badrabbit | hxxps://github[.]com/Endermanch/MalwareDatabase

Analysis

max time kernel
289s
max time network
290s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
29-09-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Endermanch/MalwareDatabase

Score

10^/10

badrabbit mimikatz discovery ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000300000000069b-371.dat	mimikatz

Executes dropped EXE 1 IoCs

pid	Process
688	B011.tmp

Loads dropped DLL 1 IoCs

pid	Process
2080	rundll32.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
446	raw.githubusercontent.com

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\B011.tmp	rundll32.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File created	C:\Windows\infpub.dat	[email protected]
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 29 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31134268"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "4129138582"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133720514839467984"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	firefox.exe

NTFS ADS 7 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\DesktopPuzzle (4).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DesktopPuzzle.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DesktopPuzzle (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DesktopPuzzle (2).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DesktopPuzzle (3).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\DesktopPuzzle (5).zip:Zone.Identifier	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4912	schtasks.exe
2744	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
2480	WINWORD.EXE
2480	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
3676	msedge.exe
3676	msedge.exe
3604	msedge.exe
3604	msedge.exe
3400	msedge.exe
3400	msedge.exe
3212	identity_helper.exe
3212	identity_helper.exe
2960	msedge.exe
2960	msedge.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
2080	rundll32.exe
688	B011.tmp
688	B011.tmp
688	B011.tmp
688	B011.tmp
688	B011.tmp
688	B011.tmp
688	B011.tmp
1784	chrome.exe
1784	chrome.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
684	msedge.exe
6496	msedge.exe
6496	msedge.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4288	chrome.exe
4080	msedge.exe
4080	msedge.exe
6828	msedge.exe
6828	msedge.exe
5648	msedge.exe
5648	msedge.exe
3004	msedge.exe
3004	msedge.exe
3088	msedge.exe
3088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 43 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2080	rundll32.exe
Token: SeDebugPrivilege	2080	rundll32.exe
Token: SeTcbPrivilege	2080	rundll32.exe
Token: SeDebugPrivilege	688	B011.tmp
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeDebugPrivilege	2688	firefox.exe
Token: SeDebugPrivilege	2688	firefox.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe
Token: SeShutdownPrivilege	1784	chrome.exe
Token: SeCreatePagefilePrivilege	1784	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
2688	firefox.exe
2688	firefox.exe
2688	firefox.exe
2688	firefox.exe
1784	chrome.exe
1784	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
3604	msedge.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
1784	chrome.exe
3604	msedge.exe
3604	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2480	WINWORD.EXE
2480	WINWORD.EXE
2480	WINWORD.EXE
2480	WINWORD.EXE
2480	WINWORD.EXE
2480	WINWORD.EXE
2480	WINWORD.EXE
2688	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 4332	3604	msedge.exe	78
PID 3604 wrote to memory of 4332	3604	msedge.exe	78
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 2392	3604	msedge.exe	79
PID 3604 wrote to memory of 3676	3604	msedge.exe	80
PID 3604 wrote to memory of 3676	3604	msedge.exe	80
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81
PID 3604 wrote to memory of 4428	3604	msedge.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Endermanch/MalwareDatabase
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb016e3cb8,0x7ffb016e3cc8,0x7ffb016e3cd8
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4940 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1624 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3008 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3288 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2968 /prefetch:1
  2⤵
  PID:7668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:7844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:7864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3048 /prefetch:1
  2⤵
  PID:7008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2848 /prefetch:1
  2⤵
  PID:6844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2972 /prefetch:1
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:7896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:7908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:6824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6660 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7320 /prefetch:1
  2⤵
  PID:7284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:6416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
  2⤵
  PID:6172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:1
  2⤵
  PID:6444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7696 /prefetch:1
  2⤵
  PID:6916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7792 /prefetch:1
  2⤵
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:7412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:7796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7748 /prefetch:1
  2⤵
  PID:8116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8064 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8156 /prefetch:1
  2⤵
  PID:7324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7212 /prefetch:1
  2⤵
  PID:7604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8096 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7008 /prefetch:1
  2⤵
  PID:6768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7668 /prefetch:1
  2⤵
  PID:7532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=8632 /prefetch:6
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6428 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8784 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8436 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8924 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9080 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8888 /prefetch:1
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9132 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7840 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8072 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1244 /prefetch:1
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7120 /prefetch:1
  2⤵
  PID:7256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,15189058318819582077,11295525904796244553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
  2⤵
  PID:2844

