blackcat | 019bcd286332c9c6f6c1591a3199cbb535c941c942d1a41be848264792731f95

Analysis

max time kernel
1195s
max time network
1202s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
23-09-2024 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

__monero_chan_monero_drawn_by_freerun79__sample-c27ac21e4c771729d224f96a865a76e0.jpg
Size

306KB
MD5

b4c10bd4dd5d40369ac98bc68f9b3de6
SHA1

1af7ece19cf5a4e769393a12b7a58f8d0e77a465
SHA256

019bcd286332c9c6f6c1591a3199cbb535c941c942d1a41be848264792731f95
SHA512

f667ea52dda31c71853e7fdfde662cc1d5b393ac8ab0a6151405b23c8ed3235af77d9e20dbe8e8a39ce8831a4ff1708b8e98a556d3ac426d016dd5817cf2f04e
SSDEEP

6144:MdR+WYCz+sFopT//HqK/sjOKqXrQwZ3oAG8SsubPBztiNndSOiOf:MdRetXxJ0krpZ3RG8buDBwNnAi

Score

10^/10

blackcat cryptolocker troldesh wannacry bootkit defense_evasion discovery evasion execution impact persistence ransomware spyware stealer trojan upx worm

Malware Config

Extracted

Family

blackcat

Attributes

enable_network_discovery
true
enable_self_propagation
true
enable_set_wallpaper
true
extension
cvz8n37
note_file_name
RECOVER-${EXTENSION}-FILES.txt
note_full_text
>> What happened? Important files on your network was ENCRYPTED and now they have "${EXTENSION}" extension. In order to recover your files you need to follow instructions below. >> Sensitive Data Sensitive data on your network was DOWNLOADED. If you DON'T WANT your sensitive data to be PUBLISHED you have to act quickly. Data includes: - Employees personal data, CVs, DL, SSN. - Complete network map including credentials for local and remote services. - Private financial information including: clients data, bills, budgets, annual reports, bank statements. - Manufacturing documents including: datagrams, schemas, drawings in solidworks format - And more... >> CAUTION DO NOT MODIFY ENCRYPTED FILES YOURSELF. DO NOT USE THIRD PARTY SOFTWARE TO RESTORE YOUR DATA. YOU MAY DAMAGE YOUR FILES, IT WILL RESULT IN PERMANENT DATA LOSS. >> What should I do next? 1) Download and install Tor Browser from: https://torproject.org/ 2) Navigate to: http://gbxbwicx3x35kn7n73opnpp4kkzjcra42iv2akoo2dcjinf6jf6qbuyd.onion/?access-key=${ACCESS_KEY}

rsa_pubkey.plain

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

BlackCat
A Rust-based ransomware sold as RaaS first seen in late 2021.
ransomware blackcat
CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker

Modifies visibility of file extensions in Explorer 2 TTPs 35 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	reg.exe

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh

UAC bypass 3 TTPs 35 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB8C4.tmp	WannaCry.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2d3ee778.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB48A.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDB4A0.tmp	WannaCrypt0r.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDB8BE.tmp	WannaCry.exe

Executes dropped EXE 64 IoCs

pid	Process
2088	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
1696	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
2724	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
2244	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
3212	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
2064	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
720	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
4548	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
3076	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
924	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
4744	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
224	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
4940	3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
4564	NoMoreRansom.exe
1012	CryptoWall.exe
2656	NotPetya.exe
3924	CA80.tmp
3140	Satana.exe
1988	Satana.exe
476	CryptoLocker.exe
780	{34184A33-0407-212E-3320-09040709E2C2}.exe
4528	{34184A33-0407-212E-3320-09040709E2C2}.exe
728	WannaCrypt0r.exe
764	taskdl.exe
760	@[email protected]
4636	@[email protected]
2820	taskhsvc.exe
2532	taskdl.exe
4872	taskse.exe
4840	@[email protected]
2368	ViraLock.exe
436	vyQUIUck.exe
2856	jiIkIYQc.exe
5204	ViraLock.exe
5412	ViraLock.exe
5712	ViraLock.exe
5244	ViraLock.exe
5160	ViraLock.exe
5936	ViraLock.exe
5868	ViraLock.exe
6080	ViraLock.exe
3840	ViraLock.exe
5968	ViraLock.exe
5668	ViraLock.exe
5760	ViraLock.exe
5652	ViraLock.exe
5596	ViraLock.exe
5152	ViraLock.exe
5632	ViraLock.exe
6032	ViraLock.exe
5456	ViraLock.exe
6092	ViraLock.exe
5424	ViraLock.exe
2968	ViraLock.exe
2156	ViraLock.exe
2368	ViraLock.exe
2848	ViraLock.exe
5392	ViraLock.exe
2968	ViraLock.exe
6112	ViraLock.exe
3784	ViraLock.exe
2052	ViraLock.exe
5384	ViraLock.exe
1808	ViraLock.exe

Loads dropped DLL 8 IoCs

pid	Process
1940	rundll32.exe
2820	taskhsvc.exe
2820	taskhsvc.exe
2820	taskhsvc.exe
2820	taskhsvc.exe
2820	taskhsvc.exe
2820	taskhsvc.exe
2820	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4532	icacls.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*d3ee778 = "C:\\Users\\Admin\\AppData\\Roaming\\2d3ee778.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\xinooffmkqlv074 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d3ee778 = "C:\\Users\\Admin\\AppData\\Roaming\\2d3ee778.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\vyQUIUck.exe = "C:\\Users\\Admin\\rKQIwAYQ\\vyQUIUck.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jiIkIYQc.exe = "C:\\ProgramData\\TewgwIAA\\jiIkIYQc.exe"	ViraLock.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\jiIkIYQc.exe = "C:\\ProgramData\\TewgwIAA\\jiIkIYQc.exe"	jiIkIYQc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\vyQUIUck.exe = "C:\\Users\\Admin\\rKQIwAYQ\\vyQUIUck.exe"	vyQUIUck.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	NoMoreRansom.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\Run\2d3ee77 = "C:\\2d3ee778\\2d3ee778.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*d3ee77 = "C:\\2d3ee778\\2d3ee778.exe"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
135	raw.githubusercontent.com
210	raw.githubusercontent.com
273	raw.githubusercontent.com
8	raw.githubusercontent.com
32	camo.githubusercontent.com
211	raw.githubusercontent.com
246	raw.githubusercontent.com
247	raw.githubusercontent.com
272	raw.githubusercontent.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
137	ip-addr.es
275	ip-addr.es
384	ip-addr.es
529	ip-addr.es

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	rundll32.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCrypt0r.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3140 set thread context of 1988	3140	Satana.exe	307

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/4564-4284-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4285-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4288-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4286-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4411-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4451-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4497-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4516-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4546-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4579-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4608-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4647-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4671-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4719-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4751-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4819-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/4564-4850-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmti.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\1033\FPEXT.MSG	rundll32.exe
File opened for modification	C:\Program Files\SearchLock.asp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Complex Machine.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\javafx-src.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Windows\SHELLNEW\EXCEL12.XLSX	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.c	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jni_md.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jawt.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgePackages.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Sign White Paper.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Bus Schedule.pdf	rundll32.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrome.7z	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jvmticmlr.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\classfile_constants.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCalls.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.PPT	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jni.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\jawt_md.h	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFSigQFormalRep.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileAcrobatCard_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\HomeBanner_Dark.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Welcome.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\jdwpTransport.h	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\bridge\AccessBridgeCallbacks.h	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.PPT	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\StandardBusiness.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\Words.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\MobileScanCard_Light.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Acrobat Pro DC.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\Adobe Cloud Services.pdf	rundll32.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip	rundll32.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPP.VBS	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\ENUtxt.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\java.settings.cfg	rundll32.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\dllhost.dat	rundll32.exe
File created	C:\Windows\perfc.dat	NotPetya.exe
File opened for modification	C:\Windows\perfc.dat	rundll32.exe
File created	C:\Windows\perfc	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 9 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Satana.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2560	1988	WerFault.exe	307

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vyQUIUck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Satana.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ViraLock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
5200	taskkill.exe
1492	taskkill.exe
5144	taskkill.exe
5128	taskkill.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{212BCF29-0DC0-4350-A4A0-6FB096C06756}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{717AF03A-A893-4BFD-876E-E483DF14D74A}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{08FE2DAD-E5C9-447B-B18C-7A2A9081A01B}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1287768749-810021449-2672985988-1000\{6705A5D3-8FCB-49F3-A2D9-8A2580EE37E6}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1287768749-810021449-2672985988-1000_Classes\Local Settings	msedge.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
5892	reg.exe
5740	reg.exe
5232	reg.exe
6052	reg.exe
5200	reg.exe
5304	reg.exe
5732	reg.exe
5380	reg.exe
5788	reg.exe
856	reg.exe
800	reg.exe
5260	reg.exe
6104	reg.exe
5716	reg.exe
6036	reg.exe
2052	reg.exe
4960	reg.exe
3892	reg.exe
5768	reg.exe
5568	reg.exe
6052	reg.exe
4384	reg.exe
3144	reg.exe
4148	reg.exe
5432	reg.exe
3868	reg.exe
5560	reg.exe
3416	reg.exe
6108	reg.exe
5444	reg.exe
2680	reg.exe
5136	reg.exe
856	reg.exe
5724	reg.exe
6024	reg.exe
1600	reg.exe
2872	reg.exe
5416	reg.exe
5228	reg.exe
1608	reg.exe
5992	reg.exe
6104	reg.exe
5852	reg.exe
880	reg.exe
5704	reg.exe
5424	reg.exe
6048	reg.exe
5152	reg.exe
5752	reg.exe
752	reg.exe
5716	reg.exe
1700	reg.exe
5604	reg.exe
5708	reg.exe
5712	reg.exe
5576	reg.exe
5856	reg.exe
6056	reg.exe
6044	reg.exe
1464	reg.exe
4452	reg.exe
5360	reg.exe
6104	reg.exe
6116	reg.exe

NTFS ADS 27 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 472831.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 492559.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\ViraLock.exe:Zone.Identifier	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 506093.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\MadMan.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 811764.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\VirusShare_089d45e4c3bb60388211aa669deab26a.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 29953.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:Zone.Identifier:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Quasar.v1.3.0.0.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NotPetya.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 160044.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 592717.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 892911.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Emirates Federal Competitiveness and Statistics Authority.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 809557.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Satana.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Brainbot_v1.5 (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 897075.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Brainbot_v1.5.zip:Zone.Identifier	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1756	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1988	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
2436	msedge.exe
2436	msedge.exe
3076	msedge.exe
3076	msedge.exe
1536	identity_helper.exe
1536	identity_helper.exe
3460	msedge.exe
3460	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
2032	msedge.exe
2032	msedge.exe
3252	msedge.exe
3252	msedge.exe
480	msedge.exe
480	msedge.exe
3364	identity_helper.exe
3364	identity_helper.exe
1216	msedge.exe
1216	msedge.exe
4680	msedge.exe
4680	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
564	msedge.exe
1656	msedge.exe
1656	msedge.exe
5084	msedge.exe
5084	msedge.exe
1016	msedge.exe
1016	msedge.exe
1788	msedge.exe
1788	msedge.exe
3164	msedge.exe
3164	msedge.exe
3488	msedge.exe
3488	msedge.exe
3756	msedge.exe
3756	msedge.exe
4200	identity_helper.exe
4200	identity_helper.exe
1608	msedge.exe
1608	msedge.exe
1952	msedge.exe
1952	msedge.exe
3056	msedge.exe
3056	msedge.exe
4564	NoMoreRansom.exe
4564	NoMoreRansom.exe
4564	NoMoreRansom.exe
4564	NoMoreRansom.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2324	msedge.exe
2324	msedge.exe
1088	identity_helper.exe
1088	identity_helper.exe
5096	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
3456	Quasar.exe
4376	7zFM.exe
2464	msedge.exe
436	vyQUIUck.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1012	CryptoWall.exe
3348	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4100	WannaCry.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4376	7zFM.exe
Token: 35	4376	7zFM.exe
Token: SeSecurityPrivilege	4376	7zFM.exe
Token: SeShutdownPrivilege	1940	rundll32.exe
Token: SeDebugPrivilege	1940	rundll32.exe
Token: SeTcbPrivilege	1940	rundll32.exe
Token: SeDebugPrivilege	3924	CA80.tmp
Token: SeIncreaseQuotaPrivilege	1056	WMIC.exe
Token: SeSecurityPrivilege	1056	WMIC.exe
Token: SeTakeOwnershipPrivilege	1056	WMIC.exe
Token: SeLoadDriverPrivilege	1056	WMIC.exe
Token: SeSystemProfilePrivilege	1056	WMIC.exe
Token: SeSystemtimePrivilege	1056	WMIC.exe
Token: SeProfSingleProcessPrivilege	1056	WMIC.exe
Token: SeIncBasePriorityPrivilege	1056	WMIC.exe
Token: SeCreatePagefilePrivilege	1056	WMIC.exe
Token: SeBackupPrivilege	1056	WMIC.exe
Token: SeRestorePrivilege	1056	WMIC.exe
Token: SeShutdownPrivilege	1056	WMIC.exe
Token: SeDebugPrivilege	1056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1056	WMIC.exe
Token: SeRemoteShutdownPrivilege	1056	WMIC.exe
Token: SeUndockPrivilege	1056	WMIC.exe
Token: SeManageVolumePrivilege	1056	WMIC.exe
Token: 33	1056	WMIC.exe
Token: 34	1056	WMIC.exe
Token: 35	1056	WMIC.exe
Token: 36	1056	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1056	WMIC.exe
Token: SeSecurityPrivilege	1056	WMIC.exe
Token: SeTakeOwnershipPrivilege	1056	WMIC.exe
Token: SeLoadDriverPrivilege	1056	WMIC.exe
Token: SeSystemProfilePrivilege	1056	WMIC.exe
Token: SeSystemtimePrivilege	1056	WMIC.exe
Token: SeProfSingleProcessPrivilege	1056	WMIC.exe
Token: SeIncBasePriorityPrivilege	1056	WMIC.exe
Token: SeCreatePagefilePrivilege	1056	WMIC.exe
Token: SeBackupPrivilege	1056	WMIC.exe
Token: SeRestorePrivilege	1056	WMIC.exe
Token: SeShutdownPrivilege	1056	WMIC.exe
Token: SeDebugPrivilege	1056	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1056	WMIC.exe
Token: SeRemoteShutdownPrivilege	1056	WMIC.exe
Token: SeUndockPrivilege	1056	WMIC.exe
Token: SeManageVolumePrivilege	1056	WMIC.exe
Token: 33	1056	WMIC.exe
Token: 34	1056	WMIC.exe
Token: 35	1056	WMIC.exe
Token: 36	1056	WMIC.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeTcbPrivilege	4872	taskse.exe
Token: SeTcbPrivilege	4872	taskse.exe
Token: SeTcbPrivilege	5752	taskse.exe
Token: SeTcbPrivilege	5752	taskse.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	5200	taskkill.exe
Token: SeDebugPrivilege	5144	taskkill.exe
Token: SeDebugPrivilege	5128	taskkill.exe
Token: SeTcbPrivilege	5796	taskse.exe
Token: SeTcbPrivilege	5796	taskse.exe
Token: SeTcbPrivilege	3036	taskse.exe
Token: SeTcbPrivilege	3036	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
3456	Quasar.exe
3456	Quasar.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
2436	msedge.exe
3456	Quasar.exe
3456	Quasar.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
480	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
3756	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe
2464	msedge.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
2464	msedge.exe
2656	NotPetya.exe
760	@[email protected]
760	@[email protected]
4636	@[email protected]
4636	@[email protected]
4840	@[email protected]
4840	@[email protected]
1492	@[email protected]
6140	!WannaDecryptor!.exe
6140	!WannaDecryptor!.exe
5352	!WannaDecryptor!.exe
484	@[email protected]
1000	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 1704	2436	msedge.exe	83
PID 2436 wrote to memory of 1704	2436	msedge.exe	83
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 900	2436	msedge.exe	84
PID 2436 wrote to memory of 3528	2436	msedge.exe	85
PID 2436 wrote to memory of 3528	2436	msedge.exe	85
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86
PID 2436 wrote to memory of 780	2436	msedge.exe	86

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
476	attrib.exe
4876	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\__monero_chan_monero_drawn_by_freerun79__sample-c27ac21e4c771729d224f96a865a76e0.jpg
1⤵
PID:4928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xe0,0x10c,0x7ff8e7453cb8,0x7ff8e7453cc8,0x7ff8e7453cd8
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1936 /prefetch:2
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3424 /prefetch:8
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3868 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2928 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6528 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2624 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7124 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7252 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7136 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1312 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7436 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1020 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7352 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6800 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7268 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,4107715331801181612,10641457415175277837,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6264 /prefetch:1
  2⤵
  PID:1776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4712

C:\Users\Admin\Desktop\Quasar v1.3.0.0\Quasar.exe
"C:\Users\Admin\Desktop\Quasar v1.3.0.0\Quasar.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e7453cb8,0x7ff8e7453cc8,0x7ff8e7453cd8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1908 /prefetch:2
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3960 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5744 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4116 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6292 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1096 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6336 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3636 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1940 /prefetch:1
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1892,16933584513415997110,9478849352101685662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7160 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3140

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Emirates Federal Competitiveness and Statistics Authority.zip\Emirates Federal Competitiveness and Statistics Authority\fcsa.gov.ae mailbox passwords.txt
1⤵
PID:4376

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Temp1_Brainbot_v1.5 (1).zip\readme.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1756

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:2088

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:1696

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:2724

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:3212

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:720

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:4548

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:3076

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:924

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:224

C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe
"C:\Users\Admin\Desktop\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.exe"
1⤵
- Executes dropped EXE
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SendNotifyMessage
PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xb8,0x10c,0x7ff8e7453cb8,0x7ff8e7453cc8,0x7ff8e7453cd8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:1164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5336 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4200 /prefetch:8
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
  2⤵
  PID:1320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:3032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6308 /prefetch:8
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1864,13723970185528765238,18181039912284599882,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6324 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3056
- C:\Users\Admin\Downloads\NoMoreRansom.exe
  "C:\Users\Admin\Downloads\NoMoreRansom.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  PID:4564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8e7453cb8,0x7ff8e7453cc8,0x7ff8e7453cd8
  2⤵
  PID:4296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1860 /prefetch:2
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3444 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4488 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6048 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6584 /prefetch:8
  2⤵
  PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:2368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6372 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7196 /prefetch:8
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7164 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:552
- C:\Users\Admin\Downloads\CryptoWall.exe
  "C:\Users\Admin\Downloads\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: MapViewOfSection
  PID:1012
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: MapViewOfSection
    PID:3348
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1964 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7356 /prefetch:8
  2⤵
  PID:1700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7288 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:4532
- C:\Users\Admin\Downloads\NotPetya.exe
  "C:\Users\Admin\Downloads\NotPetya.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2656
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Windows\perfc.dat #1
    3⤵
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken
    PID:1940
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:41
      4⤵
      PID:4712
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 16:41
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1988
  - - C:\Users\Admin\AppData\Local\Temp\CA80.tmp
      "C:\Users\Admin\AppData\Local\Temp\CA80.tmp" \\.\pipe\{6C89CDF7-0BAC-4610-9C65-B00061ECC348}
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6936 /prefetch:2
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5988 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1976 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:640
- C:\Users\Admin\Downloads\Satana.exe
  "C:\Users\Admin\Downloads\Satana.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:3140
- - C:\Users\Admin\Downloads\Satana.exe
    "C:\Users\Admin\Downloads\Satana.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1988
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1988 -s 416
      4⤵
      Program crash
      PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7344 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6508 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7484 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2968
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - NTFS ADS
  PID:476
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:780
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000023C
      4⤵
      Executes dropped EXE
      PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6900 /prefetch:1
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7140 /prefetch:8
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6100 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:428
- C:\Users\Admin\Downloads\WannaCrypt0r.exe
  "C:\Users\Admin\Downloads\WannaCrypt0r.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  PID:728
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h .
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:476
- - C:\Windows\SysWOW64\icacls.exe
    icacls . /grant Everyone:F /T /C /Q
    3⤵
    - Modifies file permissions
    PID:4532
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:764
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 223931727106043.bat
    3⤵
    PID:3228
  - - C:\Windows\SysWOW64\cscript.exe
      cscript.exe //nologo m.vbs
      4⤵
      PID:3184
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +s F:\$RECYCLE
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4876
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected] co
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:760
  - - C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
      TaskData\Tor\taskhsvc.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c start /b @[email protected] vs
    3⤵
    PID:1548
  - - C:\Users\Admin\Downloads\@[email protected]
      @[email protected] vs
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:4636
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
        5⤵
        
        PID:3416
      - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2532
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Executes dropped EXE
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:4840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xinooffmkqlv074" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4272
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "xinooffmkqlv074" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:2872
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:5516
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5752
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1492
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:6088
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5796
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:484
- - C:\Users\Admin\Downloads\taskse.exe
    taskse.exe C:\Users\Admin\Downloads\@[email protected]
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3036
- - C:\Users\Admin\Downloads\@[email protected]
    @[email protected]
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1000
- - C:\Users\Admin\Downloads\taskdl.exe
    taskdl.exe
    3⤵
    PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7472 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7552 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7312 /prefetch:8
  2⤵
  PID:1808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2688
- C:\Users\Admin\Downloads\ViraLock.exe
  "C:\Users\Admin\Downloads\ViraLock.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2368
- - C:\Users\Admin\rKQIwAYQ\vyQUIUck.exe
    "C:\Users\Admin\rKQIwAYQ\vyQUIUck.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:436
- - C:\ProgramData\TewgwIAA\jiIkIYQc.exe
    "C:\ProgramData\TewgwIAA\jiIkIYQc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:2856
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
    3⤵
    PID:228
  - - C:\Users\Admin\Downloads\ViraLock.exe
      C:\Users\Admin\Downloads\ViraLock
      4⤵
      Executes dropped EXE
      PID:5204
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        5⤵
        
        PID:5372
      - C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        6⤵
        Executes dropped EXE
        
        PID:5412
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        7⤵
        
        PID:5672
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        8⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        9⤵
        
        PID:5996
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        10⤵
        Executes dropped EXE
        
        PID:5244
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        11⤵
        
        PID:5304
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        12⤵
        Executes dropped EXE
        
        PID:5160
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        13⤵
        
        PID:5668
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        14⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        15⤵
        
        PID:5980
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        17⤵
        
        PID:5312
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4876
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        20⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        21⤵
        
        PID:5172
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        23⤵
        
        PID:6092
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        24⤵
        Executes dropped EXE
        
        PID:5668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5204
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        26⤵
        Executes dropped EXE
        
        PID:5760
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        27⤵
        
        PID:5312
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        28⤵
        Executes dropped EXE
        
        PID:5652
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:5848
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        30⤵
        Executes dropped EXE
        
        PID:5596
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        31⤵
        
        PID:5292
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        32⤵
        Executes dropped EXE
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        33⤵
        
