fantom | hxxps://github[.]com/Endermanch/MalwareDatabase/blob/master/jokes/

Analysis

max time kernel
646s
max time network
644s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11-08-2024 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase/blob/master/jokes/

Score

10^/10

fantom aspackv2 discovery evasion ransomware

Malware Config

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>Y2E3RKmTBjCkCTotSGMEjAQx51PmQCDahgLApeIgTkf1/IxTCZQ3hE2PIPaC2ZihA2A0x0OJRAgarlT6/PBy5DIwxRN1GaOvSXWbWhbPzOcAmhI3TIy8FF9paPwrGRxXNNa5snY+seRf6Q9AtOy3lWBoXSjq8/YpRZGvy4jNS+rt1jI6RwAQynGeS7uG+gmgnFyki6WrgeY5Nr+DZu4sd+z65AFNu1pgc1O3apezB63DtYE4npblUBhlzfKfSqmsv8WetKoJyEed4u0UbQaW88budGxJ+Ch7TDNBY4uCCAkv4gw0Sp4fz/ltpPUr0+DpVkkySboj4Ijqh4jsuPQ4rw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Extracted

Path

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Ransom Note

<html> <head> <style> body{ background-color: #3366CC; } h1 { background-color: RGB(249, 201, 16); } p { background-color: maroon; color: white; } </style> </head> <body> <center> <h1><b> Attention ! All your files </b> have been encrypted. </h1></br> <p> Due encrypting was used algoritm RSA-4096 and AES-256, used for protection military secrets.</br> That means > RESTORE YOU DATA POSIBLE ONLY BUYING decryption passwords from us.</br> Getting a decryption of your files is - SIMPLY task.</br></br> That all what you need:</br> 1. Sent Your ID_KEY on mailbox [email protected] or [email protected] </br> 2. For test, decrypt 2 small files, to be sure that we can decrypt you files.</br> 3. Pay our services. </br> 4. GET software with passwords for decrypt you files.</br> 5. Make measures to prevent this type situations again.</br></br> IMPORTANT(1)</br> Do not try restore files without our help, this is useless, and can destroy you data permanetly.</br></br> IMPORTANT(2) </br> We Cant hold you decryption passwords forever. </br>ALL DECRYPTION PASSWORDS, for what wasn`t we receive reward, will destroy after week of moment of encryption. </p> <p> Your ID_KEY: <br> </p> <table width="1024" border="0"> <tbody> <tr> <td><p>AmL5CdIx1aXs+xZlBAPJHgpH2wUWhPbMlRMmto3PMYWEotC0M0hry2YQWmlexy2RU0TjZv0AN5IOuE/8jNBrdlgDxHzEnMKdN4XZSqM+hg4946sHzAfUXcB5Ot08qr/d5eS5m90sWN9GCXM/p7deGGFuZLdIW4DaLNrnOL1vIA/8RahN+WGyI0xmAwbnI0SrR+nANDtO6RK0gaUPvu40nLGvDI4sAHCcqSkNgUYRYFKqCAOYnIAeL5sELIivD/jqLxyzUKOnz7w6HXDDQvpbVAOQ2Dc44NPYdEHIJwF+aooMPpB25Feu6IsUwyviTn36wX0mj7i2SqKgcVHhJbwjvw==ZW4tVVM=</p></td> </tr> </tbody> </table> </center></html></body>

Emails

[email protected]

Signatures

Fantom
Ransomware which hides encryption process behind fake Windows Update screen.
ransomware fantom

Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4280 created 3284	4280	taskmgr.exe	154
PID 4280 created 3284	4280	taskmgr.exe	154

Renames multiple (1025) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Disables Task Manager via registry modification
evasion

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x000b0000000233a5-400.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Fantom.exe

Executes dropped EXE 10 IoCs

pid	Process
4864	[email protected]
4076	[email protected]
4088	[email protected]
3284	[email protected]
392	[email protected]
2312	Fantom.exe
3652	Fantom.exe
1364	Fantom.exe
5476	Fantom.exe
6060	WindowsUpdate.exe

Loads dropped DLL 1 IoCs

pid	Process
4280	taskmgr.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	[email protected]
File opened (read-only)	\??\P:	[email protected]
File opened (read-only)	\??\U:	[email protected]
File opened (read-only)	\??\W:	[email protected]
File opened (read-only)	\??\Y:	[email protected]
File opened (read-only)	\??\G:	[email protected]
File opened (read-only)	\??\I:	[email protected]
File opened (read-only)	\??\M:	[email protected]
File opened (read-only)	\??\S:	[email protected]
File opened (read-only)	\??\V:	[email protected]
File opened (read-only)	\??\X:	[email protected]
File opened (read-only)	\??\Z:	[email protected]
File opened (read-only)	\??\E:	[email protected]
File opened (read-only)	\??\J:	[email protected]
File opened (read-only)	\??\K:	[email protected]
File opened (read-only)	\??\R:	[email protected]
File opened (read-only)	\??\T:	[email protected]
File opened (read-only)	\??\Q:	[email protected]
File opened (read-only)	\??\A:	[email protected]
File opened (read-only)	\??\B:	[email protected]
File opened (read-only)	\??\L:	[email protected]
File opened (read-only)	\??\N:	[email protected]
File opened (read-only)	\??\O:	[email protected]

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
69	raw.githubusercontent.com
70	raw.githubusercontent.com
126	raw.githubusercontent.com
152	raw.githubusercontent.com
68	raw.githubusercontent.com

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AXIS\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsMedTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\StoreLogo.scale-125_contrast-black.png	Fantom.exe
File created	C:\Program Files\dotnet\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\casual.dotx	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\SkypeMedTile.scale-125_contrast-black.png	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsar.xml	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\AppxBlockMap.xml	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.deps.json	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\System\ado\fr-FR\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png	Fantom.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\TextConv\en-US\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ja\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Common Files\System\uk-UA\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WorldClockLargeTile.contrast-white_scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-white\SmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Store\LargeTile.scale-150.png	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\zh-TW\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\FPA_f3\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsnld.xml	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\AppPackageBadgeLogo.scale-125_contrast-white.png	Fantom.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\AppxManifest.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\SmallTile.scale-125.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\LargeTile.scale-125.png	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\VisualElements\LogoCanary.png	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Windows\PCHEALTH\ERRORREP\QSIGNOFF\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\main\base_jpn.xml	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ca.pak	Fantom.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\bg\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\ipsplk.xml	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppPackageStoreLogo.scale-100.png	Fantom.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\oskclearui\oskclearuibase.xml	Fantom.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	Fantom.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png	Fantom.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\WindowsIcons\WindowsCameraSplashScreen.contrast-black_scale-125.png	Fantom.exe
File created	C:\Program Files\Mozilla Firefox\browser\DECRYPT_YOUR_FILES.HTML	Fantom.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000006\DECRYPT_YOUR_FILES.HTML	Fantom.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	sdiagnhost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	sdiagnhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sdiagnhost.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	sdiagnhost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	sdiagnhost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0c00000050000000a66a63283d95d211b5d600c04fd918d00b0000007800000030f125b7ef471a10a5f102608c9eebac0e00000090000000	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616257"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1"	[email protected]
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Pictures"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "2"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "4294967295"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\LogicalViewMode = "3"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000050000001800000030f125b7ef471a10a5f102608c9eebac0a000000a0000000b474dbf787420341afbaf1b13dcd75cf64000000a000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000e0859ff2f94f6810ab9108002b27b3d90500000058000000	[email protected]
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1194130065-3471212556-1656947724-1000\{62F7B617-AB17-4F16-96E8-AAF76DA38BD5}	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 3a002e80d43aad2469a5304598e1ab02f9417aa8260001002600efbe11000000b98ea471d7e4da0180eb8be8dfe4da019c64638fe0e4da0114000000	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "6"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlot = "3"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "4"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\ComDlgLegacy\{B3690E58-E961-423B-B687-386EBFD83239}\IconSize = "96"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlgLegacy\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "48"	[email protected]
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	[email protected]
Set value (data)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\5\Shell\SniffedFolderType = "Pictures"	[email protected]
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlgLegacy\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	[email protected]

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4356	msedge.exe
4356	msedge.exe
3692	msedge.exe
3692	msedge.exe
3864	identity_helper.exe
3864	identity_helper.exe
4660	msedge.exe
4660	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
2516	msedge.exe
1048	msedge.exe
1048	msedge.exe
2576	msedge.exe
2576	msedge.exe
4088	[email protected]
4088	[email protected]
2868	msedge.exe
2868	msedge.exe
1648	msedge.exe
1648	msedge.exe
1088	msedge.exe
1088	msedge.exe
3008	msedge.exe
3008	msedge.exe
1372	msedge.exe
1372	msedge.exe
3980	msedge.exe
3980	msedge.exe
4128	identity_helper.exe
4128	identity_helper.exe
1752	msedge.exe
1752	msedge.exe
4704	msedge.exe
4704	msedge.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe
4280	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4864	[email protected]
392	[email protected]
4280	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of AdjustPrivilegeToken 44 IoCs