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2264

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2976

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_BadRabbit.zip\[email protected]"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1652
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4920
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:4884
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2610034139 && exit"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1004
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2610034139 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4912
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:59:00
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4732
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:59:00
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2744
- - C:\Windows\B011.tmp
    "C:\Windows\B011.tmp" \\.\pipe\{3509C6D0-9F81-4002-A660-3C88C4D2D16A}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:688

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\BlockInitialize.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4580
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1864 -prefMapHandle 1856 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {414ca56a-ece3-45e1-93d5-326cc0eaba4b} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" gpu
    3⤵
    PID:1900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2352 -parentBuildID 20240401114208 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 23714 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c86e8d9f-e03e-49a4-8d37-c833685cefd2} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" socket
    3⤵
    PID:1232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2840 -childID 1 -isForBrowser -prefsHandle 3336 -prefMapHandle 3368 -prefsLen 23855 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {222cee36-4fc5-4358-b948-3a8d62e80191} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3012 -childID 2 -isForBrowser -prefsHandle 3400 -prefMapHandle 2272 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {45c36afd-6432-41cc-921d-80a9e85a9ee7} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" tab
    3⤵
    PID:5496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4304 -prefMapHandle 4296 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5418cc1-574b-44a0-827c-4a5581245541} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" utility
    3⤵
    - Checks processor information in registry
    PID:5848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5384 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b9fce78-c55e-4f3c-8239-f09256c9c970} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" tab
    3⤵
    PID:7100
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 4 -isForBrowser -prefsHandle 5516 -prefMapHandle 5520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {35545636-e444-4c3d-950b-3f3fe2b5803c} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" tab
    3⤵
    PID:5764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5672 -childID 5 -isForBrowser -prefsHandle 5680 -prefMapHandle 5684 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1304 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f2a9c32-d141-4bd5-b384-2c8aa549721a} 2688 "\\.\pipe\gecko-crash-server-pipe.2688" tab
    3⤵
    PID:7144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae877cc40,0x7ffae877cc4c,0x7ffae877cc58
  2⤵
  PID:3804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:5356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1636,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1956,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2272 /prefetch:8
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3064,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:5780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3216,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:5792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4224,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:6308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4536,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  PID:6496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4524,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:6516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4872,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4884 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5092,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5108 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,4582608920002476884,4898571643634285435,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3696 /prefetch:8
  2⤵
  PID:6960

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5940

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:6592

C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle (5).zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_DesktopPuzzle (5).zip\[email protected]"
1⤵
- System Location Discovery: System Language Discovery
PID:6336

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5644

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:6388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4707945d82fbbe13d7f4af08ed5947f5

SHA1
7aee8e84969f9c0300f8bde254eca23b3f4aefa9

SHA256
d8a4c1dea66bc0a91f580d0f445282da6e22d81b9fc17e87de3a9c698d52affe

SHA512
f3dfc37fc3fa2965f8fedb775b7c7075b90102e2fba0853902a74be7f19bd2852cfa7aeb97cec1344eac54e025eaa0bba952ca59cb43f2d9553eae06ec6ddb0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
21345cbe80f9cd6f4ae85855f749dca2

SHA1
e06de14c2e22f0d2462344e065d5fadb67643f39

SHA256
d7273133a90498011f27d748fd322d546fc93ffeff852988368668e22e3d25c4

SHA512
c633177ee3a17e66498886f49a9bc93054fa2e8a7fe82b5550ffec376b6bda4928d07fd27d6791f433de9590768a381a1ee3191a33a1507459beb63af0ea7d3f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4f136907d240d527b37417c9627971e5

SHA1
11307eecca8a47e7dd38cc63630fde8fb06b8134

SHA256
6f556c3f5b12aa886be86001f7b2675e03bc078b2b67f493b26e457bdc166d21

SHA512
21b4453ba2b3c32d3fa217d9322ffa4292b293865a9aeeaf74e46a63129df777a96e92ae8e35396522464888b778d4763a8be2a6aaf0271bbd2d8ddd1b4148ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
c7ade3cf637e068533da5a051c85cced

SHA1
dc9d497d3b9b9292b59d8190c01be30b1e0465a3

SHA256
5a5eeecf9010e57db2745ac219d6a6121052923c5adec1cb6dc94434919fa3cd

SHA512
8d7c4f6b22f91dc20b8246eb23c1edfcc6b7f027742ee0ce0c9e27a8c2244889aac3ffc5e3ff4711ad47155491b2cee18d595a2d88d542ede66594b3e60c3ef3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2bea602a539f3223a548314b8f787269

