cryptolocker | hxxps://youareanidiot[.]org

Analysis

max time kernel
270s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://youareanidiot.org

Score

10^/10

cryptolocker fantom discovery evasion persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>LtyJmn5HikKzBPo/6pl02tWpnvqDVMmJGQzD/TRqfo8BYmIrb5nYx+9oJyJFp9NaRs6yoxmnaOmjDaXZfOxdFw+RM7MEf/cpnNcJI/zNGJTzxN66OuHCOj8p9PeWrrwh3YEKzoLKXOPaHrHKImkGUWKkhkqMNHPrigMjLgk3z5K+gFjjcqChT24lL7Uqu2w3YVrcV67cLaaSjiL6Fg03pQ19hdVkogFbvEn5jo6ywX0uKkkpqQKKXHGFfEtFeOFIkIWiqqn7l2QeSdkqAqZmpMLIygPPuc+uQlyiqXnpaY8fkJLAg34BtANrdcsett7L0UUid+PAIPjF6VFQyaJuSw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\Common Files\microsoft shared\ClickToRun\DECRYPT_YOUR_FILES.HTML

Ransom Note

Attention ! All your files have been encrypted. Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets. That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us. Getting a decryption of your files is - SIMPLY task. That all what you need: 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] 2. For test, decrypt 2 small files, to be sure that we can decrypt you files. 3. Pay our services. 4. GET software with passwords for decrypt you files. 5. Make measures to prevent this type situations again. IMPORTANT(1) Do not try restore files without our help, this is useless, and can destroy you data permanetly. IMPORTANT(2) We Cant hold you decryption passwords forever. ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. Your ID_KEY: mmHHuru5PyvvJWpzUjlBjFl7W1DfAHlnzS/TeF5B/ujBqGwhB7QB9lSEZzOrlIXIwo+SY+ZNxa5csnSlkuEjBFBVpAOTxswD+1tEu+gtV46E5WiWQhZB78MhScyAeYXRbPvfcrpUJIUk/BJAS9Dj/2kJYI0ns8w1+9IRkULGJgoQYc91goG+7I8+wV0kofiXaSecjFRO0LH6sEX0SLG2Ga+4AS/tDOX2dbxF33H4pWiBnNBVs4WmZ+6OKHGN6/XAxGR7Ajq0TvdC+5RjOGNnZhgUwpGLNaZMW0HTE0/R+SRvIMNzKczLC3IcTE0vCQzcWcY9t7WVjX3wzEMSm8RpEQ==ZW4tVVM=

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>aKoNP9rr5IdDHfQqw/pxQvdn+EeV3gCmUJWxxVymvQtg2yrwzE/6iU2nlSFPB5kPw/eshGBfvNqxwCwKyAK8uueGwHuHA5LZqnki9sdt+tmAtPnRuTdzRHg/cD1F9k7u0E8ngzzkRZvFm9Oidybyo3b0Psk9+o3YyGF6yegCZK6hEgH1BFjRUzFSaGDtWaWL2uO4pbOY0tWAStZsUfPWwVp2s9lqn8pnDyEQ+sHtKGwLwWweTC5pV2dW1HHpcX+23g8PZJXXI9RnV4Xxyobh2VWTZXrLtQU8VkH15tVr8SSbqV/2mzeKj7Yn8+OFSeR7XfQARpI6PyXtLSyvo1r+sw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom
Renames multiple (1028) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Fantom.exe