        PID:5200
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        34⤵
        Executes dropped EXE
        
        PID:5632
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        35⤵
        
        PID:5656
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        36⤵
        Executes dropped EXE
        
        PID:6032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        37⤵
        
        PID:5408
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        38⤵
        Executes dropped EXE
        
        PID:5456
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        39⤵
        
        PID:5788
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        40⤵
        Executes dropped EXE
        
        PID:6092
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:5992
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:5152
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        42⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5424
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        43⤵
        
        PID:4960
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        44⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        45⤵
        
        PID:5836
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        46⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        47⤵
        
        PID:6028
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        48⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        49⤵
        
        PID:5608
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        50⤵
        Executes dropped EXE
        
        PID:2848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        51⤵
        
        PID:5244
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        53⤵
        System Location Discovery: System Language Discovery
        
        PID:5252
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        54⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        55⤵
        
        PID:5836
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:6112
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        57⤵
        
        PID:5380
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        58⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        59⤵
        System Location Discovery: System Language Discovery
        
        PID:5636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        60⤵
        
        PID:5524
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        60⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        61⤵
        
        PID:3220
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:5988
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        62⤵
        Executes dropped EXE
        
        PID:5384
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        63⤵
        
        PID:5252
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        64⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        65⤵
        
        PID:5656
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        66⤵
        
        PID:6044
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        67⤵
        
        PID:3460
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        68⤵
        
        PID:5612
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        69⤵
        
        PID:5404
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        70⤵
        
        PID:2052
        
        C:\Users\Admin\Downloads\ViraLock.exe
        
        C:\Users\Admin\Downloads\ViraLock
        70⤵
        
        PID:5976
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Users\Admin\Downloads\ViraLock"
        71⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        71⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        71⤵
        Modifies registry key
        
        PID:5136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        71⤵
        UAC bypass
        
        PID:5708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUswsUwE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        71⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        72⤵
        
        PID:6016
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        69⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        69⤵
        
        PID:5248
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        69⤵
        UAC bypass
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kmkgQcAE.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        69⤵
        
        PID:6140
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        70⤵
        
        PID:5416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        67⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3168
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        67⤵
        
        PID:1600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        67⤵
        UAC bypass
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\FwgIsYko.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        67⤵
        
        PID:4532
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        68⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        65⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        65⤵
        Modifies registry key
        
        PID:5568
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        66⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        65⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5788
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VggYQUow.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        65⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        66⤵
        
        PID:5652
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        63⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5704
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        63⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6116
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        63⤵
        UAC bypass
        
        PID:5732
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zugosMQA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        63⤵
        
        PID:5256
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        64⤵
        
        PID:5072
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        61⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        61⤵
        Modifies registry key
        
        PID:6108
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        61⤵
        UAC bypass
        Modifies registry key
        
        PID:6052
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:5500
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\kYAQwIQw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        61⤵
        
        PID:5972
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        62⤵
        
        PID:5300
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        59⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        59⤵
        Modifies registry key
        
        PID:6036
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        59⤵
        UAC bypass
        Modifies registry key
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QAMEoAIA.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        59⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        60⤵
        
        PID:5884
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        57⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5604
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        57⤵
        
        PID:5632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        57⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\GwQsYYAM.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        57⤵
        
        PID:5292
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        58⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        55⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3416
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:5800
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        55⤵
        UAC bypass
        
        PID:1700
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\caoIkIIo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        55⤵
        
        PID:2084
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        56⤵
        System Location Discovery: System Language Discovery
        
        PID:5192
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        53⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6104
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        53⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        53⤵
        UAC bypass
        
        PID:5988
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tYwAMIUs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        53⤵
        
        PID:5500
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        54⤵
        
        PID:5716
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        54⤵
        System Location Discovery: System Language Discovery
        
        PID:5408
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        51⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        51⤵
        Modifies registry key
        
        PID:4384
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        51⤵
        UAC bypass
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\duUMcYcw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        51⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        52⤵
        
        PID:5600
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        49⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5712
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        49⤵
        Modifies registry key
        
        PID:5444
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        49⤵
        UAC bypass
        Modifies registry key
        
        PID:5360
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DaAcMsgw.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        49⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        50⤵
        System Location Discovery: System Language Discovery
        
        PID:5528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        47⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:1700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        47⤵
        
        PID:5848
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        47⤵
        UAC bypass
        
        PID:5744
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sscoAUMo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        47⤵
        
        PID:5256
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        48⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        45⤵
        Modifies visibility of file extensions in Explorer
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        45⤵
        Modifies registry key
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        45⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MUUMgIkc.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        45⤵
        
        PID:5784
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        46⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        43⤵
        Modifies visibility of file extensions in Explorer
        
        PID:4664
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        43⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        43⤵
        UAC bypass
        Modifies registry key
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\NIcsYIAI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        43⤵
        
        PID:2236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        44⤵
        
        PID:5304
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        44⤵
        
        PID:5524
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        41⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5360
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        41⤵
        
        PID:5796
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        41⤵
        UAC bypass
        
        PID:5192
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZWsEUscY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:6084
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        42⤵
        
        PID:5576
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        42⤵
        
        PID:5020
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        39⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5560
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:5340
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        39⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BmUcMgME.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        39⤵
        
        PID:5240
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        40⤵
        
        PID:6128
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        37⤵
        Modifies visibility of file extensions in Explorer
        
        PID:696
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        37⤵
        
        PID:3220
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        37⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:6104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eQAMoUks.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        37⤵
        
        PID:5676
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        38⤵
        System Location Discovery: System Language Discovery
        
        PID:3112
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        35⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5880
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        35⤵
        Modifies registry key
        
        PID:5304
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        35⤵
        UAC bypass
        Modifies registry key
        
        PID:1600
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aAocUwsU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        35⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        36⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        33⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5576
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        33⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        33⤵
        UAC bypass
        
        PID:5492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IYUcogYg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        33⤵
        
        PID:5468
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        34⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        31⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5708
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        31⤵
        
        PID:856
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        31⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:6120
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CWIscAYo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        31⤵
        System Location Discovery: System Language Discovery
        
        PID:5176
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        32⤵
        System Location Discovery: System Language Discovery
        
        PID:5496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        29⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5892
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        29⤵
        
        PID:5728
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        29⤵
        UAC bypass
        
        PID:800
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RScAokQU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        29⤵
        System Location Discovery: System Language Discovery
        
        PID:5480
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        30⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        27⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:4960
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:4392
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        27⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1464
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RkwYYQEI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        27⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        28⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:5388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        25⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5852
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        25⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        25⤵
        UAC bypass
        Modifies registry key
        
        PID:5992
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DUIAQUYI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        25⤵
        
        PID:5212
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        26⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        23⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:3868
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        24⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        23⤵
        Modifies registry key
        
        PID:6044
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        23⤵
        UAC bypass
        Modifies registry key
        
        PID:6052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EYUAEwYQ.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        23⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        24⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        21⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        21⤵
        Modifies registry key
        
        PID:5380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        21⤵
        UAC bypass
        
        PID:5392
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KMEQcMgY.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        21⤵
        
        PID:5732
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        22⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        19⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1608
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        19⤵
        Modifies registry key
        
        PID:4452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        19⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qIAAEkQk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        17⤵
        Modifies visibility of file extensions in Explorer
        
        PID:5124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        17⤵
        Modifies registry key
        
        PID:5228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        17⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5200
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yOQgcEoo.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        17⤵
        
        PID:5244
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        18⤵
        
        PID:5620
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        15⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6024
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        15⤵
        
        PID:6028
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        15⤵
        UAC bypass
        Modifies registry key
        
        PID:5716
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZosIYsUs.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        15⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        16⤵
        
        PID:6136
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        13⤵
        Modifies visibility of file extensions in Explorer
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5752
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        13⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        13⤵
        UAC bypass
        Modifies registry key
        
        PID:5416
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BUwQcoME.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        13⤵
        
        PID:5812
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        14⤵
        
        PID:5856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        11⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5152
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        11⤵
        
        PID:5452
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        11⤵
        UAC bypass
        Modifies registry key
        
        PID:5232
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fCscYkgg.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        11⤵
        
        PID:5472
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        12⤵
        
        PID:5584
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        9⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:6048
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        9⤵
        Modifies registry key
        
        PID:6056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        9⤵
        UAC bypass
        
        PID:6064
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SkAAcMMU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:6080
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        10⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        7⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5724
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:5732
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        7⤵
        UAC bypass
        Modifies registry key
        
        PID:5740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AIEwQsUI.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        7⤵
        
        PID:5756
        
        C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        8⤵
        
        PID:5892
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
        5⤵
        Modifies visibility of file extensions in Explorer
        Modifies registry key
        
        PID:5424
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
        5⤵
        Modifies registry key
        
        PID:5432
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
        5⤵
        UAC bypass
        System Location Discovery: System Language Discovery
        
        PID:5440
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SMAAkMYk.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
        5⤵
        
        PID:5460
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
        6⤵
        
        PID:5608
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v HideFileExt /t REG_DWORD /d 1
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Modifies registry key
    PID:856
- - C:\Windows\SysWOW64\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /f /v Hidden /t REG_DWORD /d 2
    3⤵
    PID:1456
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /d 0 /t REG_DWORD /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:4148
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dQQYUUAU.bat" "C:\Users\Admin\Downloads\ViraLock.exe""
    3⤵
    PID:3844
  - - C:\Windows\SysWOW64\cscript.exe
      cscript C:\Users\Admin\AppData\Local\Temp/file.vbs
      4⤵
      System Location Discovery: System Language Discovery
      PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
  2⤵
  PID:5684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:6136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3904 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1456
- C:\Users\Admin\Downloads\WannaCry.exe
  "C:\Users\Admin\Downloads\WannaCry.exe"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: RenamesItself
  PID:4100
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c 104331727106110.bat
    3⤵
    PID:5136
  - - C:\Windows\SysWOW64\cscript.exe
      cscript //nologo c.vbs
      4⤵
      PID:2052
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe
    3⤵
    - Sets desktop wallpaper using registry
    - Suspicious use of SetWindowsHookEx
    PID:6140
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im MSExchange*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5200
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im Microsoft.Exchange.*
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5128
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlserver.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5144
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im sqlwriter.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1492
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe c
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5928 /prefetch:1
  2⤵
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1848,3310247999445835897,1691935808857113045,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7644 /prefetch:8
  2⤵
  PID:5576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
585B

MD5
9f392b85cffd672dd684a7d9d8b10851

SHA1
6c1f39e7ea20d11ad18e716a15ab029f9e750b7b

SHA256
8edb527cda65b94e13e5977b3a872f5caa2e08c07e7634dae0a6d1f7a1c23b54

SHA512
016823750e231604f1dac7c36275078cb644dad1b805c0f35c7657d2c8e80c388f822b9082f076e270fbf0a6f140ddfc9361a9a5291903adfc0311411809a168

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d30a5618854b9da7bcfc03aeb0a594c4

SHA1
7f37105d7e5b1ecb270726915956c2271116eab7

SHA256
3494c446aa3cb038f1d920b26910b7fe1f4286db78cb3f203ad02cb93889c1a8

SHA512
efd488fcd1729017a596ddd2950bff07d5a11140cba56ff8e0c62ef62827b35c22857bc4f5f5ea11ccc2e1394c0b3ee8651df62a25e66710f320e7a2cf4d1a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
935db0b06b083eaf58f12d2d45d1f77c

SHA1
04205a852f67e9d76f42a505f6210d46c615beee

SHA256
2401ae20707a297dfd451ccc8254c28c69af23defc4873dbbe35231d6306888d

SHA512
c62bc9ac68799b9eb70510b69fa47d1052b4607b65e222e2c130e43dcd6ee6806f3a8df2810320b4ce349b103256077dd6a101809f72001db3ac90b847ffc626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
da9227fffe648cd4d0e224a8a2e09e34

SHA1
ec8303163087c7e152e1103d590dcf0443aae2e6

SHA256
58465ffbb9eeb7d4381d167e5dd8641f49453a39679e8704a3821bfafbf31c02

SHA512
ccdf71630182412a742bfdf47e21e94a53f39e7dd92eaa7a2de8ae3cfb18eddac1f65176cba12edcb00b51f39dfb167c385c156b51e8d975346d044c414af192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
03a56f81ee69dd9727832df26709a1c9

SHA1
ab6754cc9ebd922ef3c37b7e84ff20e250cfde3b

SHA256
65d97e83b315d9140f3922b278d08352809f955e2a714fedfaea6283a5300e53

SHA512
e9915f11e74c1bcf7f80d1bcdc8175df820af30f223a17c0fe11b6808e5a400550dcbe59b64346b7741c7c77735abefaf2c988753e11d086000522a05a0f7781

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7f3ab95e9525786ebfd4a0b86a58439c

SHA1
ebf1e07e2476724016693ec61bc126997e7d574d

SHA256
57f2c2a3f8913b60fde5ae6e1d40fdd8066ea9bf0924c937e134ffaaf55db27a

SHA512
437bc191fbb89c4045a1369f31dab740a0dc401541fb34c673058e4577302b86d8322f4746d87292bb7092c2e17d8c1e2be27e360c2ce65ef069d8d96e977d77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34aa97f6615ff4dba856402908bc00fb

SHA1
ef9ce6d4b3697e079af829d585567a333804bcdc

SHA256
845c698ec58b2c09550e01f929203cd4f4b88afb1890c7f6ea489ffa36e98d66

SHA512
c8c7a3fa61ff825e7e82987186170e9cabfde335e589e76350816b0fd41f16e5e960f4a4c4f17c1e6ee5cccda68905e870b8d930cc2a3d8477e5c8ca244c6e50

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\4a4d5f24-712f-4f71-babc-4803bf9f8634.tmp

Filesize
2KB

MD5
b10e056dcbe67855f27048467b6df934

SHA1
2ae217e44d7cf9bd110bde66127f9ae851ea8186

SHA256
4657e192572a244c0014880bf5d0b51efccc7668c9f5e5a58d16e866f444bb6b

SHA512
f74b4766956ab0ee35e8bd36bf364793d74699cb77e2bca37d3b997d953d6a8bcc9a75fa5b0cfc674b5ce3d8b4eb7c5ec76d58e3b90702ad56d3b07a90b671cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9717854d-a4df-4d76-beec-74c953050350.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
41KB

MD5
3fa3fda65e1e29312e0a0eb8a939d0e8

SHA1
8d98d28790074ad68d2715d0c323e985b9f3240e

SHA256
ee5d25df51e5903841b499f56845b2860e848f9551bb1e9499d71b2719312c1b

SHA512
4e63a0659d891b55952b427444c243cb2cb6339de91e60eb133ca783499261e333eaf3d04fb24886c718b1a15b79e52f50ef9e3920d6cfa0b9e6185693372cac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
9f235d9b385be059b1023562d3223185

SHA1
316137fd5baad10c50bc60151a46b62bf858066f

SHA256
b2d73b848810cd703bbac41f67073c38e6420b5023a9439cd2a1c1c920f03310

SHA512
aa31dce9fd40cec5a519e700aff9dfdd3bbe23fb103ea4ec38cd74ef8ef68cd02762c963093c40983c814e01862450b6cdc3bd93d70f9ce8f5e24f08630abf93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000075

Filesize
64KB

MD5
add9dce7c4828801f845ec416c87e8fc

SHA1
8104424a0917352036ef9b6fe8dc103b72222147

SHA256
db35d419b0e9445f031d0fc0532a5d177f3031d969cb6dec1b1ebbcd3b418f23

SHA512
df2cb96c1b1277ec9ee1a56e3e378183659193e9c33923d5fecea04acf2d3c74f95ab3bdbdcd310a87493d92c049826cec65842daa07c9c8a80d2aee35e5bc1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000076

Filesize
21KB

MD5
56ce4e0d4dc8a777fab10a90cc5b9ff0

SHA1
c9b4431178167058befc71b3b2d8ffd9b27b82fa

SHA256
3888c952dfadc79b7515e7f9da88f8fdff23a11b0957f670481c33440046a67c

SHA512
d4cb4c242acc72d2b5238b5216694be685aae99d51bd74de5b4da2d49282da90f8ec2a1e2b0d56e7ef268650eb6c84b0933dd9af1eb7693e58201e4f40b5330f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007a

Filesize
20KB

MD5
fc13bb2fb95cc68da8d57b4ae461a1d0

SHA1
8ac473686c7064f5af471559dadca237cbdfae30

SHA256
0f98978c4a28e066c60854b0fc0b7cda74af71654ed938c4ad52818564d8121e

SHA512
58880dedfeee6b92fe92a8f50a8ff416069bc53d2062d7e27813722f148fedd86a587b6db9bd9e67be51fbf69b45ab9b0f81a194facadbabc4d86313c71b7e52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007b

Filesize
18KB

MD5
115c2d84727b41da5e9b4394887a8c40

SHA1
44f495a7f32620e51acca2e78f7e0615cb305781

SHA256
ae0e442895406e9922237108496c2cd60f4947649a826463e2da9860b5c25dd6

SHA512
00402945111722b041f317b082b7103bcc470c2112d86847eac44674053fc0642c5df72015dcb57c65c4ffabb7b03ece7e5f889190f09a45cef1f3e35f830f45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007c

Filesize
18KB

MD5
8eff0b8045fd1959e117f85654ae7770

SHA1
227fee13ceb7c410b5c0bb8000258b6643cb6255

SHA256
89978e658e840b927dddb5cb3a835c7d8526ece79933bd9f3096b301fe1a8571

SHA512
2e4fb65caab06f02e341e9ba4fb217d682338881daba3518a0df8df724e0496e1af613db8e2f65b42b9e82703ba58916b5f5abb68c807c78a88577030a6c2058

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007d

Filesize
20KB

MD5
a82edbe82752de7a1b357101a9c74bf4

SHA1
fc9b908c47df6079f8a24e5c8e2e876de9e69ebe

SHA256
595eda242d9bd7dc6ad5c21064fb00694016122d62a4485e17cca825c3d8d9a9

SHA512
2afd27840557a40ccc0b087bc0b99ccbf8ac4a6b848be59b378b97ec5aa4ea9e2040a9fdacab6b775753b91996d21e78906aa4efc2bdd74baea95887fd406cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000099

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009f

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000cb

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000db

Filesize
16KB

MD5
a2edb5c7eb3c7ef98d0eb329c6fb268f

SHA1
5f3037dc517afd44b644c712c5966bfe3289354c

SHA256
ba191bf3b5c39a50676e4ecae47adff7f404f9481890530cdbf64252fbb1a57e

SHA512
cc5644caf32302521ca5d6fd3c8cc81a6bbf0c44a56c00f0a19996610d65cf40d5bae6446610f05a601f63dea343a9000e76f93a0680cfbf1e4cf15a3563a62c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000109

Filesize
73KB

MD5
6269222832374b9a248de949eb3db370

SHA1
0382db45545e13fcce0f1587a62f8208474e2b8f

SHA256
d350d2aa4b52283ed9c3c9a322c16fbf9f0ec7e2dcde4b658236cbd9e81d3c39

SHA512
a3a16346769d93ef45a081c1945460e250920926fec8e4428913d9d6b24cdb529829985f450250208a01ecb7d8499d88bfaeeb0ff9827c6a300ad589e80e5b47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000124

Filesize
18KB

MD5
9f1540a672e96d68624d90671ff94460

SHA1
210bfb650b424b754644afbb6f5c075a47257afc

SHA256
8c9523774a27390fb41bc7a2253f1c2ac89952327d08cb153f5fe00bbb5acb9a

SHA512
5c932c3e0fa1264df98bbc1ed75bba7860d34f049b442646fbde02b10f2cf8f5c4616b95f35a65ccac21116175f897716240da39c7e59cb4c5274c20934caa28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000146

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\006c4454671ad153_0

Filesize
1KB

MD5
37e9da24e3fab81d62bd28df6c8b3c40

SHA1
14374da5e929010540d7bc1e50dbac6701dea4b0

SHA256
3d149f599d0ed98ba429922dc78fa9c76099c7d776c926de8701cc61681550d6

SHA512
517c893e464202e8e6c2c919aa9db719940784764fa72f4c00890c17c69131276ec9beac04478215f9fd44cc46808a70ed858c82967de695d776cb44f9d69478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\036c3b95e25930b1_0

Filesize
2KB

MD5
c6ca0ea4d9acf9c45326e1cb3c190f34

SHA1
cc71fdbc006cf98bb6ba9b30f2f410363ca2f035

SHA256
f68d6c5dbd125e2ae63b743118ac090996d7a00d402b6271a9b27b45011d0ff5

SHA512
837e137467048581e51a142900cfffb98d77552c5a4b9771989a3a83266bcebb5cb4815f94e0f1c5c31a0b7a3abe92f6e98ef53f093842c88214879176660664

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\039b8f09f146fbbe_0

Filesize
6KB

MD5
394865a56fa4330280ef378bf63f3e43

SHA1
2aaf830ddd723bb0421d7ddb9343be10443acaaa

SHA256
43ced45592009b6122d4dffe6ab13f701dc956dde3e8577fa60769578c7c5c8c

SHA512
ce166cb231f426eaf7e618f9a7d0eba1605a1f362f8cd5ea4b76e5d29fe59074311e1a117c4ee18734be27dc1e245095d8943ef302359a9309d88dd0ea8baa6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\07f4c7604bca779f_0

Filesize
2KB

MD5
0693632df9b9ef917e12df0732fe90ec

SHA1
d178a07c89df806f214c90938c97a2eb311eee27

SHA256
7e9fc6d008e1f0c9befbdc1b131e56cacf5995f40cad4d80e695482ca705614e

SHA512
a6bd9d62675b32943a2b81c18047912147820a9157487bedb732c8c61e4155da47abd10be47bbe02e2f8dc3327f36ed2b8602eabc2da7064cf113afedd2c1b21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0801ae6bacc06966_0

Filesize
1KB

MD5
4983792cd49b41943dfbb8105ec6d03e

SHA1
5827f14e1b9b06bb9ae6e7dd5bb98b81e36ca767

SHA256
27071f2516c4ee1a6f371e9d082ed9f99bed73e051396c4653d893337e8ba6cc

SHA512
c8e9636135112d3cefe79d62743dadebc526253e9123bd76b7eda6e241a6a7702c9516ee9220261d6d8d6e3f3db99b10e44d618959acdf9eec06ea7d4be011f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0a1cfaba407c18d2_0

Filesize
274B

MD5
c3d0d3c1b3b2982456ad85d1e7ab937c

SHA1
d9ed1df92e88e22af922f0613ca22fc29f3aaacb

SHA256
408a7d0ab84e25ce3abed7d90520f6299bd0079054feaa118445fd5392645082

SHA512
bf515418e2fa169031f1eb4585a6de803b3523f3ea800e496ace5c12f20374aa99ec8411440e6274f991fc59b59bd3e83ef651e433061d6a4981dcb412ef10f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0a1cfaba407c18d2_0