description	pid	Process
Token: SeRestorePrivilege	3780	7zG.exe
Token: 35	3780	7zG.exe
Token: SeSecurityPrivilege	3780	7zG.exe
Token: SeSecurityPrivilege	3780	7zG.exe
Token: SeRestorePrivilege	1636	7zG.exe
Token: 35	1636	7zG.exe
Token: SeSecurityPrivilege	1636	7zG.exe
Token: SeSecurityPrivilege	1636	7zG.exe
Token: SeRestorePrivilege	1932	7zG.exe
Token: 35	1932	7zG.exe
Token: SeSecurityPrivilege	1932	7zG.exe
Token: SeSecurityPrivilege	1932	7zG.exe
Token: SeRestorePrivilege	4928	7zG.exe
Token: 35	4928	7zG.exe
Token: SeSecurityPrivilege	4928	7zG.exe
Token: SeSecurityPrivilege	4928	7zG.exe
Token: SeShutdownPrivilege	4076	[email protected]
Token: SeCreatePagefilePrivilege	4076	[email protected]
Token: 33	1984	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1984	AUDIODG.EXE
Token: SeShutdownPrivilege	4076	[email protected]
Token: SeCreatePagefilePrivilege	4076	[email protected]
Token: SeShutdownPrivilege	4076	[email protected]
Token: SeCreatePagefilePrivilege	4076	[email protected]
Token: SeRestorePrivilege	4248	7zG.exe
Token: 35	4248	7zG.exe
Token: SeSecurityPrivilege	4248	7zG.exe
Token: SeSecurityPrivilege	4248	7zG.exe
Token: SeRestorePrivilege	2172	7zG.exe
Token: 35	2172	7zG.exe
Token: SeSecurityPrivilege	2172	7zG.exe
Token: SeSecurityPrivilege	2172	7zG.exe
Token: SeDebugPrivilege	4280	taskmgr.exe
Token: SeSystemProfilePrivilege	4280	taskmgr.exe
Token: SeCreateGlobalPrivilege	4280	taskmgr.exe
Token: SeRestorePrivilege	1500	7zG.exe
Token: 35	1500	7zG.exe
Token: SeSecurityPrivilege	1500	7zG.exe
Token: SeSecurityPrivilege	1500	7zG.exe
Token: SeDebugPrivilege	2312	Fantom.exe
Token: SeDebugPrivilege	3652	Fantom.exe
Token: SeDebugPrivilege	3464	sdiagnhost.exe
Token: SeDebugPrivilege	1364	Fantom.exe
Token: SeDebugPrivilege	5476	Fantom.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3780	7zG.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
1636	7zG.exe
1932	7zG.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
4928	7zG.exe
4076	[email protected]
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
4088	[email protected]
4088	[email protected]
4088	[email protected]
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe
3980	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4864	[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 4416	3692	msedge.exe	84
PID 3692 wrote to memory of 4416	3692	msedge.exe	84
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 3340	3692	msedge.exe	86
PID 3692 wrote to memory of 4356	3692	msedge.exe	87
PID 3692 wrote to memory of 4356	3692	msedge.exe	87
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88
PID 3692 wrote to memory of 2664	3692	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase/blob/master/jokes/
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe950746f8,0x7ffe95074708,0x7ffe95074718
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5560 /prefetch:8
  2⤵
  PID:3280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
  2⤵
  PID:3084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2328 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4832 /prefetch:8
  2⤵
  PID:4900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5004 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5636 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3448 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:3204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1308 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,10241980346677801407,16269872205962967886,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2988

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1820

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1048

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1195:88:7zEvent22232
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3780

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap2644:88:7zEvent18442
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1636

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap1611:72:7zEvent7071
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1932

C:\Users\Admin\Downloads\[email protected]
"C:\Users\Admin\Downloads\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com/Endermanch/MalwareDatabase/raw/master/jokes/ChilledWindows.zip
  2⤵
  PID:404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe950746f8,0x7ffe95074708,0x7ffe95074718
    3⤵
    PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com/Endermanch/MalwareDatabase/raw/master/jokes/ChilledWindows.zip
  2⤵
  PID:3244
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe950746f8,0x7ffe95074708,0x7ffe95074718
    3⤵
    PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://github.com/Endermanch/MalwareDatabase/raw/master/jokes/ChilledWindows.zip
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:3980
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffe950746f8,0x7ffe95074708,0x7ffe95074718
    3⤵
    PID:3456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
    3⤵
    PID:1868
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2704 /prefetch:8
    3⤵
    PID:2812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:1844
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
    3⤵
    PID:4344
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4128
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4104 /prefetch:8
    3⤵
    PID:1876
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
    3⤵
    PID:2828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:4424
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
    3⤵
    PID:4840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4392 /prefetch:1
    3⤵
    PID:3396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:4040
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
    3⤵
    PID:3348
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
    3⤵
    PID:3972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6008 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1340 /prefetch:1
    3⤵
    PID:3200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
    3⤵
    PID:4364
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,9841560856585907932,16612223794498779854,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
    3⤵
    PID:2228

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
- System Location Discovery: System Language Discovery
PID:3976

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap3979:90:7zEvent14997
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4928

C:\Users\Admin\Downloads\[email protected]
"C:\Users\Admin\Downloads\[email protected]"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4076

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f4 0x15c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1984

C:\Users\Admin\Downloads\[email protected]
"C:\Users\Admin\Downloads\[email protected]"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:4088

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\CookieClickerHack\" -ad -an -ai#7zMap28483:96:7zEvent20359
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248

C:\Users\Admin\Downloads\CookieClickerHack\[email protected]
"C:\Users\Admin\Downloads\CookieClickerHack\[email protected]"
1⤵
- Executes dropped EXE
PID:3284

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap18073:84:7zEvent3068
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2172

C:\Users\Admin\Downloads\[email protected]
"C:\Users\Admin\Downloads\[email protected]"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4280

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\57177d48efd94c4ab63c0039b9e318bd /t 4972 /p 3284
1⤵
PID:1192

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21423:74:7zEvent26368
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1500

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2312
- C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  PID:6060

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3652

C:\Windows\system32\pcwrun.exe
C:\Windows\system32\pcwrun.exe "C:\Users\Admin\Downloads\Fantom.exe" ContextMenu
1⤵
PID:1648
- C:\Windows\System32\msdt.exe
  C:\Windows\System32\msdt.exe -path C:\Windows\diagnostics\index\PCWDiagnostic.xml -af C:\Users\Admin\AppData\Local\Temp\PCW8F25.xml /skip TRUE
  2⤵
  PID:696
- - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\pcwutl.dll,LaunchApplication "C:\Users\Admin\Downloads\Fantom.exe"
    3⤵
    - Checks computer location settings
    PID:1876
  - - C:\Users\Admin\Downloads\Fantom.exe
      "C:\Users\Admin\Downloads\Fantom.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:1364

C:\Windows\System32\sdiagnhost.exe
C:\Windows\System32\sdiagnhost.exe -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:3464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fxgm41ey\fxgm41ey.cmdline"
  2⤵
  PID:2188
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92FD.tmp" "c:\Users\Admin\AppData\Local\Temp\fxgm41ey\CSC332DF62FE57149A68B5C769D3183FB7B.TMP"
    3⤵
    PID:4680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\now5jvzi\now5jvzi.cmdline"
  2⤵
  PID:4728
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93C8.tmp" "c:\Users\Admin\AppData\Local\Temp\now5jvzi\CSCA8096D4F10544BEBB0F8E0C6BFE46823.TMP"
    3⤵
    PID:1432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g2kivjmf\g2kivjmf.cmdline"
  2⤵
  PID:2340
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9F90.tmp" "c:\Users\Admin\AppData\Local\Temp\g2kivjmf\CSCC88F83F8DE24413588956327653D4637.TMP"
    3⤵
    PID:1832

C:\Users\Admin\Downloads\Fantom.exe
"C:\Users\Admin\Downloads\Fantom.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5476

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
d706c2bc4529cc4961438e51fdaadeff

SHA1
c32d56f8579889d6d2727a4717a88847724eb59f

SHA256
49055ea2e1cf1e05ddc38a49acc0405622127f433912e3e47d421cadc1313109

SHA512
204b94bac00b8484ee650529ac45ee40b3e3976971c1d8b5575eb903f8666b7508639d1dde0b75b43f52063beea443441424b0034255567fc1d843197d189dd7

Download Submit
C:\Program Files\7-Zip\DECRYPT_YOUR_FILES.HTML

Filesize
1KB

MD5
623e027e6a8a74b97dc13a19f70f0b20

SHA1
bd49f8d96317f2eaa849438a324dfd0dbb8309af

SHA256
d5bd5d598d944836da53500ca34e0963d83c480884fc85dd5a24596226ed9706

SHA512
7d30fd5a8b4f8b7fb9d97b54a97fc8f417d227c456597ac8da47aabd588918e568f16dec7174e240e882d2816c9f9db69ab7c0cec4a418ca401ba0f779adb3ad

Download Submit
C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\win32_LinkNoDrop32x32.gif

Filesize
160B

MD5
7d916326ffe0d8a1838946b4c065adf2

SHA1
2867366e9ab4ee875bbf6dea4664006957537dbb

SHA256
f4e6a7f62da1a45efb41d2f1d84b7b9588da6251e6807670f142e2ffe760c237

SHA512
870590c80568edc3a4b220e9e2945861bd408aa8d9243e83c01952eeeec045411628bdcafd05a9a91620a8c4f61acca890dcb259a1aaa603e9b7549e028175ba

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt

Filesize
192B

MD5
0b9fe489d250ee49e3476be61cc45f95

SHA1
1d238892625f13aa95ea732789e1ea93966fa20b

SHA256
db231ea4a89641aaccfdc946d86f2722c1220255ff9d75157387a856590b7416

SHA512
fa9f41b5677ae1e5becf82254c53fea3c4e51558ff9d23340a4e0dfdff17e62170070b449b3d2354da4b10f2e2d942087f56c34403bc5ad0c1d5f19adf9454a0

Download Submit
C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt

Filesize
192B

MD5
381a388c3d5c934da4b2bb6b0b847c37

SHA1
b19355a09ec43e1d5ca25e1f5d66216665ff07d6

SHA256
18d0ac9d6f130042f28a882c926c30995f2375f89a27fbf92a3a916ac8ceb66a

SHA512
aea6bb79a8e52dc4ab18e8b3f198d37146857d570d800aa8fb1be54833561ab2f2aced50652f7701e03833f3777f9d9609a574f05db34821c4607d59454d1ea8

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\directshow.md

Filesize
1KB

MD5
ae64d87056b78f75a7df0ac960e3bb45

SHA1
45de8fcb324b4f2dcddf8040bd3067dfd6a842aa

SHA256
385f41632eb2537d29ffecfae7e984b68ea7b8e4d4a3e4f00855162258ac80ec

SHA512
667dacaaa585e2b029c7a5245df6ccf00d15b5aea2e9bace9c2e617cf029258794d476ca49d9390ba7f13c1a07847c009f5f3bff367a87c7255b3ac4fb32778e

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\glib.md

Filesize
31KB

MD5
92c2306c6ad228adbb856a68985be88c

SHA1
88eb7e7abfbc32dac93060bda20c728ae1ea9867

SHA256
b66e079d5dea616ffcaef0ac3175ad4871974d4250630931254f58ac390b1125

SHA512
3e4d4cc1b3496a4520513a5aa5d96723abb3b7725fb59694f9777f54a230fbce4699756499006dca5b93004441d867689b44a013ece95c6c1946a444ce8e36c1