Executes dropped EXE 19 IoCs

pid	Process
4920	CryptoLocker.exe
3944	{34184A33-0407-212E-3320-09040709E2C2}.exe
4116	{34184A33-0407-212E-3320-09040709E2C2}.exe
3372	CryptoLocker.exe
4032	CryptoLocker.exe
4236	CryptoLocker.exe
508	CryptoLocker.exe
324	CryptoLocker.exe
208	CryptoLocker.exe
448	CryptoLocker.exe
4012	CryptoLocker.exe
3808	CryptoLocker.exe
4240	CryptoLocker.exe
1160	CryptoLocker.exe
1052	CryptoLocker.exe
4452	Fantom.exe
916	Fantom.exe
2084	Fantom.exe
4512	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
115	raw.githubusercontent.com
114	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\osfFPA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\StoreLogo.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-72_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Win10\MicrosoftSolitaireAppList.targetsize-96_altform-unplated_devicefamily-colorfulunplated.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jre-1.8\legal\javafx\glib.md	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\SplashScreen.scale-100_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\archives\archive_manifest.json	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\Square44x44Logo.targetsize-32_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\MixedRealityPortalAppList.targetsize-16_altform-unplated.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\osf\miniinfoblue_16x16x32.png	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\1033\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000042\mecontrol.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-black\LargeTile.scale-150_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\1x1transparent.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionGroupSmallTile.scale-200.png	Fantom.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\javafx\icu_web.md	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\playlist\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSmallTile.contrast-black_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-60_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageLargeTile.scale-100.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows Security\BrowserCore\manifest.json	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\WideTile.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\Assets\contrast-white\MixedRealityPortalAppList.targetsize-48_altform-unplated_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Dial\Thickness.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Wide310x150\PaintWideTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\contrast-black\OneNoteSectionSmallTile.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\sr-Latn-RS\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\meta\reader\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\MediumTile.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\165.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\91.jpg	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\WideTile.scale-200_contrast-white.png	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageSplashScreen.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppPackageAppList.targetsize-60_altform-unplated_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\tinytile.targetsize-16_contrast-white.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\AppIcon.scale-400.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\Square310x310Logo.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\3DViewerProductDescription-universal.xml	Fantom.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\TimerMedTile.contrast-white_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\GamesXboxHubBadgeLogo.scale-200.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\AppList.scale-100_contrast-white.png	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\keypad\keypadbase.xml	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-150.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square44x44\PaintAppList.targetsize-256.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\2876_20x20x32.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\GamesXboxHubStoreLogo.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Audio\Skype_Call_Reconnected_Loud.m4a	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Assets\GetStartedAppList.targetsize-24_altform-unplated_contrast-black.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-black\PeopleMedTile.scale-200.png	Fantom.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{6A3014A5-200A-4E36-A6DD-0DB9DA69E666}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 4 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 203545.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 393443.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 768271.crdownload:SmartScreen	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2888	vlc.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3100	msedge.exe
3100	msedge.exe
1028	msedge.exe
1028	msedge.exe
4024	identity_helper.exe
4024	identity_helper.exe
4524	msedge.exe
4524	msedge.exe
4752	msedge.exe
4752	msedge.exe
1784	msedge.exe
1784	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
2632	msedge.exe
2632	msedge.exe
4452	Fantom.exe
916	Fantom.exe
916	Fantom.exe
2084	Fantom.exe
2084	Fantom.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4284	OpenWith.exe
2888	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4452	Fantom.exe
Token: SeDebugPrivilege	916	Fantom.exe
Token: SeDebugPrivilege	2084	Fantom.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
2888	vlc.exe
2888	vlc.exe
2888	vlc.exe
2888	vlc.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
2888	vlc.exe
2888	vlc.exe
2888	vlc.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
4284	OpenWith.exe
2888	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1028 wrote to memory of 4212	1028	msedge.exe	83
PID 1028 wrote to memory of 4212	1028	msedge.exe	83
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 1872	1028	msedge.exe	84
PID 1028 wrote to memory of 3100	1028	msedge.exe	85
PID 1028 wrote to memory of 3100	1028	msedge.exe	85
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86
PID 1028 wrote to memory of 224	1028	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://youareanidiot.org
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9a7f46f8,0x7fff9a7f4708,0x7fff9a7f4718
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
  2⤵
  PID:3284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1932 /prefetch:1
  2⤵
  PID:2500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1936 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1784
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3372
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4032
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4236
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:508
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:324
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:208
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:448
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4012
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3808
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4240
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6396 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:2272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6552 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,14704553850602990708,13491244562702786942,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
    "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
    3⤵
    - Executes dropped EXE
    PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4056

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1920

C:\Users\Admin\Downloads\CryptoLocker.exe
"C:\Users\Admin\Downloads\CryptoLocker.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:4920
- C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
  "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3944
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w00000228
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4284

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:916

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2084

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\WatchFind.mpe"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
89d642bb03bfa485067669e821dbd887

SHA1
9a7c2bca6c892f2148ce1d1c3574c474f28dafe0

SHA256
d06726517ad3aab7559f7bfe2f89e4492c88bcc884195f50c402bad8af6a04fa

SHA512
8f79b73fcbf67622dbe9574c4390e24af540f861fc84a9780e2838533e486ab76f3fab3bedc8a9f1ac6bedfbde2bf454f98eb737bf4c2ac04e0806d61d938373

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
e67aa075fe61d4376490ce0748367305

SHA1
1d4cc82210d025ed6a0baf292f06ac8663002c86

SHA256
e051bbfced41db8f9ffa2192faf3c449275e6d1f462b45f8d962a3431b8a1e46

SHA512
85dbfdee22dbda875e0f0f8737a7149e7691fc16db4bcd0cc3f94b19a584fcda00135121b4a47aa6446f43fc8774b902ebd1d2b8c58bf4f8fe2f9d3b221df9da

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
ba075635ed0f77ab6757abc948446bf0

SHA1
11f13d97618ddd1683fff7d448c2fb6f0fb60f82

SHA256
3f2041f598f29abe471e535ef82de22ce9dc9067fc5b3696790241d2ff6e2ad1

SHA512
60a0f8007a419e1aafdfa94d49671e1399d3e89f0ba1b1b4b1ded5944170ec49f24b3366155134f80d8b9b96e827f307b1838bf717edd3852886b0b44e7402c4

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
accda58d0b1b51203b431d503ac29a0d

SHA1
31d91ed4efe498bb003ff8205c2fa78a4ab7a7da

SHA256
bf34e40b754d954701de50656ede05403eabb48e1176a6bba3b2dfcb6d85bc83

SHA512
06e4048bf9a7cc6e17ad2fab4d5cbd53e83277d7ba1721f4db92b841dc55e03b20a059110fb8d2f396971df5ff31cfbd02b4a4f00b4a0e771e758751893f78d9

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
abafbbfb97ad28808753c2d315570c9a

SHA1
c283e6b332e1ea59dfa9ebfda8a389c3dfb9a027

SHA256
ce462513080b826787ad89aa7b6fad845a7b61070b797dae8dcaee3cb6d944a0

SHA512
a7ef40af8d53871f7516e416cab2b1e2106f11a1d866f5f8f1ce247e7f70989193579c73e63dacf5568f783e4dc11a2e7e714fef2a9a4d6fff01db5343b17505

