDebugPrivilege	4932	taskmgr.exe
Token: SeSystemProfilePrivilege	4932	taskmgr.exe
Token: SeCreateGlobalPrivilege	4932	taskmgr.exe
Token: SeTcbPrivilege	3060	taskse.exe
Token: SeTcbPrivilege	3060	taskse.exe
Token: SeTcbPrivilege	2068	taskse.exe
Token: SeTcbPrivilege	2068	taskse.exe
Token: 33	4932	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4932	taskmgr.exe
Token: SeTcbPrivilege	6000	taskse.exe
Token: SeTcbPrivilege	6000	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
3168	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
1172	msedge.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe
4932	taskmgr.exe

Suspicious use of SetWindowsHookEx 41 IoCs

pid	Process
5584	msedge.exe
5580	@[email protected]
5884	@[email protected]
5884	@[email protected]
5580	@[email protected]
2952	@[email protected]
2952	@[email protected]
3204	mspaint.exe
1136	OpenWith.exe
4040	@[email protected]
5468	@[email protected]
4792	@[email protected]
4952	@[email protected]
4400	@[email protected]
4400	@[email protected]
2704	@[email protected]
372	@[email protected]
5424	@[email protected]
4792	@[email protected]
5732	@[email protected]
4800	@[email protected]
956	@[email protected]
1312	msedge.exe
5388	@[email protected]
1312	msedge.exe
1312	msedge.exe
5352	@[email protected]
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
5020	@[email protected]
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
1312	msedge.exe
4932	@[email protected]
3532	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 2740	3168	msedge.exe	99
PID 3168 wrote to memory of 2740	3168	msedge.exe	99
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 1576	3168	msedge.exe	101
PID 3168 wrote to memory of 4968	3168	msedge.exe	102
PID 3168 wrote to memory of 4968	3168	msedge.exe	102
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103
PID 3168 wrote to memory of 4948	3168	msedge.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5096	attrib.exe
5980	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Untitled.png
1⤵
PID:4716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff881df46f8,0x7ff881df4708,0x7ff881df4718
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4292 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
  2⤵
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5664 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:6016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:6124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:5152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1308 /prefetch:8
  2⤵
  PID:6004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:5384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:5520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6592 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6724 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6892 /prefetch:1
  2⤵
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,10007974717614875146,8848701324083897990,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1128

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1684

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:628

C:\Users\Admin\Desktop\WannaCrypt0r.exe
"C:\Users\Admin\Desktop\WannaCrypt0r.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:2168
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:5096
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4828
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 95451721500070.bat
  2⤵
  PID:428
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:5692
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:5980
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5580
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3684
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:5988
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:5884
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:5600
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4192
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5200
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nwsykrss037" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  PID:444
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nwsykrss037" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1212
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:632
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2780
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4040
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5468
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1720
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4792
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3060
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4952
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5292
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2068
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:4400
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1992
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:6000
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2704
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:864
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2040
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:372
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5944
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5424
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4716
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4792
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4672
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5872
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5732
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5592
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4800
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2480
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:828
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:956
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3904
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4588
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5388
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4084
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5352
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5344
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3508
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5020
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4504
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:4016
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4932
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5564
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5820

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\download.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3204

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:5900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff881df46f8,0x7ff881df4708,0x7ff881df4718
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2568 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2544 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  PID:5896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2344 /prefetch:1
  2⤵
  PID:5916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5404 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2068 /prefetch:1
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6412 /prefetch:8
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6108 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,3007441150545322322,16826741296975027498,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6260 /prefetch:8
  2⤵
  PID:5320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4804

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:4932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f37f119665df6beaa925337bbff0e84

SHA1
c2601d11f8aa77e12ab3508479cbf20c27cbd865

SHA256
1073dbff3ec315ac85361c35c8ba791cc4198149b097c7b287dda1d791925027

SHA512
8e180e41dd27c51e81788564b19b8ff411028890da506fbf767d394b1e73ec53e046c8d07235b2ec7c1c593c976bbf74ed9b7d442d68b526a0a77a9b5b0ab817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e3a89e2a42de982970178ccea85d51db

SHA1
7c763cc899fb3992998ee46920f80d8812bda0e5

SHA256
080c62830cbad3ba39df547db96a696477535f57bdf7f47ddd27532fa5a5106a

SHA512
c4202d309d453ff1b94673afe8e8ce87d434140e2311918de8cfa569fc9bcea20609cdb56b54e643e8d8c3b9be62eaa8483036634cafd7c09ee471a7f63c9ed8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d406f3135e11b0a0829109c1090a41dc

SHA1
810f00e803c17274f9af074fc6c47849ad6e873e

SHA256
91f57909a10174b06c862089a9c1f3b3aeafea74a70ee1942ce11bb80d9eace4

SHA512
2b9f0f94b1e8a1b62ab38af8df2add0ec9e4c6dfa94d9c84cc24fe86d2d57d4fc0d9ec8a9775cf42a859ddfd130260128185a0e2588992bca8fd4ebf5ee6d409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\169d6159-25aa-45e1-83d8-7e97a9da9289.tmp

Filesize
6KB

MD5
204f3c1b9205ba88aec258001a3cf370

SHA1
e606639223fa5e49d293ebd8ac9c52321ae8a91d

SHA256
0fd3cfd0e653cd7dd8a5c5479f4d47cf17e2c840f661cf90a43e00bea67f0a19

SHA512
f4c5741c6d8b1227d3599e6fdc22ebc2273e117d997db44e689052cdb111f399d98c226d9e1bc7843179c0ed728475f820786eeccd8c4869fd86ba5ea0d828db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
67KB

MD5
1d9097f6fd8365c7ed19f621246587eb

SHA1
937676f80fd908adc63adb3deb7d0bf4b64ad30e

SHA256
a9dc0d556e1592de2aeef8eed47d099481cfb7f37ea3bf1736df764704f39ddf

SHA512
251bf8a2baf71cde89873b26ee77fe89586daf2a2a913bd8383b1b4eca391fdd28aea6396de3fdff029c6d188bf9bb5f169954e5445da2933664e70acd79f4e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
43KB

MD5
3e4c95c68f28bfed38f6f12a8c2f197e

SHA1
0e29b9a92f4cff6fd69522f4b972d7dbf000f306

SHA256
256e9bba80d098d0a90f0a4e9f6bf7ea0a6a50a4847caf5e5954a921fdceb8c7

SHA512
01edfcfa99b35c1d60e29c0299e800c47163b4382c5144351b6635f4a6092b5be87ac9b83893724b98653acf8af1277fb794da4e7c9f5b53df00eb7b4f43378a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
1.2MB