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\gstreamer.md

Filesize
34KB

MD5
e2eb6334a90fda13f7532baaabfe8c46

SHA1
3557725aa785255786c75c7ca085880d9c9aad77

SHA256
1e1592a0ec2139204363fc7d400057c83b5fd34d9f2ea1bd9997b8ae4a245391

SHA512
b1cc8a8fbef99a3ef8088e020efcedac9d1de8dbecc6700d0bda9f0454c5f37cdb04e7f1541c7b27b5b9e9d0b0496fe6b2753b3ea33685eea60e098fced5d52d

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\icu_web.md

Filesize
23KB

MD5
9bf8d3909da0c4c77fc4c5f2717c390d

SHA1
2d4ddd6b52ee1b5e245f8d58163ce375569ffc78

SHA256
10f656509f48375e8b7a590b376767af4ebd353f558c1c314d0597308f0a27fc

SHA512
9e927e8e3f3ba3b957f6aa6a70a7781ef3f08dc7e1f99dbf5b0dee019270b9fabc0a80d7d148673554b9da650ab340ab198aec7aec58f515296788d7eff3df29

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\jpeg_fx.md

Filesize
2KB

MD5
6ee3d43794a3bf640914d355179054a2

SHA1
cf62fa9331d35838091498e3203bb162de9b43b4

SHA256
33ab56d8d365b1e87305c452332cc4ac1fdb2ac4aef2f46071369e642a5b3606

SHA512
46d88d57994128589689e8bb3d043710b4537b667f0c612add6147e6afcd74f69dbac225d731a9d32d03aa6906184fbfb07d9ba4d0a0ec2073f516f2781edf22

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libffi.md

Filesize
1KB

MD5
ee5ce19e000cbceb1596783ccca84f9d

SHA1
5e134a24c25775d3d96809425db457406ed11e04

SHA256
6854566495d14a955ac87d19b709d9b2826a3ff34ab8e2c3bae765fafd8b0d35

SHA512
49aece91d8097412279202f9cc2ab9cd365ed8a851d30deb3056a688a66b9515b164dc1533e3b57934c7a83e9dd22be5eae01dc4b7183622c3fec568eee50b37

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxml2.md

Filesize
3KB

MD5
ff38274cd200ec20e7e8f3db5985ed48

SHA1
605c10a6065d38a1fa7094731e3a59ce375d0001

SHA256
8a2bcf6e6828c91286271a305d1460570d7a4811c7d10d29f88a8825b4b68540

SHA512
9698ebc12819a8622b6672d80448bc0cf5a774d521c11a8a197871c3e7f0662754fb9bcf9a6c36e293bebd34cdbf5e145a854b2c468f9743cf41312322194100

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\libxslt.md

Filesize
2KB

MD5
7a3cbe589d2929e7bec2e1167bfccfdd

SHA1
97cfb426676a564980da7c873b7278fda58d5a68

SHA256
0f3e8bfb9c1abf560a86bde1aa65ed87d63e40d95f1d4de952c7e07e03c0ff71

SHA512
adb75f0f709bc466c449aacedbef38c7044ab10458fd2eb820e15ea1c192d513101399e81745262cc0c160cfc675954a9ec4f3869c6bca790ede84f29a7ada60

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\mesa3d.md

Filesize
5KB

MD5
98bed69eddc2d6cd9811ca1e64e971d0

SHA1
d7928e9d8cdce406ac53e73a19e59136b2da11c2

SHA256
045ad1eeb42cfc034aeac80a046d5e6ff1615d8064bfdc1befd222ca0000633d

SHA512
e60ac3776ebce4c22fc26fac5083c893eeac5e93c73a52e7178228418272ca348de3eb8fb42972556d987d7d252cf5ac9085349360108eeed640b7627faa3da2

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\public_suffix.md

Filesize
17KB

MD5
40400981a13b6104e7f5fbd618c3f023

SHA1
e9d7c8c3aa6040a159e14a7f124fe542ee338891

SHA256
a71c14d7c5e918b6057a7111febf66e9a141b8df11fdef3bedaf969626aeaaa8

SHA512
ea38aad35b35c21c3e4f9c1e086c1045f7b7f9a205e128e82f56c0cd80041400bd3e360d387dd881361122bee9cc1d3ca2663cf10760f8a4a6d8257e2c6e2734

Download Submit
C:\Program Files\Java\jre-1.8\legal\javafx\webkit.md

Filesize
320KB

MD5
beb16d675e839b20351b075441db4c98

SHA1
24f1b863cf895256da71a6d4b80e9b7d52abc6e7

SHA256
719ad0a07f682cfa348981aa2efdf2eb6a5fab4e4c91fe97327bd906fab7ceeb

SHA512
d588027a8ed19467a6f7ced37536c42d34a84217a9dd8b0c806b963d6465398053c42473fa18ffb22d891b8d17f1e7fcb45aeaed9252aeb1a1a65330843bb11e

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\asm.md

Filesize
1KB

MD5
f36c4372f4c8cc2d975baf30ab593066

SHA1
3a31c6799e039f4701d5f193882e4f8842cda0e0

SHA256
71fd0110ea44a13a340e48cf54461566afcb81433b8fa01172b9024fa1bcccef

SHA512
ecc4b9ff4309c771232d095c9b56f5f191484593feacf4f2c97059cf43572f42aa20db15b33950571590a82e2f25f99167abc896f83b7cd0ab42f52a5e75dfd8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\bcel.md

Filesize
10KB

MD5
bfc252756f43374a7e57cc9b8726d3f1

SHA1
f2b58cd320f2af6e44705ec7d4cf1314535c1f63

SHA256
69d56014b66f82b069f51b6fd09dde6c01032ca712940e9a466747b29abd1eda

SHA512
cc5c6be0e0c101fcbf3a7f708574f704ebd805e72a37a9645eb2fdf7ed9ab4eee6bd0a774b4b8599d137fee5a6c81a32dd19a6796bbb3ca8aad1a88b701b0174

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cldr.md

Filesize
3KB

MD5
c1569e62287a09bbeea5c7b2bdc86455

SHA1
b070f26e5b6f3b2f0db6e44d18797d8344a549e9

SHA256
8578dff6b64432387e018fffb5e46535cbdf0485b94341730ef352a34cc72308

SHA512
074e4bd9ba3f541369594cd029ac6a7e837915145c2beb247c91c514ca3250893d7df8fb05562fabfa1de7a340276e86cf6c353caaedb54b418da52d4642b1a8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\colorimaging.md

Filesize
176B

MD5
150805dcc1992f269427ec02bf2d10df

SHA1
588faff5ab3320e221db7ee175cb569f72592971

SHA256
fa271d88a0cbaebbe7d02973d2c7f5a13ec26d571b9c719b28cf133db4698aa7

SHA512
285f6869d5b73e12762eeb66399220aad253a553c94ec04f822c11699643e7c50f2b1d2d26c60d07ea510b51e36474c4c2ab89e0fc665dac9392231478420e16

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\cryptix.md

Filesize
1KB

MD5
559706377c90e2de8c28610c4dba614d

SHA1
a353820b433f06e7468721e1eb14111c71138c34

SHA256
2a0444f662655c5c4537937f644bca12bb1cea223269faac2d94d25b91f8976f

SHA512
af31f38b6980ba0d18633ae13509eaf4d0fd3db44d17600417f1ba125311a838104bdce2774cf812d5fd22f041ea3410070c47cb66221a6a093dd041841eaac4

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dom.md

Filesize
3KB

MD5
1ebe54982785f4882807340c5ff9fd24

SHA1
40a4ade6701569be6ec19e55eaa0ad1400253bd1

SHA256
805235fe235b147e5a9f70c7e5e51131306adf84b90eb6c0f2969c97a7ced96c

SHA512
0dba4c8bd1864b4dab4de1696bd8556e61f9c997dad074332424f6f0ef08256f4bdf66296c7321e9a297247b8e1ac43acbc75f2f08c17016c1646e78ce42dd71

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\dynalink.md

Filesize
1KB

MD5
c161a4f92e2da0831ed92ec9f8892ed2

SHA1
8b8504980819dc25c545358dcce72e58888bb0b8

SHA256
eb640c277c2ed5147ac1c44093e4728c353d4fc9cf46015ea341dd47a593f291

SHA512
a301d994d275b2640915e0e2841f9416896c6531336c3bcd4907c953c05814f58d06db35d3a20798d4c65442ef91f9e8bf636b2b3d7efb4a75e4026d26ec7ad8

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\ecc.md

Filesize
28KB

MD5
41fb72bcb30061e42be7dd11f161b46e

SHA1
575d79570c2d4dfdb146dece6381339d1a320c6d

SHA256
849148be193b489df41728adef9b6cb6b234ac9772a634784b1155931c094fc3

SHA512
0904bc9ba0d7e2f8637118caa28e0e2637464507e8ed883bb20539a28c67f657716051b8bbd02b2a5fbd2a47ed1c9563840013afa66d8656b00a05b54c99195b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\freebxml.md

Filesize
2KB

MD5
fc4f465ee35216756c4ce7b550796c69

SHA1
c7ef13f51b2ab8f888ed5c248e9e8b4ddfc3909c

SHA256
1ecce2dc0a814b55552d8d947e59024fab2909aafd7e385016326d59a6e5c319

SHA512
a7ec32c14347c658f9d9fec88e4f4ac68d928c8a3f6a19c96971c89fdb96d5640f77b0c6a7b49d648e50a8998de47a89993265f9728cf73cabafefeb8876c073

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\giflib.md

Filesize
1KB

MD5
b1e90acadf4ecd712580975afda28266

SHA1
41ebaa49ae2ef5e83ad09fda8ac00f8c40f3694c

SHA256
7cc6ba5d3301ab509e92e8abe1c5e32b7d757466729a0a081bc0c73a6940d83f

SHA512
a6c9d7f2f915ca2b6183385fae38209ee63569dbfa79eb39d80518574b8c61c93e033ef658b954d95673508e265a2be242db9ae83d7c6890a524a6b56746f1fe