Filesize
322B

MD5
c05dd99bbedffbd9a7011983e8e36282

SHA1
dcb60cf01fe8aafca0b36057b458d4176f3d195d

SHA256
41c7f0ca6fbd9e8334a63e914932a4f24ca83fd2d1463c5fa6cd076939b47033

SHA512
68476d4a5125ba10d899bc755ad5de6da704f8799306e6c69fc986ee3a647fbdf398c907ac18a8f2d8699390c10ffacb82fc0b78d2c9b80c39bf17415edb065c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\1a45e8e9cd3da5aa_0

Filesize
1KB

MD5
11a235dcc2c370050dd1180f0d493aa6

SHA1
4a039b6cb39858ce53083e7de4003a1a160d942f

SHA256
fd1d104751ae0cdcad9a60b32fee08bfd5a4afa8714eae474bd3fd90c093abc2

SHA512
050270304cb5d7a830f869b7e6be0e3bd35dd5ccc318e4129f720aab86aa8d229534dd9147e6a1b4b58f28465d0c28b65ec80f9bbeed1d1600c1357025c5e946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\24994319ce0bb02b_0

Filesize
2KB

MD5
6b181e7c328b8588816f32d2e1defdfb

SHA1
95b5f35fb3f5f750c74031a58ec1f5a0c9130e19

SHA256
ca76cf4b11a06c94069de1735bf632a14165c224abc8ac5fccddb430c318b415

SHA512
6c61021bc915b78f24c113e43f5cc4ff54f3bc6220b22f05470b3b4e20b6a47dd8b6e7e8c5b2398b1f149e34f364902c9af30d0a1b000bffec9f8ec1d74a6170

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\24f31477fcd83d46_0

Filesize
2KB

MD5
5e99a0cc385d29e2ba0ffdb8c75e70c5

SHA1
921427f3486eb5f9dfd6f421c0023cb372fb04fd

SHA256
75d75af53af2c5dde37b98ba2a8fcc00958d18dd10c910bd7fdc9a76fbcd8b72

SHA512
84175eef9d110d91ec2476379db4a54b4de9293a9295ff12c5f21a2add7febc8131939d39725700dba9f394d57d1890115619c179022f7c1b7dbdaef9b0fdf16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\308a49132d2247a6_0

Filesize
2KB

MD5
91dd8b79c6ea3381be2928b9ebd1eab0

SHA1
5a3d5e6ea34b5ec909423c9d2792e13cc44b5fe0

SHA256
439842f4f6d3f313aa1cb5f73dd1ca01e301ea3389924f0596831b006562f454

SHA512
8bddce84d4c0bb01ae0e734ee86d1431576e2b734a1b47e317a9e0c91956f95de61b88cf9a0afcb840d0ea61029cc2a855c7307842672db8de97a6e55e93991a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\3fce2772ba8b623b_0

Filesize
1KB

MD5
280193c874a6fe2a43f4d87d02b82799

SHA1
e3dfa0526de8f2aed82771273cf0cb2fe6a58933

SHA256
628f7f3b8108f68d0d30a59cdad9c7e7bd2b21c3d6067c53de9232674d595f11

SHA512
e7a473a88e9302715bb8b4d3f092e0857a1d0fd9f972ae394ea1653eee4c65f9c4bcc3f26ebfae5663a704bb71c09b54405df355efc248b23849e0d51bf25518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\46d8cd6b1d80e472_0

Filesize
29KB

MD5
6e61e63fc74709c25f7210d02c3d8357

SHA1
b54b3257be44c70851abc5eecf712975a5d18ae9

SHA256
2b268532bcf6bab849300ae878e92977bb835fb624568a0cd531452ad4ea4123

SHA512
41e833af0be4bf988e56575139ac9f2b16ef6bdec1bdd823bb00f97de7f2099e29d244d922af92d2cc28ef1efe3f31991ac524c115b7a2c58e488728f86e58ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\46d8cd6b1d80e472_0

Filesize
29KB

MD5
5150c92d9bbbbbc33f3014e29e753e61

SHA1
db3646402d99b8ad723b3618a54d78cab82d01ff

SHA256
34b208fc5937dee333f0d8404389c063fa779bc6aa709fcad75a6d4c0b2535af

SHA512
b2b5669ee2acf9d1a05c35ccc93c23b07c4ab2b9d5269c063eda9f8314dbe621115e190cd54a302b3dfaad7d5c5abf4c85d48fa1c8ae0e11477b7f09dfad9cee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\4f8ff0be2abb7aba_0

Filesize
4KB

MD5
e8ee8eabb2d8cea1b06988af063e6a53

SHA1
616b0b2cb72192a1ff0c4635738ce3b4940d8f3b

SHA256
1e18f090ec79386e68b3094108c289b7a517954e93c95c42368ae1a23a93a182

SHA512
1ee1a3384e7ff950f25b91dde22877d7586a1bb8048b4fadcda049dd91f3290cd49f1aba8365331d3b69a8d003a318df9837e8aa394338502127566be7e93591

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5c320ecb51df85fa_0

Filesize
266B

MD5
52865eb3541f6a03f5c3af6a4867c850

SHA1
53f192db2e499386447f90a280cfcc3ae04253a1

SHA256
e071bb9cd42789d4b72eed1aa3d77eab87a9d59fc1f1b53724abc74d42f01ab1

SHA512
108d2013c34648659151ff5e387a8bcc096b1e6a08b716b317f78d97b7e9614b566a55857e544599fc8e4c8a782f21b87ce0806278e3cdcc8c1db387ca9d1ae2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5c320ecb51df85fa_0

Filesize
3KB

MD5
ddeaddd22c48ea536188591e60c3986d

SHA1
8a0675f2b331bed0926572864cc95503109b17c1

SHA256
b8f6e01018b13cf06473c95b0969a60caee968e00a86df4ac13124d58096b72c

SHA512
c83cd18d41eca3f995e9db790c6754b4c0893e98e094c784e228d71740268f812102210add0f4c77f55f14d534e8d13eeb9ff5dc2f9118de18686001dc028090

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5d60a838cb5a54e9_0

Filesize
244B

MD5
ab9d279f6959a3f82e9bcb30397fed33

SHA1
9151309bac90c59364bd253b914115f6ba78ca1a

SHA256
d459d9b5fe933886490baa6b4b8918ff13f1392aa9cbfe9f0869f189a170a306

SHA512
e00b66bc3af9668d22313d0c7d13bd80bc56249c8e09101acf5a3e293ed1355fcb98b8665ea1b7aa9a6236ef90b6cdff0eea55fd6821e80c3c741fbc2de12e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\5d60a838cb5a54e9_0

Filesize
32KB

MD5
346ab15a934aa1691de4722a4dde803d

SHA1
b67ce2ce7d9ba99c98fc2d22d270703414057e70

SHA256
669ee2256063fb0c7724b420748c038dcbe9b47afe28344a08f88f56a6a0a10c

SHA512
518bb59d23e9fcd735c45e57aabfe9515e860f4ab61d5563796e04b8648a422dec8cbb8ede6a506dfa17e294524747a7f9c67071ea89e24f8ad3a3d4c6df7c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\78bdde6d488d8d7f_0

Filesize
359KB

MD5
437c8a21bff87fd10c9f11e72f193686

SHA1
d4889b1359270937ffa23ec7653395b6901f64c7

SHA256
84124ec138f0411a0917a5646e01df63112d7150e244e4c612e8373fa2dc0fa6

SHA512
46d58ff59f9aacfc25cf20313a4e3c635601245eb502af28c5f45d2cd9f360d2be0e47d0471a0e48b3592be53eb1226a6d9c5832cfca37cb5c33e4bb1ea0a260

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\7c3094013c730abf_0

Filesize
1KB

MD5
dc210b21793d2bbd6025b8aa516cc594

SHA1
f38f540d729d3795af9f5ea870e2324852f5aebe

SHA256
62f03b48c3aa3fdb2e701b7d8abbf38d2f5925f3346f568389d230d62ba6280b

SHA512
2fc4bad4f2dffc86debd854a6ef04aa4363848bf9f9f5d20091b4260abfb1afcf695d5b5078c31af575c0b5b107ced83ce007616025119ec86edd69b72044b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\894d2725a6d5934d_0

Filesize
275B

MD5
d0540de60d5483e35a861f1f3cf0946e

SHA1
367e91245dc220a87e6a70781852970fdbf4157f

SHA256
f01f375fa5dd9635ee61b613a974e653fda7cda6c0af9e281c470a7781690b4e

SHA512
9b76d3e1a4763635e64a81b2e758795bab191d5ba7e1314c2214972c40ec48b0e9e04a774e167aede48af38e6df7413db33311696e79386f27c4e88847eb7287

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8cb58f595cbcc46c_0

Filesize
249B

MD5
1824ea95196a3a6004cf503ebc40786c

SHA1
801836ef257e358331c968dbb11f772d2d2d2ebb

SHA256
9ba21a21be97f2c3ec9c4ea2c2b2d817ef3b862524b243d0a6414a0e7c37f138

SHA512
2aa5a54d581a45bd7d67c33af05c3c0332c8ef48a5aab0c7ccec561e601ed75a9b1c5df5e7b2b400a5d8a9df1a7b36bcb55ab1f199df27b95f5ddd247762cf12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8cb58f595cbcc46c_0

Filesize
55KB

MD5
28469e53160b9f99de071365df5be2bb

SHA1
e36bf41319a8b099d67cf4e8310f9d0e86110ebf

SHA256
dbca5270f98b1f3b9853096523f67d59c41475939a34093e4c74ac30d11c20ff

SHA512
5d8f3f48143b57a7c32a877a90754142e353b09866d033dd8f32fd13e8c2b2c83536371f8e9df6921f42633301ce24a51389803d3eaa868b062db2841b214ac8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8d4f8f68d6429324_0

Filesize
255B

MD5
3c85b773a2e737c057c7c61cb1c40fcb

SHA1
d23b0c42144b110e38bb106273a597f7a9c0bd92

SHA256
d05ada1395e64f22a89b5b2999a72d4f2ad3972e092ca72f307ed9a2b226b624

SHA512
fa7633d22661bd5088552288fab770de64d68ff6e746315adaa1951cd7356ceed28f774fc3753c4d3ebe4d32624518bb2c56bf53c1801d06aa8b2de10e792241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\8d4f8f68d6429324_0

Filesize
3KB

MD5
9a43a0678c6b4b711f648f9e2c21391c

SHA1
7611488ba7c6540d85401ecbf1da54fcf37dbafb

SHA256
fe7f4e6693b60561a0e21ce14c75a1b90f3bcc7aa63b5b9ab73b8e69cc28aca2

SHA512
ab6099aef31980eb4d2435b2c8bafa898b7962fa39ade2faddb006bb325d0e4ab6497655f61e1f43dc17bd3fa1f73186afd2b4d3753570c0e841ce50a0f51c27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\91643b0c4cb81a1e_0

Filesize
34KB

MD5
d94ecc347d5e57a20e7ba1240d7b1e34

SHA1
bab42b38414d5f1e65046c1c4ae42d52d6f827a4

SHA256
562b15bfb17b35dc0918b5188476d5bde683aa4d6ec67b9133d49008cb86f7a9

SHA512
f6c1df43b99bc24c72559add8b6cd9b309240fcf7f0a4047579c2ad13d02d28c3cf8ecf00aa68be2c89f4eeac0202e70a89865cc0c68dc6b3a694d2d1473e854

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\956fbe57ae53a736_0

Filesize
23KB

MD5
d6ba2c0dd5f61df374be14588cbae307

SHA1
2ee79567fee547bb12414a5889f8e1e37dd1af08

SHA256
de07690e0e2e4863b2cb1114fca05032716b91dfdcf67cca62431c6172b7d2fa

SHA512
315ec923d68b366f34a198470e7431a8b0c741ff2bb88829d972007177e9006857c04b1b7ee51056ead94cbd02dbb8a5ae96b7fb190a0e378c96025716c857e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\993ed34522264b7e_0

Filesize
1KB

MD5
9ac1665f856140caa384a4d434183a16

SHA1
af8ed5e8e7ec9a774a26703ccfcf14f0bdd82fdf

SHA256
f7c34ef2eb076156cebcdd74aa80e16397e372bfc1e33ef62600ea42ac9fcc88

SHA512
591cb7db80091e79eae3a313649d980140a01f46b80fd38c3a42f0cb85d92383a2697d2eab0e675bde742bf2a26aee007e2cc989168ba0c24e8182c600ce59f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\9fb6524bd780e80c_0

Filesize
999B

MD5
80342cb2c0c7f3d4a6a3e845aba41b54

SHA1
b2d50eecbdba348ce16c15cf126993034217d9c0

SHA256
2841776f44e047fd8048dededc4521212d054e4d8db7123eddc4f56c4d68e29d

SHA512
9becae3dbb782c6cff4de2431e7cee42c343dd435bee359e8d969782c6593940d4a4919e0e74bbd1f76b9c8450b3ad35d9f07efa552e1cd54ea0f174c69906ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a7e7921c6642f313_0

Filesize
1KB

MD5
f18b57bc7f59639c91531e72cbd86d51

SHA1
1d6bd8bf60bc5320ffa229a56da97231a3244a63

SHA256
f35576a68ae2783a5b7a41435138475220d957f5ad2d05943ad3358684de37ca

SHA512
ed4f1a64d921c1607ee4c15777ae9b529e6b3f57a3b2c031f5bb2e4861f87b37d3f2c7a412c48354baefb032dcb23c2479769eb0967a7e271806826f6dedc18e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a9dd2cf485e500d0_0

Filesize
14KB

MD5
1e3211072187b2dfbe505e3bdeede214

SHA1
608df72991f3e58341f1bd658fe8fcfcb6759153

SHA256
45824190b22e1fe1cae21ff543cf6f2b29d3e6440903fc68ddab43a704a679fd

SHA512
02cee68444412f3bd8499f559cf4227ec7ff6f7cfbee03ef0f42e560f0dc3761470c47a1247b2fe52865e68c5196d508c1d55ca5308cdd37fbd35fcf099c90a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\c388b37efef57d7d_0

Filesize
1KB

MD5
de6fe3602d20419a25530eb0fcc4c4f8

SHA1
7f07520f657e38b4898d59e35682f7083d4ca91c

SHA256
732e941d7ada85976f86d5af70e39e3d887520043942d78ab0122638504596ba

SHA512
72e3d44a1dd4005f431be7d1a58308714ca2540336cd3b6f40e03fdc8c6d9b203854a425b9a47964e2bcdab727b11f6df15dff4b58cdca4ee8bf388e4e229edd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5787b0574c10ffa_0

Filesize
1KB

MD5
440644388198f69618efcacc4febd13d

SHA1
c3ec120c79015d61adedecb1a6e0f172a1b561ff

SHA256
6c74e1aab6feb0956d574d1b53fa64eaedadf7244272d015bfa319ae8f477898

SHA512
084812eeacb624803124014fe6b501c26054b49d7c71282b67c40316ede52224986885b02f57a5b8216b3287d387992189b952c94cfe0d7b41d9e86fa759bf69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d6d7023b2dc4c342_0

Filesize
2KB

MD5
e38048ab420c616447b22991c79b29cc

SHA1
9d5db9f0ee097fa2474d61675fee0fea15514c55

SHA256
152df95703b6049edb2a297e6227814c20187a4bf1900c5fc1f0e9cdf7b1eb7d

SHA512
9966b5e519f289908a5e15f95ef06bab9c546097d4d4aaf161641ffd0bb41b545b4ec6fcb721dbbe2ab137c4ef81f7e9c932ac92e4f713f10962db8aedcc865c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\da874dddbd61a6ce_0

Filesize
68KB

MD5
ff8f661b9b07bdc381276a6eb1124ba5

SHA1
78ecf9dcd3e3a98a237f75629aa1ecee91c1e424

SHA256
f964d83ecec8d42b50cbdb3c20e347331d596aa395d178031b417bb5f4761fca

SHA512
7325e6b1c2693d07d4ae61308ed5a76ca8afca9cfda97846896fa50e11188cfb4e8a4bb1ba8e19265fa6afd200e97e3d98a8d4ad085ea1b40a8ef34473c28a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\df53bad28ea1e322_0

Filesize
255B

MD5
30e342909a8a147327fe6d108e843aa5

SHA1
069fa228f8ab9b03fe324600e3e79febf536ec11

SHA256
d793e30ea8396a55de7677ac9a811aea7b56fa912ac7ea3cc6dab035a39c116d

SHA512
28df9ef077e8c6138f9ec249b79aa51153ab794be8f432eff50b12a629577a1d3bdcd63b30221aad921bf3b0fb73efa38f270e479077bc1170a052569ccd8bf8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\df53bad28ea1e322_0

Filesize
303B

MD5
5e3e395571eea0e9c3a306e6499da055

SHA1
a3536235b95357a8ed2b905ce2dc9c6af9617eb8

SHA256
f55176b7e084bc2a5e68406f2158a62dcb5bd6cb0fb430e5ef24c2eb2db70f7d

SHA512
b87ec8229fcfccbdc98c42957ad72243cae25203ab0a12f63d317cb806ef189212493bd2382e2a6adc7ad91708fd497432b4456c68889474f9bb745ba53fbefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e2c1e7379c7f5721_0

Filesize
3KB

MD5
2bb7e484d1a33e34fdc1bb026ccb6cb3

SHA1
75e8feb2d09ca50a3e833cad5d271908bb841f34

SHA256
ca5c45573fb074a2355f277e72830236457a9ecfe4de930632710456b616f892

SHA512
b3df11089b397ff10ab40a8f574a831143a3618c95c9eac686c7be04202589be095a17b5507cb6ffaf95d897ecc696f46c4334e71d47c42c95c7b107ebfc0a1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\e8348c928038d225_0

Filesize
2KB

MD5
996fbc60b478ee7cb73283f286ac2684

SHA1
bbe68b8e5b568580a883155e234eb2b18ac445cd

SHA256
1a9fc61801dd115038e24fb91e6a194f829c0091c47062d413eef285a37b4fe4

SHA512
b099c35e09fca929a3c990533e40a962da89701f79861b32fb6a812c43597f9ecf1c275276a301bd72f785378e27ebbc0b8db0c5ddc6f9630576687a4fab4c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f0ba9a113477ee66_0

Filesize
5KB

MD5
daa55960c6a8aef1877e8071c2dd0b94

SHA1
6538d1f961c89379f016910ebde3dbcf946e3b4a

SHA256
22684dea98e4a07ed02702057f83756a1b614935199a2a0f91daac1cf2823e46

SHA512
34169dd58c0acd82bc2f4f37f127dffcd0b787318675cc0e425a14ebdcd3c146dd2a19df365ce8dbcb1889179d0ea0c0cf537b1ef4641cfdcb661c3e3090e994

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f21fd1ee99514bb2_0

Filesize
1KB

MD5
1b45360bad2939c0e263ec7ce2e7d162

SHA1
76667f82e3ce60a6cc1a99fb306399c96efe60be

SHA256
9afaa10aba6416efb9bcc46c56fc0784e1e0c1143880efe03ed28735f0bddcba

SHA512
096853a69129ee0a6c0ddd62f3271a448759a854ff656035c1a186f20d67d62230c9e48897daa31a809e0546d1a1ddb9be501148630645c6bde3a508abbfe480

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f21fd1ee99514bb2_0

Filesize
1KB

MD5
7bad3b99141b4e23be32a5cf9547e281

SHA1
1fa64d6cebbe69d0faf576f3093af29ee8b22df6

SHA256
b037f7059bf85be5c7371d81a9329b98907e90dfe4166ceb16d414848a5d7119

SHA512
28e518bf2fc165f37396fb46642a706c3c621d376f0cca0850b4f33786aba6507161248ecb512f8c4569a74ca4b60b852e2dc044bff704ecb2c99065dd2c027b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f89f85018e266e90_0

Filesize
109KB

MD5
dc08b9d52de7923c71049a88fc4e968f

SHA1
457b19ab6e97acc02fa5bc639aba42cfdff7489f

SHA256
2cd05492bcf954d6a434528654593a52c72a92736cf86a69af62b842e6d6ce76

SHA512
7a1ff8c7bf3c4148f6934e9b67e5f0059c64f097c92b846d218740d4edf25e6c85916d024b42d32b31c250013dd1358fa6b5bf67e72dcfb463555f11bc6bd35a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f9a1ab66be5670f0_0

Filesize
2KB

MD5
093be084f2d36870c1fe708a5468f7a6

SHA1
d3afb7c024ec048cb0a48c32d0e6c145808fb721

SHA256
235166737bf36529f3cadf008e5151c69b335c7b3b1e21af724c249c12124f6e

SHA512
6c78633365c9a7f929317d3e552bbe6775735c9c4f6a3bfb11e9477c0246189b35b84c5354854e3193d6d6b0a43496095a34dde56ceeb5ad9a72e7ec28d8db97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f9a1ab66be5670f0_0

Filesize
2KB

MD5
808812736c654a24e60e05d4f7e42ace

SHA1
55942b2c6bac9f749ef1beadebf368accb5632f2

SHA256
5424aba88328ec324f529660758150beb1866c392c377878f760de01ce5fc57d

SHA512
15c3a179d8b86303323266287fe0ffbc0c5c76c2504a1456336fd40992f02e8ff92240c7b05cbee862aef74259c227e4ac3815e5bd65e6343f45f5894d77da49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
f89db4b8763fdc71613ad65b2a470d24

SHA1
ac3dfb6b0ea149a2ab380b41e6499012cb24f885

SHA256
4b6aa7915e33ace6e94a668255e1b1b92771c2df17f11d501da1876d78aa18d0

SHA512
cdf0e4044cd2de7bf80084b47fee787f9122487b936c038dbfd036073ca839bd9be9e5ceff7e9bada7f2731c7edffbf8710c100874ef66055e8a3cb4db392689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
8a12586935a0d166e918b8a4e1c2e8d9

SHA1
83070f581a72937ac937228f0d8cdde09400b747

SHA256
972b372c9efd8783280b183d15bd899eb6daaeceabb64dd9b3d0f0c15291bcaf

SHA512
9c50b40a96bb07bc8eea11c7b3647e1ce7e75386207757e4562734f3457d7259a75b395e2e8199176b27f13e5c970d11e1530c5115b178f43d31402416d37629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
f4e384ea6b83ad57b3ee046e57056d48

SHA1
3a144ebbe571ae47ed9ff129455e414f6ffe6199

SHA256
1806a8bb301bc057bd9e02d622750ff325fce031f59c05c4adce18fbc672b2c6

SHA512
0be99282935ab078fb4cefae8f9db0e08a8d2710ff04a377803bf8e04d50d8e52c41a2b1b44dca391e59ebac8cd60784554ee8607da2782363f6ef1d48439b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
46a326df6168b58053119612e5dbd801

SHA1
9806156592c3d5a3b8b6dbc522d3f1ad7aa2e4f2

SHA256
c004f673fe196f1fc0cc0ce0630782008a23ec4a6dd859f2df962c2346851517

SHA512
fc131fcc354076579556ed3dfe7f7bb2e772f4025c48cd169df561bb1063bcf69de40a5462f29eb00fd58f05868f3c77c2e31879306e78a9fe70b75a3f4ac948