MD5
931d16be2adb03f2d5df4d249405d6e6

SHA1
7b7076fb55367b6c0b34667b54540aa722e2f55f

SHA256
b6aa0f7290e59637a70586303507208aca637b63f77b5ce1795dfe9b6a248ff3

SHA512
41d44eafc7ade079fc52553bc792dace0c3ed6ee0c30430b876b159868010b8676c5302790d49bed75fa7daa158d4285e236a4be3d13f51ff244c68ca6a479ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
1a63642cbd7194cd68461b1520647b77

SHA1
fd17510bcf20cb0e8d169fcb2bbd2ccae9d2f2a9

SHA256
be4feeb521da9824eb07749d1bc388bb8202383cd831b13e6306fffed52416aa

SHA512
cc6d52cef77a476e1bc9815b290577fa6acb522058e8617df533ee60b1b1b9d11a083fb5286d704892f485b8c8e7badc703fc69602f261ad78d2588ea7d3f17d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
5KB

MD5
8c18d51f1c276ba1330dd4ad725a0790

SHA1
5a3271f937ad2268bf5bf7cb3a8955569a2fe5fb

SHA256
0122fd3a1300664c653fade93fb1e450409bf5ca3ecdc14401f387eafdafc69b

SHA512
28d568b8aee8887dbe50096bab7400a87abbfcd5b8fa367b5522b988ba1eebc39eafcf08aa0fd17fd8a78d623926b0403629c1ab472b270d7d611b2a0d7443e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
b33b46baa0503d6044d8cf036ca7e506

SHA1
878bba21510562ade56d1fb34944a80dc58b70fc

SHA256
4036d06b97ff9c511c57172b555405d1eb0fc194317244b0b20546abf925a080

SHA512
e31417bde4fd8a4fecaed467cb6dd1e9d628c407c9239c3a6938d962213d3a4c6a0c30aa744ea45022cc4cd6ec8c93bb46967bb3d62f32cc5c81d094dc54ffc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
cde8e426aa9392a01bd7cbf6cab30cd3

SHA1
efce6ed7703ddd0ab06736828194167f0ab38cf7

SHA256
ce2a5498789b4837310e699f5eec89345c49af5981b30710708ccce25983014b

SHA512
99b79481f91041424944e58b380e97cbe75480d17ea539bf56e869215c762c799c80bd1b46b235696e1b056a73f155d0df74b66d99aa6815b199d52ad3f9fb04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
729c301179b9c0a8178549747687c4b3

SHA1
01d05d6ded2017dcfbc575249cf4e13ffde4f237

SHA256
224fc458a6d81cfe2e2d7977a3198736773ea442ef1f15e9ebfb0c8f85966ad5

SHA512
2601573bfe42e94b466e5ef1c00c81d02f976fe276e402c973227a7e13603344f482f4ad84c4afa578016e7775d16ed9fd7433b5a501e9fada8682576c396337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
fa6768dd1126041142102287cb2f3fbc

SHA1
58a5ea53213a77ebf003e815bad70922058049fc

SHA256
8466b8c490909e9feccf468488fbb5af4568b48fc97989522dbf07a27b001c4d

SHA512
34638953b2ee68589c5144a098baacf7c002a90e2abd7139ca1fb9af1b9c000775d40a6173a3899f0af826b3a56dbd1b742b5e7f9c055c55530d7bc6f87081fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
30d2c64a5c46f3626be0a343b550ccf4

SHA1
e2471891c101dfe45eb216a2ab261763a5e320b4

SHA256
0e68897d753d7a6f233e16fbe50f6a50ed2cfc3ca5e4319d435fe03d77f2b941

SHA512
dd502f73311e392eef074b8139d96b5a8d16d7805ac68d05e71fcc779fb6fbf796c4249958cf82fb01a6d160f29e199a1beb8f7fe2e33a602e44818125dccbed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
e4d56e8fca503ea232b50854fe94da8c

SHA1
fa050ef8244d53a2c45b708544cccd5c6a23d90f

SHA256
d0f98d5af040d82eb95dd7dff470f50d3d41ebc9301f1cc0c7dcd5c21207b3ac

SHA512
a594627ec7a5704953170783348a11254e14096e25e04c19c7a5437074184076b5828af71838fc8b161232f84ff82b04ebf2ccf09b7c04a574734b52f89016c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
7c645887bebbc9200eb1043eeedc08b0

SHA1
e07eba1a4170573599368f0cdef20717973d9e22

SHA256
ea50cc3e03c0701409915fff45227b87a81cd15dcf4ea12c7e9ec09448d16427

SHA512
37f2f3edf54060dfa545d7ba51e8583121691e560806042cdbd9be7024bc2e9fa6cddbd417f41bc3484cfaf645f18b9c1fbc551c847dd17b4aae0163c89e42b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe6a8214.TMP

Filesize
5KB

MD5
835e53de2745458ed16f5770ae999786

SHA1
20e2a56a4e5e523095d312b11d52098c8d95d2b2

SHA256
f54a567582b7a76782d54e3a1e665be80045da562a64eecfe71f6d729e032b17

SHA512
989d901604b470e4c0e5099ea36637ce4eee498cff7faef47611c7005c466be5a4ef4277b6711a0d6b9659581ed9e9db5e968a9391e73d36ce2e74cf9934e031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b63cba9284d6feda75b3087dfcda5333

SHA1
0866f6b1b33357a1120ade6b4d85cb7abb15f810

SHA256
64fef7e3a2164e8ac0ca9555a6c5d5c1b0a989e33f425530de4aa17d8389c4e0

SHA512
737cc6dbf4f05265d01ef2f8a96f3efcea710237d182b18ad3b5df54c35017d4f1723f103266f7ff0b88b784f145e13f2fc23f0f5eadfe7fdd78122000a107c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b6b386a3930e975e07b3c0d677c2d163

SHA1
42c78d2398ba72e3147a7a978278936dc7e62a7b

SHA256
187c4bec14abbdd7e7c3760befd6e8e7092cd3d29b6d465d5eb094a150425bb6

SHA512
51eab829ef828f8349378dda58bb5726654248012e7a623280779ccdb29c8e6e33d68f991acce7fb3601fe3cfc662e4d0a451e0515aa24e0d932e850fa9825e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
1f1ba995ca2a068de4b4a8d67459e336