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\icu.md

Filesize
2KB

MD5
610b39e9f4f05bc5845b8e478d2f25d8

SHA1
b1d8ec0781721bcaf646a10b1a3dcadf280c0c82

SHA256
0bcf27674a61504061ff61341a785ba160f0cc1e4b5278d13b7be6f8d2097c15

SHA512
0ce006c5283bdc92bb05b871f77bcba4f489cae00eb01a76f70e2bc1007c5ff27d8ed8bab357188779297446daed6fccd5ff31fe3c0754219557da714224422a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jcup.md

Filesize
1KB

MD5
2fce2d7a2a1889c0dee847b1468dbe99

SHA1
412fd071b93c1b477f76f53a65cc3b02ea0fcee7

SHA256
4b157c6789ca8aa12a965a3aa21a84f97ff1f511d95417590a7e87b58ce38bc3

SHA512
6b51dbe6f8d8c39c40e839eb2ac66e4f6656e289346e1c425110de8d5c1a27a5dc6d2c72a3504653f84fb6d280647fcbfe5afc4cc3e156a10276a7fb6d130e48

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\joni.md

Filesize
1KB

MD5
676d668436df9759684ac956cc25b5e3

SHA1
60e6351f9ba51e559920ac15efeb987e1b19082d

SHA256
65eba3fbd9dae2e70ab1306e123eed5c5d9f8b74997e0f3b5bf0875e79515b82

SHA512
c5b4280605fcf84884ee39836bcc6687fba7372a71b05590d37ad9da740b50d350dd0f75e610dd2a878deb4b4d30a1fb1831a73e093c4e56b999c749c7280412

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jopt-simple.md

Filesize
1KB

MD5
e9d4e046fc08640ee30ee3f7c8ae2392

SHA1
393e530318e31db687b9d5647035c07c66cda875

SHA256
f120b10b2b0c9e85519e259c93eada6798b1ae978a3c854f2d27402e5d197c6f

SHA512
5d4b85da683f6e0b6dfad8fc1556effaace56bcf731dcc777716e5eea53bf5da7f57da0ab778b2dccb48ea8c964b74ae7e3789a7ded51da4919b1acc365a04d1

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\jpeg.md

Filesize
3KB

MD5
67f3795a8936ab3ba81643ae114dd5f2

SHA1
c9120261278ad3b4bf0d88609cc58d22fb7c89ce

SHA256
78ebcc97bf06e9ab7ff5194743216d3c15b70a4497e103427bd4a46ac69d8a25

SHA512
52d90ac813fba723b15109f91ff665ef697749d160625acf6093640e821999aaebb865b2311a061dfbe69977f1c524b2f022e54c46042d003526cea984e7d474

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\lcms.md

Filesize
2KB

MD5
a9b0cc74fd7cfe3edcd6083e8ab823c8

SHA1
974f894bcbb5403849ffb3e3477b9e1f0d60019b

SHA256
197ac69879e16fbee1d154cf3f8ee23d82a196342ca100aea3bd5f452e9a3866

SHA512
54732c28e181b0e696df22d6894e39314b15792fbee6f6e701c888e8fbca74c392347e3fcce1afb033ab98f04630153dba0a5f8333d9fea15bfb0891ae7a28a2

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\libpng.md

Filesize
6KB

MD5
f3e3d164a98e503c724680edc378ca95

SHA1
544cf7758bd49010de09fc3fe5f3b210ec12e727

SHA256
b5bc0b2f86584481fee72a7bb385f1651cfa6130116f87c3b50ea219d2d30df4

SHA512
9506565a3f744785d3313bc248dfd0b2c9e5ad8ce76960bfb0d31bf6ae525f4d192ff62c577177ffa1f3bb8458aafc451b4616adc65cbdf45614ea2b613eee1b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\mesa3d.md

Filesize
5KB

MD5
a6b253235d5d863cc52a0cd0bd123ef4

SHA1
46bbba6ac41510f973b55ea58ad12064aa9a5092

SHA256
be94a25d37039124358830438b66c92781ad1a5793dce51ba9ecee56f6a5278a

SHA512
d9aa317ca961629bbc6f7259a04b138b021d8f6f5eb512e2e3b8c63a4aa41fdeef00a3f9626f3e251bdb9f85490c71e31997e623297f6f2013f160fe22ff77ee

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11cryptotoken.md

Filesize
3KB

MD5
f661ea5fc6c77f4a2844f8a9f942bb98

SHA1
02d0143761f6ca7a9bb804f0b04c74516c3dca26

SHA256
da2652114c1b84039796cccacb29e087f5893f0c16ba6a6bceeaf5bba4164c03

SHA512
505f3798d7e9977e0f27620518d674c5dc8fd71c2e6ad7f9a328b4c538b957dda1ace6983c15c61e705de64c8dc40744ae04c3eae8e53c0cbe6cc10f60a32eb7

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\pkcs11wrapper.md

Filesize
2KB

MD5
b7e89ad908ccbe10f7f44d89b7f25474

SHA1
7a4c04222bc5b3df125aceed09c4d787f225d07c

SHA256
698fea5d6b8f850894afb55e3ae379cb672aad0261ed26b048ac34b2047990a0

SHA512
7730b190869353f0cd469fa25cad9649f659b718c4f0a456824f539507b3e59301eae624aee56141ce14eeada4764dfb35ae7a313890981cbe518a537d576f20

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngcc.md

Filesize
2KB

MD5
90736098fda24ff6b8179f5a242d4f8e

SHA1
8148d5c1f0d69cae4417c2735b53b07422e0e55e

SHA256
697d975c31d69121dcbfb28fb6a77b37de4849cef8e7a5f177dfafc593ca6601

SHA512
41e3b85af3d7d6772bf3f5be42aed3d144335b932679a8300935b3e890d62ca712279c34870d23fc404f58b4dbe305a981e58e9887fa7ddb8a47ac151d6bac44

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngdatatype.md

Filesize
1KB

MD5
a9bd0a820f006d2392fdfe12226e9a92

SHA1
831703fa12f84cc59293bb60c2ead947b9faf91f

SHA256
c81bfbea74af6ff87341c61c845ab83b6a50c49c87073ee53c303024ccfc1694

SHA512
c0f6943d050ff0b7491235845c08d255d9bcdcb91c6ec06efbe2c8e32284f0f29a2c7237e22306569256a0b5d0403cc91523f89478766735965fad615066ae0b

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\relaxngom.md

Filesize
1KB

MD5
3b8141fc59271a879e284d6cb4a63be2

SHA1
04860ed9e260b981c82320517dd2da6cb389dde0

SHA256
3c0456f0c9db4dc906801d7a533469f66f9391824d0157d774079ea4c0f807f8

SHA512
5fb3a541123a2d358d04bbf668ee1c2ff8cac31971979914787fa6d720a3e74b1fe91ad816fb7bdfdc32953b171540e8d44fa2fb80c5aecd3cf97166c244af5f

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\santuario.md

Filesize
11KB

MD5
90c601f2832c996ccee0e0d2cf4c9357

SHA1
14a4208d94b119d6145c1679650f414a047e2182

SHA256
3065cf238f4e83367a9e9a8f6ac588240f7c3784605193d612b504d5fb9dfd60

SHA512
485908f8a527cd793bfb4b190d4767e39b8a3a93380e17b28b388113806cb3c92530bc406be33389efa560fc09fa1d795c8f90d2fb1a07212c93927b4bc2177c

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\thaidict.md

Filesize
1KB

MD5
24ce1c320ece60432614f0d608de9acf

SHA1
4ce43004b3d8c40975a424c06f1c02219ea6573c

SHA256
964bc413b738ad8a80600c29ac692bb00af19bd24d5a5c142ea0a5c0e3f5fa0c

SHA512
8e0cea7385ddf09ae5f9ffcd529962f2a09aa639d7192d8a68c81aa72c2a9c57d7459a8147ffce192d6178f7c7d2447ee490c2a37b6da8eee0ee9a779259029d

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\unicode.md

Filesize
2KB

MD5
fb8f03e94645c2013219ec09cdac19b5

SHA1
18be05f7ab216e544632f122387155fb0265efed

SHA256
9f3f3b446b97c0ae99ed71c907afd342eaf71bd2ee572c16f2fe6c9d795d20e4

SHA512
1674bbac686cbc26a5fd44fcd4bf2a559815e2bb651c4541aecf83e691597fac13c6608beb8ec8683283ff0fe120b3976aa36df723d43d0df389fda40e64faaf

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xalan.md

Filesize
11KB

MD5
62ff48c58af61d21401a07fcd8e34a8d

SHA1
63f8a5920750502b4424732b8b51ba9a5a509edd

SHA256
5a67ecf4ba77b541e969992b3419028d8640244f4a2d5d50487252f844919129

SHA512
6ddec0ed9d4f45ad26c35d5ee11fd535b79df586a3be802f1ad25270764e7a0c9b798f79c9afa4b1ff564dc131c573eec3906582c9a72fcc2bbae3e9573ff091

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xerces.md

Filesize
11KB

MD5
0eede69ae4e65f1cec6f3d9802165ed0

SHA1
6138fc62c1c456eb424ad7cbb74e9e365303875d

SHA256
67a3bba2a40d57acf947d8e62f9bb38141528d0cd9793874e2a698860dcd77d5

SHA512
2b97b3a9d6fce565e9b2f3b44218a90ce61b4a748711a2a16d88878e41783b8b7f268bf4221ef02c4c234fe5f9d5aa0b1de073932d1875543aa915ba5582640a

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\xmlresolver.md

Filesize
11KB

MD5
e36747c54aecece37867402f8f8d77aa

SHA1
8bdddf39a6f3d8511c4e0cec129b14f096d9dc2e

SHA256
c1779a4aa72011b754aa6a065f072a9bbcab8bafa04028e261d37dcbd43da782

SHA512
07731d94950d5eb642d4ea4194fba72fc25ffdd62447619df4460863d0de3f2f1a5efd961b981d7bbee046b4575d3612e293284b87467696be1b3f62f64cd206

Download Submit
C:\Program Files\Java\jre-1.8\legal\jdk\zlib.md

Filesize
1024B

MD5
d563b6361f170952dc76e7214770a14a

SHA1
7c4de1a09926263bc907f98b0ddd13a09541dbc5

SHA256
c18c084843b7fe6c1087296946244b497fe6487c1904e88bd2aa68bfb0d2963d

SHA512
8c9f83eaadfd45825587c263e3b631eb12d1bcc7ee34f518c53be3ae1d66be959237c37776df7a43cef4b818de4589962a7b0cb1199c4ac7703d7c50b189a498