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
8KB

MD5
e32bd59a085299ad4c0fce009d3d44ec

SHA1
f47f0d03dd946e6ad4566df45c565bdd30855dc7

SHA256
91141a92a5cb149e2d561fd22e077352efdcb3d3db1374c9db77fbf2ea7c100f

SHA512
8abf2090decdfba599c035c41549fb0d45f73d40d8ddfbc983a1badaf34e942a3bcd03e4ba59d58a69d79d84ed68e13064e1b3e39b9d894184e106753dcb2816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
82ba5624662c170cefb08900b6cfce49

SHA1
0897e52ba5f085720b991f594de3044ca1cf592f

SHA256
540f6e8be3309c226821f26f031519432d8dd3280bcb7669fd51d49f4ce10c3b

SHA512
8f885a4a41d7e77405ba7c7127b5d16f807b4599a56c7fe95cd4092041f97c0600284869bc8e3a9113cfa3bdddca3f088151233a3560208383c0171fd236ac06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
2c13471a30303df0a8f4b52996cb52e9

SHA1
8549374fba4afd5a582558d87be0a265e1ad6519

SHA256
fbd5b35868028e1fb87fec7c4794927fed705c80dbd9e329206ab837cc3f9794

SHA512
b32fcd0e1d610c5729a4da4582595bec5f2ca93fc046bfc88510f778d97495ccfd9f83ac0e72d0e59ee860692d8af919be642e506a6cf3567ceaf20abe106511

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
6a87da1d614ce44758568d3d437e4aca

SHA1
b31a31b58715d74014b09d09261ea6d5b82c6fd3

SHA256
3a755a9ceb5b956839ae3eb185dfc18325d7636cc6950ec7ed9e5754bb3f719d

SHA512
d3b252736b9a094af64c5b45f0255ad39dc3ff001f1042f4a7831d73b2e1dccfc3b86b7a63a712e07585d852b430f3acf9904edfcab906c288101b2f686c3f5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
b4705ec2763fe7f4c5cae3d92abeb60e

SHA1
fb03bf471cf19c21d36c5d4673333c9304ab21c5

SHA256
373ceeabe5a1ac94f859197669935b0691e0c7506b91c2f3be109b19a9682287

SHA512
b015cbcae7d796c3a5e8722a082272442ef2cc3465a6f3531b4d647f107f92294731634754f05589dd0d07840d93e623a93b2ce3bce6049b8e388dbb7337f05a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
660204ddcbc9fde68819366e3cb1423e

SHA1
44f766197623d6cf8023ebfcbcea4367c47074db

SHA256
32fbbb4dcf07939a8a96c2f942535a51b4a2d2ded7fafb9eb6f1ec3219556b62

SHA512
122bc38d30dafd745c236baf1f7d54a24bfcab3c362a95b610a4f131af54babdaa5542a08e45e478970489f7c7a286216c63f7639f60390a35e005d8423c14f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
30c0d3608ad7b99166ba7289e4fbfaf1

SHA1
8c8522ff10efa337cc9e9867a0aad3bc1679320b

SHA256
380b1b73aafd187b1f415ac438c658c4546ac54e48ff363f68b7708b8ecf7ca7

SHA512
ba678050b02d1dc0c3e1929362fc01d07dbac8f305af538e1614b36b680b952e18017540bd1eb27dc4c54daa3f2546a0b4cc15567289076fb5cdb000610eba51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
a0e0666054e729a4e173e25f8682407f

SHA1
d38e16268056501459708931f6d84a6ad49ccfe0

SHA256
bc025490f52f1cec568b660a41d49ce701069327a3ad96cf886d65e99147ad43

SHA512
680368b9378d85bb28ff7bdcd80ab24656f9bcc1e5978c91c8d6a3b6f13bfad4c9c35938114a395b9dbb1998005f55b78a433c3e45403fede816c6ea15d600c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
8e31304684ef770bb27ba1b74d0da03a

SHA1
8950ac5b69acf9f22bdf48a0a4084c9e66b5a47c

SHA256
8447f7996787e4fbbfa697a5347af9df0f6186b8973e3dea3e4d7d62e45bfb90

SHA512
41f3608f502dee21ffa2e8afa66a033fdd95b0758ee3c1c669ca5d57e19f226f432e3cf2b20115b55a30bec98639da6fd6ebd248b39948598f71d243cb63897c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
b1cc77a70bf6df6534fc77455b241ed5

SHA1
25484c70bed98edfbb47514e0cc27e53735aa6bc

SHA256
c22737523ff18dbb2910486eb5afe7fb8a1ae6f0c768a592d4e6d632d9fd6315

SHA512
252e9780903bbe50229ac698d0cb1ccf2f998749d2b9a4ecc14b548c74339e61dad990b0133bc40188eb06949cd2774025349f9ab9b76b09222e2c2b145ee1e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
e4f70cf40a3373565e7f93bcde67dd99

SHA1
b4a7042de06b01a362b53790f21e0d84ede1077e

SHA256
3686c8792ebfb191ac805be0a4f499f4bf4011d6563d65bfd8a10924ab53a6c5

SHA512
d5a75e55dc4ecb6a7d4b9ee30f4ca69a5f80950172e6a84c287eb9b57bbaf01bff2a26472116239625b12012b6e9f039895984cdbf621f3a725d5bde19a848d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
86ac9455040a6f658b29d0e9484ed5a9

SHA1
0ede0e3e42c11c9f45e95b4e92f8bfb0f5b40b43

SHA256
872c5349dedc7e2d6ed3477c0e1047c29d1f715a89a4583419143ada02b79cf3

SHA512
2b58cab44bb723d6dea3a978452bd94cbf9e8bd8fd62727c75d8e580b823b876adc98306fc4a01d913c672364c3db4de857e123fdcfabc4890a4ec7ae4032721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
9KB

MD5
174ca1ab51ed59d4e9c66bd8dc38f226

SHA1
e2296d7ce49547e25eaacb0ca0385b14da4e8475

SHA256
ef006be07211fd88f2f0a72d9db311f828118335171a4ff21f7881ce7d7b07e0

SHA512
a2b91168618af3cbafb432eb961852aee9d267b59b776aa10a8506947cc02a2515a892c6e75a9c49e9e1348d4f862307103fdc4efbaa528396be05cba55d22a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
48KB

MD5
e3d31b65ff1e368df6425130c041c7c0

SHA1
0aec5b3d3e31a98632ec2a1eb0a4ffb066a69e16

SHA256
0590b3b04dbe0be73cca982ee00bc7ea80949473de4fe4a6c4043f2119827ec2

SHA512
0ca2f9c6d7a24761fef7952c1aa1b20215ac0297d7970364298875a0374fbd8499d029e08fd7f671d1d205302a77506e0c357a239d2d7e5fb09da6e0219a0f8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
8244e1c883f3b437ef98da6f97d942ed

SHA1
4028ef675e3f5dc0260f060233d57727a8e84bb5

SHA256
f430b4c3b7f9963fe5212f1296bd26e143d73f2aeed9083585d38d0786ff3a49

SHA512
4e6e20b80b5b9f5eeb58c47240375fb7975a49dd1bc958d7761b153c9eb0b733e2ee40ad114f7ae7f7d2d8e662b039e54e2b7d5be3601324f21fcbb453c8736c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\JumpListIconsRecentClosed\f225bb2c-5b5e-40e8-9c3a-3ad44db097ea.tmp

Filesize
25KB

MD5
21f4df4635f9a2d9e8035cf315ba5192

SHA1
d00f54f18d424650aa9ac330588d96722e42bf8a

SHA256
cf886afb161b5fcafa4da3a11244970bc82cbbcc901f36b4d6bed44dc14ec034

SHA512
57feffbc2ac512011a62abaa638016afc943e0b366aed9bb86233ad2db588a1701695ab935d4a0ffad8c47857b9d72c8013451f0cf2b605dbd706c1eff413754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
c2786ec1e9c496665a016ecf13376160

SHA1
d7486f352dd7e461eca461ff181720e166da2f67

SHA256
d4320675a1963218df00d1dabce5cd81e660b598b6243f070c78332d42f8819f

SHA512
b7737954be3942f4c1cea9c4c02873e5c2fbaad57ece14569bfc5f7524ba0519eb39c888ec3bda87253c3b5bfdb39a482fe79452c529aee0aba3677e6e3c11b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
08180e1ae0f54274eb3f3e92908b94eb

SHA1
b291fc64fc7a53170c510e740ab399a4c3d82968

SHA256
7a7b991e399b9cac85e371a71e59d4738348b0d1dd7031033e48913176919147

SHA512
f211be2212f440473058f7ee5af481a5eb06b58e949afc5627b032922ba1515bd2a4696bf4c3eed4d391db2a451d2eaaaa7598bedec29cd542e8e719f68bdbd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
5ff9e8b9e72787dec37f19f12108c65c

SHA1
8f4af2367629bbaea1e8861ccd93f04424dbdce0

SHA256
49d963ed36f9b146be73c1f5cf5a48b7e84804e6f27e10cedf3d3a86b38801e3

SHA512
4012459274183e5a1f0807ccf14643823a0566f70e970d0a1012d48291173a2153dde9e49a85a5a1a8814e46bf42e305752a580747d51d2b3a68ed47932839af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
9KB

MD5
447cc97c9ecf6ba250e597ea1c4fa4cc

SHA1
d773e2373fffb90145c6074e4d35e0bcc9bb08db

SHA256
588eca6e237ae4b58aa7050e8ec77c68fd65124c9b60caa3d2a46c36f465f6d4

SHA512
4343c39e18db6e7420d4ce15b4f0a5b29cd8056eb13e16bf23078d800b364f926d5cfda6efeb3faf34bf4f67e5390a3225a0441be73ed7f4abf274c54eef5440

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
1af990580ecf12a9635610eaba0e4c68

SHA1
14229317ff11e12602bbe2a26a15af8889984648

SHA256
5ebea83fbc084b4b3d4933e4e0cbe29c73d9e77be1d68f979ad9805612bce0cf

SHA512
340cb58aa2be4517b7982b60ab81cea25d308fdb4145087b13f5eb00a9dcfb41c2ec6c663de907e4f0a54eb237d1d261de409c8de6c8f398a6fdf992667ff739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7ed1527301335db6c7cc3f27aa006f9b

SHA1
83828852b02412aaeec7d1cdb85f48455fd81d0b

SHA256
033fa85dcce354b5e3f1abe6decc3c8205cd5d854aaf766bc3e6a82729d4a877

SHA512
4d798b716d868b71d4a4c463e7446ef278f607da8bf574fa9a551182b309a015f02edba58ce23c6c3bf9cd79a2b2d3af60636918b45f5f0baf05f03396ff1d57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a6f83f7066b6b2a782b993e06150dec8

SHA1
0d19d7eaaa140ec0adc2e5d917accefb3cea816b

SHA256
00e86aee5c77389330c4382b652b870994f13b761b203a36042e3be46cb9ec18

SHA512
1d56d39c411df491d557860c35405536b8f239efbdf203dc2639ba99c89ed95f0e7f305dfe5339e552b145ad9ef85aaf845bc0fe0e0f0d3ed3249db277bd38e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ca4e5f0dda06bc8a80bf1f9d87801f12

SHA1
d09ba23a8f145b5abde9d06ece4c841119a70d28

SHA256
d6e471f20d8abca79ff744068493b2a6674a1dacbc00a750179351d6626d3677

SHA512
49ff4550c9bc99a2831849570f1cc111fa8c9b3a19041df959337a98d4b2bba6a82bcb78c83407b42f431fab27b09611e30917c6b633f7878c836774dfdb9dd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b31deb24dbdafd22d7e1fdcae4f9463a

SHA1
66a18dbe4eec02b1f380b5c0b6b8a02586942c7b

SHA256
6d6eb0f7e51fc0249162469dc23e5e5d2b711f13687f25230eae4ac6c364b98d

SHA512
ce17fa6f32a3bab574477f4fec733067ba12e77111f7a22a7e5e3da33651d17613e9b9d8f39288e4c4039bbf653cc7f48442163a6d13525960ce5f1ae61d38af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
9dcd3c38978ff87f438ec410558dfc52

SHA1
691c07f2ceea6cf6dd2a1315b391fdf71abadd50

SHA256
2c3fc530ebed5e715eb84a1ec1876d8b3aab12ada5505dcf499f805bd577768c

SHA512
32ccee94dc72d000cec1413c324f22b195499f641d6f35c183c7a0c4e5b8679bb67549aa0b32bd6a99327aa2d0ff5c7a1942458022a060ea0e34a8a2d8aca803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
0658d6080115fef8ba7127fcb714eede

SHA1
41d22abf007b3be436e24ed19d0e978e599c18a3

SHA256
cc68d883025dce13120d47084ea8925fef5dd6918e6d1eecb83d60523ed095ad

SHA512
d6c685c9564bd453e5ac6d692a0fbab1c915125ab5734af97a0a1c311cf2fa17dbaf3013c99f5476cfc39af9c338c480af72b2e2c2352a38ba10102e77a7a93b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
972dd47ad1d9467c63b5f8bfd8ecce2e

SHA1
cb14514a6f7df4dbfc8a993c562613009ab6c06d

SHA256
7f05ec629d91032063e7cee055a741d87ef28c207dccc9e9718e7ce558a0e57b

SHA512
14ace7dd6b14303cbea474aeaef4edfc263c7a23c3641a094d63d815b88a2f1d8dcd062c159b9d3e2b3f9b254137bd57debcca0e53a8527e813094a3f06283b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2d33b503dd3b32d9a1fc17416e4b5d16

SHA1
0d665ff9cf36776293f414b7ff2c43070c9b752d

SHA256
3810138868b39d3e573ab95f93ff729d258f5ade884c7b90d6338848de95360b

SHA512
e1278ec79ebe4efe2d135933fed9c764fb0ce0a7e22bda0caadfeef516fe057330071d1ed42bc9d505e9f30f90c13e3f1ef824bb5f0d99d2feadfcc9eebccfeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
49dca71dffacc19bb27553e364474d6d

SHA1
98f0203db15473c09ca17d239edc4ce7a97790e4

SHA256
1d09ebef9142e7ee5dd86b203889528b07234f82b75477d673641825843c4edb

SHA512
e568bd745449c4b4b5cef8c047e970d3bb161f9fe6ae235d15ca894bcadc6cce0101c8fa5a4f796ef998bac9b934eb5d0cf56cf6f28c98ddd1d83f4ec0a9d946

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
9e1cd3d576e0ac74e06e86d3794d5a3c

SHA1
75525e0fec87ad8e8bf4718971d9dfc2942bc004

SHA256
aecee0c9b88ef0e6e5308841ee8c287f86452bcd5b02650abdd01550f32a600e

SHA512
a0613d027337f9346bed0b74e063ef167d1d3ad21d61c4bbc9b40d3c31af79fb3fcfd877333353baf79a19dcbfc470c7a4ad2a8b541842baa6283b93b7f87c3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
007d03f212a0c84a929bdfd8775a47ce

SHA1
b69529f755e8928c1c1f4a79e03b6657a38125a1

SHA256
7a32b36db0bcbffd3c7377917bb6f6543eeb9a8082a634ff80d666eb9bc125e4

SHA512
da575453f4916e2d7fd12966be67f9605fb30baa5713c9bf4c44290e80d7248d4fb71b0f0ff947332e33adc6cadba895406692f8f2b17b3f38f285da701e8fec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2c5bfc01ff5533d43bcad2f4437d2cdb

SHA1
0bed730df6e29f8f8a50577243a71143224dbed4

SHA256
97f2aab1a960e37672869fe3c290c39a2c97620224bd5e878b3aefb12641ec20

SHA512
28c19136e8d5bf6757506778662c4fa8325bfd6c0ab8dd7fe406e0ca3bd51e8205252b29cc7ddfc1fcf3b7d0f92ac899b33d632276b7ea6f907d9ba2f3f681c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
4ec262b8ba6b0d491f0454bdda6dcf12

SHA1
f7285c48be3fd0f6e991f565a8e86dd3dd1373c0

SHA256
1ef861a7b6a06a84ec99fb46ed709e76a0c7d2dd7007774598a6c9bd5fb29d10

SHA512
a22c2487e07d284fa8935b34558e74c3039a89e04d8a10b6fbd5c23109bff108848e2b805eb5a53bc49cf1dea2237d48ec5cc70a0191aa2e202a56a82e45c745

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
443e8cdc4bc7ae73ef8888c65ea338d1

SHA1
c1be503912eea8df7a70b34e26e5eb5f4f0fff1b

SHA256
90168add7555deaec59f98907c080f585a04e3c707048383f8a33794aebbd32c

SHA512
67a430afe6f17a243288edb5fd7a66ec4304e17eaa5c2c61e64500bc85ffc8dc90d7754ca598bb1a7c0922af4c42af2eb33ed03b5d5e20885a81382ec6f5ab6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
8bd2d5fc30b9bfd7cbdbfca9417f0956

SHA1
347d5bf3babea325f67f0bd9df1033f8280f7357

SHA256
19a71cffc38805846c7851c14de49764c0521ac504858a38b5f745dfd29d4ae9

SHA512
cc80ab59b0a6e0d781cce6bf6f693faa9481e7ec4d2d8a43040d01cab5bebc73e0e53a8e06cf7c2eda68157cd786ca42333127c1cdeebd101107bf7c8c4df8b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
889d3728943d6b94182f4e8e5c097af8

SHA1
b017c312ce5cb5c8cdaa3a8e84562c1cdfed594a

SHA256
35d6510942d9988f588168dc1af65dd15d97ca7c0c7d47db2ff20a43602779a0

SHA512
f573dc5288832ca413fe66c9fad4e7996d21eb21da006409972d5b475b5034be74519c10e395477132198e2d790d0476c3f025a12aa97657a974e6095ad75c09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
5ffbee7edd33e772c8a40054946e5c2c

SHA1
54142c5bece24ee8a837da71ad9d656fdc6b6d16

SHA256
f6c51dc213758e59261c96eac691b1a7fffad9b38b3b1cff18c75baa588fc4d3

SHA512
8f4f61a4d3ef42526fd38c8af692a9c43b80a5a18ce0ab999d2611821fa4de9ba57ea140cc5ee8b3785d973e5b00e2738fa6d61cdbbb293534292444cb6ebf5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
cec2f2b52e57214012ec9fcf71114023

SHA1
ab2d442decdf56c14f53a693904eea49f300f2d9

SHA256
d0d36e042087e6b67e6e83986ac4c1941adc89e673685ab7a4da43a5e0a0974c

SHA512
f13afb68d3464330d566e4e8ccdde384b685c484c29792ce4c8632d29a67d02123014a63acc4da755d13bec60abd5c819191659de059e823cfc660288e5582e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
13f44a540bdf1bff438c71502595b90e

SHA1
1bfd4a21fd236e448e0af1a42836d94bc5d838e0

SHA256
c6f0ab76886c469245ede6d6a91dd7fa2e014c5f76ecf6b5e842637943708d8d

SHA512
eaa15d8ff1cf29bb08c1e3318830977a7f6ad88726abe30c0f0652645e0f159a4c138b0ce0d5e3678cde53c28d3bb7b58f1453fb5fc530200df415d521137cfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a8b6950cd5d2283e101055ad69e1a826

SHA1
937dd23a85fddbbb2ad31d6ad4158c2d7bce7598

SHA256
9121957851e0bb5e8ee0b1583a42e5be177aafb79a552d53256126bddeb3d9d1

SHA512
419f81452c0e89e437164274cb41357cd63bd941874d769c78dda6bc46133066bf6691bbee6f635452382f82bfb18b22449a24ec695169bdb411c8f599ffae85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
cc02ff02bbea8f5238dcd02c7bda93bd

SHA1
f64ee7d68ae9dfa3bd3e0528d7078710f9419698

SHA256
d3299718014293f152254cfe9d25d280644dd8a896f282c00f53a90b1ab6ffa4

SHA512
ecd1615c3c27a83bf68a56e1253a91ebfed06c4311e7f10348f23bd5a2310b3ff3b509773b861f5d404579f591a9b4ec656e35677d0237422702b195a91d6731

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
f35043196fcd9df16948e3c77d3e7c69

SHA1
6d54ff6f3ffebba478c22022e2ef4203907482f2

SHA256
b9a64d510ba0499fbf327fb377e3579937176353c9739b62c4585d2058e5eb21

SHA512
1bf0968e82f1ada85c488a3922b58c27229b2c6d075dd29d454179a8f3ce65455472e791b8e0031e54755f14bbee5b8b58499b5847e4fc84cfba5c7cf023854d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
3696bd2fd013b77e0cc9baf23729f4bb

SHA1
d471a2a298c0aeaf161ff1134e860fea00657e9d

SHA256
c24fab2d9c75f8c183842e87316ba296d46bd9934ae3f7829cefd9407a3910f4

SHA512
6f379aa546733ad6e88e4892cac548bd4004d7f6dc4c078a1ad742d03780cfb6c162d8c6429780b551850c4b2629b9ca0423d7a0c631ff2994ba48f88eb58b45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
349e6e4403cb8872765563e5c6692824

SHA1
7935e24de1c5236213e40ba76d940f77e092098c

SHA256
efaec083ea15d3d8a4cd5c44d2621fa29924cf22e47aedc1e01f5c4468775d58

SHA512
ca0a5c8efeb3b7ca9fb7c935a7fb10cef9d821943cfc6037b23e69bce112698fc81ca315416a1518771058499f8097f6be90faf5a296e059d5607d4c1f27b227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
675c2165bb5e0dc57148d99b9a095f95

SHA1
d99d8c9f89585a01f6d0bacbaed42c44bdfa0ef6

SHA256
6ca4cfb571047d9ec78fe3cf8e052001aceb581b66360a34915f1dd948b41dce

SHA512
f0ef9165cff0949017ba9ec40831a9131aeace76a61097805dd13489c0584a102827bc85ba3672ba8f87cf0b28b957981d66e22a4e99ce13f21458c44cbfbf9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
4bf8149fb8fd852bcc39b56cc86bcd85

SHA1
92d2969b608d5f166d3f74288837bda244a8339b

SHA256
ce0d29a1e865e63610252072597f80db39d90affacdd70baa848e4f2a4e081da

SHA512
3ed70631453e0148ba88b4ece9bb8e4771df9b3520b500e26f6edf81a4175a8ed0ea7bb7b1e1f623f65a34ff5a44717cb7cec9876746a7099ae6372653f4bb18

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
a1101b0201eefadc816b992735b9a665

SHA1
cc0b0862540750ca70cdbdc4185c11e0404ec5f3

SHA256
0f9031c09b1aef202c4631dc9a72d6e83557fba20219636cdb2801c2a5abb8ac

SHA512
0be28773cbda53ac255ca9096ebd7b83619025cafb6d611b9b6b42d3f86e11ff2eec97466e1314a636d1351ed131a5d4110760d2785e34d69309c77c9f52ddfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
0c8c821e187604879e3bdc7312d30c07