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
196b9451355e9d187078d1b911b0bf32

SHA1
dc86a6f8835df27aa4b44eb47fb92798a8107265

SHA256
c43d5133e8bc4ceea4278d8f62c67934042a19ff33f36efefb04b34f65520c13

SHA512
0d6d42290cff6d11d91fec37b78a279bf32ed82741558127623aab098094b658ad14d6971093c7eceef5791f434395a036e4699de01f8f2eb453e75c260a685c

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
f941e681e93803954ce1f4bf6e939d42

SHA1
dc039105a44f2c181776e28f41edce0417ebebcb

SHA256
bb5e90c27714d79c401ac9a8997d3310cbe842c2996294b596e192c6a304dddf

SHA512
6741e2c252bef1550490be6e000d3ac2ce11b250ae7051b0c3997fc704255ea5bf84a803f944aa068bdca0e19d501933dbc798523f39f9a6dee903c0518b54ca

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
23KB

MD5
764fd729eb624088781c9755711aa6ad

SHA1
da1189600dc58d45fae7b44b5e4c99cbd0ea51ef

SHA256
31d81aa6db09496f829f44f8032025f4ee1b23fd7f207612ee713097b7da7184

SHA512
3c141e2ff5abb90ebeedcc59f3c2e19afd7b7e4b3c53203ad8bb702371216a6051bef2e796c9d04530ac8b18a2e1ffd2203acfef41c9c9e51027bd30ba418c09

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
34af3198288b72b2268df7c3ed603221

SHA1
5c01213309b2c85946ea1016cabe02519ac1206b

SHA256
3e1bf39161838e720b288da9a5968c6bfaf790403a57898fdbae6c99cf7f2c2f

SHA512
35ac0231e24c9da39cdc95482d0a789cfbc37f6761942ad6bf5bdf8dec3b7b2fd496092670f6ea24ad19f66badc6b5eb775fb2b838eebf242e9a14385f34a85b

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
318d3126d134065d23a7ffee2eb213d0

SHA1
2361ba3a746e44892d1d3ade9199d50d118490de

SHA256
fa07a4adc3f242978de1c65fd0138325743b96c556f43e5443d164191de58ee7

SHA512
4aaa5214d43f9a019554482c9a982e4cb12fb6ab2f4861948093e50fc0105d5f2b45c289aefc17b1b677495674ea017f8293fd06ef73762672cb6aba7affcd87

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
c1a825799693294739584832346e352f

SHA1
9d4a5294cbdf44953b691f2756d2eba6d236d13c

SHA256
8524304852da5409b762f106a8f2c4c65a821311efb86a079b38f48748daef30

SHA512
0b9f917b7b9908624671ea010f2c1aaf3334c550941a355872f93109e75a5ba146db988efd6ddff2d545b6cd45f79e656f2980173ae3622ebec0ab14094efc49

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
ea60130129235185e31f81c3272af134

SHA1
2d80ffe242d39605e76615475eaa3b56ef5fec4a

SHA256
b0ccb8d08e0dad8a65edd336f6dbc4f9aef3b3435865df856063de66bceb0aff

SHA512
a89a253c6e271122930289c5e2173a25e2d2a43b79d17fec84b01122bf3a092e24308f9803c2b773280bd439834430a5d79bca0cd4f0381fd0a79fee718dad74

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
ac1ca9580273401e8505a710aa73d71c

SHA1
0fd82c70bc2dd6d7680fa8d7639d111b3a589b9c

SHA256
e8b5c2413108769f6ad6bc40c1924e8f20583429e63b4ee6d91a8c714723be26

SHA512
b1005b9b289a22887722a76f80578c2279325782423e0de4c4ad3dad851277b34ae39de6b94a4ad3ae312796bb614e7fe146d84d2252d798046cbbaacacd8450

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
5a032bf29cfa4514b842a46250f19d23

SHA1
0787fabd02b6f5aebe11098fc7d36d16520d2ebd

SHA256
d8d00c20499f9a8519b98b7494de21c2d021247c4b4fa66391f4c94736301cfe

SHA512
6b83b37bc51da20468d9de091296d1d7fd7226d2fa24d5d8be580342f14a2b61302b2bfd689eb8e17178b210b87db1782c48fb51d99d0ade0984fb40bac63921

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
0d4d7afaf5c92707800103140f846a7c

SHA1
ce2cfd339e2258c0d27abf1b901d3bc5af172224

SHA256
c1cdde00fdfe20cb31079e30c777c9ee9095a8b0983e64ba65290118bdf22b99

SHA512
270c5e6cd51b800548ef83e4dd3c7db414cca39cf8f46e1c5a05e530b114a21ae265f52658d68e951fb788a064d443340dad10fa60c6f34ccbefd92cbaaf27c8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
015938d181de45191f0e82b8e4be2baf

SHA1
5fe386290cb0d495e885a4a835ad23a74d93223f

SHA256
c9a2a103a1735fae1f6cfcd69f2f736864db97e69b5f5c852d96cae8c901c918

SHA512
82e5474224800784cdecb7075a8e846529847822b068e7c237cc46ee27e34fcf828c85381b8dfaac61b03da57df7776314115777937e73373ee9cf1a0c41271c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
176B