Download Submit
C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt

Filesize
48B

MD5
04698655bd6e3e36547af579c4fce91d

SHA1
1fd474ffeb0d1ad35be4a1bc52cd2d1af25cc0c9

SHA256
2181657934111b9ef75b0a5f7fcacbece82e746ca163d052295d3538ed926831

SHA512
84baa61ca7675647c777a3355fd3e208add090b7d2cd2cd5c9a46d65334e4019e5bf85e5eea1100f0145973d14322d89b7748e89983d39c02291afd5d1160f57

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024081109.000\PCW.debugreport.xml

Filesize
5KB

MD5
b6562991b42f30da20f6a3a0fc24b166

SHA1
3d11a7387c3c560258cc411739583de4c60a8d5d

SHA256
9885cb3578e549c6a1b48cd1d35df9b81e5c6cab0b08efbd0b11bef330a5dfb3

SHA512
b08dd06197de6941f91d062abfa7f7c560c32ca532fd64c3099c05cad665302e3f3b372f8e402594d18005eb840e52e840e7fa07c3538d0fd5deabc945ba93b0

Download Submit
C:\Users\Admin\AppData\Local\ElevatedDiagnostics\733862231\2024081109.000\results.xsl

Filesize
47KB

MD5
310e1da2344ba6ca96666fb639840ea9

SHA1
e8694edf9ee68782aa1de05470b884cc1a0e1ded

SHA256
67401342192babc27e62d4c1e0940409cc3f2bd28f77399e71d245eae8d3f63c

SHA512
62ab361ffea1f0b6ff1cc76c74b8e20c2499d72f3eb0c010d47dba7e6d723f9948dba3397ea26241a1a995cffce2a68cd0aaa1bb8d917dd8f4c8f3729fa6d244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\120e43ef-cc04-481f-8ccd-c4974dea7df3.tmp

Filesize
12KB

MD5
c0f649eee137609342554840f98470fa

SHA1
d879b1460d40b8f6f5a640e1f6302e30e6d88ffd

SHA256
c52b780d3f30d13ea891aadf129b572fc868a6353d1a6db4e1a848098b00f684

SHA512
926bab4eef3c1026cd77910c20e688288665352f446e55d3a56e1f5ac04e6a3eb625ae584a4d94d1dd6d177706a53707838bb67ff1a97024cb8074f9fc8e82fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c075495049be81b9ce2815c1bc009b36

SHA1
1befacff91d652f8376955358af77de55a2bc7fc

SHA256
f556c7856e80b0fdd93f4c0a6ee721a26722c54cbd32a8133cbda0e8dd91babd

SHA512
138e988324533e3902abac1676c6076d1ac2db868e5f26eb47736e9fdf572da11b3db798f61660f3eed582f89f3607d8b7192bdb2f959bab96eaa2fd410ec307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4a1ab2983887cf515db757fc3fad08e8

SHA1
6b41e50b19438a24ec150bac5d3b660fcd5729b1

SHA256
7d9cdccb9a9056b1a32751d0908b9670a7f400fe93a056d28af072ab9824bb5e

SHA512
a97cb76c849e6d2eddd9bfca90719d08114e46d04dcb57ef867b2435f44712de0f7995b57ee72d1df04ca2a8bb7d4a81554eb8601c2f77fadc1761a8e367dc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
60d05791f93f243f1773f13164aa6d44

SHA1
dfa81a75935102a24fa274c43b1e137fe893a508

SHA256
654be93ef0341283baf4bd5614c9d004db7a30b4e65e83852b11e5b8469cf672

SHA512
8d6ff2a5c89159ec673f766ab4938ae094649be94906cbec90857dd0ea4b7a79ca33588eb8d2f5d318a4ae1468157e913855ce8ef417c1edba99e2f91093ba4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
82bb4751e6f44a9403e9b4c06c49d6d8

SHA1
95214818fbc992c8b2ebd6a26af522437171f255

SHA256
3b04a61b879a6cdc5cd1f7fb3dc49283640fbbd9239764d62b8e97b854baa6bf

SHA512
3df1d7ef883f92e0b1993360a97e7aa188715e8f6d0dc9c76be64509b802a113a68585cac961f820e1520d5dbab98f5864d2744902cea5d889738386c812a599

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
8c9a222cad2e677893b0f30888d1b0bd

SHA1
d4e89527414efa6e723a8bfb287dadb796b34964

SHA256
93c1849c280e8a44952d50638e8f306350b4565a5797fe5e35cbc7b0d885677b

SHA512
4ce8029ae69d67472dc45896bf2a51fa5b7d7a011cb86d299f3f760c1ef6e13c71c0091d46e3efc11871ddcf2d565bc93697e0b95b3974e4adcebb20a182a335

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
396b18975fe2ca82dd97968e292fd9ab

SHA1
b7679c7724c203055f0868e766ba30ad5278a5a7

SHA256
1fd709c714cca0de0c548221faaeeaefd4ae098ee57a6e825acc4c2f4e26f101

SHA512
2f957463109bff342bf4f4cdca3ff4882366f3968539fca3614b4f5e58c27fae7fa1104e29b574cf0ae8caf09b285068c6ab3853bed0a675d9342f00e4528bde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
3KB

MD5
409d44f6f0f1bc68ef24d960d1caa4f3

SHA1
63ceadeb6ea4bfb87b5461c97ca511aee8dabbdb

SHA256
9a5c905d80d07fb3e055ec1d559c3b6eed89b4cd1431a5b6f54c31cd3e70cc7a

SHA512
d4367f6c3e78a07b3bf74f48e4f5999f8e9ad38853c02bf9fe74ef5c36ef26a1f3761cdc839ed7efcd5ef68d4d41db9019716ad667bcefd0b004cb8c352f7ebc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
5ef59011f3f0ddbba6026548a2017352

SHA1
fceabf3454b1f6b146574b57f1c44a98b963a5e3

SHA256
1556a1ebf558c4f75366a6fd03ec967f9275a1e7b2f257e38679480481707771

SHA512
b56204d9b5e3387709bd95b1c8d65a2c9487d924f2b2fe28972e0147299e5395b2aeb545bb77e0da4aba2c1d7a6aa34f07fd3096775b801a560ae0bdfe98367c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
5fd5d7de56255486f74457fcef59bbce

SHA1
2fbbff4a192a2ecaddc34aab743b2458d78cdc18

SHA256
0646ccd62b9e7866b62c459ef1f0e746d7bac2bae1de0099faa8e99b990a063a

SHA512
2bbc3b5a0bd63b337c1ce4e2215fa929481e060ace570d4627f3e5d57cbfc2690087b5e209b9a9fbe7f38d8821ee7641f4cafa0c1a89652de94667eb4f0f6766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
063746392c478e1e6799cd20a728a0f6

SHA1
626b0dfec68db75de04c7dbfd20da933f892d009

SHA256
1a145cdfe59cd4879618a381ed243ed147b0f24d97db52bbc3d9d3bbe36e47fc

SHA512
5b934eb7d4f288fca458c33c24ed39d3f2816580f070f137e2a3e2dd38362af18020f52c49f21c154529705086e82468a16276d371fe00430533907764c2de63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
858B

MD5
c5efdf4875bbfcffa42a7527ff3d3462

SHA1
66e3b390e9b3257bdbb4b461b9d29d52e74b8df5

SHA256
0753ab8b93b685d9a1bf9d18643c98f36e09781bb3ad30eb5117b2eac5784735

SHA512
2ef500f57e522108c0ba7cf1181a826282e07d8b76632dad60552a5e861fa41a62b48a5a35dc7ac46b91618b3079ff718390233762334d0deb14c81f28735086

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
c8c2ec7b015b8c56bb9009addc654661

SHA1
f86cabfaee30831bcc01b3e1c21045eb370f9243

SHA256
66bbe325bc7569879fae6f9fb8db36fd1908eed6741e52ac9769b0199f0e9ac2

SHA512
a00d6cb8afab8e5985b95dba92b861ebb3a159356fd367ab429893e3f0c449731cd565c1ad382fdb109bf2b355e1e35f3cc4eb0286008d21a3ef668cecdfee0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ef434fa551af71353114778a366c7b1

SHA1
9b9ee16320e331834745ba818ff8a0d99eb40939

SHA256
ff43dc747c608f1174c787deea41ceabad3c6af910e2b8bb9f066412068364b4

SHA512
350fda1fa2374a4df855421508a89a92f52b755a47bbfbfddea97230a0f80d9504b9aaa873e7ae00a143f7518ffd9c236cb950e214baa03eb5d7d22518d2d0e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ce2b5259b8c015916b1a928ca889dc9

SHA1
d61e3c01fcb50648f2091acf3b798d9dffafb372

SHA256
58746c5f0e013aef1beb981bf385d7d760d1348325a971b915f947234fe45e7b

SHA512
530cea8627048c1aa8749ee6a68ea443bfde1674b3bf677e307cd9d1bfb82d732a190dbbe8271976cfbd7e97ddfd912b182be99a4d6a03671a895fe19c840c41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0862734d6c76f4a6d4c71d464fe9a566

SHA1
aeaa8fbb8359ec8af3b4ee8bd782ee86c6bc9fa9

SHA256
8a7aac1fe725f13ee9b6c974a16f12820e3618bce986c31bef9524cde484adde

SHA512
30accb8e5b3b9c29c4c4ab6088521d0f451bd7e6b7c7da8aa5ca6fa26f3fa5701db3bf55fcda38421dc58a20b46fc3e8a2b3093a024d4317731811b5d94b9af2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2d827443d83c2bfa0bba67e4f085d19e

SHA1
c383f0ae40ac0deb6619eefff5e0dd69a11841f3

SHA256
8cbf75689efdf1d73e5e1c70483b091355bbf12765b7f4cf5f3bca8a3910b22c

SHA512
02ca57a66245ca89fc2838964cac8ac0ef4acd8c3f35cce295268c78d62b104052ee1ada9283f8942201772db137b77d98f0b4dc5d187823d5481f94f671c9ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
400761c3f9857914a05afacfa94e82ff

