cryptolocker | hxxps://vipsolara[.]mysellix[.]io/en/product/premium-solara

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-08-2024 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://vipsolara.mysellix.io/en/product/premium-solara

Score

10^/10

cryptolocker discovery persistence ransomware

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7b63d646.exe	explorer.exe

Executes dropped EXE 4 IoCs

pid	Process
5892	CryptoLocker.exe
5040	{34184A33-0407-212E-3320-09040709E2C2}.exe
4356	{34184A33-0407-212E-3320-09040709E2C2}.exe
5260	CryptoWall.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7b63d64 = "C:\\7b63d646\\7b63d646.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*b63d64 = "C:\\7b63d646\\7b63d646.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7b63d646 = "C:\\Users\\Admin\\AppData\\Roaming\\7b63d646.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*b63d646 = "C:\\Users\\Admin\\AppData\\Roaming\\7b63d646.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
203	raw.githubusercontent.com
204	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
211	ip-addr.es
213	ip-addr.es

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4182098368-2521458979-3782681353-1000\{BF546D34-139B-40DD-8F19-C7AC680BC32E}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 587825.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 150917.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4980	msedge.exe
4980	msedge.exe
728	msedge.exe
728	msedge.exe
4872	identity_helper.exe
4872	identity_helper.exe
4564	msedge.exe
4564	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
3388	msedge.exe
1228	msedge.exe
1228	msedge.exe
4760	msedge.exe
4760	msedge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
5260	CryptoWall.exe
5300	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 38 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe
728	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 728 wrote to memory of 4392	728	msedge.exe	83
PID 728 wrote to memory of 4392	728	msedge.exe	83
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4892	728	msedge.exe	85
PID 728 wrote to memory of 4980	728	msedge.exe	86
PID 728 wrote to memory of 4980	728	msedge.exe	86
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87
PID 728 wrote to memory of 5004	728	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://vipsolara.mysellix.io/en/product/premium-solara
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe65f046f8,0x7ffe65f04708,0x7ffe65f04718
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:2
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2632 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:4244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3612 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4836 /prefetch:1
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6784 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6712 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6856 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:5188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7072 /prefetch:1
  2⤵
  PID:5388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6188 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7128 /prefetch:1
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7424 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7488 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1768 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7504 /prefetch:1
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7932 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2792 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2196 /prefetch:1
  2⤵
  PID:5564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
  2⤵
  PID:5828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5972 /prefetch:8
  2⤵
  PID:6044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5532 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7680 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7664 /prefetch:8
  2⤵
  PID:3948
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:5892
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5040
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2867621174069104489,18418168752823130015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2836 /prefetch:1
  2⤵
  PID:2072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3544

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4252

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5328

C:\Users\Admin\Downloads\CryptoWall.exe
"C:\Users\Admin\Downloads\CryptoWall.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
PID:5260
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\syswow64\explorer.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:5300
- - C:\Windows\SysWOW64\svchost.exe
    -k netsvcs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0b8952f5-23a3-46f2-9c14-0afa08ea1de0.tmp

Filesize
6KB

MD5
464509bc6921df980c4850cf457ed1f8

SHA1
51275662cea7851361b48e242d71726422254999

SHA256
6d8429fa3e0045efb9fd41ce1f30baba4b98f138f5589c78e4fa9800ebbc356f

SHA512
ecfadd64c6ed4f1d0b2c6473d1982964abee4f31dbc62fbf695d340c4a4db8191ac7e9727723366f10af835401b850e2eed2ea85bb7f051b8bf8cb9a8ce3528d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
30KB

MD5
d1ac99f22b8d1149ba74efd60d894819

SHA1
29a846bd46ecab2c9fa87d1a86fae6c08e642b70

SHA256
4b87080fbb2db7330df4068005d45c3339a603f29579731eca94ed8dfff88ddb

SHA512
67cf99b90dba66196ff724f2c4d6fba333d88cca9cc42312530973f2f145cc24b3669178ab7c32e254d957ff84078edaf4fd9918ae2631f75e5cbb2fe10cf416