MD5
c277f480a017d08143ff10dc5a3b736e

SHA1
c0b179825f19fb43b51888b4b9dba6f7f7af4909

SHA256
c727ab1351a72b60d4c11979820e0487099fa3d40597b2e6793275b0e74367c0

SHA512
5fb525dce901c0bd12eec79d8a838e46a5363223a408149b98f33063b395aefac0bdf6d9e94125a866b39a68ffb03ec9385201b15115d8cc1e76f61339ba22ed

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
c971746951dceac073319e6d279d1f2e

SHA1
c234914bf05ab54ca78a67caf419a91552567dd0

SHA256
ef1709ec816f671cd91f72d98a9e0dbd1b8c408a7aa02d850cd6588b41cd5d6d

SHA512
9ad410eede9992fd0d7f01151b072916926a83299a283715c51b0c441b2d7339c97e53ad9b01778e79c7cb2dcabc716137003967147bc962c2ad8ddbeaa0bea8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
dbd147c9b321e5c2e68aa46407b231b5

SHA1
cf896232c95e5a8c4823053b021d818a361fe0e0

SHA256
5671e1dca7bb09430c1e01d147ed053d67b05fdc0d42cc6e95672e43e1c0fdf8

SHA512
d80f25ea9def427105dad9da18d3886d35be824d2a89b1f9f10d706d7435039a238394d24697d77c727ce23bb73d86c004aef1db72945aded3b2d442b5f4e6e0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
65c94cbe0ce38af337acac850ce225a6

SHA1
cfcb9ae42d3d78419b827020f9d67c266b6d9e5b

SHA256
38cd5194afb13da529877bb8e8b08fcc009340caf80080685c26d8be015e5b84

SHA512
183a01bd8ae069844a533ac783527bb41035ec9c252b44e3be928b3b311d2712661e1d1c3bc6916f523c8b3a4aa058fc86484f1c4afe4154e3f12e03434571eb

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
8beca225c8e901184d8cde185863d227

SHA1
57a7abcda9a4df364114c7b5968716dd747fbeac

SHA256
9fa743525954ec76c8a7fce8c987f98c82f38fad17ec4c7cc3bfc8a12176302b

SHA512
c8ff2c822e1c45f636e84f2980d13ed878b26065ba4363cd30865d6e91c2baef53d2372f90af10bd18431d47da39edd98234cbdc5a066c95ff0e88144c366041

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
31b58dda3b16876e67b8361da11ee135

SHA1
42e105fa7b636eba79e786dfe125e33c011e1a52

SHA256
6eab9a32f62e273ce4f60995cf537e74629b41c422bb63b9bc2033add3d51b0e

SHA512
90c3c990cd92357e6b3613e233ba32d69b4231b2b5484c0fc5392209b9e14c3c7353db326787c7ade8268eb17b3b1b3b0b1c2d362d3f589e9876810980fe1963

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
92fd3ab21eb5e400df94de89e51cbb82

SHA1
46566a00f741758d6e98c4f2e1b813b8ea8c4026

SHA256
ac2f4d73236819dfa457bf89c8da9a873157ba3cd88cd54b3e24ba0882e1fc5a

SHA512
9a991b06c5343dcd45694d5e807016628722b01178bcd24246ac035f3af8a48e998b451eb980b3a960d30ce0ec46875865e2f43c217de9eec74ee36b101f31a8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
0d8468a58b9f2eb31e94b42585588079

SHA1
6327ad20f1c892b0c5653016cb6dfb483569d229

SHA256
d9b98aa5949daf6b77732bf8d222702fd9e22fe13f10d5f2eeaa5504c746e82a

SHA512
eeb34c6b5e61888bcb6830a2ae28916774bfb23f185efdc38b36f7d06fcaa8f0a53c70e6a0c67e3c6cad3dd5b1367c557c5979dbd13be1c5a47424fd318da0ce

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
d8b60ac8df9bc355ee376cc7f0ac6007

SHA1
8d55fb91c178d59a887ac8b9e869e647de68f5d6

SHA256
a307d6978277c326d978ffd37e53a67c36063eb3d6111252a7f19519e2eb94b2

SHA512
33e8cfc389481efe0cd5afaa07ec3035e32564dc2b8d2f56a0899c291a310e111d4b84f43d09373bb701135771a660a950a227b9cdf147fbdad2c4c572b59104

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
79f3a194ca6acfc42c4794a74fd203e0

SHA1
e7d7627d155253a8f42483fb7f11f74c190ade89

SHA256
583568fb3e8d96b24e3f5be435f568b97750630a1d0752f1f452a135ae1405b4

SHA512
01760268cd879426a37979758ac0fdde530b79a07704593fada65d9517538dfcb43fe7ec3281df8700525900b20908b5f0b8f853f1a75de7f7832292e5cc2f8b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
45fb48ed22f4b949339ef92426839945

SHA1
83ec6a08fd04333aff28460d02669efad529f266

SHA256
1d18e5fbb4c301f57ff1bf3eacca4131460f4d753cc9bd8d265e305c1c8dd88f

SHA512
94d15053dca7a3327ab5636351b8d494f7ec15834996b60da782e94cf0e76d0b9b5d26ee0ee17ef93b8052ce380c8347b26971261ad412d828f41e39858eaa5f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
ae66fd8bd2de2d8d2571acaa4c5430dd