SHA1
c243587ec4996a930a488232196b63335ef08dd7

SHA256
b7c8a876a6e50fa072d98880620aac2fe168ccbde64e115e837d79ebb3a845b6

SHA512
5fe0d723ffa744d932a98ed1e5bbb1efc9b4d138e8e3fb77920f102d41f48478ac9c7e434256cb80909893d64a9b97ca25a8c2932aa32c68713bdebf851dc4e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f2761acf2eda5bc9bca462a3d75aac71

SHA1
e4b88f17d4ba40a8f3151960b0dff7b192912f06

SHA256
0dce86a8bffa34a90f28074cc7dddfaee1d66ef91c8d49f892feae8d77307061

SHA512
4ea1bdf08d98ee64e4ef9a68ab899e92796d44160bd02d7c6a89020c66527822dee1c4fd8aa7308fd3a911ddfdf6d2461d782beda4303f6e02a2ce3b2550a0ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e92a0cd641df9b11d776db24caa0f20f

SHA1
af59ef3455b8112849197188e844fd91b3442ea3

SHA256
e06387d66267eca5305b7c07144083d1533f1edaf789cc38fd15616668588c8b

SHA512
211b523f93ff88d42a2d548e040c51a359c6350538aee77eaf73c1012df5dec286bdc1a9a1ce6ea6fdae8f396a7675cb89e6dc26602e95ea18c329172b143ba6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9270cb03d1b03f14d76e0c441266979e

SHA1
82d9ae5597d16cdc309abc5cda71eb00a7334400

SHA256
3c6350bd775033ff7ca075f4df126d0fa6db977f6f8c6374b920592660c1a773

SHA512
85a045de1f6121a5a2fbad22fa4ba7e6caa74fb6c254bd50f661c584246bb060cfba8bc085ea4bc61b538001ca7fc0f0670890af40c2cecd77ab1a3d142f5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13367842500376299

Filesize
15KB

MD5
46b22f02666dbfa77930fa0996a2d426

SHA1
b23f9fbd4c1c1cc09b5a14f778b55ad6dcfcf6c1

SHA256
4dceffd7f18ebba54283993e00f87eac16c6e146121430e1db5d6cc5b7b9dcbb

SHA512
dc2d0045335481dce7cfd2200543b077284b56b206070cf4c79d514296fe6a44e0037f55e08eb98050ec2ae97f613d960f6f094e6f6fa8206ba80c10e25ea0bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
083cc1530b43effa7e47ccabd2bc2c48

SHA1
5fb4a5c01acc30b4050fb390c53b01358811fb36

SHA256
48bd1104aae32ec3f2ac0b219b8eba51450fbe99a6bbaf6715e7be40eb452eea

SHA512
edd4248f9fe4d8230fee64409f96cf623c976860d60a51a2ba4567286a6bc201a3f870ef8ba8451777d275244502f747a5bed05a5ae4c42874dc99afda16e2da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
7d89286215f3061e7eefe107e23cbcb8

SHA1
e01872db90c9c65e57cc1a43232ad95dc4e3f6e2

SHA256
a035b668ba21452a697d41247840d12abbc7553a88e07166d2504d26392370c7

SHA512
ceb301a26c605d1218acb48298e367c66812a80fd3f96cc3b9d94d5f0070c2a455cf68a093491cd529672e302c05dddbebdc52363c65bc06cf8d93b6c649c941

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
cfe92933758b18c03db0b93d1daa43c8

SHA1
19a282c4b191ce634cb8c46d302681b6c3fba824

SHA256
b385703a0f6f32f4fa27add255aee8ea9e358d93e6724a659e932e1cfe51ed7e

SHA512
a61ce37202cda61201a29ed1d57c71ba33c7112b7097ed2fd3dfd7681015fa5a49eaec604516a5b5ac19a4c40906e6d5d0f0e037e91182c512d44a9ec7d43db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5469919d9bbf8dab6ccc48fbb63ba7e9

SHA1
136454401619b68123d3757a0d7025900898f44b

SHA256
b8bb3b7fbc04166bad95cc678c36cdaa002f9c9b775a3ec23d87139c2144c756

SHA512
91fbe58f5bf6815995209f1ba499522a461e5a8b415d5f808fb3e856d9db504d0a46b45827baca39c3e621110209099973f2835ee9f983427172d179c5a3418b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
615ab370a95984f32b9cd62cf898eadf

SHA1
3b98658670a0991100e3f753d55c5768c6dfed54

SHA256
b6da886358fa6019d502b83be73a559ceadddc0e321e02f8d04cc4984ee101c2

SHA512
277afc06921c8282a86f479dac8cbf690836b578b03b1acfe5200778b9e082a6513af7dd1dffe8fbaebf64583d49a05e0ff276c78cd40db709a3a2eb5006f9ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aaaa3076fe1205a251ffa8f6d2b784af

SHA1
d592eadeda391ed86db45c644a4cf83bef932cca

SHA256
415aa8b635440e4750ee860d42ff13f21a87cf0964cc58c66e95d0115e279531

SHA512
8dc54545dae082e12e8d3fb38479a424d8e7ead7a8dc9b51348a4fd6e39288cecc080ffa6a1be0687a27d4503cebec1c5848ed65c1148acc2b3512adc14f6c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c562f55d24a456ea5b8f40f5e72dcea

SHA1
20f11aa3b7bc76fe194fc3a1c258f386c34f96f9

SHA256
7f044e02e90d0944c3c74e2d489c825814aa8ef24e854bcfc44e7ac3c70620ce

SHA512
531f2b02eb910a7d09c03edc51dc0578e9bf884c665bbf51b99119a60f23c58a8365b455564c6827712b4c8c46765c31a3c8ddd2957f6676afd8d7bb796bff18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
06d81c050b9d111e89cd09a9d927671d

SHA1
f7898cb132983fc08ee03f31210934211806ea5c

SHA256
c0c0c7fe3c0521b20e9c6185ce95da0d847e57552435aa66b93607f5552922ce

SHA512
c59b601546ea5de24db3f0ea117c57a1df08b5e0b2fdfbe85ec4a9f053999300f4e25177ab8787ec01ff63130e0de5d8ae54776b21f45e17a40b0801fe78183e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1393c4666d8fd837e36cabe1f2d33447

SHA1
00f4f1adefde0ba817b5230d48fd79ef53f7af62

SHA256
e11f10325df5bc99f0e7780ee077778b399b74bd72486efd0f60c167dde4e241

SHA512
8af631e8af15a9bc10e6688d36dd02241b08dc930f83a6ab372476e821dba2e8074f03c2507a16270c98fe609ce28e41180264c7a6614a09e2ac3389b6e94b13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dc5b75ed2849e79ddedb0d2fc6689b4d

SHA1
0b874fde9e40238f04ffbcea69f8c82421b0d8d2

SHA256
2a5392e0b33fd5b476050976ad344c90178b0e53376d73c9d91462f63d8a6422

SHA512
bfe4d2faba32f96efcc8fd73e129dcb614b41fc998832f70ab918bf05cdd4f5a8558b389a397fe049232ba02b8a40f338bdcaf88b040c4153b4e6387a6df5fa0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
289609c72f5a60c393f917aa8e824525

SHA1
9b56ffdac59d227e4ae8219a2b06928f4f16604b

SHA256
92c5e806610d9b9c8543dfb3d6c8da76cac6d6101cdbb3c2add5befbb4d49cb2

SHA512
1de6531e5ba0da9991a74e0ceb1c7e4c20a7707f57aa04a084b7d5ffe891325dc4139ddf705267206ae8f87801128ac8d7e8f9ad08147c4c4770227e99d79132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4f614510b1a76de5b6e2ff3a192b2eb3

SHA1
2d46141355e375ae288a5dfec023308b8cc94750

SHA256
f9e73c21b371f0db8013da52dbd5c5d95af91f29ae4005a550f7b036c92bfb4f

SHA512
c4e0a6ccd7f072e1cb806009419c4d4f6619f93c69ea60253ca789dde32fd0f974efc65430add97d8b106102468ecc276787f21ccbe8ced7ce6bcb277031a836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64ae4676b0910d14a6d6f21d36fdbfcf

SHA1
7a8b69ba232f99311cc619c17d6e95ede2ac99ba

SHA256
2364ceb7512fdd97be6816736de6c48aa3d5cf06bba19d54402572f26cb3c0dc

SHA512
242468988a5b0f3b6425eafb2290850ee274a7a763c49818dd2fb81bae67d18c83e81e0a9f7de0f66bdc13fec55e732fc2421f743061ce7d3d49fd1cd33272cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac04e6337d1e95fcc8aaf0ec6ee2eef5

SHA1
a4d0da76c5823d2616477d1c1da50b67c5079f43

SHA256
c8a9ab5f58eb59983ab839231f8917ee50ebd09f12381a2f1a1caeceb283cb24

SHA512
6ee3d40340dc2a3ff790292343fea73c9864ba95a26dad4e2913c772e499d413f0eb1f9662c0e7b698b23c0b0449a337910b5bff6df7b365b1bd02ba5b86de57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6444fbf3c34706ccfb76c347bc1870c5

SHA1
b4b94c1d548945a825e32eea6141d13c3575e915

SHA256
3c233c4b3adb8efc472af39da25aa734ba2fb392e08c1685bc320d30c52f3011

SHA512
fb7962d46b2d0a5b6118218d6ae60840121404f69c2e27fdb3236e86b0543d0a2978511e355d1f62740e1c4c53a495242af9bc0213c6870bd4cddb8904b1bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e9dabe5d747f5a2ddefd3a472545d6d9

SHA1
5ca031b9fde36d1c91eeba61dc8d2bd111447ce5

SHA256
7f9872f9bedc5d68008f8257b4fbd6a36cd323ac3fc39cc973165d7340e76cd7

SHA512
5ef9d3a935df265f4b87b800ebfd07a4fb7763836de9ba43d1fe727853c2424cb05f00c31ce47faeb17ffee91a6b7286eb634e48df47c1a616ca001ec46f4bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
279a67fb2f4a3052c6337f748d6b8c99