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
34KB

MD5
118ac39cff9e828be993490f864266ff

SHA1
ae5df00b1ffe0cc28ff84dac418a866540267d8b

SHA256
4a81760dfecd6b4890a7ad37ad772d15a7dbc8cc409fcb48a0501ee75cd55767

SHA512
88272ad598555ff57f316466c7625f53b07bcc5e65f11f44573712dcd6144a4ac2e32b11c7547b06552168299b8b7b01dadce6dfb92fc99289bb9ca562b621e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
126KB

MD5
54ca114ea864897ae81bbe5c494f6d62

SHA1
462353fd3b7db697af3703dfe570321da38b8043

SHA256
fa87bb0c1dbed4df7772a7d382bd14c7e01a27638af4433272f9c70875d43ad6

SHA512
ab36a3f62d4b12aa9e17bacc787b02a9c17c4bd3bef10c04c569959d90c800c5561fdb8803d1e044b919d8bd503a25e4dfea33d632c4494b62fddf24728f2b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
210KB

MD5
48d2860dd3168b6f06a4f27c6791bcaa

SHA1
f5f803efed91cd45a36c3d6acdffaaf0e863bf8c

SHA256
04d7bf7a6586ef00516bdb3f7b96c65e0b9c6b940f4b145121ed00f6116bbb77

SHA512
172da615b5b97a0c17f80ddd8d7406e278cd26afd1eb45a052cde0cb55b92febe49773b1e02cf9e9adca2f34abbaa6d7b83eaad4e08c828ef4bf26f23b95584e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
6KB

MD5
5537018a90242157c1249135f84262c6

SHA1
9dc3a5d413fdf30497c68664f8d7372541575e30

SHA256
9c8d77de13287360f56715e758f273628f9ed8a1952727d635d248b219c0c869

SHA512
0b097e8902553b2b3d803137decfe4dba63590df9435985ba9f905d3f85e68c42d9ea2f009bf2226b7bec6c4f57a3f14a0cbb79cdbbae4b424febbba587ac54c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
03ac8f2d9b3635a56b8867e19451e590

SHA1
cb3b5906ee22ca065f583234eedf74da6b091724

SHA256
e6b6c9efb04ba69e60c6c1ec57fe5f0d526e5798410258cec92bd2281f3866a2

SHA512
70351dc6b06f7738b6197a05483b65483817d8160e38d363742ec11318871486c0ccb10eaac80923166ae086cba6192df2d6fb510bea91de1d2540f5ae7c6aa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2be7c0f24875f61919d41fe01c9d7046

SHA1
50176301fefc711fe4d7bea58166c3b0d12a8e1c

SHA256
b28b7722036059abb8ff3e8421228337a64a29a0bd8ea1ef71d6505fa4e93123

SHA512
1f7908f8ae3d3eadc31737fce4cf9fc50cc5b0f9532b35c369136c6dd0bfd31a7e54495f2d9d95152ca6fe59682dfcbd88450a4ff5d2bfdd6b2ded198272df0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
52f2332846861cef095793be0ca4510b

SHA1
7b2d5ed72c7a82f6e834bf66288a7a9c4926b9e1

SHA256
6bbf35a4e7f836171cc71a93fdc6a6f0abe69ee0f218e4c9e2ddde586a9442b1

SHA512
32848acc0eaa106ddde3a20b6c9bc03ca4e842a2236a1315458df10b8d7e6374b04ec6982ac5547ea6a0e9744a577c9599850144400c03a61155b648e50a4571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
89f03fd252291ebadf9f5b85acaff55e