SHA1
fa396b8ad372037f168d56b4eb0fd082995df48a

SHA256
170f2262b03660fbdccd2932856278042149e429d312d9e095af78955ef5154d

SHA512
984a17ff396210436726d632eb1aa7998ed1a1cd6be2cf151177b122ff823d541985968cfd7d379dfcb0bc079b1805d482fc6d5277de69ed8e655243c6d5f96e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
3df038a2c8a00224f53d63e31d73bcd6

SHA1
f9200e2ea2429743e34d50b0210540bb35369fd7

SHA256
4e4b3015ec8c681036083215b1f8a4c400c527d15e756be348f6e48a8c89fec0

SHA512
3e59eaa1ac75eab5883c3741d874e1bc4e0f4c81280117c9eca4fb498ff6552f3cd24f5b98617a6968c842bf6930aadc7da9a2f2aee123f50ddeb883d89a24c0

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
00211086d97e08ce4ee7c7250acc0836

SHA1
284e94394c9347d39719d3d871b91e849b95d1c5

SHA256
38b3142352b363bd8847fc402d18addfb335f84d1388eb170c530afd9ac6957b

SHA512
49d20eadff253f79945b4e0f500d013f6dd194c63b365b61f213d3607b449ae839c87fad142c55ef69f4673cfbc179a36e3b967fe8e7310282eeebe56538822e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
6b33a66ff7a587c99ea4287c2b38121a

SHA1
110710c7205d429fc313a2d3b2deb03705f6a666

SHA256
f39657ff442c9d4ccef7e9f523eba164c357f43ac9cc22d7d147609d09ae9d7a

SHA512
8092afc6ac9944691ea6238dd628f49d23528089990261404d4aef710122dfb09c515bb95a3138a698b4d5b635f6e56e730624c3790dde7c1b2c009858b6200c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
8c280f17324fb06938804dea33ab91b8

SHA1
fb676fc705e57b735b54a8d4828ca36a6cfa04dc

SHA256
dc6c2bde8b8de15020e2a09f1da526b4e9d95e295bd7c302347324b6a475aed1

SHA512
67e4c64ac89dc54d9769db4c2754f1984fa5e09b558d5ba4333be0f3d0b635b121e30f21419e67e15b78242cf3e360e753557ce7de80f709708654791c1c16fa

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
4b43dd0ef12ba474edb8551ad574819d

SHA1
ba29215f490a149187da3abfa1d4a28ea3d4bdd8

SHA256
b2b9134c086ed8c71151f0b9bcfbfd8958aa7723ef8c7fbb63d225615836439f

SHA512
f63a9be3babaeeb9283f78f3d2a9d0595f1400178f330d39a1cc47fba403f5d1469442fccf19f454d2cf1af6024ab63ce92121ff3485bf922efe2e63e70eab11

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
41e4e93033ddb265360db19dc306c2bc

SHA1
b416d8c47f50589b7245d96ac9ad4a982f8f59d5

SHA256
7d90e179a1a6844da4dbdcb15f3032ad719cf038ad34fd3a1453d401f00074fe

SHA512
573d18119c8cf1125f6848b605504520df0a2cf3b3f6dd626d202214d1b34ecdcc4ca43ed044943414b80c75b6c05021973ce7477a51bc51780a698401bef94d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
04301a54d49736a4f036c039187c1365

SHA1
091db38607d6bb43444c594937ae484bb0039c6d

SHA256
4639d588612b07d0ba82fc0cffd9b739eb4b22b970e35ead407cd0f5a79a8caa

SHA512
3260ee8188f5b64629972d2eb1210996651b10a85ac5eba158717dcadb98bc95a203718aafddf6f953bf6a6f026c8aae7118ef5177b7060485cea844e61afc12

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
aa7266e6f5c89a348cf495eae3c25ac6

SHA1
07d027f4e8936c1275427a2ed9980e27f1166e0c

SHA256
f8afa4de6334e4daa075c52dfa61aeab324f5d6699ca6b1423f9af83ab2de2b4

SHA512
27abd0f27a9f3468457126365843be289f9aa2f1b3bbbc59e0c721296342e275cf86be9127c19a39c727884a197f76ce06ea3725b517f7207f1c73e827dddcf8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
cf84dbca70d87fb2261f7ae4194f24b2

SHA1
cb783243551e40b98ad9a8b24f60036188cded5b

SHA256
63b1384fdff6af4ca1fb0150740b61a40cbc77a7c59b180d4daa3fe7a9a7d20d

SHA512
0c5d7fb8cdc05698b3379fd00b05694d4a1c132040b4cd4f9f2014161bad70b61d74f8a26b9e49426f6a0bc816854324ba69771b85d8e881dde68a6f8e225e63

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
361a98ec958a8047e537d1968d2174a2

SHA1
f65573c4a31320b0858c7974da7e3d49bdacb32b

SHA256
34fd761516c62f8e39a1382b3c9f2a9c5ef2d9f46daea3b1abaa90c6a51921b8

SHA512
67099ba627af03c6795845e35c799d0eff543415828712cae1d43bf7ac1efff83f0e8c64375ed4a68a949c925d544fc5caa559936ef5c829e3dd2eb7639ddd18

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
79e3fdb4053cb75f595e59824ac7edfb

SHA1
c974f8868ce15a70d1b34b989024dcb5ae978d67

SHA256
7b99bbfafae8f5b2f10b54bc990cabe0470b6273601df7a6c20406fede1a3c03

SHA512
d2623b43c6c8ea4c4202b5fafd012aa0d97fc27076bac2a5dbc7d3e8849cba53c37ca7da1b1bdd0f41681db2178ac8bd4d2c94405ee0687420590801bc562020