SHA1
9b8edd790b11061fa510a467720e96c1b059324e

SHA256
91a683a75b36673623cf2ef46ba32ea3eec88a649a06dc5ee6937a5088534ee7

SHA512
3ae6de93f5bcf6e2fac87e0ece55516b9eb10b07c63e6ab0d4dc2400b3098f949ca4e36a5aea50767f45df176bc7a03a04a2fd8ffbe0e1be6d1b79db93ea4563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5a413e675b50042da2162f05b83021e0

SHA1
094aa52a4b1cf1b4e0075a281bc711511e69b61f

SHA256
9b340f5a794fc6be47bf17333f9105e3ced63039b1538605804a4cbd8091ac40

SHA512
2efcf69b093383952f6e3fc889d9d7dc90e0c55ac62ce46d73fcac46eec25cbc667c5a1c6788f23c1ceb249ce5a9838a60ded8e211fef4ffd20be4f9a4ad1c08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
fcfc6e997b193889ab3db5594c7cab57

SHA1
39c559c476c9bfd0c700728892b08f782725aec1

SHA256
a3ab5550fcb43ca3fe775a32ca04a9c54fc9973f44923890b84a15d200120bab

SHA512
b066614040482c673692a369ad5d9c300a136c909a3faa97af275272caa077cec324f2a07b79acb32da20a4a268fbdeda2a840f62f1234672269b739580d497a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dfdc782ed42ddb7375884765fc74ce08

SHA1
7689114b14b18d4cd488772ae2138b0c87404f8a

SHA256
50431a71b94f91494923f3583430b2a25f8d7cb94ad7b1262b99d899ca444c09

SHA512
39a92d5d138aa9d0d9396ebf8dca6d0e8e1ad0c819c48b029db1f77692d69fc382ac7c95b94015d835af5fe5eb2651a9803e76e2b1b6bfaebe8d3ae15080ef6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57db0e.TMP

Filesize
706B

MD5
3b01613f914771b40ea591b27293f272

SHA1
320a8460190334c516e49494d982a2d1539242e9

SHA256
d024f3997eda2c62e20ba12c4c1cf3e5fdfe8d955b4d44d52326b385be3a1f97

SHA512
b805cb453e5ad44991d9a8c5260ff8b9cd72126b6d1c2c1e85040b4b30eaa50285a85e8a5b6b2122fc4449d6941aa6b3778d4072b322519e0d55d3bb2a81005a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7dc140cc24e2eeb5e2ca736b40145f79

SHA1
6ad2323fa19efbc68c64557475b38a449a3b3e93

SHA256
ccb0abbf8670ce6a7695ef537bddbe65e259d892a7bb5c026157799a643e8717

SHA512
3ae68f6b5409421d0386f5ab3174e36e057cc8fb314d8b6e09a91a4387b5251e00aef1cb17f7bcc943885dbae6d64ccfe47f0aa2ea50837149cffe49726d53b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bd910af8a6183ca9c749ef50b5297d23

SHA1
a221a8cde2558fd93d2c708cd0d58f79d6e05e27

SHA256
744232c92e98119038a11a94211b238b1261376654a9540b533b7976dbc4b597

SHA512
9f5a2c16079a59c412ba85b02d685dac809eeda0e57fdc0745d7f8a54fcd03200dc643c7dc4a31974eaa1a9d0243786e4cc3ae1bf967afa4171ac2cf587d43a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6289d9e5e4e6b37ca2e216020a8947f

SHA1
02990b2a32a2c8b6799a3e00cb947df5199dee08

SHA256
7314a157e5109ce7e20bb35f91183e74e46d8292aca3f03b052cb83425f58753

SHA512
0f4a2e8793c5f5f4d20b1549cfcc2b851d90d0d6b57b18c26be97a0dc22d99d32e0c15ee224d9def1ea7222008bbe4a11872a50ff7b87a13a1192ce256b78698

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bdc5371f7b46ded3398c32272a5c23c9

SHA1
fdca6db8ad516f21322b7da491bcf22cd628dd88

SHA256
be6bb7e33e882afdc9fc1ccf9a19f0aa407a4e671e69dfa863143558d363b4d5

SHA512
9b291bc8e51463f2fe78ac863bacc2202fc609cdbca94892e77151a5f1f67e0c54e49e6313d9ab8a05f105bdcc8e0d2c844cacd9607d01e3dd0ee8f24d903915

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7698af2527dd21971ec949e6c0eac5dc

SHA1
b62eef57feacf5720d591c33a9c131ef6108255e

SHA256
a0455cdb305cd53bcb24775ff0e64e804a210329ebd5822fb012bf38eba4e075

SHA512
fbe29b9ba218f1eab3af3cbcf218194942c70f03ce1c64ff8575c1da1ada5d42d378f60eb3a297c985b2f3b58a17fb0662cf5d6fc94fcb29dce2f69126259341

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8c02929d0b687977ea82812c90b7d311

SHA1
09985f975f8d10c68f2c16be18384dc454d656da

SHA256
8fe618ee346dc2147cbebb67c6953811b8ca38a48529518804fcbbe3323ac915

SHA512
96df7439e53ebba00530e26af3e8c8e91a76bcfda765f2df485f3a30d90a3e56fbfa54ac236e19f936277f8b5fcbc6dd2d98990c8d4604a330de4a5dd9b71c45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
75074ddce23bcc096724bacc2bffe576

SHA1
6355129c3a01d2320b2ed6c3d84cef4db4a81cbb

SHA256
e36ca060b7a56e4ba6ee8ac3d29f58e0eeb9eccecff48148445867846e9fb055

SHA512
ea040e1c5473c2fac367f523cfb049f1c8a8e9c7795f5c8d7d2ec41396bb9b7635374620237ce1a914a5bf8d8fa1556009cc2ec39fb3b2f5bf9c31138ed473c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a45244533244cf15453a80bc460df58e

SHA1
ef0d1c86f1c09b9c29d72d5f5691b6820c938067

SHA256
c1f4f3b8e06bf6f12700b134c84ec33d8179d09b117685826232ab139ab86aae

SHA512
158e1442278049f82a96c419caaea6e418f491b0304d91ad68d5de67be7fd99747b554a099d88e7aca7a771dcf4372b903223e39c8fc731a2266c08ef77a6946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
510e185b4212d871092d87c2627840e7

SHA1
571646604c87e7b93f5f8a4880060357795f19d7

SHA256
94797b0511b8e11ddc42655de8289c95b4f25d334e18d39eed25c22fb69bf3cb

SHA512
ba8c7fc26cd6b8d4611e42b273cb089bda746ff658dfa76f885d4699937ec595415d06bbd3123eb5e3f8e5856fb35fb17266940cc54e5035f0da1a173b7ac201

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1d20f00b0c575bf2bce0dbeab461b693

SHA1
63e05358ecc137fb6f4720ae96d4b81e02b23f8e

SHA256
7ffceb9c492ff2d3c718d0d8926c469ce9c26ea70298d8309f39c1e24fbd1c47

SHA512
839c6810bb24f2cd0f68978fb848994d9bff39315023cb3af8b099e730a690690ddcc13416f91530d0adbd1d9f8e27dae044dac0dffe526a01c5525419716145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
db92b8350de90af59196eaaad15beef5

SHA1
42ca1eb15d473d1401128b21bd954bc510445814

SHA256
15e31343deb73311eca71eac02bed5f41812c530d689791cc5fadf5b088f44ba

SHA512
d9de8d6a52061e6d3abaae3e87d1727d438388238cea260df1b934c50f3c80a2e3aad4a40a75eff95e3d71690d6449d8c933af81e2c59994590f617c03ccb0d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
e0f51ff504ab6ca58a3924046f39ac83

SHA1
f30ba01ea815ad1dded60fec62935e33761e8934

SHA256
1dec46ba0d8c6564e1ec5ff71f05a7958f9b3eda7629fc18b064262f7285e019

SHA512
27089966337ce1fa86396f248b7b952a8228dd272e9601deffcb7e8398da40c56c07397a8fc2dfcf0556517b2be8a67f27683411b6bee88ec92ed76f2fe2b64b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2d95338a952aec6fce3d3d7e7f43b52e

SHA1
d769cdc0e0b49e502e141b0a6b6b47ff36e901b6

SHA256
3a420eee663a2a6276ee99cc25323543e4de6367f1f471e2a948760b779f7f11

SHA512
b2298cb94b8de411bfa43e72cea1355c33143b9ce91d974ce94a90cd23f4b563bb9dcf01e04399e9cd095addbc93642d3a5167161e4b4195b326b74664f536de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
576KB

MD5
fa1716dbbda2e591decb09d6ee3e23aa

SHA1
3db8b0eea5fb8b4be598957f36ecd5ad36f94ac5

SHA256
233e05d531b2320af52de13c93d0165b355c40b74d41299a1c9e29f1082034c9

SHA512
2a1d7f99674f77333ad7cfa89cbbe940a578ebc1116435867d86c8427f3caf1743dc7f05f667b5b9f048d517d79743ea12ef49bea55a560763bd5cbfd5646dad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsUpdate.exe

Filesize
21KB

MD5
fec89e9d2784b4c015fed6f5ae558e08

SHA1
581fd9fb59bd42fbe7bd065cf0e6ff6d4d0daba2

SHA256
489f2546a4ad1e0e0147d1ca2fd8801785689f67fb850171ccbaa6306a152065

SHA512
e3bbf89cc0a955a2819455137e540952c55f417732a596ef314a46d5312b3bed644ac7595f75d3639ebc30e85f0f210dba0ef5b013d1b83bafd2c17a9d685a24

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_egztsqmh.d5n.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ChilledWindows.zip

Filesize
4.2MB

MD5
5806c691583167135665b6aac348d3b8

SHA1
34d14feafac0946097fbbc03e3be2b235392587d

SHA256
00cf66b0bab94b1ae74d534160a801315df8a7efea764cda906af49f99be54e9

SHA512
dbcda2362ba5aaba904087a512e3423e2356f0e824e4bd4de99f277316afb32e03d6f8ea109d4d046ba9f14fc32f21a5d80cceb982fbce529c6f15abd7c6fa7c

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack.zip

Filesize
20KB

MD5
a7bcca47b5413eb92250a45f86d1ab75

SHA1
915ad4c18ae188da9ab338ced6862c4efb670091

SHA256
b7f82523253c3a1f18de5c649a96132820d89274cdf7a8c5cd3f47a79e76ed39

SHA512
4a666fe25bbaf41ff217a07bdd19fd9e2f57dba228511d9ae92d3ee75adaeb952fd91d4d4472e0c73babfb86806d54ddbe3d603ae124545b89ebdf570db19d87