SHA1
c8ba84f4d9ae2583e2f1cdaa7a4eb93bdf67603a

SHA256
3029feffea8a08c47d25135595a628756d0b9af4e02a3044a56ab579b5272b05

SHA512
d9d4ec99e22641e441f9a3708de6feece4481413086f39618877d589fa78a636a1042431e69d10ae7d60d201ba64e7103e8dae6ffb5afb6f33a2df4210aaf48e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ea5ea4e8d5cc9f2dd58c0dcda788fd35

SHA1
7e3974a050e31dc90168abfa227f46c9425889d8

SHA256
c16922ddea02d0da12f9f2d638d8c8e3ebd45f0a0d083bd56cf1001fb969cd49

SHA512
7a39979eccfced9d8e7aaac8853265ac084c1f744b63de1ede937729b05e6b3faf840dc7f0687008ca99c03b093e4a0496dc86687569aa62bcb4eefd699367dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
77ee33a8e7f01e7d089a6c95000cc932

SHA1
7bb537a299c592473b8083a96de66e9f7bff5334

SHA256
485314b2a828ba1689df0ce2d1bb1eebb8ce6965bb2e2282ffcc85a6f85445b5

SHA512
a0be3ce4dcb0470573e4c808ae7fd92639bd9a8bad96707eb234408a893df6825bfb1496ef08115bc46b0a5e5e0040741b3c29f8e03cea6a64c5588f54ed52d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
567B

MD5
29aedf1bc48aa6102f82623cafa465e5

SHA1
dc898892c8632dec1d13be0df5544f716d4d30bc

SHA256
be7a6c20f6b340233bfb6118a6cb4b602799bce63e0e4a74f7612174706b924a

SHA512
b58f934a95fea1d3a166779c05382bf00f7c515b9c3ed46419c75416b34af5e092b4e9808b5c9d43c84f4f0f2e3c753533af233606c278481c7da79ce14fca64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ee100ed7f598a695c45f54259fe264b0

SHA1
d2c17e3e02d981690d5c05d35c30c5e697339360

SHA256
09e0b8eee439a9ac6d69cbf30f49b7ba09f76adff13ccdf4db88a1421511357d

SHA512
1be498f1c6e150df0e5f6a3a0816ddbf94bb48c57ad60e4a59c9d927fb2b6d550954aea9d46129accfef1d0d30128fe186d495a9bd9d76b8911d513ddf01da84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b2c588b4c9a045d38a76b9ae7c862e13

SHA1
24beb595d61e85d7b425f4291ca70d4fc0c3e65e

SHA256
296bc592d6729b20642447ea462f5c771b61b50f57af31c2c036b0d82bd5514b

SHA512
9703813675d0e7bedbc3b1fb9211813b2f0933a58f1603eafb0343c51c243046171a50f442803c1cbbbdda1f22f53c3c505bf26ff6c1134107946e49a7042f67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b86b18502f7deca2817892d38fc668ff

SHA1
7f07d0ebaab2a887fb5f1ea40e68be50b3306383

SHA256
c7fd02f3e863271f7ed5c9d8bdcbcd4486ccbd72d5b63b7905f15c98250d5238

SHA512
cb7a14b3a3f11c85e1a3a15582b92ac3b42195ab5ab6f4a0535444203af97685205bbf1ac0e1be1583a5fef39856c84c57ee5c55cb479c0477d9ad6f9c9e3267

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
65314fd52c5ca303a191244b09aa3e84

SHA1
c963c1de0350a91dcdf341fad09dd1204e7a8924

SHA256
faa8a933a7a9a4c02af82d7d617d5ae9588f7487aa966b1b595b84f5e3fbfe66

SHA512
27d3b924722d44a6401401ec188622bd53cada4c61235e9ee2d7ece69df85505a9e7b122d37b2076845c153608bd9409cf0a5aea092bac1c97fd97d985678a9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
08a6cd7bea5ae73f441edc778f3bbb1b

SHA1
c0f3328f34850e49b902ad2a072df82af1135d5d

SHA256
4b448cf44f327c1417f34ff2a5c9150cf25eee809de9b4effff154378e5b7407

SHA512
5dea381c12049e0fcef3b11c6608ec26660a5c83d069ba71d4889b8ac2f8796b0b45fd842b6cfadcd8b32f9d650ee63cae0286f5b2016b6779860593b47373f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b489a6fe35e2a96338696551332070e2

SHA1
d167e960cfa174828be95e41ff61293154491a68

SHA256
c9e9096fe92030bb273ef742e18aa5b06c9d8e04131bc3353537ca075c85fefc

SHA512
5188295de3580a837c41b68eee777162b52e81b2bc06bd7e41d19b807f3cb10937475a81a085f54a43b2212f65c8cc824293d74547005a6c5933c1baa0fb6023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
19171e92989484430d412ee07e84dbbc

SHA1
f7f6fd78ca2c5f433f803dbb9f701987f1cd377d

SHA256
46204bac1e95df6bd14409de2bb902afb9fe5a23e0d70541d4a8bb5b1fc5f334

SHA512
e41076a92e7fe43d13903df217edb3adbc2cdea46777f25c76cecc58766e75dee5f1541c9003a26270eb37dc33d6936210074b04440bf35f96b25ac58618b402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9c837a349ff07b299df540f8dc60484b

SHA1
7a2f70662f8f63c5e15a5f43643812755155fc7f

SHA256
cc241ebe16431dc6a278428ee65c1309bcb4f5c2597f13720d1139bfe6ce07bc

SHA512
2d9bed5f9e0729983c5d16a5a2362b74daf731f340fbdbdacaeafdbdf19e55be12ed2ecbd94c8eaa2e1a9acf3a01888e11ee3851c6b1b5e1c67afcefaa3dd0d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9282364f63199cc133288fcdc29fcb94

SHA1
5c5ac33eac1de92fa7500d1d9be608142a17bd25

SHA256
150e09424164bea87fd88d18a88bdbac0256d3ff070979dfcb07a6bf36df65fd

SHA512
c52d7d594243bfd49a3f2f49c3ccf6859163cf68b242e186b3e2eb245381bcf3889077a28c1727c2bb43c36beb4077b223bcf07ee03769a4f36dc19608a4cb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
91d0f277f3b78953c0ac6014e91118c8

SHA1
f5467a9912b91d4f064f83111738f8bdc053d807

SHA256
74eab921541f52b1a8ce2d24a71534ee9f3ba3e3a7ee37faf959fc31dc9fd7c7

SHA512
92ba0da9ad7b37612e986dd6efe7a4b4a0161f751c396ccfbe8e1762911c24c268ac68cabce0a5b263bf590834bbd40c65e0cf4d61b1b2bde0fbfb4ddd666bc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e179fd27db257316332b9170874c65f