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
935905dea60519cf19e5b8ba36b93209

SHA1
6fcabd819b31e0a94a8936de4dcdfcbfa894df09

SHA256
666c86f96a0b2149317401e6365ffc35ba77be5ea6ab27add35f9893b34ec1b3

SHA512
32198ee8418f7f1029ee26cc5ca1dcc28dd0a3f63da2b1a6f02cf572c7a31f44291d34954c783116096a0d4ef4801553a53733ec35ce5727c2b7025f2feaef7a

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
a560c6bff6d93c856557f6c0c096504b

SHA1
9a300c364abcb93a69aac917b6d2eceea8fcb63d

SHA256
fe275dbe705025b0411d54f45b87ddb440cda3b7cfcc7086c4fa40a80a78c193

SHA512
f4dc3c1c46dc5c5b09fa897511319bf190ef1b577d221cbd8c0138bde6be200fd878fa459cc429d55adcc653039edb818941326012f6ff1aa26070a66494a2d9

Download Submit
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveNoDrop32x32.gif

Filesize
176B

MD5
f5ed4b20b2f9ed10e642428416abd2c1

SHA1
f9b9b0331e4897b87a28f2569b3ab797842998b7

SHA256
c0e40188d4024f6d33c7ea98a8f1058ee61c1c68f227cd9bb770cdcca6f6928e

SHA512
5def34afec365a246bd8d1d3b1eb14babce7c5a7e631402d71dae1135765924f360c7e6161a579e00503adef1076209b296c9038ff9ff8b6c642cb19087aefe3

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
b3bf5eb1e345bc05cd25a93edc199489

SHA1
97b04f13f6661bb352c1afbb275ce1e58545b86f

SHA256
ccf7941f179646eb1d9f07fbe680a022c773b30bf985320cbd0a175541c0c94d

SHA512
0d170269f198c8e05478e7767e9940c5d86b0246f518271a47aa22b7ec6cfc28550a4ac4d578fd29c0480b2e10a56e83d9c57f69f017f4c1c432ee29a52ed3d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
7a63a45a038230ddda63b8b6b2ca399c

SHA1
a482509b2dcbb14721a010d4ab9abc363def4694

SHA256
72d1fe033c071fb8de456cbd140cd65a674dd3781dd6491b09da294cccdf9684

SHA512
af37aaeb605b535442116380c6dff02e518c1cbdfb1fa17d242673957a0bc61c2fb8aadaabaf4ef6c8a7e1319759099ae7b771b75f9c7ac8b4543b334dbd5e00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
86608484c60aebb1261f230b6d02c0d5

SHA1
6269f8e5d7f175f172328f74ea4dc00b1dc020b3

SHA256
c2eed508ef75103cb5b876456b58847caa6fb5daf0ddd3bbd138b8f78370ab2f

SHA512
ad36553df198134f8aa36c034fdcd48153c9b1ae1fdefd9be755a15bf23873242a4b924db3066adb1829f98818cb579a077b9ae3b494fc292c553024d9457b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
857B

MD5
bc41147b043463ed4ec60d25a7b4c519

SHA1
39f3959928167a645caffde94d0dd1e677cc3433

SHA256
7c83c73e2de9dacf2a66563c7d4fd0c9e0e1b609e81211097d0a3d248c81f8e4

SHA512
861cffb0a3bed2c3cc380e4db2e05c42f8d9f3e76aae16477a7c340a49f88c867f9ee4bb33c3b60bb23319781d16afe5183b680000ea3cff038325cd095c5ece

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
19f24362ff1bad44be01b5b63ba4c7d0

SHA1
ddb3697b1f19970e60dadfbaffdc480f06d87bae

SHA256
8ad503291e9f2355eac67423b12f1819e2b7a827cbf918c73ea83cf0cb460a85

SHA512
de28a57a323845510467c80d2c6e0d41460feac8b0235eddbe548eecee1fd4e9e432f055fa6c3ddf52acd2157c8cf4dd03d41dbdaf5800e2fe8bbbeaf5ec462d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
19998f1528c96762b555965f61409c46

SHA1
443999f8ee0294d5bbb2a392e27b1d6bb7c8d126

SHA256
176a497b903386e1bec75d0575e9e45511844c32c5a32a2d59160110e57fe97b

SHA512
a4574a6553cec0258b3c8be80d1cd59031688688bab4953038bb864c1b6e28d790d58be0fff6fa212d696b241add25fa64c43c9eda1315047b83d32e98603da0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2de14081eb124327fa2cf650015f614a

SHA1
f89c632e44bae482687192e8c8541de1223dd19a

SHA256
e08d0ea8502004d3c99e98b8a2241b6f0da34991530fdf7eaa3d64152400023a

SHA512
0a7b0c810916e386a2019b5bec633bc1273cd708536b55b28f5638d8ea4b1b538bbd8ea81ad69b00042d29db9d6e87ead23364aa13b09e54e6e41ad619ce2d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6d0312d291e8a006eee6f6c9e62fed59

SHA1
d309d6453602d8c4b0ae21ec7e0ae99e261375b8

SHA256
180ca47d91e9107473ca47a167a60240799b9774ac8d17a9ab8f005554578c6c

SHA512
401c74196a7fb41e42c6cb5bb1d08aace8aef58b352ce08319313781f898b1a1cfb619675f7d54dbda6cd7b589bb57d8703f972850ad3b3a3a25806e25486910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d2fb85dab0d052007bfa0f509e72f552