SHA1
9d9afffe11316ed41bc3650a5fccf1fc31756bf1

SHA256
32e57214a7051a0c9e20d3ea26835bd37063f8c69251adaab1e1b91886b4cdc7

SHA512
308ffad17a010ea36f7a260ef5ff2fc8d20203b75d2c13fce293b532cfbb4f28b8eb3a16c419d74a12b01909c9287289f0785382f59aa95e8ed11b59332df2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
dce9097b44521eb6fe16c6a9e349a10d

SHA1
fcdbd0480012a31a45b138a94f8aa4d3721e1b31

SHA256
5e4b13255b0a06a2b551702eed8addcf2fc46aa43c9ee4ec3a90626ed7448def

SHA512
16e3499fd43a04bddba6e418e63e3dd8f31743e0395a52792d2a5e45d736abef82f37fbea10d8dd08cad52739382e38133f13f0831d43f8481a79c96a0288999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ba0ded80e095b569c0cb485061bc69a3

SHA1
8572c0add557283bcc0873e833268e3e770aef56

SHA256
04d2f8cad1d3be7b18a5d262b1580ca769c73e39a9ee7c102793e8520c02680c

SHA512
d09e9ed31c2970e6abeb8f9bdf86fd7ce1aa7f46b8088203daa7a79b738c4cc1e6a2ef6f3eeb564aa106c6ccb46313f3502295250ac0db468c8f621876362351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a9060e69eaeecde21bfb1a0602799149

SHA1
047b5464ed4b46577d4043a8012e64cda5d29743

SHA256
8915a6f51c1c7cc68821f9bc5c9f1b8631254502cbd7d558f2587a9b9f099dc5

SHA512
d7744a6a7b929c94a807a79d416d75fc49f243bc36fd6a2de58081b55403ab62c85ecdb06b103e33c520528ab9223a8eb3e6fe50ae321b092705243693c02169

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d0ac3321f352c6195c873b724988eb95

SHA1
4292e9c40e231684b7ef51d71afe4e129d76d44f

SHA256
b2823aceb2419be15bebf01891331dc178bc5b70b317ba2f19b68ed090329302

SHA512
f9c63ff969bd44d223b2a63aaa54b200f351518ec474827d53e9169dc5998aa49315e0a6e5317f3a8cc3074729d65c434b3924fad63e3b60ee6568fb7480e768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
ebb787b5fb6abf906811f1eb9a058a44

SHA1
d15a32a3d775924c9b506c3e6154a3904e1800c2

SHA256
86e71ea63ab21ad31a906d529818a52ca97d0c0fd4fe94c3625e3af35a970366

SHA512
a451796837439e28441437be74f72c5128e308dd39ee0abda400b54fd7c478d3fa637df42f671753977356e832799514513d1189da47eb1a6dad158dde59a30e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
0969dec4346987ce7e917f8503cbcdf3

SHA1
8ffbb9446bd78ed106461424966d8b64d4e71a7f

SHA256
c01eba463601afcb169bc9fffcad76359e988e5c2011294fbcff24f4d66f7cf4

SHA512
15129b1fa7e659d50ab4bd8bbb3b8e079aa97b44c1fb1a607d3a500845ab095cb374cc38c20ae3a0332a25c032dc30340b7c9191812304dc8ea4f6dfb1c8a1f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ef5b9bb79c93ea4969811868e2b93ddc

SHA1
d66c809f6541285d502b1b95df738d0040267779

SHA256
f3e178e0188d1121292422f1f8d4c02bd21a6a1defad575af3c283ed405de3fa

SHA512
7c74587409222faf1e97e3622b4746d7f8c68f46443c4c017394abe9361c1cc937e1766636178690ad9cc32d31dc7a28f02bd8f988fd5cc4f3088fa4a8f14af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
02dcb89faa41197e153327cef5e2c4a7

SHA1
69ce53dd256b011a0d9b24d621070c00487c659a

SHA256
3376e11fd0aaba601c43de328dc5375d6472c3afeff4abdbb6911d9c3b4ec6cf

SHA512
3c6abe1ab8331bb79ecac9788360ae821fa81bc8ad47ece4141987a0bf88af55c56e54dc792357dc10fa7305b3ada4128d158aaa8171ca1be34436ce9f419686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a8a95c92d5f24aa005732042c66ddc86