SHA1
76fd350859a3918a9f6b89958c89d01dd0931a93

SHA256
2955e3d9a907b519a1670004b434cc3704c3556a1831b9367f5228c807bca543

SHA512
e50547f9e85f8cd268cdedd9632df489478ac802d7a33b57e7b47d06d490cb109494bc5c1ca6dda603d2110699294d2bddce92475dee26bca571eeece0f4bf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
58d14f40337a3deae7b7a8d7d50604cc

SHA1
3f30c4d32e7b441326453660a56a1bcc6d07547f

SHA256
940be2b8ca1011ee2b606a61b4d8693776e2ef9bd9c81b886b26b663aba440ba

SHA512
05cd2d09877f52e054185e0854cf07a973c0fc0a7eb9be5f1064935327c6bfd41f840557971164876c395897128355e59f3867678d70bdc077f986fe3881cc81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
12b640dcbc05830befbd5916920a9783

SHA1
68f7142f0fdb82e2804fc708be1528e80d9bc084

SHA256
5b99eaac7b9fc08dc91201d528daa5bfe45e1c20ccf77a5e4761fd3eb3c2126d

SHA512
ad0cc7772f74f4472035cd7c999f2e85ec9d75779da9c3b6f10e08f40a2adde6b9f06865637a73f79035bc5a8aa7c2fd28d0a767c0a6e335cb087f9c983e808d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
9c711197d1af996b3f26d03e5ae55c69

SHA1
d0807607b412e93aeb9a61cec91781a1cda113fd

SHA256
43603a4158cdd1ed45bc6c2f6452411be8a01cd5d57ac307049f8fb77eeaa2f7

SHA512
0121abfa1d7190a62765db35f5e4ca759086a0f803364b0a87e0ebe2cf1cbeef50ca441a1f618a9c8b984575477a92af8cd3c40d8b9f467592760be20b472ae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
9e0628b555d229940439fc1f104e9c3e

SHA1
e0b2d64510fb092caad573b4bc046ca84f8e5464

SHA256
42a2c41d74ee23cf46ef176346a1930552f9051e5b0762f814ef133a4d179d0a

SHA512
557754ecbd239ae3151b3e9df933741dd6d889571950df2061a21aaba3121234335043efb3e9f4a05abf8123102a41420572b7548a2ca5536cc7637b45ee828e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8845dacef50292f92cd454ddfd831eb5

SHA1
f1d6b5c24223be5b390ae6ec9741e823f903b006

SHA256
036f44400952ebca142672f51772814df73b08ab131a967c2bf7b22636fb8ba5

SHA512
caa6c456c71dace2458a49a432e88ca27537ecc1e4c3221a6f7a61ff1e75189a41366708e4efc7375bb35b5ff7094c761e69a3572e474a75ddf5e1f061d57f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
74274e780d5ea72a007a719868b7e0d1

SHA1
c532f4cd1443c085be679c7ee8dbadd234b39b13

SHA256
ceedeec36d4e31cd53a77275c107ee7862c0bc3c111177a334b48324a3d335b5

SHA512
eb888275789fa4624d8ebc7078709058d747d0a6c15f3d72c069a7a21de71314c6d418ad6aea04f379942ddb5ef6e46f2b96762a82d27e8e6c9b20ac021274f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
be51f2455f7fc1a315ac4d1a5597ef30

SHA1
bafcd1fe666122b17c43444e261ae105f482f1d0

SHA256
64047824ba3f675cf8a412c38116a594d805be5558b5662e27395f4a5f206bce

SHA512
c26c93cfb6090d23791fb75a8d8ec5c99f0ab2f80d28d212747ed3183c93bee3af60a9eda1907a150ace307ab550a3fabb4b83c49211c00daae0e5ab11bf1b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
df494960d5ee38e3b9b7226c3cab6685

SHA1
4f221908ef805fb36028e816cc28054f6ecfac8b

SHA256
46b1dec8b27a7cec6d5b4fe8247a9f13c9d23e58b1c48f325d056021e271299a

SHA512
5bf0b48c71c8ff44db897d97e4e5e2f9e3a9698aac880b7941fc66c7f475c535b37412e7f13af99da297413760a51f1a6454a03a56d87848368cf1d75160c247

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
25b47559af642c06505e098d1d3a0912

SHA1
4a686aa9d280e9bf81179b9e800a5c912c1d2620

SHA256
8d67ea97ed564e5697a5ae860a36de92fbad4f24e96a1b243de332ea22f77cad

SHA512
871f00f1928aa94b9c30d85ca9b2803be6f829cf04dd7a9df09681fdef65b1fc0a3706b208a58d5a2754f8692a2db78b261ad2c3392fa4c453aea05612f58b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
10KB

MD5
3973549a9da420335a88fa6b3adcd802

SHA1
9ccffa2beaed06f19d2fd02b2f11befa1b6e0592

SHA256
92ad608e80091db98a1d948d1929f68f198c689cad2b484c013a13da1f79646a

SHA512
785c277a2c1e90049dc5ae9e3d7bf3e9ad417ec2fd6a6547e0f74d094faa51a610374d408aaa6122c4a3d562f5c6fcedc8e3cb1a22e348dfcdc9c2d0c1fa5c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
5191025655424aac5472eebf59994f3f

SHA1
031401c105c24b92ee7e3666c5744d12bc6a44ee

SHA256
744dc51f636b7ed2ddf0d043e8bed94096fddd919cab350db5762a7c14c670fa

SHA512
6636aaf849e4e9a13104eb3bc5ae71ec82c6a701f7521c79a00946b90d48de28529d456cecbf7404026e26d3eac8c2b34f34794b53262fc6936f4210ba2d6f01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
52d77e6f98c772e621e6ea422144899a

SHA1
ffcb957beeb5d3e598ccd53a4472f58c00110bf7

SHA256
ba6b2e3b3a93c9cded6350eb3d9b9d3f0ce416610a6a4d458792c4a94bed4f87

SHA512
e99fcdfdb7c3a1785049a60339ccea645edfb624e74fbfa0e10964ec51716f834ff938f099f087259f98a64da9381355d02fdbda7d3472d56d4c74023c2e9920

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c847e1fecf0fb1c7d752c3f4dd47679c

SHA1
27e91bb2e789944a4deefea8df51244767d6cb03

SHA256
bd9b2de1b9ae84f14acc6024744aab6127d853de6dbb2fd2a739f49754454246

SHA512
5c1a5ae0f4e05429937d39f06465ed356ca933e2d504d30ebfd10866d0264bea6e21c9aa4039fb864f1664de3a8841207c4f90b174df11677f0253b7795a88f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
858b27556920ae3eba70b5d52253b260

SHA1
ad49b654f876d7c4815b35e5097dba770540f784

SHA256
057bbabafd2e9a8ad3e8bb5a56c0c6cf2069e33166752d4fdf9c11a819b46187

SHA512
6c333bbd285ca71a62d1d15e5f1c3334a5f0e14b9e4647a92d19b8a11b2d60625c17430dfd6957823d3e861b6eec87b04b25014d1f9e1b8e1da5c118e4571e34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
31f22776fe1a1719d57de90fe86a4e74

SHA1
5edaf8675d59a8a5baec04a91232f11b870b7c97

SHA256
5ae3b2adc8a015d3fe3e81a37631bfa08c44d6c10f9bf51499b09ff1287309ae

SHA512
e3de5e74b8be7b2baa03bf329278d53a9e25dbfdbde103ee435b76997d5e3b6f9ab05ddc006ead7843e45908d0251358e5700a1bf32f95cb97ecad9cd9633517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
98c4b24db62a3455809c8a3cf3340a7f

SHA1
d60a8fd1fe4e014fa114e368014b670ba07d1a12

SHA256
544a9d77b0a14f01112d17278e582a598d875031449c26ed7c081c29240436a0

SHA512
1ff39405c4df761ba76211a0ee2993a11e1a9b8f5a821f0390601bfce9a41f1a04566bb9ee4934f7b78cffdbcd8e71d766d8ec6bd351e1779ae58dffd6736d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
562dde44418894b442c1ed633a6faf09

SHA1
3b053db98cac15a5d9d8bcc301b1b2cdf3480465

SHA256
da34468878d5a0c5a481567d042c5c001a4bbe666f08655bc3398babf55a26d2

SHA512
9a29d2e852a166e14c96b261133ee23a8eee8506559e60d1c9cbf08490dac7cfd2035a7eddd6b7249e799fbf712eeb0bf8005e4c9f7fe9bf3fdb8df20611cd5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
8b0b0d9c8781c16d20d5b5da3e4f0ce3

SHA1
80138cb57086be22c764cc29ff4b9d15ed538200

SHA256
abe9e2c734c5f0d5a6a395d942e5965c1b241d87648f7716240b40fc94fff511

SHA512
d452afd7b2d2d6092b430b130aedb282711a7e2e61006c6925e50881acd799c65af63cd494fee34d599147946c6a26c7d37d717d136e18903d15f62d2091305e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
2808d948c59ac1d9285f1742c7b141df

SHA1
41e058971c413b1462fd6a617fa28dc9a9413560

SHA256
f9965e7f1229de6b539db6d2fae04d1e6feed5e85449456c85a9c158aab95e1e

SHA512
ace2963427d341d92cd84f8d62507d4272e9f8181eaa56796b62785619ff4875eb9ef62054a213d3b6e78e555eeb0d3ff4bed5294493dfa223162ce5bbad61b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
c17829f5bb955abcec10d7b64d65b066

SHA1
8acd4ccaa84434677c8b2b07987278ed4c86e27e

SHA256
25b24fe3d892fe66ae55c9fd27b74e4ed79ecbb76cf4c9d85e33009a1f5413d9

SHA512
4e4da7c5a488553970098cc11b93b6746abfc5bc44c6466d45ff52ee1a0418aac0d0bdc63dd757caac6bf541a148e70de8691f92925be48c6fb44ae4ad732397

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
1e03fddfd1a3e622da35896849d2fd34

SHA1
347bf5e997455ddd9a3b70f73ea8596041fc49c9

SHA256
c4834256bfe1ad2ccc491d8ac746e93b418aa140defb1302b439ecf1c3b1e124

SHA512
015fa9560f00f0bcfca13009ef9b660452694a5ea0d1f4257f96f40b2ee4f8f044e685ce361877cf6a3e49dd88fe1884a66be5056f5bafe769581aa85a56e6d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
0043b6a460ee69a6668fc5130a03b58e

SHA1
60642e126a534c8857fed989e752d742b519acbd

SHA256
3db868e3716cab417a3c8014abd0d5e2d7d51636cda1da18fc8cbaf28965328d

SHA512
3426143279626fda84036d15ad2a358af8c80a953c502e2044ee729caf4640d65dd48e7e261b12ed2f747ff476cdd4e613b106b77a158d015181efde9bce24c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
58de87d583f0f8162a7802a7971b36aa

SHA1
1e496055baad8c2536eec741eea083fdfb62e941

SHA256
6276d68c27ee93b7779db08dc09537504412e05250e6b5ffc0eccb0bc246b4ef

SHA512
2246b1648f69aebab04fc605670bfcfa0b869c4cb467b4f2b75916cf497bb190f8c88d95da19c824190c691c0d71c65b5609265b4cac7a7f4f45e3f6251d675f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
4aafd85e8cce8b4f47bca8ae9e579e48

SHA1
63cd5bc4340ffa475d99a8378ab5121c443dd72c

SHA256
e114a399ed2dedef04f5d18cb18b568728ea0021d9259348abe7f789a11faacb

SHA512
e13abb9e3551425aa43db4789d99f5b83d8879d16af04239da40c09ad06931370d32d9a6cb233e16d1ac9b38664e0584424e8cf1e3b808b0561263e78239f92b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
b719a3f46c494369f082f9d65b701048

SHA1
ae653f8bc8eadc36a70837842b5825ba4b4fbb47

SHA256
297440e62e91c54a6f93bab2cb0bbb0e16ce7109ecc64e74c700924e5f8f8ac8

SHA512
aa109332d3641c9ea2a04ce84306fef6d5cff7246ed141ace37b3379ee1b90a18f4801721358dfadcbc8c5b5411ac79b7c35fd84b8bf16982808b40fcae072d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
976cf93d5df97f6bf633609c9d6bb5f8

SHA1
b0907b51a5fd28c94adb9d98ef69a9d3b8baafa2

SHA256
a1ed8d51876360f3851a6c8d6f88f1dca6b07f86cfd24725fa26f79dbcfe1efb

SHA512
fa1be5c486cddbaa216e57de2b9d345cb00642ac988f6565b685a436e46312775386eef50be229f7c9ad591e4f31b53990b91bba00fbf556766e7c5364026a91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
92ecd05d91b63825b346ba8bc0dae702

SHA1
9157c7214ac4edb221b7b15cf8d445254c06e283

SHA256
3020712fc44ea36e8fe28c67ada544cf4806098ddf17c969d5d0e0f214181398

SHA512
7adcb4889873c88215e740eb9b5c2150b138e62451df341d0b18274f50dfa8b38d15f853210ca357d52dff1f07a9ef2fc344f1910bb484daaedb72f37c2c5ddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
9faf28b3ecd3a96ba2de29568b9fad95

SHA1
4a372f24762372cb82115379d467a6a2bd31611a

SHA256
b2288e2f392c6e041eadbb3f8b96a8e50c36fb4476b2293f12ae381f69b7dfd6

SHA512
88a8e907327ffb9a1c81a0b20137638ea24b5873a0228cc9d5e0852e1726d0d4213ff1b77a2118eb22521f75deb8b9a915c416cfbc759199ebef559518edba92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
f14045653e75c57bfd611de24d2115e7

SHA1
9c41bf586fbf435fd56e748a97807d2ba39ed8bd

SHA256
b24774a6133bbc5766f3192d81ee6239a105e972eacffed757e65dd4de685a1f

SHA512
07cc701941ee65c3a794a3cfba67a98ba043f1a4a31581e9c1b3868e4a6caeb8865e3a9fd3ba95c0f8162ba147bbbdb839b2b5f413974c34d95c52e7b81ab09b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
a3b0478d9c27c10340f25c197f6a5c02

SHA1
7dc6982ebd771353f72d005264467764cc79a39c

SHA256
1eb6b5c80161d8372c21ceed3bd52db292c941455bfbc835e08f17fab9402a3c

SHA512
8b1061c2febae9d1d48a302841c4eeef91cfbeb9a8221f832abace8c3b9a5b0416ad23777b2480fa3cae16a5593155487b639cb6a5f5b1aeb2933d74df6c0f99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
520d92100d1910eb7feae059a1bc4f09

SHA1
88316d8a258a491ad41088cd7833650bea733344

SHA256
d20c3e3b7a7fb0f452ddcae83a30e0ea20f22e85715393d5e0f157516c31f970

SHA512
8ff76c5e07e950ea4c67d069d4ea9d7ae9c65792fea77eb1c9364936beb0e6c505c588cc0cde035ea79b609e9ff3b465f78bddb7d9567ab6d2a4586fbfdeb237

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
1b56f1893075610df0290fa86f49739f

SHA1
98dec99e06ed8ac556cd8e712a6db142d4118d79

SHA256
f810d50868820b240c89a90da10258f4ba5c8426cfc09d7303d7793067f4906d

SHA512
cf26badf4207d198ab04072a6539f4eb6cc66952e9b7fbf4d92e0dd3c76fe983f9061b899b10626adebe6bf5f2b30893bbde5abcc1dd3db7b5d0f03a94742860

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7f7833aeea2d50b5f12ef4f45e990e29

SHA1
a77eefa6926d79a8acd682cbff45690c19e33e7b

SHA256
09757b3f5afe01cb243070034460229bca9793b244eac02138b314a7f7aa364c

SHA512
74bbd1b334c78c3063d02ccc601264b8f4d5f4a638923a8b8bf4d70dbdb9558af7b877426efecc2f0493f01188b2215e6a5c557208d0fd623a624f93d0799a03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
eace2c2c50146b6f31673a62b697cb18

SHA1
8192df1d3f4475b31aca4d80d34c5b679429979c

SHA256
12ab0151218a75d6f9c5314208dadc835ea4f68218a61ba8a04719206148ca06

SHA512
7c221080d84be53ebb3e28afeaf7d5c8ba75a6e2f236fbdbf2cf14a74083a8679e364c472586664b626d0a32e58386c59c259a6e2edaee8fecb0a2f2cee638b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
b3f4e801c77f45460dc1c05fe291a3e5

SHA1
b57b052e49d27bccc993c356c11d77e7cb8cb5e8

SHA256
56c14d6abb6ec5070134e010e6f31d73b93751bed2df7bb3abe97407badce8ac

SHA512
bd53516cafaba2ea71ccb8a74e158bfb678c326e09984fa29efe718a8f14ee9649c1e17e919b4f4b0865c9a47d4857a520c8f4cfc21c59faceb094270271e251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
273f22f590338e1ab894f6a47f0aed28

SHA1
c52002361962c716e66d726c07ac184a03d99561

SHA256
f78bc0c6cb2bb5148fedc43e5c9d25006b24966416ad7df586a897f277335c9c

SHA512
a37d50f421d6d8b79f324fba210c0ca6f33f4e2f3e4a752f98d36ed6bf088c80f3bc72bcb006caac9e1538e6e0623d8a8a3521703383def924da69a91b6aa648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
33f8ec39934e702b7e99323cee01d3ae

SHA1
1e4c6889b029f4ceaabb29ba898b7c294cd908d5

SHA256
fd530f5a881777168df5b52f62e6bbd8bae85acfe63560113590ea7583c75682

SHA512
2ba4bb5f0d530c6363ae008093346a39088fcf34242730f593f584ef855dd9320fff928df7b035d5881a165b823c6536bdfad28f1e1f1acf476233fe8abcd19c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
f9ad4ae14200f4b471deb04ecd5607bc

SHA1
9856b69262290fc61daad242a3f4a44b754db6c7

SHA256
ba4f638e0c06abdaab20455bb54cdbae621e7ccde711dc84f4aff4c328428fe9

SHA512
6bc1793e4ac4adb0ead8621704a8619978671104ad21f7bb754ad912aa9cc5a4dd4d40c874136a5e46848028f538b27279bc68f8578339c94f0fa7c249552918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
b809585e1b5ccec58ebff4fd905959ea

SHA1
038acfd6de0177c3634d64b665e8f7572b2da01f

SHA256
cadb113fe170ee74089c71faede6b4fdf356557ede8b5f656c0550ce271bdd54

SHA512
85a1b96cb7b0cd61a3ab561006f8d05cb02f5a5f5aaff8721cce37f042e869d71caea64e37094a39872b3367c834e269bf8379ed7d5ce9d2fed39a061c716431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
e9909f501e345895af76ccd7fb34a5bf

SHA1
9f2d3d512c6dd3feab6ab624d96df59923d71f92

SHA256
ee7e6c7e0aa73ce59d8f2bcdf59bfa18ecfc2aa705e9c6bc44af6cee1dcf2628

SHA512
128a10bcb3ba592682f71d5b93ac58fc280c9ab9374ea79788438b5d29763ac65bdbb7af1596bda1b0037534ef09bdb52fb76492573fd07975e775a0921e113b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
e68b85ba600fe34ae52422272c46deb3

SHA1
25c8c6bdc75f46f2c700a26de11274f438b4c7ac

SHA256
826f50aedad3bed2b68db1c40a9b15a5502ce0a3754ed724b04bd54bcdf5b34c

SHA512
71731f5f31215f76255a80927d24d3992cee555513e43048c123adf139969020a03fd75d96c787d38c1fd609ba0e16671c9851ea9d8cc207271cf8391dd65897

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
4df43228df6fd636dd463fa1bce030e9

SHA1
590d1ba733529a1b9b456219c77d500c5128be8e

SHA256
35e2054f6ddd53a98137659f02c35e89c0b5970bcef04fbe25a13cf563611604

SHA512
fa8c1ac1d90f4d580d6de56e4e5443ce41d3b97b54b3e0502d1e02d3bfad9e88853b200ea611bdf27261372ebaa024beec7bfd8731b095282025a5d849ed7b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
79eb04c2b3bb938af742cf55a962e7a0

SHA1
bde1b14a83e76a439b564a4755dc89a344a81f17

SHA256
7e9599bd15af5e96d7997c3116fc56c71121fd1a5dc4737a92b3b7465694de9e

SHA512
0fb1a3cf960593b9ac0b4d536ea4282a06305cedea0d50e89fe2321070fc6be165c0cb14d8e46991f3aa3ca8e7604b18f9b3cbbd057f8a30d704cf6749930af5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
efe7e7a0aeb3f54aa8540b11e92570c3

SHA1
dc5dddafcfe816cca6bf0756551acb0a1c61518e

SHA256
05061443897e3c671664c124f14bd51fe70a3819a47f42e8011ca0beb70679e8

SHA512
4558e070379b9c63a7566ca39891919a816e5691bd77d7dab9ae39c1defbe642b3da9627b8b9f6b8f4c868c378360263ae5400f535b034921ad15ec82c3d72c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
d84a7e39614e7d2852eb1839ad19bbb5

SHA1
07755d38b54ffeb9ddfbf6cdfb54de432d5036f5

SHA256
d4658cd6e9a095a1e834f40bbccba73ae600873ab7d1db3c250e62be6d0852c6

SHA512
de06ca8f346effb0a29b7a0a071f0e34f733db5abb94dd2be717eea59f19924f1677f17ce12fb9700b6ba438344483e3823e2106bd610784a113cf60bd5991ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
345214843415b3e4ea6cdd368e45ffda

SHA1
3af89cf3233c739d1487578132aa09d1b9db087e

SHA256
99eb8b2fab572c11e776f7774f20ac785d8f419513333e5769905730e9de1a44

SHA512
dcdd946307f2ce3b4bec36add39ad7b215b38b50a90a753d29f5aa9669ccf64ae9f2a975430afbf777424cc32b1b544448ecaf036c6d51776b76cafcc43e2b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
085e110b3fb78cf9f447c147272b86cb

SHA1
6b71516d0edf570b5523a794ac76053030086333

SHA256
566c59908ea4bc07dfae3767532d1910d92fb7db6162f062b41012e8e81f75c4

SHA512
f0f6cebf8e037e1bb83ba3994811991ce7b120145f25e71e55fae30dbba166dc9c9ca4651669a814a97dcd08b57b202ed65e869356d20bb5fc32631a90882261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c479c5000018184f0038a82c74473098

SHA1
52328d037bfd32410b6e100bfc8d3c8b6778af81

SHA256
7deac23a702010f2ae36663eb030c5d5db35eade88797bad8a800931375910ed

SHA512
9f553f312c3d19115e4bde65ae6be256fff6d11d168e75c13e95e6902a8347847038aef5d925316421712abf8a066d2339f25e0f7c92405b11e673c2e697cb72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
1560bd34dc4656d3bc9a7da6ae577d22