Download Submit
C:\Users\Admin\Downloads\CookieClickerHack\[email protected]

Filesize
68KB

MD5
bc1e7d033a999c4fd006109c24599f4d

SHA1
b927f0fc4a4232a023312198b33272e1a6d79cec

SHA256
13adae722719839af8102f98730f3af1c5a56b58069bfce8995acd2123628401

SHA512
f5d9b8c1fd9239894ec9c075542bff0bcef79871f31038e627ae257b8c1db9070f4d124448a78e60ccc8bc12f138102a54825e9d7647cd34832984c7c24a6276

Download Submit
C:\Users\Admin\Downloads\DesktopBoom.zip

Filesize
513KB

MD5
14e716c9e9a4e370ccafbfbba4c657ca

SHA1
0aef4c04766d1a39925917e46fc011ddf36786fb

SHA256
666bdf8c339fc5f924f4d31e1ed57e6ce3f63c487cfb218a9b4d7a087938d5d7

SHA512
3ab23f8dc84b39e8444d3b85ecf0e1b882786dd17578e0fed34d43994506101e6034f5e95f6e88b494c989f40ecb3052ec695adbb457662c1864d97c9255eace

Download Submit
C:\Users\Admin\Downloads\[email protected]

Filesize
4.4MB

MD5
6a4853cd0584dc90067e15afb43c4962

SHA1
ae59bbb123e98dc8379d08887f83d7e52b1b47fc

SHA256
ccb9502bf8ba5becf8b758ca04a5625c30b79e2d10d2677cc43ae4253e1288ec

SHA512
feb223e0de9bd64e32dc4f3227e175b58196b5e614bca8c2df0bbca2442a564e39d66bcd465154149dc7ebbd3e1ca644ed09d9a9174b52236c76e7388cb9d996

Download Submit
C:\Users\Admin\Downloads\[email protected]

Filesize
1.1MB

MD5
f0a661d33aac3a3ce0c38c89bec52f89

SHA1
709d6465793675208f22f779f9e070ed31d81e61

SHA256
c20e78ce9028299d566684d35b1230d055e5ea0e9b94d0aff58f650e0468778a

SHA512
57cdb3c38f2e90d03e6dc1f9d8d1131d40d3919f390bb1783343c82465461319e70483dc3cd3efdbd9a62dfc88d74fc706f05d760ffd8506b16fd7686e414443

Download Submit
C:\Users\Admin\Downloads\[email protected]

Filesize
373KB

MD5
9c3e9e30d51489a891513e8a14d931e4

SHA1
4e5a5898389eef8f464dee04a74f3b5c217b7176

SHA256
f8f7b5f20ca57c61df6dc8ff49f2f5f90276a378ec17397249fdc099a6e1dcd8

SHA512
bf45677b7dd6c67ad350ec6ecad5bc3f04dea179fae0ff0a695c69f7de919476dd7a69c25b04c8530a35119e4933f4a8c327ed6dcef892b1114dfd7e494a19a7

Download Submit
C:\Users\Admin\Downloads\[email protected]

Filesize
760KB

MD5
515198a8dfa7825f746d5921a4bc4db9

SHA1
e1da0b7f046886c1c4ff6993f7f98ee9a1bc90ae

SHA256
0fda176b199295f72fafc3bc25cefa27fa44ed7712c3a24ca2409217e430436d

SHA512
9e47037fe40b79ebf056a9c6279e318d85da9cd7e633230129d77a1b8637ecbafc60be38dd21ca9077ebfcb9260d87ff7fcc85b8699b3135148fe956972de3e8

Download Submit
C:\Users\Admin\Downloads\Fantom.zip

Filesize
198KB

MD5
3500896b86e96031cf27527cb2bbce40

SHA1
77ad023a9ea211fa01413ecd3033773698168a9c

SHA256
7b8e6ac4d63a4d8515200807fbd3a2bd46ac77df64300e5f19508af0d54d2be6

SHA512
3aaeeb40471a639619a6022d8cfc308ee5898e7ce0646b36dd21c3946feb3476b51ed8dfdf92e836d77c8e8f7214129c3283ad05c3d868e1027cb8ce8aa01884

Download Submit
C:\Users\Admin\Downloads\Popup.zip

Filesize
364KB

MD5
fceafeb5366fde06752d7249463fbdef

SHA1
4a4663496aa3a84ed23df76cd1ad6b6582c7130c

SHA256
dbe313c710acfb75149045d93887aaae8b62cf8932951baa82b2a995fcf6fefa

SHA512
de03e23d7594730b42897c0afaacaddaa181334efad4a35fb7df21fa0d25e834b391b20ab4e612a4a17a1b0c54a1e33d9be3d1efed4170a86de81eb67ff98f93

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\Downloads\WindowsUpdate.zip

Filesize
603KB

MD5
d39389492bab27ae228b7bf147167ecf

SHA1
652a4ab9f09826964925f69b951813c29ba0f7d6

SHA256
1c7476c3a7a83ae1afb6b7c00a34c0e117bd31fa4ffd7b0f890e0c90587a95a8

SHA512
d731cacb28e6982667efde3b161fb02ed87609cddabca5552bb59de3eec6f51f7041bfba99a0d1dc52d4fb5c943b5042395983104953ba4370b6eb4c93f60ebe

Download Submit
C:\Users\Admin\Downloads\chilledwindows.mp4

Filesize
3.6MB

MD5
698ddcaec1edcf1245807627884edf9c

SHA1
c7fcbeaa2aadffaf807c096c51fb14c47003ac20

SHA256
cde975f975d21edb2e5faa505205ab8a2c5a565ba1ff8585d1f0e372b2a1d78b

SHA512
a2c326f0c653edcd613a3cefc8d82006e843e69afc787c870aa1b9686a20d79e5ab4e9e60b04d1970f07d88318588c1305117810e73ac620afd1fb6511394155

Download Submit
C:\Windows\Temp\SDIAG_d4d26da3-04d0-4660-a746-af0d76df01e0\DiagPackage.dll

Filesize
65KB

MD5
79134a74dd0f019af67d9498192f5652

SHA1
90235b521e92e600d189d75f7f733c4bda02c027

SHA256
9d6e3ed51893661dfe5a98557f5e7e255bbe223e3403a42aa44ea563098c947e

SHA512
1627d3abe3a54478c131f664f43c8e91dc5d2f2f7ddc049bc30dfa065eee329ed93edd73c9b93cf07bed997f43d58842333b3678e61aceac391fbe171d8461a3

Download Submit
C:\Windows\Temp\SDIAG_d4d26da3-04d0-4660-a746-af0d76df01e0\en-US\DiagPackage.dll.mui

Filesize
10KB

MD5
d7309f9b759ccb83b676420b4bde0182

SHA1
641ad24a420e2774a75168aaf1e990fca240e348

SHA256
51d06affd4db0e4b37d35d0e85b8209d5fab741904e8d03df1a27a0be102324f

SHA512
7284f2d48e1747bbc97a1dab91fb57ff659ed9a05b3fa78a7def733e809c15834c15912102f03a81019261431e9ed3c110fd96539c9628c55653e7ac21d8478d

Download Submit
memory/2312-2064-0x0000000006170000-0x000000000617E000-memory.dmp

Filesize
56KB

Download
memory/2312-1420-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/2312-1418-0x0000000004C50000-0x00000000051F4000-memory.dmp

Filesize
5.6MB

Download
memory/2312-1293-0x0000000002590000-0x00000000025C2000-memory.dmp

Filesize
200KB

Download
memory/2312-1292-0x0000000002410000-0x0000000002442000-memory.dmp

Filesize
200KB

Download
memory/2312-1419-0x0000000004B30000-0x0000000004BC2000-memory.dmp

Filesize
584KB

Download
memory/3284-652-0x000000001BD10000-0x000000001BD18000-memory.dmp

Filesize
32KB

Download
memory/3284-653-0x000000001BFD0000-0x000000001C01C000-memory.dmp

Filesize
304KB

Download
memory/3284-651-0x000000001BE70000-0x000000001BF0C000-memory.dmp

Filesize
624KB

Download
memory/3284-649-0x000000001B2A0000-0x000000001B346000-memory.dmp

Filesize
664KB

Download
memory/3284-650-0x000000001B840000-0x000000001BD0E000-memory.dmp

Filesize
4.8MB

Download
memory/3464-1725-0x000001EC5C280000-0x000001EC5C2A2000-memory.dmp

Filesize
136KB

Download
memory/3464-1742-0x000001EC5C5D0000-0x000001EC5C5D8000-memory.dmp

Filesize
32KB

Download
memory/3464-1760-0x000001EC5C640000-0x000001EC5C648000-memory.dmp

Filesize
32KB

Download
memory/3464-1751-0x000001EC5C5E0000-0x000001EC5C5E8000-memory.dmp

Filesize
32KB

Download
memory/4076-505-0x00000000211E0000-0x00000000211EE000-memory.dmp

Filesize
56KB

Download
memory/4076-504-0x0000000021210000-0x0000000021248000-memory.dmp

Filesize
224KB

Download
memory/4076-503-0x0000000021160000-0x0000000021168000-memory.dmp

Filesize
32KB

Download
memory/4076-491-0x0000000000450000-0x00000000008B4000-memory.dmp

Filesize
4.4MB

Download
memory/4088-583-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4088-601-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4088-1200-0x0000000000400000-0x00000000006BC000-memory.dmp

Filesize
2.7MB

Download
memory/4280-1194-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1189-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1187-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1188-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1199-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1198-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1197-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1196-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1195-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4280-1193-0x0000018B2CCA0000-0x0000018B2CCA1000-memory.dmp

Filesize
4KB

Download
memory/4864-415-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-427-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-950-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-411-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-412-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-414-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-581-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-416-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-902-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-558-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-562-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-767-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/4864-900-0x0000000000400000-0x00000000004DF000-memory.dmp

Filesize
892KB

Download
memory/5476-1939-0x0000000002660000-0x0000000002692000-memory.dmp

Filesize
200KB

Download
memory/6060-2074-0x0000000000320000-0x000000000032C000-memory.dmp

Filesize
48KB

Download