SHA1
5e60a9593a750c5363f34b51c92674ca6dc5ac36

SHA256
031aa2044e26fc95fd92aa6ef113a5e34b7a5f79453ff2254871459d7419de8b

SHA512
d89e5a0703dfbfbab6b66011b2c5c3679f4301452e7299c59e1f9bcd2e8851b4aebc79be0d3ddd77351466990b77c449611d2ef9d65b81fff42e2376e9055d29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
480a067cd439899f1a2b43cb5c9fbad4

SHA1
1fc43c0391d6349063bb122e3394601eb6dc9565

SHA256
de5387b367ed31e50bbdaf37d5adb4d24f4a7edaac77605aea6258ecd4809a9f

SHA512
38d43562771d20c13c1daf667441cde0605446a53c854a60c2e7bb63042418e0c4a5034becf8447929b559bb50cc259a0c81a910394c47af89feef832b3e959d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
af9448ba72b72823e2e3d71f1ca57093

SHA1
7d90ee961311dda4dae20f33c2e765e6be99af10

SHA256
6e693789eb45f8395e6795c30f542893a7238eb12f1dcc4440607b48c8838f60

SHA512
dfa8f1bf977dd6cdf559ac550a314678117f92f78b2a2f0550475f3ef0dbd38a0916ad5e484a9d2088b5f8da0014a840cdd19ba4e50f90bf2b56eb6a0f78d5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8ec9caeb42a5ccd49319d9341ce504bd

SHA1
9c8fff89dcce0459d8fb2ef3a739a8f9e819ad52

SHA256
26d9c3f94e3b60cd99e61ac41f7eb0e102677bcb59dc3d4f35b01633d487277e

SHA512
58053b971388b28f4d926f65a45bc32216eb4b7d3a29f5215e45f77427aede6702e4ef22545d77b5d4f007b5200e467cdbc62cfaa8e1a8d4d496da9a96296240

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
57a56a8c5cf2b08eccf6b7663b8a915a

SHA1
bff1c4c9aa0b26b996e37c43c4a31c1beac580ae

SHA256
bcd5f4c4a21071069b3342b832458dc41007413f4e53710e8ffcc50e6d92e357

SHA512
ba1378f1339995fdc9b6f9feaca19f8752d069b1666f02413a3825ca6b59b1818eaef89de99488308eccb951a5abc0d98eb47da59218da69899f10c720d7297b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
1be7eb7b8ad7f2f4f0b3e2652dc89291

SHA1
18f7e37ea0ecdb0d89aa142f5c4dbd530108a5ff

SHA256
1bc8c64ce8d49808fb44e47de97157378364747d0c8704fcbaf47570d1650c1a

SHA512
d1d187cb658dda6af2281fa34fe02a1053f53ba5ed9987a0df3dc23a730be187945d320d7c36ccec4a3b473fd1f4c041bf160357c9a07c02d4b66de99a808718

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
439f19e5f390b9ab5595601fece52e72

SHA1
837519582de401216917a571717126b5f2a3a4b6

SHA256
6017906bfcd8d367e671a39d942132c7866a87e3d41f0412d716555edaefab9c

SHA512
151576aaa28730b4d1220851569c82cce36b8139965685fd90045583950a607ca87d6f1d00dbc248194a7924721bb5c544dd09c7e3f8b8a5241409956ad6c271

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a61349a31b8ad1f251cfd6ba315c0d08

SHA1
18ea34d022e8c6bb6c8fd853bb065eb77a0a6190

SHA256
07f9fa277311dea0d9dad1e080565e8e3a834b821a779cd34957dcbde68bc0da

SHA512
afd3b076bddaa4da41c6858130fc56dd251c5efeeec17045a67f337e815af1af39ea1b00c63e3ea141b0272098fb9858a6ad2c7ef1c2a7ed74ad7928be979468

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d8bb99cf4cade45f90d0e13d1cbe28cf

SHA1
053272fea4079d27eaabc477865e9e702ce86e31

SHA256
c51afd0d83be0ed24ceb040bff5d489d90b300081fc87661fc4394b2cf427e5a

SHA512
16fadf6fe580951311d4616e44c754767363492adc63d4198be2a67afe57e8cf22bae0ba02425d8d7f845b162339a1e0ed59000ba8225936f74f3235123fc1e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
980920a6649bed3b72d7ad7cd30820c2

SHA1
a384c8c58cd26f8398d38d210545beb7b2e62e4e

SHA256
4474d60e8d1c9c811764caf726f253f0baac4c7f6a4e98257f0b972b66e56996

SHA512
6e5ab28c0360191222894e0938fdcf286c098d305747074dca11743c82e19a402ae077cf223ab3ce25528bd61f75309eecb4866d3e80a9b917cd4ad6ad921ab9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
53789396428a7d7ca3beeb3065b53b57

SHA1
b8f53fbc8e14cdf4ac0b4724a80e385df0bf6e44

SHA256
055ff6386fe1deec2715834404964316b95d65d15d830368d98955a74147aa5e

SHA512
734145896e71098d8cee1136d288871360c95aa9ffdf528e55dc5856a2368fe31e96a5d1b96b82ff65075757b24ba42ff0720a39389ac266b4ada09d133e685e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ca12be6f41f24148cadcae1a916eb6b8

SHA1
f01523ed666ce2773224cbcbbf0de00eea96d979

SHA256
c8d27ed856af09cddddd865e5b69c2ae8f9b67f689727b4916990ee8b9aaa5de

SHA512
daeacc614dea105b45de747cdc238c912e180d3aded5d779abdca32ec0f1d9d9135eb0a208a9f73e40305e72d52a903ba9d9944a4dad444978f1a8d6b97562e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2a9e0c58486b708e0c279b2932e8f35a

SHA1
fa0dd7ac99b7157bcdcbbd61b8b1b87e386e6330

SHA256
cb43208a6402e9104378b8d8477c388fb4cdc64ed64d44d478ae08653d01b26f

SHA512
972cd93594f13c001c05602b627e4e3c49670ac73a5879d2eea1bf23932828c69fc53c71ce2dffdb588a41564bd8e08f64dada99c8ecff4c179c3085df27f190

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0661c3c92d6a79fa55ebab3d836facb3