SHA1
794559545f6496640a25ea507e46ff7e186d9869

SHA256
1b03a37271cd90f17eedbbe4d743b408886444860c309975300074d89a1f0470

SHA512
ca26cf9a4aca92dbfbdcd05a27e1e54032c400508c7ca8ffb4dc993cb00d022bcc5f5a448d1c37f15755672511ded3fc5f127c4a0248367221f03d1ba0e12937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7c5bb16c913ff689daabf0318b3e417d

SHA1
e85db43bd2953a22b7d7b04bfc13368ce6f527d5

SHA256
b6a512e532e9e71e2b3ec15bc9465a7c0c1c4dbe899e3b6acc9e50db3bd1e572

SHA512
7e61cb0b35b2b0dbfa73ec8022edcc9b0f7acfc6195e7a65c5709c261641a27e92c0a15997f09f3840d77b62373f22c163eeb5f635e2ec7dff58c457f81d0019

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
3905e160371ce4f278be424a91cbade9

SHA1
5cd69ecd5a316ee4fa01dbdfce7a33add4197714

SHA256
b64989065add81db947680d6c3831057be273bd99bbc8902b9e5323f68dcf1aa

SHA512
28c14a14a0e2c3c548c7429f0f0d0277eff11225dbfaf148d984a024dd5dbb646d56f3ede9a68be80a95fdcf52b964cbd1dbab2faf1ff523de59d761c25b650a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
42dd53c2d2372261ea3850768b8271dc

SHA1
1f1c3dada2102d97e491265448c062269e3cb99d

SHA256
cd16e1fa659de56f6fe86c4b4b66997acb209e5373ac0c529b0d4c89d00770d0

SHA512
96a842ca6a9b61671502307502239512441f27f0f2cd035710cb1041b800bc46539cfcc8ebb20a150c2b4e6f87e6147304f65f977f7d652af720b281091b8d07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
a31dc06a447e9a3536005358f636963a

SHA1
3f7940e7a5e3be0ce1343fa6287bc3d876ebebc7

SHA256
3acf391a03fdb5977521d456c4a3b907d9bc309fdc24f73880d78887f05ac4a2

SHA512
9fa2b28e5c2ee496fcb25aaad2a618f4282d7a3a192cc49ce5aba9dc6ab699cfad966a6a77ce7f27fbb610dda31f3d1290eb1a37d3f95a3867f815958de29493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
0776630b20a8070a287056463f50101c

SHA1
6c4f4e68a4f8b570269ea55bb796be2240d38b20

SHA256
513a6b9197243bfdace4db05ab9480b9a2599260daa98f079b2449b69e8b1e13

SHA512
0127208721513f9bf2be8d3b16cf814ad933a33bddf390f135ee9cc3ff12ec5e37398117e4321c4b2e77a2d6e5e64411ee44af1aafaea8868d16d94520eb31e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
326586a76db7a277c3c03c446cfdd3e3

SHA1
d9cc256d1b191c905ffe24eae484b419f5b8f9b3

SHA256
f45e51f65d62b7a78da5baaf5bd85152a5fe7e5a3ad97311a93814ae1d016218

SHA512
ae44cd66a20aa891a5f004f2b5fc10816aea03e428c6fe2ee88dff7185f10de7e4ad03c978a45c6eec0f5acc8bbad7d12fa5bda2578e959394e72d7bd697cd56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
87d3f17074cbd6641706ae2768a2d19e

SHA1
574a489a6234e136548c9019585d81be8a1788b5

SHA256
57d04b44dc6bb4e3cf5dcc62c506ec16500b7b499234763a07dd6413dc021215

SHA512
bc9f43eb2225a18faf29576749ebcd19450c12e1fb7ca5eee1fbc53659807c764e5e2e175303fa66f84b1bb9b51e0bcbd36ebe24e7291f5ae4a880c1930b7788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
821e6541a1d737e25c15c2201dd4df0e

SHA1
87fac5ce22e44de92633727c4e2e177af286915b

SHA256
703c6602b2ee9456498181b33cbe57c3d3897bdbe4c090c4dc198a0ab927721c

SHA512
282e543fbc5ce5f343d8aca70449399f0d20eb2c9b7a3bf7dc41ebabaaec62f3696419b41db492dc2b9292b655679a53e44966ab4ab83acfa29d5f29acf3e691

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c042d8f74e21e5d2dd5294d9d64a0c61

SHA1
624968fde3e78ece689ba7d942a7d39ae57fa9d5

SHA256
8087f7c4796597f5b9924a3a63664e03868267ca9381b1c8746077eba69b4c3f

SHA512
2a6e49fa49159293a662e4c62ed76e4e3304e9217967f26ac6bd9eba44b1e03ccb59b48bc16f31cc3844c11e9bc526277c62ce7db03bb97db3bda6fbff856f29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
5303373dde456d8eab0e040736c6a93b

SHA1
5cd27e49ad5a417bd2ad02bf8656bb4d11119e70

SHA256
2f956d767bd47271a90c1539bc779f1174a70b59c7d2943467b0dbb17bb91700

SHA512
af0a696db5f55db9056aed367788cff247c40d1403368f8c54915e894810b61945ef0bce80b525d4e349b8936f5b84bdf7e5aaed643c3fadaaf89d7b4ec4912d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
520f0ba70cdb5c727d47e1c67acbbd17

SHA1
c9757f683f5a1ccddd7a952e5c01d4789107d73b

SHA256
2e2686045bde370b2eb2774278a1e76f8a89b8fca99278f79d83c74d2616c28f

SHA512
64eb0568a0dbc2ee4986f96dec862fce2ca0de163a7f7d037a9c422566fcb10d28b67e344996e837696b051cd2127695aa0aca48d9caa24f00034941cebfcfc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7514c7b6a7163bc7dfab11600d0a9b2b

SHA1
95f3fadecae1c291044170791ec3d7d8557d3455

SHA256
c2675e4c110c5a07bbc6c65c6c088d341de27484a41cf399b9cfdd3e400e3a48

SHA512
3306557c10f17275d956e1b08260fdcfd343a68ba47e043da20e1db3106e5618ad48c617b25b03c11d8fb51cb26a694e6523706e9024bb15a492cfa2d25d565d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
a51f1ffd9ee7345062dc924acb644757

SHA1
d01c651663bfc34278a86cd364430222391e39d3

SHA256
de7ef2810fb1077e08ac19b041aa18c91ff008c0dcce9acc4cc08338d33385d9

SHA512
61a2557d0a331dd70f4776f2186961b63be024a14557ebc1b9a2b72d820b0c421158d43b6c43a7c39e2cfdc2d799efb8f3f679c18b005281c53b3443a5f2843a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7b12b25da4c343a9ffa0e7be5cc16c95

SHA1
260f0bbe47cfd739d2fc3f7b09d22749d8cc4f5b

SHA256
a97db3f5a77e1fc25ad6a9b479b30fedfe4979cded8140c06ccd896f47a3a21f

SHA512
018054e099b8bbfef75844284e5277ecc9dad62a61c018c6d44f99a90132ef84caa903003a180a7250dadcc93025724292d80da5a4045a1541055c85df591543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
cd312f6d0668143b624f1729044374f2

SHA1
c3cfc8558d4db3a3ec27513f84a1c7c7fad03798

SHA256
3fdfe930e5b6ec80e8518fdb2b30d4ac8ffdde41d0136ec6cb9981e755d4aaeb

SHA512
152cd86d47df883606455e4a1e26a5cb28944037723baab90079c6ad379da6931507acf0450a3a94213392ab83f571157bd5356c59c1eafa7ede680b6b33ea09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
58d7ab34a6ac02c4835794b9d790186e

SHA1
3d2c0bb1343eed767eab09d7d4b6f9aac63eab5b

SHA256
30fa4582ea0de393c7ca6d4811cf142d843d21f409780e84d5afbc9064bb0e8e

SHA512
7bc525f6e3aa0ef69c297d129a0b73f458e8479cb5a07c2c805e3c3adb892b4fc5b351ef4a9ab4072c742a1fac34e3f64e8b5ea418123d1a7565eea77223f022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
837acb1be3f34ce5cac1b195cd8d5c68

SHA1
f59f1b147fb3bab681e981353255baa3918cfac5

SHA256
d0408b5bfeee86a4d16bd0e63a5bf0c08c00ccefca330c51bcfd24098f2195fa

SHA512
a1cab0a7c40de8b61bf337504718f4fdcc724c65b98739d80536d389dafb5866c060a9a3f840f9396b9833ad167d934f82db5dc082b6d2726ec99a991cffe32a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c301a7eb7bd1fa2acddc321491809754

SHA1
f6d1421dc44a22e16e7a10a514afd76dc8292f60

SHA256
108dbd16ca2618c851a2868640fda5d7cc0371338c97226ebb81870e2902ecb0

SHA512
ffd51c7b9215c4926562a0051d6e6a6776e0c25b7de68e18b98a802e4021950d4a0bee82b3466681a9c962d68742e34199f3a0effe8834c39b4e68d92e99dcbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
7c0a19bac8ecd4c79ecf4a1b9228c0ef

SHA1
2de9cd7523694482da3f24ab2eea76e17eb9ee39

SHA256
c10bd7ad07b2cd81879b921606085ddfac9103f890ad02c3ca941cb0e6bf8407

SHA512
c3fedb9318c548027e5a048e5b38000b79e244ebc87b615b02148c53d55329a47ef1a81432ed8741f355644200a8221f9286d3fb7f2e81ae427dfd37e121cfcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c9bf611e169aa9a483268cb365e1bc67

SHA1
75391041e52970f740a4b41ac5ac60ce6ee3bf78

SHA256
ee861722d900530a00d91c6262fcb32c966cc2c010904b88d27c99bb2a1ac6e2

SHA512
221239d2712a27ffec9c8effad723b30aec80b7da0c40f0737ffb32fa834f8780de3837f8ab20f4053c615ebfa882d6f15b0dceb1bef96bc046020f13b4be8dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
83a38096a1a2762cf912136d957830fa

SHA1
fc9829a24c4d94c8994180d2c0889bc32f0fe0d4

SHA256
c5dbc779afa04922697cf10a667744fd83a26ef5aeaeccf8e467cafb11672959

SHA512
6f237acd097cc0ddfa9b3c977f258276020372e5da6877025b29658e20da0ad84b584edda65024367827a337ac8f9dfc905f260edc9e1592aba86d2014e936b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
72066f308c9d6c963d696d61c011da24

SHA1
787ef068e9610baf51cfea8d8eb24a7fa512a26e

SHA256
c6f90971d70ae22598099f4c5eec6b9a4276efebc666f26db7f7e9bafbc0683f

SHA512
d9fdaf0c04d456fdb0db20a93ad0e4457e5cbea35e4edced8610cf2c5a3056f34a457b721e29cb4f0e50d90db27b213e586b225f18665dc85c4570e8fe39b393

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c0426f49842255092e7223a8e074bf8e

SHA1
1aa106538ca93e570df29ded3ff8aa410f3c7b75

SHA256
3afd50742e412e0a15e4b5b72614135acf2c7914909ab92e514c9c64358465ee

SHA512
76c0a66101afff9946fc420c874399050f24ceb5041c567a3a236f6601b23334068301d62ddf7ba7335663b908d18cbdf432d01fa1083f6a1c2fddd2814c3faf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
671e012cd505fcb36351c7219d6a922d

SHA1
d3a94015d14efe1c5f1082f25f3d915473ebbc02

SHA256
90e519e0081ef2e22fad00c38a0e78a1a45503f8cca8585cb8c1c813b2fb835b

SHA512
fe28332363c60b02775e412af42f30ea6071554528821288c05b893af16a36bad6321d7340975847cdd1c7c70e2ad9793463de4769c8ee196311938dbdda9c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
429c32d927084ff850fe4073e6631739

SHA1
79bed3830a536d80a32032e47148db499addde80

SHA256
5fdd145d068764689f053ced30894e0d2ad03145efcd669faabf447d89876112

SHA512
f6ebbf3bfa222a86115f95a945f6b6897425a52fb41b12c0874ea715f96cb1bd882f1c1c1ed0cb2f2debb28fe6151216a099f6ca8810eb5dd836ad7ded00495d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
4ee31aedef31a94a2b1ad832e3e20740

SHA1
0bdd93e52a13b84b3653c047dbfbb06660d96737

SHA256
6c0617d3e12e3772ed07c7ec56e7bc44abd9cbf11ffa1e06433bd6d8aea06133

SHA512
4a5c237f721b616b9dae4297bb8cf607e8c2ab8a1beb50c5c727faa613ebfcc2d15117052c0666dd0df27c180cc597898bee24364f5d1533b99aad9a53f34bb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
ff2ae185575e4cee99d771bea0653d17

SHA1
bf58594bff2e5c2a170b4cdb22859ee8f5d3130a

SHA256
f1d25cc5d469ac86bc64076f6746a0c9f0468a22daf21ddeb1f1bfc1c224b52e

SHA512
c68193c2b82ec111c95251960db6ee0ed164a7796b34eb32e28c0dfe00e6da67401ceb3076f4b0cdea47c1caf6f54f736bc6ad95366d7abce8af7da84e996d2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
6ebf52c068405f71d04b3b84d9550155

SHA1
149102444d8e37e61a00500afa14acbb8762a883

SHA256
d2083f8345f1e6926d5d88efd14017803c61f1415d8240dba917fb6fa3aea6e4

SHA512
eea9a9a23a82a94ab74eca1d04464216b5915910be6661bda275ca1d73a7d285808f7b50fae26a84b68aa56d2de07cac1972851627c49a154fc23769ce61de36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
fc829152aed2bbe4ee08615a34ed3846

SHA1
ae4739e6921950d0b6d776689f1b7c013b8dc673

SHA256
aac71154085f4365ed96af50e70354230dd849a127a5436a9d40a6fb95b05a6d

SHA512
49d59ddae5d547da85c9ce7f31c36db24d7f1593d8c10bd890b6eeb77fb8653af220da2ee20bcec9c89d54ae68d1854ca94e377d752ff02974f7fb3352d62f38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
13ef5e4863a661d88a859e1910cf1f5c

SHA1
5e0c15f8e17a905212c0e797ea9af343ff8e23bf

SHA256
6034578476ff343b5dc71b20f200c67ffce50b8b30daceda28c28c972df18386

SHA512
61f1f3e99c436790c848e4c8e29c4c71594b3dd2ca9a08b43ca0b2cab5286cef798d9e88ee9a34479d59de6f0dce4290247abd226e548f24303edf36b7a4dba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
5a27a1fd561d51adf718326e964c5896

SHA1
10adc18b2add3d557372b79dba3471564926ed6a

SHA256
0d1d89a052cf65a6435a40097b8c64deeb73f92bb26913ab9d6bc52f2d71c592

SHA512
a8689cd997fb007a5c9ac5a45b809c99403818645e68b32cb699eae8322108bbe05a6c483de92f63a041c7846cabf10b1894c819c2e7bb369de21666d85f0766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
060e8f55c597e11ea5947e4321be1789

SHA1
45b55cc97d678c23c60aeef584d0452701dc91f0

SHA256
0cf5839a525c6ede8fe119e6876122022034883d4cfdf62ce004ea3de5d12958

SHA512
994fc490c3e40e03bfd6c2b40cbad541725945421750d029a54e883fe8d8fd3cdb6d20076cfbb6492e4cf182618d669559714cef48617bc03292492cac710450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
ca42c5722eef4950b7b86a7c05091e1f

SHA1
5621ef4798739a044e2edf599479056cf647c59c

SHA256
a0515ce654f7201aeafd8b84ceb263d6c3639e3f69a52b81352f4c77736752ca

SHA512
4d738b80d6e15eab6da53c2b2e3fefba5fb4e0d627611f8471c198548681251d82c79d584dcfdef54b3c9aae5abb0347135d6fe14a0adb0c84b8989ecc91f464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581102.TMP

Filesize
538B

MD5
a005fe5590d7cd7d52804391eda50237

SHA1
8f26d8b14e0b30c6b241dbb1f51bb16de708c339

SHA256
8bd37c88a00766d7cec62854a30b7fc86c00a653c96762f88df985e8c634cfcf

SHA512
92575207fb64de625e02139a6dce18699eabbe22e72578748ed31eadf0ced4ee2832619352f62174c908c26c5deceda411a6ac178a6dbb34174b8861636a37dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
399c7d7ae2ad39b91da793472b436aa0

SHA1
2d2ded18a52d3855c48b433dbc04223c2ca858ae

SHA256
8c8197169617c80ea8182c5651dd699f784749a7a9a0ae1e70573aac96d7a86b

SHA512
958f1d4f2741b17fbc0c04e013cc80d8f3206fe55ed88d3f77715025a8efd4f8cdb9b4cec08886f6fb2ebe09e41d8a19c4a851fc35b9c360118d33c064a9b346

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\acbe7a4e-2d1b-4a79-a081-f8bfb53c7482.tmp

Filesize
11KB

MD5
57292a8b1fa69b6cafded41fe743981b

SHA1
4bc3a980d5470d86e84498a5832c1938ad5f3a7e

SHA256
3d2ed305ebe5cd48b7ed694d024eb24ec44cfc745cbd9eaf600cf213d558a192

SHA512
8ca559b1608f44b94b47ec7d88161c1953798593565cb95a4fb9de8491bef5229153c8d35fa54872d4890ddfedeae997783a77f2a364a27a791a65f87581b9ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1c56e18657f4f8649e53cb5d5aaad837

SHA1
b7af8b0d8f1a9a83e51dba0ed7970f3026a2f557

SHA256
b20af0b447246de7753f86da57ce4273cc6735539fe5bd0fb923e232f0855d3c

SHA512
f3bca37d7b61ddfcec62e1ca58a537df51c32fe1fea4829196db29bc412a5c89d2c996b76048c0a4f3772415486a78a4d3557045d51abfeed194eefb479432cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cf482327a3f0a7f0e33100041fff0aa7

SHA1
90589bff09400b37d54345a5dd5e7d642a138ca4

SHA256
29a04c56516e93c121f02c187222ee20e68cc3d0eb1a624db56d9c5e0603d045

SHA512
226271a68acf83ca76aea3ce28ad54d480cbf2691a57de6b51db89e16f62001c3d410727d1645d770e1ad6b9582e8662e2f0a6047b7c4ebe38b467ec63b4fb6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
740ee735300dd3f8ce9db0494412ab74

SHA1
ef0953fd71f1f5097e12f91e93d5527ac6053d88

SHA256
d1bf5fed1f88d164927b90bff4ca483f3ec3d03c1d122217bf4d3af4e7f04ec4

SHA512
5d7aafde6caa707dac534ff290012ec2ce2c057a61eeb19fb1c8c62d72dfd12ee7f444e2c62d677e96267b348ff8579ed4ff15d88f2c2cfd9c860d661a383353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
54b883a11fbf01327d82abced0be4413

SHA1
e31cb7d8f73c804920f201f6d6d035da404a89f6

SHA256
9c0a7185338f07f25ce35474209894f06103ca1841e7056179c48bdd66d3e95e

SHA512
51c0df9048975c7f310671cd3150c6f11c0e0777a476c8a044c9d8205d288695c860010387447e95d16abb8a845a11d87150375239681edca7181ddd413b8096

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
338df5423be8cb50036ccba872e1eeca

SHA1
23dcebec34035e0b1642ade7b472a4c3797a2fc5

SHA256
fdd046493b75c765361235448f84e69da2549ac6814f980b99a2f66eae7c1196

SHA512
842d72f6612e610e744edb6a49ca8b1e08baee1de9991130f1100215affc2a42c1c8d3779cb75911b68dce1fdc8e643514bffe50fda984f748ecd835364df600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
98b86cbb97e8bb4fec72f2d9a6f6d84b

SHA1
238029bc0ccf2613464ec28316ae34111c321973

SHA256
1c60ccf21545f01e5bd6dad0575cef3cd0bd54c409626d243a479c675652cd0e

SHA512
0343f9c6ddec6c8830e18dfcfc4c7e7987060ccedbe321ba8503ccb8edcde369db15b652ce3592ea90b9627764201432efe8149d4c1d08516da83b562e550f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e6aa1d9c571fcc85dcee721011fcb2c4

SHA1
ed53e284e87cdb6d0049624fc4bc9156c9b66ad0

SHA256
88809af552b654430ae9f0db86f520e4f2cfc39db178130b60a08ac3d5d6738e

SHA512
ea124e7de415f3d407cf2bf7c0ba2a32e562a0ba9d4a1e68f903e16b1b55ee21547a7169c49117c5b586dbe993b0ff37c968f117affe94bb55b9160ebb0a71df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1b9fb05ac570960d7a2443ab7441b82

SHA1
c7cb370c37a0e8fefd10aabdccb59d2b33aca5e2

SHA256
74e37a12581e263d4d95dd81e9f014e811951dda4039b04c7d4cafcc8ad82a35

SHA512
5542bc46fa8bfac69448777906d1e28cd4cd4cd545639333032a4c4284c913ecdeac3c7651cc0828e58bc5cd9a3a8a1ade8a088dac1e4b37897ec4c79dafb0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
57723ebacd6ca738b9fb9e96473e0647

SHA1
f5842f2a29424730f30f69093b0f2766a05d578a

SHA256
27a2104f19e3b65cb5cc5647aabc931f8038abaa9ed66a3036786b8f0e844a51

SHA512
e2a800c95249dcd3241fec5f96a7d0b519e2e5d90b46177c150f10a8e6f82c005fb847020fd25ec8181df9c7faf44f999f8b18847f6e4f2b1efd739ec9777713

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e4e60d075d57f52552b28c4d6bb3cace

SHA1
1a2bb0ceca9f584259f2b43d0bf211308c09be52

SHA256
c0cb4c0eda0541cade17aba6fa883fd13ce663ae8702fb150f45dbf33b92fdaa

SHA512
fcfcb1296cdebb470ef64064ce63ea3a76fb6679004094f4ef36281f0db017fcb7f09dcf1c4dcbff96e43b9d0e78b32f48c8c52ea188704e80c6778cf6ba36ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
510710481601ff7c8afc7ba57a3b2ff3

SHA1
00103535646174457efcb92c292936fa2f02f0fa

SHA256
f5575366ba931943007ee05dc91dd9e98a2aa7daa6e829bc17008612d0673c51

SHA512
9dd15c9a98e4c5fb2daaaa103bcf5b4cf309c20032126dd9afe15565bbf7d9be1858c84d68e402d5e73535aa06125c01e826e4148935c3b2f0c6c4b4948e4ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
936bd951e608682acfaabcd0e5fa67d3

SHA1
3a72722761c8d7c5bbcc1aca216bc63d341ffd39

SHA256
e54c01005c45eb68a12731655ddb62088aa9667c9f045c514dc1978a50d39005

SHA512
8eb6dafadc3a4f3cad8738deb640b8badb0ca2a45a6c9e08088a0ebbf1bc1e8e6db627a55927cce2ce76ac0eb1266406972157c1a1b5b5f32156f7c1e1a90b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc0b3a2bb9b87181f2c20ad251183bc1