SHA1
85e85b1d183e9273cc12a0d3f20168654a93754c

SHA256
f2f15455a76e98e9aaae37d6dd0e07de65af41d00e78fa9fdfbc8d156494be31

SHA512
e8203c6e673274a54168a23f0ead200f25af15ea4c4e20dde7fba0af7d116ec2e41f90ac992b94aa2e1d5b9544d81a293da4a466ce66b559cff3d36a131753c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c08b77acb738486f1221f6dccff3b70b

SHA1
a30d8a2fb9868f85c410eaff4d1f1427249c1cfc

SHA256
e7800fd8837b4a89671a7c4791a0ae5fca4dc1746265013fbfeb78f369baf096

SHA512
1398cbd335ac1d388edc466c22c423893d485e0030bbb5f2c6c85824815c86f590da6d1ad528ee4db88f315ce4ca98f0861897a5655eb6ad9187ac4019aaada8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ee965b5aed7c1602e4c4195f7828ec35

SHA1
93835298b034755d5ff50aabde2e37240e4842e4

SHA256
a194404f9d971671134af614a8fea7399cb1c33b43876b4abb5ca21a8faf6ce4

SHA512
24abbc0c3841043c10ffd77b6e0f1a0045a893cef4de5266d247467c33a4c5bece7e61b1860f51e9b014b627e886cff95d803eaf724f53fd09680ceb3383ac63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
93ea9585d7892f23217bf3c95d523733

SHA1
5669a70d4a3aec45b76350a2dc970a53dc8bcb05

SHA256
220500fb0acc94e6fd47c6b06771a7497c2ab1e36ae8a649dcc5976a37cd37b1

SHA512
59715d30773fe6adcec7bbaa004a27dc4919f3436c5db5ebcd6c7b7901ca4abd550b2aa0412b9d9452a0c831d14e181c4938f70f5af65b7c0ceb0ffcb012fa70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c9624fefba9f6daf7b35c7fab3e9c1c0

SHA1
bed2ad0e9451eef0be799a829592e270ffdbaced

SHA256
a31aac5efbd7cf4f6bdb54a41d514e586febe99e69e54f8fe3c2cb0f955768f5

SHA512
cab408072d51c8a08fa9f407ba3b13221632846bee59e9a52caf5c45b48a09c6ceed3d40f9e778c20a13e8927a3f5aad1bede19f22c5f72eb3d08b19076389c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c2966b250496a550cad044f1c5f39829

SHA1
2f9829092652da7387ded5c3a7d7883bbad8ff36

SHA256
7944b1ab262eb602804be41140764ffff01677123c6360ec1c9770ea8650273e

SHA512
5c0ca8b98217fe9cb12864a554be153ad9ea51de4e3517316d6a0dfb53e6842cf099ebe6fad3de6d8265c6efb6eb05a206b747148e4d22288d2ddcff44ee7c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cdc0e9b85d7a9aa78cdc926521c79798

SHA1
a7014168084f09cd4bef9847e6d0cf946ddb76e8

SHA256
5381a1e97a9495b2e695f996912f9643c4b070a0e69181c2cf1e62ebc4277d89

SHA512
6b1c5afffe14a13c455ed4cec79345121240ac34dfe6ddd34e14114cd36c8010af3de50024e935c1100d6993c373c4a19276f4eccfd058f60cbca4b8a738b0d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fdbe45583b166a4a32e0434e7abc1755

SHA1
77fd0f04b8c30e3c1b29cd05546ded008ce66f73

SHA256
fedb4dfef890a4d08178709983253d2d9c1e058f3b0aae49c09a09b6475ce3c5

SHA512
91c5db8c3540e0947eec1bae9faea85e2c44218132dfdf145b150a5eb26a90c8d47cb3683f38ea912422524d85d556ded1d99fbd30b9e999a5d754307f23d4d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8bf65ae4abc57cd7cc073970ea09ce53

SHA1
988c605bf56c20950708d99886619d8afb125bf6

SHA256
fdccdbad0c7e929f0242cac02bbfd36847a0ab426be70db53be107821cac865f

SHA512
765b5ac66515d87f8aab2ab8010a974288961381c5fecbfeb43eae451edb238685907c3fe8edc1ace2b995848a3597bfb93307fc534db6c51a4e552842faee5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e3d28ce2db0891d1b41460bece3ec8da

SHA1
437b9dbeefe3c7dabeb4927906370ad824bd6047

SHA256
f55b115f202db207bb2f3d59c76ac3d05def1dfafe7f4f70210f8767a2d15889

SHA512
bb1ae8ba3850f9967fbb39554d240e4b4f3582fd1ebd46369ff5cf67a122523b7fdda9e2c36d7f7a14a0a109de0abc820f51dabf35cc246080318267e3af5df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
00cd718d55a9aacecf3df78056fddc13

SHA1
5d640ff2d2111a7e79960d727cccd266ea07068d

SHA256
1f85156bfe2b38a1df23698e7024d8da24e25bf5cba389c4e652a4d4988a82fb

SHA512
ec3fcc0b0f193f309e0c42f348e8f3e6075b5388962ba635c3a77a3bd1864f6110879106288c571cb98cb68c0e80ef42ba4541cf10ea17ef999909254bb7dc38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aa510162124c1870fe3f2a6707c80a46