SHA1
d13aee9f46ea5881ad37ede49446a19532451019

SHA256
6019a1f2bd9db666cd6dc6ca3f865f87085cd584b3808c625fa59afb6405efbe

SHA512
723ca05c343a83b0747727cc79bae43a981e972819d3440de108fad2b1ee22f77e45a4e0ba3676907565cf102370eac26faabf2ecc3c586d6c6cc6575067d76a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b766890f0fa6355150800926583ab256

SHA1
7123b94de3f71f2ae2b65e48a297bd4be706e028

SHA256
0ea7b6169f5fe6a7f89f07aaea5654e007f40267ad3d7e767ee67a786e3900db

SHA512
5bda9a3d009cfe2a935fa5268f79fd5c2428d1d15012ed7fc59ca3e1b29e3dfbdb991c0d66518a6a1ee75f63fd630258e9236c8164eb7e3e7c03d31cc24dea3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ebca88276df07bcb04d961bb902706c1

SHA1
c3241742887c3d6114926fc5e34dd060f5166ac9

SHA256
4b0b50d7f305810e0e08d29fc90061b98e8d13b892ce331b7933a449963b5428

SHA512
4946ce8689dfdb06abe04ca1e0f52242106310b6ea4734ce59af29ca95af8754a47c9881d9a42e862ad535fecd7d7e4c9b424fb83664cb79718c4ebac574e1ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe645257.TMP

Filesize
536B

MD5
779b66f2111762702fa81631d5c6ee56

SHA1
a850289bce2ab0cd609159b6172e1e79959245c1

SHA256
bcf0334275b6f32c00b33fa4eb9c9252933414087678f1ce0313cc598429d35b

SHA512
489fe55175ab55a276e784c17f4a7d428d6bb82660973affc5a813d0fb76fadf928ec99613d2cbe1d9dd325e8319ac6f06be97e53b4dae8b3167758d1ffc63c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\b15cbdbc-700a-4e8a-b0eb-69ac33eba958.tmp

Filesize
6KB

MD5
312cc8c8ea38bbd21fe0027dde0e0991

SHA1
d4ac7a0a6fb3d0d5e7610fe06f8e491f21a3810b

SHA256
a2bf692fe533a8ad2cd470639545c202ed49ff7c0263edb3778e74a90024378d

SHA512
20373cb402c10b9d3be888aa3f681c51779a271b277cde0b4b95c3ba4f1aea939de0adbfdc3fdd1bf7b80c34d358b8ddc266e264153ae379d86d67836b0cdcc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
93f08e59ec4728b1d7396d1d217ce845

SHA1
dcb8d99b5e4b9ceb47a7c21fc6ee440b066f632d

SHA256
3efd65e5960eb3c405b67915941e3d1b58b78f66b62d65daff1ff0a678ed557d

SHA512
fa855f86a1c5d6af366ea33bf6cd3b58d244afc81ebb05ba2ce6730a07e36a4ea11d3687060a4aa052e0912f01a28530e170c57ad6ac734846636a25040df2d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
61d4fab5a2bc9ba41da595dc672347df

SHA1
4629c49ba34304ac418fb9ddf0e9d68568c507ca

SHA256
09857c7dfee7e1d6d44c8bc2c19df2b6b7f7efe102f3a0eb0d3c1787d824dbe1

SHA512
02cd8de525bdd9cba12017018b755c5a862bf805f41de5f03a030a50ed33a96e6fc77a7101d295b991c511e71a2c0f6b72944ce03431ba7437f7626a2e204cf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dafa12abbac114409fac4d7b08b4eafc

SHA1
9c838b7a9849f3c2d7a9ffd2372b3b3abf49efdf

SHA256
b81335b5608a9d01287ceb64670dbc60e54a9f6b5992d82411c27c01148a6b16

SHA512
5f41da3c1ee5517197e6e2a4a747bb8a145f69419c8cc640498db2fa3681f1e9a009d17f862f638881677f62f9182c3e65644d723c65329c246412926e2ef95d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c6fca8657a417dc31e8597de549ac0e4

SHA1
6bdc03518b46acf178f34f561aa9d5b89f63b85e

SHA256
7b81ea0104853c25539029d4fe5d7b684e89af3555d83a4e6f1ea58c5ed58ca0

SHA512
23b44b1b16b1b49287cb1ad37ad8a9ebc7b403296a1e790434038fa51468eca1508d8d26bb30295e5fb211fb80ff7148a0d6f89fc6d305e86892698a0f27c16a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a447b76a0de40f68ac2b8eb096b8c2db

SHA1
fff682c406b0aeab6453b3e5daea23977515642b

SHA256
ee9bef5ec5d7990a3ec2c6114621c5737bf713112a5b5b83bd213567ffca5f5b

SHA512
7b49f6353a5afb416a46703c349aef1346a505d8d082e4130908c20bb66faca4a5928562fb96c3702b411bde7e05a47b4776eaeb948cb2ccde7c7ac76cdcf4f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7590dc3661f66b0ea3cfb5d4a32a5907

SHA1
e1478cde2a6c544ae07093184398a39b0ed04e53

SHA256
5fdf438b11d105e390d72bfc9ed06b47f6b77b690027925a4975e5ca57e3824a

SHA512
1a977e8dda24d6b6a8c782c8e8b02fcb243c1616b5727e44ea3f83ddc2e89b3aa6ad930a109221727b89589ed1740d490b90117b637a3a12a10a82e51449915a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9fc13bd3d2ae589419cfcdc817bcc681

SHA1
486649e320e74459e6ba9d6825bbea9aa5e6990e

SHA256
fecee7581f58726be9224040bfa7fa2db49c98cbc80cc358bd62ceea2f1cbbf2

SHA512
33b6c06cb8995b293576d87a5ea2818c6682048ad9d882317c355c7a404f993faebe47943ff01175a07a1e7d12ac41a632b130d9db34b10e70c35ad13161028d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c6952071aea83e85d604fa619e6b68f8

SHA1
2504f021bdd8ac55805c4d57deffb1489e01c183

SHA256
8a0b2084c0a90ab3bb2015cd340a0ba29b2b023b6a76c4eb67ebbb10a6c271aa

SHA512
db0d20893356b0845c89fae09917d2cd4cfbd4efaf64e3c2fc04c0131feeeb3f38f46e26392d34233363b6d041396cb0daca5dc2ae2fb8096983c04a89539e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
882cd1abfffb0d22b7e1ba0c4f232e5d