SHA1
708ee983b6c4375190ed902b4e1b83d634467128

SHA256
fc13cf2594fdbdd02fdaa075f77a18e490e68efe8c3c5ad43cf5655837933317

SHA512
365430410b9f916e93d0e552361a6a1879ae4a4c184995b686d2da359b0b3ecaa32890b895b14430a90d5e2a6c725aab79efaf23b334405d9cdf9ddfa11d1712

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
65ae92a6041450a8b06a10042f3a44ef

SHA1
265d4faae1fd43222f6adee5e09d96155323f348

SHA256
959f391ccc0cf7a99726dd47f8327bef0876441b4479e6c1f001b9d5e92dee05

SHA512
519177a300a3a66f75e08f361b0038128571cda20163d090c2b60c184e7a97ec9c4a9a9b5071dd933c877557db525614e9a572f726dd26a8ec44debb9983d7a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e90c8d4d3574cbcf641357b8bd067f02

SHA1
2aa6033d52472e6ca5c504bb3297f9c74d8186de

SHA256
56f81bc8085518f093f527ba9e962d5f8045b9b2c4d0c1e9537963f2d97150ea

SHA512
2fad3647e84950b86d5e65778e16000d1f527ba47f9808e1525c397fbcd756abcd198881aef03caba67b5f6b96eb43a2b24fec442e90cc77e47f76672cac387f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a88907928449167362329f26f7060ff7

SHA1
67c42294b2452b290e202ed6f6ceb29bba05944b

SHA256
2b7b343daffccbfd80ae67828f0c0f96148a73a1245af258bdacc79f68deb047

SHA512
e30698a6d5289d0027d38da2164bb8dbb0f669d9b042571aeb2b8d038d50b91a50874a7e732f2a98113e4debd9e44b7ec69d61ed46e1f717feda3cec0eaa8a93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
97768b8ef561a8406c90cb57419d85a5

SHA1
ef52ce2fc32c2b72cdd3f59e6230f98bd09040e1

SHA256
81169c268d611b61e59b39acef4582a5da93f5408b32c91275590fa84883aed2

SHA512
edfe6e22a0ff8f726da528acf8f2fede8bc140d8f22e49dd3a355256e3d8dfae85bf7b729abce6b2545a6104e68df3fabf584ceec5463489fd2e7c0926fa5e19

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
204fcae7a29366d9af0a0ae4aac767f4

SHA1
a0fc2baf2b0f75c8e85ac09eb84d634d5947eeaf

SHA256
08079e6c65a62a89384e7cac3340ec2d6d1414a01f5783fb24477a7518e6eb24

SHA512
29ff85db55461483423298a72d3f116dfcf1978b175286c74ce58a8b05a5ce26af638b394db1f3717bc7925a292941a4d3b4c8966de4deb034e54b3b18343052

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIEwQsUI.bat

Filesize
112B

MD5
bae1095f340720d965898063fede1273

SHA1
455d8a81818a7e82b1490c949b32fa7ff98d5210

SHA256
ee5e0a414167c2aca961a616274767c4295659517a814d1428248bd53c6e829a

SHA512
4e73a24161114844d0e42c44c73205c4a57fa4169bd16c95fb7e9d6d5fcdf8bd01741541c77570556ac1f5ee260da67a9041f40381b6c6e0601c9de385bdc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\file.vbs

Filesize
19B

MD5
4afb5c4527091738faf9cd4addf9d34e

SHA1
170ba9d866894c1b109b62649b1893eb90350459

SHA256
59d889a2bf392f4b117340832b4c73425a7fb1de6c2f83a1aaa779d477c7c6cc

SHA512
16d386d9ece30b459fd47ca87da1f67b38d52a8e55f8fd063762cb3b46ae2c10bc6eac7359b0d1ef4c31c1ac8748ae8f62f8816eff0691abdd3304df38e979a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
3cbc446632929035efdba4dec9f2e508

SHA1
471255f744454c8df15f6b98eb25af76799064e2

SHA256
0f52620a0c5e739e26a89aa94d2827c745b701eeeab7ed0436ade9ede92b38a7

SHA512
7073e1846bbbf945dae4c0dae8d04b825234a2e88c33f737f5db3ca3bc7025be900264293eea660883748208abd8788aea8883bec6e1fb2c4f5514c7a88cbe19

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
968073f641a3767f7417191289614650

SHA1
cd5243443b2a346cc754708e36a903d55ffdc636

SHA256
33982044e923f750af2611198163a27cf1381fb9607c1f3f5c32eb4b4b0f0576

SHA512
e383bf604c7c3f038dd9a7f8a1b2095b6b8cf40005820e6918b25a551f0e7b1cd722f73b675f41251debbb3540a43f9373f52857c8f9c771775f394f47d2f95f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
204ae2debeeb25df3a36d9d036a851b3

SHA1
31f83c734471c7162e4a7e21dc69e2eb4931d098

SHA256
5c07e081b66228d19eb358afd4d45905fbcde0f19ac7637bd82971d7128be71d

SHA512
37bdc716f38c92091b0ce8e1181b76e0c09bf88488ead9a5604747fd30ce340d8c00c22e77df9d37345c139f95c41a5c756af8ad34178456405ebfcdda69f352

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
ec10a3a28a0c034971a7c478ca99c04d

SHA1
872705bd9ff34e936631ee7263b8277ce61d3963

SHA256
9bb1fe6947da71f895764fe5b79cad3dfb8dc04c6d3cd2c0c4d57ec931632133

SHA512
89f428c38b9ba01bd336b9519fa6ab5e1a1f50ad662ec552db21f75a35cdef20c9bec5a65e61c65e3137793f9a96be45262068868d75740e3594fbf0f442adc8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
c8b7735217271b1774dd2c6c1692a9f0

SHA1
959aafdb83d608dce19553a22213a7a647a76024

SHA256
d741a795fc2f665f59a0c85298b8af16f9fe26b9b7578e8c53b55ad66a00d359

SHA512
2eeda497101cf074bc7225e45ab64f56201f4e1ec161518caa75e4d9243613a024d20f30af963f2f8fd00c4ce3ab1bc9aa304ccd5787e9c05fdb8505caeb4936

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
b41cf5215b935b4ad3c6319a3350e5b5

SHA1
11f4322058777b3dfe56ace986f2907b28347498

SHA256
31af4fae38a69dbfd1fda580bbcaa236983fa0a9081e429306056ab04f3889a3

SHA512
29d9636163b62c73b9676a0e6db1376ec9870d73a23d970f0de096c3f8bbc5fb0b272868f735123a8c3efa85bf5b58147815264b86b41c565725947a09a54ef2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
6a2f36a26f30b8e5cca246ae0d5ce712

SHA1
8c54d1876db71fb269f8c4e9fd608a54e441787f

SHA256
d6ce4e4e56ca27a9fff223a5e5064062cddd68df176032107d9ce47afe0bc5c5

SHA512
fa816e24174232a2fb5d88a3e5a5370817c3a7eaaaf2b4831ebeedcceb05b43aec683a293e7c7b58157d216965e063fde9c306fc5ba4837f15db7abe5a317a4c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
b946166733307afce852094c4007a0a6

SHA1
87ae6ba20adc12bb535b5e3fd6f9a730dda1151b

SHA256
2cba2445ac16900b6dffc25689579f8bb3169b10435c741036647b1d39692074

SHA512
327c74c8eb68fe0f6a376bbc73398fd1b159a9864fc2c5b96f1235459cc7d9046285cf9bdaf8fb080c89c1d690e57f94eef9f35a58c6868a558f390827dc5836

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
b64ff86487cd214d86d374de4029329e

SHA1
a4894039e90742179a49a4a739e75a1deb13d7c1

SHA256
1d57d427586eb024821066db4c143817d3ba4e749a99ac272b512b36abfece01

SHA512
6b1bd1556bdb76f39d76f2c9d0ca271368f4c2ecef7a8c6d16bd84b8cb4d2b28b8b3e64fa69a0181e5aea785e2a354157f5efc6e08cba68d7272b6d438a41aee

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
2bdec41ade9f33d406bc9ec7447954ba

SHA1
72515e44f8baf241f26ce7ec59d07b8d9207fc86

SHA256
fefddda904a7d36cf6a09b3f29e126eaa8c41f7c29ced7b24c9a377a58d25db3

SHA512
fd31c0489161be327185a5363313863125256ee0fb09b616267cc41d85d5c6efe8f5c5f393609c19ddada4a76dcccab822a3600f8f0222fa3b0cc5140924e5d1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
dd6bc95f7ca7ec5b305bebc918f45c50

SHA1
79911e6fff1588cf072b6116d469d5e37bd3b7f5

SHA256
b4e9d7a58c37a644075b2133d06e10d6a771df8d69c802349eaba7394aa25b8f

SHA512
c7f39aaaf6de2e3db7fed78fa3b411025dbe15dbb70ad225c5631780090bc33690298349958b1b74b2808f0430384af5a3bc900af41de5cf6baa2df868af7886

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
090276e0026a13cef6ed67f8740261c3

SHA1
15d8e992ccf8c666712ccab7f59f2476dbb1a720

SHA256
93077384ff7b3de9cb5dad90d7c54e6a307131d923a490687dc00c6db9de080b

SHA512
9d6f5cad43728ee9711c47fe77beca0131d8cda832f860acd8afed2a039d70fa484972aabd9a35f3a4b3094b675597e726e02b0a16f28599d06ef90c6f758b61

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
fd7443b2627644f3453a2e51ef02ab0f

SHA1
df3b0dec61d05c69bf69ceafc8cb42355375d9e8

SHA256
41f617defcbe2e9c6282f4a98337c061400c6937381a731f1ede969645f947b0

SHA512
f1b373a3603556d946024b2388150e89f111f0f30f9d09a1abef1abb95d6ddf8be5b778fd8694659800a0ddeddf2f94d64e6f5e8f375d6eefc3e1aceb7d1ce78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
d268cc37100240f2deff564527c8d6d2

SHA1
016e06d1bdefbbd2e50ede49a3dc0257bb1fc62e

SHA256
339080c2088b8fa25ec569cc830b85d55f5b33abba7bb312a5d7bed324ef4db0

SHA512
cfba071aab19be0ab90157117a58f159db502d8be444b9330f21da309243c5190d513d5c193eef7695b2236970fc16d380b5d61c584daff10fcd45b0005da527

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
1d85fff6e19d44d9172ec3d175fd3030

SHA1
c721b26ab2ae55cca33479b07abdbb75a0e5e815

SHA256
9aa43478d728d9275b7cedd175043dfcf56e734f6f31af0dec2e4857be45274d

SHA512
22a8090ca6979ce2a72dfe045eaa406b266d465f8dd70e3cd950f1dee55cb9f1322b3e17803a1b9dc2c24f7aaf3d7ce5582f7853547fd8f423ce6ca72caaa5c7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
f9fe7f9638ee180c7f7064e588b964ac

SHA1
ab2f1c007695846c9d5f447e551aab6a5c3ef798

SHA256
fd34e5c3906e2b8957c735069b7062d95c1f63404fd0b9f095e46cc8392a8064

SHA512
e7184c246c2f000d1cfff35918be8aa924eab3539045b2b872a5ecd65d261b219a78425ecb6f5b5944b275a28d925ff98d810e2b2b61f97c6588a518c94d9878

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
11KB

MD5
b9d0060a881de6dccf831176f9202d6e

SHA1
fe0d27547d72df401649b115ff41bb3d0fea83ff

SHA256
6dc3d3f7139b40a63d11da86d3350716f31fb9e8829838876a55389950e2c76a

SHA512
2f86803fc84310276eb6f426b9cb1ebed5cff578c4fe4ef1dfa9640eb81825b46d56ec50891446a9263a07a4b7019e11a44f6dd31dbc6310dc030614fffc222b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
20.8MB

MD5
600b7b7d149e6fa4f0769253dbae6497

SHA1
528441037d820b8773e92d784b46887e87b4a67a

SHA256
3c928a5d741ebb6ff8147d937aa812dc3be1a04551471ed8afb0b5683876299d

SHA512
ead031bed97c64e136222097048d815e638ff15e10822e33cb7a3fd04cd704e6409150044d288d803c61054b62dd41c60e91eb7b3fb0f464ad3e0046cfd72f18

Download Submit
C:\Users\Admin\Desktop\Quasar v1.3.0.0\settings.xml

Filesize
51B

MD5
8af01757cc429d1347430084913566d1

SHA1
e4ec570a0b1a5c99e0613da232eeff4b42ffaa75

SHA256
f1a33cd5b1c9368f73b8ff144bed026664577317df27baff774b2bd2acbd52ef

SHA512
3edbca5a661d0fbdd0f8aac994b50e3f844e1d6ee6bfeadf0d8aa89fab1b7cec69b9f687a704c7a989726bb676604e2cdb75ca30441e94a05fdd4027ec9a494a

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\3c8ad2dae0b1bb536925b4e8d5a87e77c6134371eada2c7628358d6c6d3083dc.zip

Filesize
1.6MB

MD5
25693a812ac4b5b12559937595917d61

SHA1
ac5b40c937a1deb00c6a761e0799bf8e58fc59ec

SHA256
76d4218ed851e8546f55904f90ad5cacd7a806862ec17d68bb09ad9e46e8b182

SHA512
561e269e07fb6a041cd27ccc77e10030a516c0d0814fc8f5c222a76ec28240e682a72340d5bffd913744c9ad31ba85680037d81a3b223ba7cd2a34ffdddefa06

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\AgQS.exe

Filesize
636KB

MD5
9844e49d700d552080cc07e5b145ba9c

SHA1
b137b5650bd50c5a1f38dbe6a1ccb43f06594160

SHA256
17d60fb364adb3eb23f3701f523319be1db94d77cd89f03eec58daff61fb8391

SHA512
368b9548d0c59c6c40d3cbf0702fb64068606e1e935dc86d8ec197efa0d09e24e22831de022218022cb32fed24c6315c6de73728f9602afc3ec3cd552d610359

Download Submit
C:\Users\Admin\Downloads\Brainbot_v1.5 (1).zip:Zone.Identifier

Filesize
213B

MD5
84ba78bfa65ec75acd8d122a49d5c0fd

SHA1
9da55514e71b0735c7508eb4adb737242db16682

SHA256
7e4c89e5e1f36321790955df59dc2dd8e8a360f782e9d3b0e0cc1c2fe7ceebdc

SHA512
03448f50bd4d46c9b517b6248e98bb68023d3a1451549076155c7498c7181935628b3fedcb9b48e5dfac85f9e5cea2f7b7ad58ba88b04ac66215a0e6d998c795

Download Submit
C:\Users\Admin\Downloads\CYIg.exe

Filesize
211KB

MD5
7470a692966d62ba026fc968afd10b54

SHA1
ea5a80b3db38afab975c4b940b8eaeb0a5a76e09

SHA256
03ddbd4cc386988211e3892747678b60a7a8482547b4247d7d28a5c4de8a5fb1

SHA512
2e289f41cd99b0e4005bc1f053f98e4a9ac961eeb9818f7d7465176b776cb877b70ab3a9282fd662c3480fb3c9557a7d9e46072fbd57bc6034cda8912a57bb9e

Download Submit
C:\Users\Admin\Downloads\EAwk.exe

Filesize
525KB

MD5
462f2569c8532a20dc875feb4eaade6d

SHA1
9cf14b2b87af1a84b3e22ba593d20b34b21f2b00

SHA256
99f59f24db57692edc12df45408b93e5962056671dc2d7f6d07a70a24742a11c

SHA512
4d297b2363ce263eeb097650b17048e1317bd806a289960771c6aece052547ff712e05518eb369db7e9760b0bcb9295e0918332637acedbd715c759e2558e874

Download Submit
C:\Users\Admin\Downloads\EQUu.exe

Filesize
428KB

MD5
57bb22f410d6b477ef0f8754e26074d8

SHA1
4e97376c7d2d6f531e1183c2557158394313c872

SHA256
df360169a0fa23b3487b890297257c13cee1d7138bb02040adac80aadf524069

SHA512
ef175762157ea27639612acd6f9219b6c44e010304aec88491d72770cb7dcba042877e16c3a70f0a0d03969289201f34733a849512e7c2fa0776b15c1528266d

Download Submit
C:\Users\Admin\Downloads\EoYa.exe

Filesize
324KB

MD5
cffefc8392a39237d692f87ca580043e

SHA1
02c3ffae7850f8d152778d67f58be7143395e0f0

SHA256
0dc49aabf5f61773e33553b90fbf76fcb106ab9384fff71bf19817ae9d8c3a0f

SHA512
88896d8ab5afd4a5e4cc15141ca003e5662d56dff498f89a6cfe7f4686e3c71365410ff843a1b2d49ee00c798c14130810b3a9c45f65ac6b66e69ffa2458eaa0

Download Submit
C:\Users\Admin\Downloads\GMsc.exe

Filesize
802KB

MD5
23a1a6488d11774706b941bf222e0577

SHA1
068c46b87adc0e56152b48cd85e9da0830380af8

SHA256
7f6dea2de39b34b6f6d06802f6343c933ec7982eb7432386f618f175a9be7c92

SHA512
e2e8fa0bfa0671de488d35d724e34c9fd6d8177b63c80794324caaba6fb63e81863bd6e1b08e66155cfb379d856e84837214a8d20e69eb9bc38ed3d0fed99306

Download Submit
C:\Users\Admin\Downloads\GcMA.exe

Filesize
235KB

MD5
69db08218de704ecfc736339d53c84bc

SHA1
345c62d8cc788306b906163a8047b4b320b84aee

SHA256
e5ce4872635d44ad972d19bcfb4abb720901663ed6d4939de82eb3041fb98d1d

SHA512
f6623a5b9c6310715579ade887a6a52cd12ad5f870c11bb0a6d311998ec089d8ecb50dc3d6ee5a95db99a07ed4722b6910ba3d5baaeba0dbcf69cc0c4b06eab8

Download Submit
C:\Users\Admin\Downloads\KEMO.exe

Filesize
635KB

MD5
f6d83a5a093f513a20f6e27b29aa5144

SHA1
ee797c9e6c14c92000cb09005326cc1a18414f97

SHA256
c61d912b9179c4dd8ebc4b59d9894bb1ff13765e552961abaaeee81cab7ad0c7

SHA512
a98330db199058cfdae36d6f343aa17c39d647f30213b10b03b8d26f7d86c48a2219f227530c013a37efc9671f19f27caab24df5f6cb8946c5147ac40ee52d52

Download Submit
C:\Users\Admin\Downloads\KMIC.exe

Filesize
430KB

MD5
421d453455bf1390c283000ca36a1e72

SHA1
7f831abf00b3d8412b8e51982729973f11e95117

SHA256
ba7751b0c5cc246023887d96cc9b144e0454ace35518441b5736e77e8ace66d2

SHA512
9efbea4d861dcbc511d43a3ff0c297e103f2d4034a678610f280ce833dbf074b283237353be4126f500fe9c00b72ff0350506edf15e6a93264f1c7276b3a944e

Download Submit
C:\Users\Admin\Downloads\MgAu.exe

Filesize
436KB

MD5
cb5b46d3d7e5aeb1f840ad5b7624537a

SHA1
b6701608910c5d6784ebce760eb9e701eca127ad

SHA256
e4f05d40bf737b339442db65608dec26cd988fc3ffec51b456d7525a35852a1f

SHA512
13fbc511f26942251271d73206f063fcea4d6cd841d8853ca11ca979ba7f05c71744ff6db21d41d3027d59d6e5ca1989846db5c0c030333949c0e00712173852

Download Submit
C:\Users\Admin\Downloads\MwMQ.exe

Filesize
438KB

MD5
7b05cd4a9efe3f4d25c5306f6fb0480a

SHA1
dc72c66d89b54843c63f7137e98c4c572ffb8e5f

SHA256
c52d58ebc270a0835744bb2e9e7186f4288adc90d858b3605e885e67f85b8618

SHA512
2eae88d13d5b8ac5dea3efdfb6ea4c309cff9c03db269652bd11ded2ea09aff5e5d6b886fea0288e1960c28ffc4880c48dfc70eaa9e1de18403aa5241ed9e1d7

Download Submit
C:\Users\Admin\Downloads\QQEs.exe

Filesize
229KB

MD5
642fe2ebf950d8a407a88add059d29ea

SHA1
13bcb710d395f3a1ad5deaf380e61e7a40f4fb1d

SHA256
8d81bd3e71bccd10cbb6945fd6b1caaafacdb82689f71c55258edc67e666c183

SHA512
17956dc78a3cd6ec50178cdc61748c98c0cc7853a03d016d096618c2a6f8446627db7c485a3e8f54745620ffce5ac28291fbd5a01b03eb2f5839141fc83172f3

Download Submit
C:\Users\Admin\Downloads\QYsK.ico

Filesize
4KB

MD5
ac4b56cc5c5e71c3bb226181418fd891

SHA1
e62149df7a7d31a7777cae68822e4d0eaba2199d

SHA256
701a17a9ee5c9340bae4f0810f103d1f0ca5c03141e0da826139d5b7397a6fb3

SHA512
a8136ef9245c8a03a155d831ed9b9d5b126f160cdf3da3214850305d726d5d511145e0c83b817ca1ac7b10abccb47729624867d48fede0c46da06f4ac50cf998

Download Submit
C:\Users\Admin\Downloads\QgoK.exe

Filesize
585KB

MD5
d17265405676933e88722d1e07229b68

SHA1
bc370eb2981a455345ca7886db713024fea7a44c

SHA256
5050f220b48bebed468018cd077a7f8eb8004c9e899d72671e84a6bf4646f5ae

SHA512
730485bf31f6958844cd141a74062a70f6ef1b9894bdde40c233372a5188b6747c0a15cf5a7bd5d0b37d131c33ca0f0ea43e4920dfc270b9e4afee0f82f099f5

Download Submit
C:\Users\Admin\Downloads\QkQY.exe

Filesize
228KB

MD5
2856ec090dc57750bcd2d5edafcf2ca3

SHA1
7d9432fd768e76fef9767ed80d7e75c2106f2939

SHA256
27ab5c843cd710783e58c4e71d8a295c3a7d314d56ee915bdab33cb5f38c7cee

SHA512
5dd87b989ed08022effb0710eb0364103e5d3e6a4acd439c0ce25930944283e3702733886c5662aee2f3962a9eada5711b0d08206522a32a6ed0d60910782144

Download Submit
C:\Users\Admin\Downloads\QkcW.exe

Filesize
424KB

MD5
84dae5467bce1127168058613d5289b5

SHA1
287bf09d75bca235fbb511a8e0952e1495ca86a6

SHA256
5b853a55bd321aeeaf91c0e98ed66f2313b201348b7b37173e6c78786a500ac6

SHA512
cb7db89eafb39931c5d99160f85472aecf50b102f5dc1a62f412ca2b1f8c1556b93634274ceee5c807677c8dd86828234bf16f0f084c389535861a67acbb0b0f