SHA1
3d50941d9bd9384caf0d2bd6c7adb54b7fe6badd

SHA256
d8d66564c8f9bd24b2325fef51b8ccb37a11a6e13293af908571f928ad54bdfc

SHA512
ee17c5dade0cb69d42543a299c29145caee9576f63ff56cebee076b45f8b3a7eab5b40f6c8ed70f35a7bad63e41ee1dc1fe35b571aa2925ad580582af769c502

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae6751d9f9bc0c2b46c0400626491717

SHA1
df58cfc6c66114b960f8bd2df624eff21b5cf36f

SHA256
6c0fe7095fdb05a7eb522a7c424aeff5b5ac01d83248d604fcb8d4634e6b67b7

SHA512
bdadd61d1dbf73e184e769027deaafc9231d455e27fa533aa0be9422708abbfc83f230931419b65cfa0fb75aa6239a69b076e9391b89bb91e85c17793fee8106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5866f2.TMP

Filesize
873B

MD5
b67e1846008ac86481eb8a170dc7a6b1

SHA1
15e2287ef6d07dd8a6ba1f577fbcec2b98116edf

SHA256
7888835b415672c1094381a96cc20cac0d19d65484dac8be36a153e79e03b09e

SHA512
ee0d52f2f0fc7222f16270a4953c4642b057b1f88d7477255c14f27f0789f5e1c9ee46dad8d9d65000dccfde0e230bfc31226c70d91baa19c7d4da7d7afffc4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7ce84ad784ddd485f43dfa23df37fcf

SHA1
4f232039762694d0c5f5a137f224d8e6fa3092ea

SHA256
c91527bf561e3c129a5db1154190a8fda858b6562b787df00b88d965d98a8904

SHA512
1fd2cbe51415fa9772a3fe0ff6b2ceb8eeebfed0465ce2a772776d82f790331636be28f81f873cbd33677285fefb191a3be2ce6bd237a6368e1957ccf329e6cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f6b6900f9259f6aa99bd04046371b7b3

SHA1
bb5a4e848ac15b8cf469e15259b7990d30703b1a

SHA256
6b1be555caa5447b075e46023a7d9c1eefb64d654f27d7de5d5d0e22fd6d01a6

SHA512
ac6afc687b9223c03f6daeb1c812763cb3aa7e19bc260b4baa741b4bc81443a3c9300c9853f000d00d4af187b672bcdbf3b705e941a5746fc30082eaf17a20c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8576b7b3469e332d6e7a3aa07c74eda2

SHA1
84b002eefc9d57ebf559697e220c21858bb225ef

SHA256
49c58d4a91b97db1b9c1b1484636e575a9e1164a2c9f748bea62e027cb92d910

SHA512
a89b90f0748007fd5d223383d2f4e15442b91921324549c02de4615fae1322e9d85f172617f61012ccf0346cedf686d4dd276b9d559e45177c65d070ebacb288

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b3bf38965aba3c359133e0fe5fb0f33c

SHA1
189f716024836cdb907f258cdc745e98ea4dc9f8

SHA256
670ab1783e3867d1c9f6eabc3eeceb50f73f1e46ebc13cab1ce13df27b3af8e7

SHA512
cf6d948286d777cb7c65b41c9894e075ad3f76428a2043cf1d9dbd7a7f9fae6490f2c39ea78f713dbc4696cd134099a8ee979237aef39f50938eae6121830cf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5e2038390a10048fe8089b79ddf97f57

SHA1
b98bc203a88f865837ab5fc3dc1c148aaa456da9

SHA256
6478a94c26fcf25f27ebf323a716a49ecb8a531485977fd0151e965dcb35f9c9

SHA512
55a6616b97eaa84487fe0be723381e25766552fcad88e9413b6d67031e0be21af477c031845dc38a3a3b880a208836457ceba56a55d95c6322b151fa9f60bf64

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 203545.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 768271.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
memory/2084-1012-0x00000000023D0000-0x0000000002402000-memory.dmp

Filesize
200KB

Download
memory/2084-1011-0x0000000002260000-0x0000000002292000-memory.dmp

Filesize
200KB

Download
memory/4452-747-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-762-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-1169-0x00000000054F0000-0x00000000054FE000-memory.dmp

Filesize
56KB

Download
memory/4452-731-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-732-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-734-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-788-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-794-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-736-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-738-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-742-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-744-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-748-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-750-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-752-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-754-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-756-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-758-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-761-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-729-0x00000000024D0000-0x0000000002502000-memory.dmp

Filesize
200KB

Download
memory/4452-764-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-766-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-768-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-770-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-772-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-775-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-777-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-778-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-781-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-782-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-784-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-857-0x0000000005280000-0x000000000528A000-memory.dmp

Filesize
40KB

Download
memory/4452-787-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-856-0x0000000004BB0000-0x0000000004C42000-memory.dmp

Filesize
584KB

Download
memory/4452-855-0x0000000004CC0000-0x0000000005264000-memory.dmp

Filesize
5.6MB

Download
memory/4452-790-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-792-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-740-0x0000000002540000-0x000000000256B000-memory.dmp

Filesize
172KB

Download
memory/4452-730-0x0000000002540000-0x0000000002572000-memory.dmp

Filesize
200KB

Download
memory/4512-1181-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download