SHA1
ebd32c3f3930667aa907afef742cf928f5abc118

SHA256
424dc43a854c1fab927eaa6ee9efe0e9a953d9f0767c340c1adf07d9295c9fa7

SHA512
53266568c0a1d5d32619b873d6af1dda7b413e814ec407d738ec2be7fc60bf3be03177a981b7fe7c94f555f2eddb1e4f1cef02fb5e01f472936369e95184d6ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

Filesize
1024KB

MD5
4ddb698294de0a803ef62d19f6656fba

SHA1
921860b92feccc90e8cbfd0b7ca3e7627a1f03b6

SHA256
7a141c590a3f8e57ff620bc78aaab25bf45373bf04a910c46c04729e3fd3ca62

SHA512
4f7232fa6a94a85d82415d329e62b635303b7e65f6093b3da7ceb12bbb04650d7d9ed421cc6b3bc036461a389d895ec6b989bf9740645afe0e6b5910b25b1490

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
5.5MB

MD5
529d2e461c5bd440e15247e35cbcf42c

SHA1
2fa48a583fb07dab6c9c03ad0da065453a5feeda

SHA256
cee694e4cb5094155b363d75167a7dfa386cf441c8b2c49c7364815b61747020

SHA512
68bb3ec262fea834e21942abb4037c79fd32d5d58471bfb345f7093ae22df2761c8dfa30af03bd0c6b7e0721df6071331540dc64eb6c4212ed4c97b568fcf6f6

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\Desktop\AddRequest.wmv

Filesize
537KB

MD5
0a8799951df800696532cdd457a9fb01

SHA1
fa58317ac9a9faf1819f349bd418784c8d28ec90

SHA256
fe64f84571c36b246ebff6b4fa00e9c0a2f1a0de28ef77033424d6b76a19fbf4

SHA512
ec8f858b6c33ce7fb1c762219b81643799c166128202a8d1cfce4c06de24af217c16cf401c5f672899938dbe3a3ea83fb4d7da66021242debd54d58fa9647ea1

Download Submit
C:\Users\Admin\Desktop\AssertRegister.csv

Filesize
943KB

MD5
b2e92d923fa8a1446e4e662a3c86e3b7

SHA1
043bb8ed0a2f6f7c3372971a511472a1658b7b92

SHA256
c866d311c459a3454d4ecd461e37bf1a13dac7b1ea45c4e149d87d3fc1680d04

SHA512
ed917bb559c0bebff81dad53d837f087ba28e60f60c17de4cda3a50a433f3833f5974c8e6b0c8c7464d0845e6dd4ed80e7b72b3317f5f0bd51ebedc3dcc5b5bc

Download Submit
C:\Users\Admin\Desktop\CompletePing.3gp2

Filesize
1.3MB

MD5
01809c96095286ec956dad4ac1e6bf19

SHA1
e5172185c2e6dfda0182e691607400655d9c63c0

SHA256
04f4aa9e0bda9a8be2eea8b0a7f7e4b892e41d8531e42d3018e06dbed74d7b55

SHA512
5b27cecb89d842e17bb238c0e461b23504cf1b2fa1e3dbb1b7f33aa1f2c2ad36f5e53fe25f7a59149d95bd8417f25d23bca7f8106e5a854708a217157a2f5d49

Download Submit
C:\Users\Admin\Desktop\ConfirmUnblock.AAC

Filesize
595KB

MD5
ea1a1c8541a0558775dc06d1ca97741c

SHA1
a904e45adb3057204c773843ff4812abfc8967eb

SHA256
2437657ad468f48ce4da3b9451522abd03376b442516729a1997f8b9edd9616a

SHA512
cc892ecc5098c7f3d79c20b618eafbb0e325801875b3d7338aca00fd99cba6a1d2b6fb1ea1e7b7e9a4b3fcccec9edffb19fef7bd7a9d433b5f3996c168a60f69

Download Submit
C:\Users\Admin\Desktop\ConvertToCompress.wav

Filesize
914KB

MD5
9fd51d45bb82d742c4c0d268ca39b0eb

SHA1
feca2446fb1feb289c23c094b430c7cb598013bf

SHA256
fa376e66f275b28d84202cad70769115161e7e924f30b54a52059aa0bbb30045

SHA512
c5f3972f6f9997a3106200b722ba3e4be70833390a5df597f4b03cb17df91eaabcfba0c18f16adc7928a07e75d7049b0f2811ea1bec27f21bfd3f2d272809911

Download Submit
C:\Users\Admin\Desktop\EnableDisconnect.emf

Filesize
508KB

MD5
e1d2f9ecd3a09cf01c07c8c418d4fb5a

SHA1
6e838b0afaf3a73ac25921f70fe923c44e77ce21

SHA256
4bd688baff1016d4a8b815d41aafa597664b5510a0e13b6b37022d32ab92e2b8

SHA512
200d2262f72cb084a05456a9f6caa0fb79ec717343a07c9466e4aaec3c5ed54bd48e957373af0914e0773d6c949a7a1f26a16fa5fa6979d4351c45b9264b1fdf

Download Submit
C:\Users\Admin\Desktop\ExportImport.vdw

Filesize
362KB

MD5
a715bc0b96daacdcefa05cbdca920ddc

SHA1
dfc64350afb234cfb0ae05fe8e436bb4de028057

SHA256
0b40e5a17c19df48c8772fe1914d09ab151dfbdcb4c4c30a0d0ce39f4cdb734a

SHA512
9d4686c59e4685363d77ded5b62ffb9907181269a66eb2a7c2700cc7c9cd8d11e47575b995a92b1909e5e2a3162c71ea900f46b6c169c498c0511588e07e9f41

Download Submit
C:\Users\Admin\Desktop\ExportOpen.m4v

Filesize
421KB

MD5
c87f1f1f3cd471a06917669dfb4f81de

SHA1
7d234d7551eb99cfd65861652e526c3f98bb898d

SHA256
94bc94da54c1f308a06528da50b2c432b51aa3245f3ab1612e9841e2aa008e2d

SHA512
2b61d5862490b2a9e7ddbaa71070b83de752046dfbc6a65650b7945f59f187c8b3ad9ea100a4f725f48084afa88c22f7c4edc2ae76dba2ee91d1f9b59301ebfc

Download Submit
C:\Users\Admin\Desktop\GetMerge.zip

Filesize
827KB

MD5
8c84b30b61495a70074682cb70b30eed

SHA1
5f7595bf88df130a7217315d331f87787211e226

SHA256
595ac64ab09842e19ba5b236b5528a3900dd8ab2908d8faa635b65b034e44c4e

SHA512
0e2150f15974559ec149057a46b1c38d979513f6ba632f3864de9fac53c9577a7d12c8eabce115c62817c6206b294aca78344faaf30b08ee8b6ba6697f519d5f