Download Submit
C:\Users\Admin\Downloads\SEYM.exe

Filesize
420KB

MD5
ddb7b4416713296e7e0e653a8ff1f947

SHA1
08ed493b7f548eb67b0d28d28ffcaac50d02037c

SHA256
d56db87b6ca64a1c2d031d71b57153569dd566280287ebdbde21c0ab93c098cb

SHA512
b46e0051fa1af0c1dc4b5d9fc46b20bc3d8d718e2a5a051c2a019860487540969de7e33a9ebeaf1a7f4aabf4ea5c967d320b7b79c1adfe25b3371d2802bb31e5

Download Submit
C:\Users\Admin\Downloads\SUYO.exe

Filesize
812KB

MD5
958e73eea98cbad3124995c64b1b9ca9

SHA1
dd9669263deb69b4e0189e1c3d62ffec50924fba

SHA256
2cd8ca6a93bc6a97ca2cc061276ac207565c21261e976d4b3cd739207aec52a0

SHA512
2d5f502633f2f90fae3ef521f22b80aabafb2f5ee8dd2e09026f1c7d0e860364ae785118a24358f337da7ecf72533ca22a8b5f16fe7ae7391fc1f4f993ae7606

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\UIkW.exe

Filesize
424KB

MD5
e228611541a6b599d03473bb7492f7b2

SHA1
c8da1fe518ce8ff2554ea5dd6095f7fb681aedc3

SHA256
25621596af1bfbdbc6f3ce86d3cb976e74fdf042be256ae6314245769187e503

SHA512
34072c15e7cc022fb21030a19046c0029a4ae057a71b5addb90bf9fc66e63fb4b171c368c92b481fa0b626d5f51e89f9e773310cee4402329336e88021085838

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 160044.crdownload

Filesize
49KB

MD5
46bfd4f1d581d7c0121d2b19a005d3df

SHA1
5b063298bbd1670b4d39e1baef67f854b8dcba9d

SHA256
683a09da219918258c58a7f61f7dc4161a3a7a377cf82a31b840baabfb9a4a96

SHA512
b52aa090f689765d099689700be7e18922137e7a860a00113e3f72aa6553e94a870bbb741e52de9617506a236a2a59198fb224fcd128576d76642eec9d715df5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 160044.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 29953.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 376367.crdownload

Filesize
3KB

MD5
e1dc44e0de020ecd29e5c1a0eaa93a8d

SHA1
00408230f71185ef9ceadf7b3dfe935275206fef

SHA256
da0669cf3d15d44c7f7080b40c457748196ac6170ec7cbba5173f4691ffc00f7

SHA512
2d85326c013f5737f4d2c5010a22ba5887d7529962ca38994206625591be18f40f4a5bdec9d4d5597a08c7c69edf586686b257b0863c9cfcd0cf9c22c4cceabd

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 472831.crdownload

Filesize
2KB

MD5
a56d479405b23976f162f3a4a74e48aa

SHA1
f4f433b3f56315e1d469148bdfd835469526262f

SHA256
17d81134a5957fb758b9d69a90b033477a991c8b0f107d9864dc790ca37e6a23

SHA512
f5594cde50ca5235f7759c9350d4054d7a61b5e61a197dffc04eb8cdef368572e99d212dd406ad296484b5f0f880bdc5ec9e155781101d15083c1564738a900a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 506093.crdownload

Filesize
48KB

MD5
86a3a3ce16360e01933d71d0bf1f2c37

SHA1
af54089e3601c742d523b507b3a0793c2b6e60be

SHA256
2ebe23ba9897d9c127b9c0a737ba63af8d0bcd76ec866610cc0b5de2f62b87bd

SHA512
65a3571cf5b057d2c3ce101346947679f162018fa5eadf79c5a6af6c0a3bc9b12731ff13f27629b14983ef8bc73fa9782cc0a9e6c44b0ffc2627da754c324d6e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 592717.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 809557.crdownload

Filesize
390KB

MD5
5b7e6e352bacc93f7b80bc968b6ea493

SHA1
e686139d5ed8528117ba6ca68fe415e4fb02f2be

SHA256
63545fa195488ff51955f09833332b9660d18f8afb16bdf579134661962e548a

SHA512
9d24af0cb00fb8a5e61e9d19cd603b5541a22ae6229c2acf498447e0e7d4145fee25c8ab9d5d5f18f554e6cbf8ca56b7ca3144e726d7dfd64076a42a25b3dfb6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 811764.crdownload

Filesize
194KB

MD5
8803d517ac24b157431d8a462302b400

SHA1
b56afcad22e8cda4d0e2a98808b8e8c5a1059d4e

SHA256
418395efd269bc6534e02c92cb2c568631ada6e54bc55ade4e4a5986605ff786

SHA512
38fdfe0bc873e546b05a8680335526eec61ccc8cf3f37c60eee0bc83ec54570077f1dc1da26142488930eabcc21cb7a33c1b545a194cbfb4c87e430c4b2bfb50

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 892911.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 897075.crdownload

Filesize
1.4MB

MD5
63210f8f1dde6c40a7f3643ccf0ff313

SHA1
57edd72391d710d71bead504d44389d0462ccec9

SHA256
2aab13d49b60001de3aa47fb8f7251a973faa7f3c53a3840cdf5fd0b26e9a09f

SHA512
87a89e8ab85be150a783a9f8d41797cfa12f86fdccb48f2180c0498bfd2b1040b730dee4665fe2c83b98d436453680226051b7f1532e1c0e0cda0cf702e80a11

Download Submit
C:\Users\Admin\Downloads\ViraLock

Filesize
6KB

MD5
76e08b93985d60b82ddb4a313733345c

SHA1
273effbac9e1dc901a3f0ee43122d2bdb383adbf

SHA256
4dc0a8afbf4dbb1a67b9292bb028b7f744f3029b0083c36307b1f84a00692a89

SHA512
4226266b623d502f9b0901355ff388e1fc705e9baff0cbe49a52ef59578e1cc66f5026c030df4c8a8f5000b743523ccf18c533aee269b562d3017d14af014f9d

Download Submit
C:\Users\Admin\Downloads\VirusShare_089d45e4c3bb60388211aa669deab26a.zip

Filesize
316KB

MD5
ccd2b32a57224666be27b22cb7e4c1f8

SHA1
3552ec2fa77121202b18d47b4f9783fb5d5b9871

SHA256
e10d5b007f701ff9ea6d88f7ea74de2e482d0164c276478d98e6f7913d0d6a6f

SHA512
b33933dad114c6aef4c3b84e5a693396cfe6668fc3e91cbc53bcbab7d75d6c7df96ed3455ae45eb5637a3a6ca0d06a874593210f75b97fc00766bb8d82d862be

Download Submit
C:\Users\Admin\Downloads\WkQs.exe

Filesize
250KB

MD5
ec6bb053b57554b10b2f81327db93186

SHA1
e1e4063829ad773b3d4c7ed73d65a00fcd6cabcb

SHA256
ebae35173877c4d0f4273b508582ae5cc00918604027efc5a97a799365f2b367

SHA512
44513258e6886d127b40c67fccd48bd18fef7ff1a2180047035f06559dcfb48f7773e02d736bcb868dbf520ad91e5e44d8089ce61e5e0d0891305115a965a16b

Download Submit
C:\Users\Admin\Downloads\aIEU.exe

Filesize
646KB

MD5
c1207d91c8fa82c5cc61aa75c32691f5

SHA1
7a9aebb9b2eb4752a93ca50c3de03fc2f2fd0556

SHA256
c5fd5aa28e2d088db9ca98240cb417ce48845ab2ec5d2af91e17861379f1eb7b

SHA512
392a0d25ddecc5b754d228ddcb9d8863d8456443a481050d812d5d58101790c6186254b429ebb5a935b61c598ca4d274b6b3a3b994f568b16bf1d158b0ff0854

Download Submit
C:\Users\Admin\Downloads\cUAs.ico

Filesize
4KB

MD5
8ff64aadbcb8620bd821390e245fa0e6

SHA1
4d03910751bff2987d165c7c43e52851ae064239

SHA256
38d6a9052a4fa9fbd656388704522cb851247c32650c387c19b15cd28ff3b6fc

SHA512
b5d4dc4bea4ca5c7238d875f2f934f5813b97100e364a16c4c6bc800e9a6df06a3075d7807d8ab42e551faa3f8a870b21abb61ae4816ef95f0e7163df5f62ecb

Download Submit
C:\Users\Admin\Downloads\eb8303cb-2476-4936-ae95-698255ab3293.tmp

Filesize
611KB

MD5
ac17f5bfbdc14e9d9e8100d64cd9094d

SHA1
dd5b3afeb326fc02a59e3eb667abd68e2088212c

SHA256
30a4ec904324aab10b9f77127944ec98e8e1f222c893c1862f3bed4970ead8fb

SHA512
733a79e5326f6a09b5c4b4fa648bb967cbdf5ec00b389df8a12ddc0c46bd326e4ca7ad98e61b009a373ac404828444094498408b5683fec4e63251900ba3621f

Download Submit
C:\Users\Admin\Downloads\ekoI.exe

Filesize
418KB

MD5
fb6747243a0b31e2c1a73008babb6a73

SHA1
ee04815eb8caa6deaf34419e366ddf419e95021c

SHA256
bedfea83c49895cfac96a960c0a94f662cb0a769b5a4325e515c3f0306b80350

SHA512
75be0badbd51e0d9020a862d4065d68428fecd0146078153433a5128cef9cf3277aeaf4ff2ac197d0dc1e1312a8095d4bc42affd32dca2a43b408f00b8618743

Download Submit
C:\Users\Admin\Downloads\goca.exe

Filesize
436KB

MD5
e57687fe6168200bcaf5a94629ed266d

SHA1
7a989f845fb41cd5973442ed47afeb23984eec45

SHA256
3d9ad1b9437bdef3ddb66f41faad399939f0b7a287fbaa41b8b0d28597d8ef40

SHA512
b545a33f81acfcfb440a95b926840ffc7bb41ab7a74c8b427502ab38a5ed6a606628a66ee12146cb3147588dc63c4841de0cc1f651c815c6853ad3349119f5c0

Download Submit
C:\Users\Admin\Downloads\gsYI.exe

Filesize
738KB

MD5
53917793618627b3742f68eecf513d50

SHA1
2d53d6b1f6ab97163b143a9ab15a8685a8662988

SHA256
bd0c2a24a6142335b2e2389c1a606e42eb1190babd9d9a2a07b3ea1798c99408

SHA512
70dfb468f025a5e71c5c887c58e7cf7977e23e5ce593113df02e4196680c8faa3bb1c68dfbf00f883aa951d472c6c861319d81397f4ede4b531ead15af7d0595

Download Submit
C:\Users\Admin\Downloads\iMYm.exe

Filesize
212KB

MD5
ed74750e0c347f4afc70f1bf2a014cb4

SHA1
713c5b427e6888aa2c3577dcdb13e1ca913c19b8

SHA256
bf885761bce5d207bc01062e2fa1e429e55f324aed78792862b14a2a705e494a

SHA512
34e73bf9b59e8bef3217818319983290c7cf0e502139ab31eb77dc7aaf0055ca72dfb091402ea2ec22d587c9ef5ceb2bb61db331c586dc61de5402d12c976dca

Download Submit
C:\Users\Admin\Downloads\iUgs.exe

Filesize
640KB

MD5
5c90432f4e60d8037cd14e7dea98486e

SHA1
fc1f5efbc4e74a106409cd0a0d80fe84ca24617c

SHA256
6673b3b4a0992639ffc8a0e43b852355e82b1a49f7ff3b3640b1246a401c7633

SHA512
b7549e83bf5c9a8dfafa5fb4db87ea5adf0b1a8f0580e69669aa3e8ff6552ba0b4d2d7439947b27ec61f3739678386783180dc6ddb45ad0a3773dd0e44e01497

Download Submit
C:\Users\Admin\Downloads\iccg.ico

Filesize
4KB

MD5
9af98ac11e0ef05c4c1b9f50e0764888

SHA1
0b15f3f188a4d2e6daec528802f291805fad3f58

SHA256
c3d81c0590da8903a57fb655949bf75919e678a2ef9e373105737cf2c6819e62

SHA512
35217ccd4c48a4468612dd284b8b235ec6b2b42b3148fa506d982870e397569d27fcd443c82f33b1f7f04c5a45de5bf455351425dae5788774e0654d16c9c7e1

Download Submit
C:\Users\Admin\Downloads\isEU.exe

Filesize
1.6MB

MD5
9bca73c3fad64213ff22d042b5adbd60

SHA1
30bd71a1b5fc46c5c294cf1c5fc00bb8103629fa

SHA256
870d935de0d147a2461c9494cc8d7e875e907c941b8f0f4ea56c5108aa9abc74

SHA512
ebd7afb69780e1f4c0599b63d79b5d0c100eddf8f3a259d6b2401298bb03e3cd84553f2816ec6689331b5c62dcfaec757e896ea461e221202bd4d2593c7db33f

Download Submit
C:\Users\Admin\Downloads\kAEY.exe

Filesize
320KB

MD5
6aee9073be9d40a5fdefbc97131350ee

SHA1
6094d4a961fa774d6fb22e663f498a67479f623c

SHA256
406fe7f2d1c04cef4a2fdbf93a32ef0c2ee8b798aedf216ca3da7aa90f93ae72

SHA512
8b0deed918519ca02adc59a0a3fefddbd5410aef387886cd5923f6011a0be96aa230d6fd43e9aa2b47b21a6e0f61ffba89a00831bb38bf34c8f0f9302b9e9d44

Download Submit
C:\Users\Admin\Downloads\kAkM.exe

Filesize
1.8MB

MD5
28b0d465043a2a3e3083b64fb9f82227

SHA1
e57296474fb0563cfdb533ec646ca2160fbc9252

SHA256
ac276bad597f5be7a2335167a1399873e729f2ccadca149752454e7511d02d41

SHA512
c66c24949396501d5caf3de919a0ef6b0097de995c1dd5e43e93f34e0e2dc884f978f989e8e42fa2b9f2ed8151fd7dde7863466a09d4671b266f219d1e7f1091

Download Submit
C:\Users\Admin\Downloads\kIkg.exe

Filesize
233KB

MD5
381825f05b34164e8b26d9d1d3401418

SHA1
0c219655200b9a64f75790142f870c82e4fbef29

SHA256
97b5b772dbc4cf4b0aff7cf54000ae828cd6aa6c6a52a91bc5df590693bdea56

SHA512
1d3e0dec58c92243f5e8f775ade5ee05bbb17bdc6771342c2c9e6f6f20e6aec94021a497f5da274cfdbe93027957037416f95d154f0bc17954787da284a622d4

Download Submit
C:\Users\Admin\Downloads\kwIy.exe

Filesize
322KB

MD5
bde9a1e013a3c47d622f6e821ee31783

SHA1
003357263d57af603454b90cab2bce61e8f55caf

SHA256
b16fe8dec829bc55253fc420a30cb08e9e1eae2197e0502f3f61a3a4638e4144

SHA512
19e6d45dcf81fed3c54580f772b4f9639bc3dffc1964d8807f3931deeba95c5ddc8fb001800183b88a6c326c92b726d8d98fa1d9751133a3bf31b5e3ae302b07

Download Submit
C:\Users\Admin\Downloads\moEk.exe

Filesize
818KB

MD5
00e8ce524bc1e869fae967c0655c7092

SHA1
0e5f356209a73b99eb732792cd8d21aea9abc31e

SHA256
44a03d6076697fc8bc426e1be168c90958f4793d72e5b1d184c16b8d631bc177

SHA512
76d588d42d2cc603e1c833f7d2aa9fdda6d967541bcf724b4106bb4efffc5b1c0390e746d2f8c7680412fe061bfe7a145aca43f06263ebd5dea5dbe7fa6c743d

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\ogcO.exe

Filesize
206KB

MD5
5f2ed5514124dfe4ecad6ae528bd05fc

SHA1
9767c6e7d5b2851e9d75dda00d3abfbb86b2771b

SHA256
6329137441de4d9d8d3ecc217fef52f0a996e437f22ff97df2619018c2d542f5

SHA512
bafaf088e4c3ddb8fadaa7e3aeea5b5510eac940b60312af72ae552391e52e4d216e1bb1d0fa0fd2453ac2f75b1290eeeec4a2ba2553a78d2e176d12aac9cb7c

Download Submit
C:\Users\Admin\Downloads\qgos.exe

Filesize
811KB

MD5
8bf8f34a8134f4d82ca635da87251250

SHA1
dbc648a123a3e6c91926bf1ab82ededf5ef27c90

SHA256
f693b599f7be7471f190ca01e21fa166fc26cef327608e223590495f0a0cc811

SHA512
fcf4ad48a12276507843bc2444390bef2f25f82d0a78c08da9d90c8f1b2c8bff509bd8233d771117b1228a9d938c9b84244df71053cdab18422a24a13e626f5d

Download Submit
C:\Users\Admin\Downloads\qosQ.exe

Filesize
833KB

MD5
070e835f039c6f717f51d5cde60ab5c7

SHA1
b5b9c78b25a93cd77be00400e85330fdda76886f

SHA256
7bdc74f42a7e8061454cd54e14e53edc0d7e6fd5c6a7e1cf5f13f04f2f7999f8

SHA512
5000a8d5ffbe182566da85969b814ef87c224763232b96d1a2a842c3c2558b322d62c73fb3c7e4166108c7ea32df894a8af9c569c64df1be45a8776c265eab87

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
C:\Users\Admin\Downloads\uwgw.exe

Filesize
637KB

MD5
41d67abf4cf8f71e30125a96f2301522

SHA1
9da5fe7b2267485994f2fc69a1670f082e8a35ad

SHA256
8ed26d908a4e9cd5a565e21e8527997ac616c772097d5dac16bbb089212bd3a7

SHA512
a94b7bbc1d5e25bb505015f5883eb2c8a731261c3260a7fb54651c63837279c6b3814c030612e7fcab582da73b1d913e3b70a8d3a23ed66b2a3b75d68f150a1c

Download Submit
C:\Users\Admin\Downloads\wUUS.exe

Filesize
322KB

MD5
affb2adf4ad4bf5c3c9c85d834a0b063

SHA1
db99dee487e7ae8a8a2bd013fd870316a9e737e2

SHA256
f7b197997731277c332789c469c9f302a3ddf08f92cc3a589e4fe009cd4d5c47

SHA512
a65dbdadf19a36160defc6a1778a164f21ee1cfb1128e8b7fc8aeac4894f22f1f9aed84a3b85764e29c647a26d090d2b39a60dbe5120f4473b57d22724ad8645

Download Submit
C:\Users\Admin\Downloads\yIso.exe

Filesize
1.6MB

MD5
696b75f7668a3fb66c6b88026e88e7c0

SHA1
02df3a230c4a891c07846a3168b6150326d89d74

SHA256
15abf2669fc0b9f3281df6ccf97c4807a1f52ff029ea3b8ed2b99741c4f4d16a

SHA512
82fb5fca9c40b8e7187e713d889fd9f0718856acc14f4cb8029524c10840254098a39ba59ec42240864eb20917eec5a8d3ec2fb23a2b761e59ae68c1f1afe8e6

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Public\Desktop\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
cb5bd521d40d6cfbc253a57d44aa3100

SHA1
89f597de0c718f756cbe83917e3951e23bc2b52d

SHA256
a22e4e80e52fcaf605b07a67e4c570284767c8883848e8de51dd3a87ea4b90c8

SHA512
b30ab99bf19e82199eab3c164f15ab5d7d73f571e0e47f5eca2ab551f3d5e632dcbc9cde5412e3b1fe1fc3c95496ee40b3eda4f6b210840f6566450cd0afeb91

Download Submit
memory/224-4109-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/436-8253-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/436-6703-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/720-4104-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/924-4107-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/1508-4714-0x0000000000110000-0x0000000000135000-memory.dmp

Filesize
148KB

Download
memory/1696-4099-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/1808-7035-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1808-7044-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/1940-4798-0x00000000030D0000-0x000000000312E000-memory.dmp

Filesize
376KB

Download
memory/1940-4789-0x00000000030D0000-0x000000000312E000-memory.dmp

Filesize
376KB

Download
memory/1940-4797-0x00000000030D0000-0x000000000312E000-memory.dmp

Filesize
376KB

Download
memory/1940-4800-0x00000000030D0000-0x000000000312E000-memory.dmp

Filesize
376KB

Download
memory/1940-4809-0x00000000030D0000-0x000000000312E000-memory.dmp

Filesize
376KB

Download
memory/2052-7027-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2052-7017-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2064-4103-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2088-4098-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2156-6947-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2156-6958-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2244-4101-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2368-6693-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2368-6708-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2368-6969-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2724-4100-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/2848-6977-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2856-8256-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2856-6704-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/2968-6951-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/2968-6995-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3076-4106-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/3212-4102-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/3348-4710-0x0000000000590000-0x00000000005B5000-memory.dmp

Filesize
148KB

Download
memory/3348-4715-0x0000000000590000-0x00000000005B5000-memory.dmp

Filesize
148KB

Download
memory/3456-1803-0x0000000000E70000-0x0000000000FDC000-memory.dmp

Filesize
1.4MB

Download
memory/3456-2059-0x000000001C0F0000-0x000000001C2A3000-memory.dmp

Filesize
1.7MB

Download
memory/3456-2017-0x000000001C0F0000-0x000000001C2A3000-memory.dmp

Filesize
1.7MB

Download
memory/3456-2325-0x000000001C0F0000-0x000000001C2A3000-memory.dmp

Filesize
1.7MB

Download
memory/3456-2328-0x00000000017D0000-0x00000000017E0000-memory.dmp

Filesize
64KB

Download
memory/3456-1820-0x000000001C0F0000-0x000000001C2A3000-memory.dmp

Filesize
1.7MB

Download
memory/3456-2341-0x000000001C0F0000-0x000000001C2A3000-memory.dmp

Filesize
1.7MB

Download
memory/3456-2346-0x000000001C0F0000-0x000000001C2A3000-memory.dmp

Filesize
1.7MB

Download
memory/3784-7016-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/3840-6804-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/4548-4105-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/4564-4671-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4516-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4284-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4285-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4288-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4286-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4411-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4451-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4850-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4819-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4497-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4546-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4579-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4608-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4647-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4751-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4564-4719-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/4744-4108-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/4940-4110-0x0000000000400000-0x00000000006F6000-memory.dmp

Filesize
3.0MB

Download
memory/5152-6880-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5160-6768-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5204-6719-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5244-6755-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5244-6745-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5384-7036-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5392-6985-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5412-6718-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5412-6727-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5424-6922-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5424-6933-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5456-6914-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5596-6872-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5596-6862-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5612-7063-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5612-7054-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5632-6896-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5632-6888-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5652-6851-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5668-6822-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5712-6744-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5760-6843-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5868-6774-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5868-6788-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5936-6770-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5936-6778-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5968-6812-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/5976-7074-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6032-6906-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6044-7055-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6080-6796-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6092-6923-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/6112-7008-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download