SHA1
540a0dc7d8a51ebcea321232ab2baf01d9b1bd5d

SHA256
3c8c6eee17716519621d87fa5b5a8af31b91b299b91a94deab984f93fcf371dd

SHA512
438035588ab7a88bc4a8ed9c60889a5eb42dba33326c51893b1872f01565ca5f614f0803b655314a57174c73eb2c8aa757bc6194218eba61e092a4783de33fdb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
f8083c7720055a0f08d79b48f12ab623

SHA1
6f3ffa27df7ca96b75307f92ca2726d911f48f73

SHA256
1dfd2270b01b1578ddb7ba2de21342a90e43640ef3cd18d8d8a01f719a1965ec

SHA512
5f1adf8648da0d558c215444cc4bab281dc9171ddb885b5243fbcd38db8e4c19399fd4fd478882de98ed345e6c2023c15c5fbd039f3f1e7f9920a0e5461ee7c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
3e6409e7dd4241bbfe4e07ee57a1927d

SHA1
3e938fc084f0e21f04bae0388a4e21842c2916a7

SHA256
c0bb8538465c6164792e96fdbc46e0022ac0b295b3cdd1ec2fecc293bcdab609

SHA512
062d4667fd26d1a1577f9103d95360294c699b637f09a1447f494fe28fe14d00816e51c2216be2a9948ff0af08c192ef1acce6afa7d397a77994b438ad10c79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
d367e8eb4fbb5f1c4a64ca7785b7be0a

SHA1
d0245ea27722adb12c16dec01970a4c7c3429d6c

SHA256
475970efa3f33e9cdaddcb4be5aa206ea50aed6c4e1851760f9638c4601d0d0a

SHA512
f81d53c88b387fad4204ac59a0b23b88390b80e7667610cbf1bb3160735159a2ca3c63333bca7d669d107955d5c4dc53afb4b7ca15663193a288099cfb31ee76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f405.TMP

Filesize
1KB

MD5
83a51532e5cc77d260efc9dde7149d44

SHA1
dd0420e3e07bb019d4d378ccdd4c428023bd6b6b

SHA256
30052e1b28a9b706b9a30713384452dea24da820596de54c83789cd0908af7df

SHA512
681cc72582d9e1a6af0c8c4d6331c6e91b3d5c74e70d854f00179095b8a942c2807af881d76d33e3b138f1dfe36efaf632212128ea3900e6b150e071c79e3e8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bd518229ee22a39dd91d592c632f51a0

SHA1
b13f40cbfb95c83dcd6dac9baaed625813d20f83

SHA256
7ea9aad58ae8915b7a3b05f307073dad606da2a84ffbf026b6136256b42d48ba

SHA512
af5786b5b1ed69e386a0fc64986ff97cb545ffe06856a7b8d7ede6839aaa4de144258f82746745a38f1a49f771712aff9a1a043e76ed38f7adc5bda6e0ee898b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf337eff2c860e7869cefc008bed7fd0

SHA1
8d90c86e914107016e81730099a341f2b12acbd8

SHA256
e19bd14aba3cac3a59db2735b094d03314b7380e12b4c2010cdb791fbebd7c90

SHA512
9277510a423f1de4f85886412a0b77751559df0f6e107f9f20755214e12e65e952c150ace6569620f20960a054e6d62153918c9b9505e9612dbd456c6f4d2764

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 150917.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 587825.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
memory/5300-1139-0x00000000007B0000-0x00000000007D5000-memory.dmp

Filesize
148KB

Download
memory/5300-1144-0x00000000007B0000-0x00000000007D5000-memory.dmp

Filesize
148KB

Download
memory/5316-1143-0x0000000000700000-0x0000000000725000-memory.dmp

Filesize
148KB

Download