Download Submit
C:\Users\Admin\Desktop\GroupMove.vb

Filesize
653KB

MD5
95f9b285a3628e6a66198d2e4128f74d

SHA1
60db7e9ee91fd87008cdf689760e276974d1d358

SHA256
10890239e599946b4ef13be3e4096806a5d0ddc75ba20b4a1e615f67ec4a0787

SHA512
bc9468fcec9a17ed8f0c4765556f49fa345b557646e7c51340ae5f9bae2e452ccde8ceb2a52ea6a32cc347df8818e10ad302f3f5299509cdf77780b2f96dc311

Download Submit
C:\Users\Admin\Desktop\InstallAdd.wmx

Filesize
391KB

MD5
0468678dd121a04903071aaa690de24a

SHA1
adcce68342202721866077dafa1094056fc0e91e

SHA256
baaf682d179d0465091f02522f71d955a85274d647bf63b7072a6f191a41c82d

SHA512
6d62f65216d99b8e47b9016681687c4979e6b149a6323b3ad74dec8d885be65e78c03ee822f1b95febf7d4403b9a3161b10d4c0542ffb0738f57ae76b5826f94

Download Submit
C:\Users\Admin\Desktop\InvokeRedo.dotm

Filesize
566KB

MD5
293cf971a7346305dd500184fb2bfeb1

SHA1
c7af817133a4dc47185f67ff3b3ac2b085204306

SHA256
cb18332ac0c6f722d9aff285263a1adac38b33c7e065656d9b6be0bdb28cb42e

SHA512
0e5ada486160dddaed893b80c9486fa10295514b428e5250244447176f5c5d825edf65e227615905705dee8cde348b5122c04f5d94295cbd85ef18d2033f706d

Download Submit
C:\Users\Admin\Desktop\InvokeSwitch.wav

Filesize
450KB

MD5
cc3abe85dccf3d2f83aaab343742e5c4

SHA1
0ab4f137e0e65655b05627d34acc877ec5538042

SHA256
b459bbbbf5a7b81e15c1d8003e00968710c812b4cc13a61f920ca40a6a333a78

SHA512
a9e59ed29bb1a8b04a4eee3f619dcb306069d942c1e7c338b4e5082b53c6e8c448ca612f77609cbbd54903e86eaff869def870919288a8536378e703d096aa3b

Download Submit
C:\Users\Admin\Desktop\NewHide.mov

Filesize
798KB

MD5
233fc8fec472704faa6a3771c97bff97

SHA1
74d088d43005e30eedfb729e727ab722cb7b6c4c

SHA256
c4724905053c1e07cf8f975d0db25388bbd541d087e6e265d53431ad7ea12ef9

SHA512
4db4a19c9fb8b447261f91fc9f9fefdfce919a1ed28f6ef2aa6322615dcb3f839bd5e9c484cf191585a6129438b145c12b0bdd7f385dbbad10563055e478f68a

Download Submit
C:\Users\Admin\Desktop\ProtectImport.xhtml

Filesize
682KB

MD5
d6d0ff7a3861c86d3919516ba0d97a1a

SHA1
49126891bb48e1cae90ed213ae8bb36c86c21414

SHA256
9759ecdfb17f98166c81ba63377051e318366a774287972183aa8308a5a295c4

SHA512
68e5320f97173e87b363e555923cd4d1009d4aef6140cf7d04ec8b27df54f504e85b4e17d7b732483c6e02f89019f05fa5e7abe3bc2f989434df0acf924b0d90

Download Submit
C:\Users\Admin\Desktop\ResetGroup.vb

Filesize
769KB

MD5
f2426a82c4d4f3eaf0dae3e211a6718b

SHA1
da026ec5393fc36058c01488b912d6d5d7b1896a

SHA256
204bd969dd434a9be9574239da7cc3f6acd833b49e5f1a36ced10561a788fd08

SHA512
2a3866947d71f2df69d6b405a20a15921fe0e9f6075bef0b54c5681e0a1237addac29aa611c125b40192bb051ea8a6ebb5d02a930f624475d12704af2bd282d9

Download Submit
C:\Users\Admin\Desktop\SaveDeny.vsx

Filesize
624KB

MD5
5e04e7f6c487d1efec527d4e0d256552

SHA1
0bc8159b60afdd87c0d6f0bc6f5037abd2011c77

SHA256
fb98a0e3eb29d0475e71709bc294cce0d1c266af2fedb1f4673ee1bd323957c1

SHA512
7b9ba7348b0fd896dcffe4507fe253fd99bafcec0ef5ed0123de0478ba07b13133bfb875160520b859cb40df1bf738539bd0191ce0dc2578d86ba36d96014117

Download Submit
C:\Users\Admin\Desktop\SaveSend.temp

Filesize
740KB

MD5
bb4bf980d59876d615b7dffe54abac92

SHA1
9131e086b12f49730601daf48f8a26130b59ddc8

SHA256
bf99aa459930eddd1715a4117c7ae7b8226ed05609b6c7f274e758aa59eafaab

SHA512
2bd4c042a691cf432d08f9ac055368cde9d9d95c56f9c5ef9367e80d6cf4c886fcef0371f43839a0af83884cca1c330e367f73d3a2f55ec7ca7469ab06c37c42

Download Submit
C:\Users\Admin\Desktop\SearchSkip.mov

Filesize
856KB

MD5
f0004df682ced19f1be5653a093bde2f

SHA1
6638eed5ac128769d3c3654fc66c9f4163025752

SHA256
e3c93bb3d7b5854494cfddb9e4fa8ba4263973a76101bbb770464201df92d70b

SHA512
f453d41f1f31adb37f12c98ecf12179064cfd0fac0962f50d7e2b6ee26b46180d0bd93182425d816f70a0eda840d50f636682dfa51d967359852506478ba777f

Download Submit
C:\Users\Admin\Desktop\SelectClear.wma

Filesize
711KB

MD5
323ef157d0c95e1b61ed20550db5161c

SHA1
b2346303655f6780f1039cb2de4d6d01a757f37f

SHA256
0a2e6dae6c984958a7aacd82f4cf5a3ee4daf73d55418e14222ce16ed3fd4e3c

SHA512
0d2963ec77faed234d82a20a59632cbd21a42bea7cbf888e7a2d8a8ecf8debc39f14c8a734f9e151701832097a805db33655ebfbfda1fb83b9256dad86175e97

Download Submit
C:\Users\Admin\Desktop\SplitAdd.m4v

Filesize
479KB

MD5
a67a4f0e8ae203ecf4727462b13f5002

SHA1
7766523460de2d13a3842db54b3379fd7f1c8e2e

SHA256
e7ccce83d67ec10d099396245c18deb85577ec7b52e03bbdddf53771007d8997

SHA512
8151481518168093fe979c3a5c66574545edc3f10e0e3d5d0ecd5d59959b6de9a67dc5731b35dae2e282fd4c1685e2d6ef5058137bf6203e1b819d6a29c7b3bd

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\UninstallHide.dwg

Filesize
333KB

MD5
01f0d80a1df73da4fbe1e9b0c530bdfe

SHA1
ab4ff6e33bc7f47462ee8252b96656ed6573f228

SHA256
1ff266c1e6cfb8839132166d504d43f9b1a0cecbd6a9d35bcb23c86492298903

SHA512
fad05dd9fcfc66569993541007459bbba14f96f9fdc9e779040980e710a0ce292828fb50740e35caf504408603d6f2322e30a90ad78ee992607db9ad6e172763

Download Submit
C:\Users\Admin\Desktop\UninstallInitialize.ps1

Filesize
885KB

MD5
14bf072d10d4f10d6c60fa6bea7a3f50

SHA1
a5a7ff23f297ac33c9f2e12243cd853f089181b8

SHA256
ab0e63752ef265839e421360403b830ea7796f9bf166cb7e37465afd424e45fa

SHA512
5b5328e03d5ad653f672da35b3b00b43f6fd90d0cbc1ff3a6ea3d2ceedd8f87a8a4d71e69a336cf33bf6256df4a7e781f7d1a82d13d524de7152875f4f04b40d

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\Desktop\download.jpg

Filesize
15KB

MD5
27e626cd2de3ef44118d52c4430e248c

SHA1
e3c5564f146fa5281b8281b5690992f483993f00

SHA256
f2d2bc3ce533bd8a5150ffe340b9feb6f9656de71ba1428b530b8ef0b7163ea7

SHA512
ce0b0fe7b2d9dbce7d6d03f49796995fab22dc25e5a4514c8512f8fa72b60d587326fbb71d9cd62c4cabb02143922d722f04c5a746e6c723354af5397d439fdc

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Documents\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\9828888f-46a7-440d-923c-81d2cb4bdeb8.tmp

Filesize
51KB

MD5
ab29d7a89c5dd74b8efd651084ea9d76

SHA1
789291bd9b71fa4364cd2bd868c3dc2aebae4df0

SHA256
0d868b8e8f305fcea60cae1e1ede65b817f62545e4308793bf0417bcd56b4a85

SHA512
75cc0448d669f02d8f1debd4b06d847fd308e85f966640bf089c77319f05aadf9a1b73a91641901bf1b39c989978531f6d6cdbd816d09c7144b5496f3af71b88

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 616179.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
memory/2168-1180-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/3684-2629-0x0000000074320000-0x0000000074342000-memory.dmp

Filesize
136KB

Download
memory/3684-2622-0x0000000074320000-0x0000000074342000-memory.dmp

Filesize
136KB

Download
memory/3684-2714-0x0000000000130000-0x000000000042E000-memory.dmp

Filesize
3.0MB

Download
memory/3684-2688-0x0000000073FF0000-0x000000007420C000-memory.dmp

Filesize
2.1MB

Download
memory/3684-2682-0x0000000000130000-0x000000000042E000-memory.dmp

Filesize
3.0MB

Download
memory/3684-2619-0x0000000074370000-0x00000000743F2000-memory.dmp

Filesize
520KB

Download
memory/3684-2620-0x0000000073FF0000-0x000000007420C000-memory.dmp

Filesize
2.1MB

Download
memory/3684-2723-0x0000000000130000-0x000000000042E000-memory.dmp

Filesize
3.0MB

Download
memory/3684-2623-0x0000000000130000-0x000000000042E000-memory.dmp

Filesize
3.0MB

Download
memory/3684-2630-0x0000000074290000-0x0000000074312000-memory.dmp

Filesize
520KB

Download
memory/3684-2621-0x0000000074290000-0x0000000074312000-memory.dmp

Filesize
520KB

Download
memory/3684-2627-0x0000000074370000-0x00000000743F2000-memory.dmp

Filesize
520KB

Download
memory/3684-2632-0x0000000073FF0000-0x000000007420C000-memory.dmp

Filesize
2.1MB

Download
memory/3684-2631-0x0000000074210000-0x0000000074287000-memory.dmp

Filesize
476KB

Download
memory/3684-2649-0x0000000073FF0000-0x000000007420C000-memory.dmp

Filesize
2.1MB

Download
memory/3684-2643-0x0000000000130000-0x000000000042E000-memory.dmp

Filesize
3.0MB

Download
memory/3684-2636-0x0000000000130000-0x000000000042E000-memory.dmp

Filesize
3.0MB

Download
memory/3684-2626-0x0000000000130000-0x000000000042E000-memory.dmp

Filesize
3.0MB

Download
memory/3684-2628-0x0000000074350000-0x000000007436C000-memory.dmp

Filesize
112KB

Download
memory/5900-2677-0x000001BA4AF80000-0x000001BA4AF81000-memory.dmp

Filesize
4KB

Download
memory/5900-2660-0x000001BA42B60000-0x000001BA42B70000-memory.dmp

Filesize
64KB

Download
memory/5900-2664-0x000001BA42BA0000-0x000001BA42BB0000-memory.dmp

Filesize
64KB

Download
memory/5900-2671-0x000001BA4AE70000-0x000001BA4AE71000-memory.dmp

Filesize
4KB

Download
memory/5900-2673-0x000001BA4AEF0000-0x000001BA4AEF1000-memory.dmp

Filesize
4KB

Download
memory/5900-2675-0x000001BA4AEF0000-0x000001BA4AEF1000-memory.dmp

Filesize
4KB

Download
memory/5900-2676-0x000001BA4AF80000-0x000001BA4AF81000-memory.dmp

Filesize
4KB

Download
memory/5900-2678-0x000001BA4AF90000-0x000001BA4AF91000-memory.dmp

Filesize
4KB

Download
memory/5900-2679-0x000001BA4AF90000-0x000001BA4AF91000-memory.dmp

Filesize
4KB

Download