SHA1
54cdedf98fe202a5c90f854ddc7a27effe714d69

SHA256
d9b4612b19810774767c1ee3ee0779864f5dc88ff3ced9d2225c168a26e55fd9

SHA512
da047d8687662cbdf30b58d10e47c917aeaf89c672a9c34252df2f28f5b93c5e90224cd26d52644cdb666b6d6b0d1ea5fac1ba1e6e2965592de585b8e26dbbec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86aed6a57204af7edb12dcc8c77ea2d1

SHA1
303ab1b63f0ddc2e1d8c131300a82474c3e4beae

SHA256
b95edb73ddad22b92288c56c671996d1611cf37ab506f298903b258e8aea865d

SHA512
8deaf8edb4795d34316dddb0753b91e2ffa15089f4e261a35a5b07160b9e9a5399fccee0a3a11a1f7f8835fca6e39d3026d2b5aa2c28eb467b8eed3a476929b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
09af9422c6a997d2d23700c3ae1074fa

SHA1
d3f742a920dec60236bd92d5ae0516c8fafda982

SHA256
5663a48dcd38658a4f047e382eee6e34cc3bdd9d8941c6f58b0004a7e240024f

SHA512
ba82e810ae7622d415961222cb56efb50007d81c04bba6bfa82e69208358a215fba455a93e30b205054cda5728832e38e8a1c17ff6b3abe266588e02ef7e2cee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da1a9d757fe9d70be301b30f657b255a

SHA1
be8d48094a2d2a7a3aaa8b4e29b6cc5634d9bb12

SHA256
50a17b1fe52dd0656906ede518f755d3a2f1188ff487243c2327928e5e251bf6

SHA512
94c9dc71af2b95b30f637df699355e03bdb265947070853afbe465f47ed7c86dada63006fcff50d879b6f7c9d81fd3bb89386e83151dfd00c896299f91ffb242

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a8387bed251738589e12fac178a13a19

SHA1
3018687f9b3d1f2b4d48cab4d6d3d2c21b318faf

SHA256
4d23e9efd8fa0d2e54f127dc07ea1f65a230c0f90b84f195d00ab3f2273948fc

SHA512
89f051c93dec4a0569228bf13d81760de79a05174edb98ad1e3e61cb7da1ef76559a60242e7d2920891371c20ef583a2df2c076f9965f7ba3bb17f900d322fc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f90fb839cedd7f78343bc74d6bc19b16

SHA1
51e61b6df4ac906f8d83c56a543b9f332853ba51

SHA256
a36e65eb97d4afb6f7fd1706c56603e2ffb3cd18fc5b82fdd3e958ad3a982145

SHA512
1e80af105ddd52781e5154a617e329242fe372c84e183a4a331007f8c65b850442b4d3eac4d0139c6ee9838f0057cf9a36f779fc975fb5420f7900ecbafe7da8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e28c4fb9c9669df942a9aa4880e00544

SHA1
fb31e1d9866562d1e8395045a28948bd7c880ef3

SHA256
f00d01e3139d9a5c24b50a4085c4e076960948c84c8bbc586495c616ef3d300f

SHA512
61b2f18022cfaafeb8d2e2d4742bef4699c136f12352b9c9defd7b999161d5545e5f35ee4a7f3d2714e559d452e187f8d364be5e56f67289303d07c9f9dabd61

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb0b59c9c5cd09437b03460f7468e373

SHA1
fc22a9c7d31281b15f9f634d1f40c4c92c5a9644

SHA256
9b143254dd9e6cee2c4590395c2ce1589592b2083278c1fdb63383c9d99625b4

SHA512
65e9fe167be396e704d4b3ec65819dbd9d94c3da534be9c755841ca19a899f025215515cca0dcac9700ddf9543a0a1a3d88e90bcd25d0f195a71adcdfb00d233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d79f56061088c74051eccdd4598dd2d8

SHA1
452734acb52224b6cc1e0e6880a731211e7ad0ae

SHA256
7980c01830739262549a4a81a30e380e8166383da8d081e89a7819a416dfbd67

SHA512
d9a566028949f8d75a0585b5338b2258bb488b9d999f11798fee6eea0ae7eb222e24d7b4d88d74ec60cf73e7ba57ce2f61b949d0646238cfa0a01bd267056ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4604289f122fc0e4e58526a409ac1ab7

SHA1
83da34a4ca9b89cffec9f83429e2e1f60365fcd2

SHA256
b52aca6b0cc7ffc22070c1036df6c05708bd4877001255c0e742a57cc6ff3b95

SHA512
f33ae8de8f67c3288c43df3415fc312d5375c64d8adde3e70242917dc6e91a13fe661e26cd8ce613791f4c560807d4e64c67e6ad9450304e1ac4bedd195db2f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b67d9e6bf29699dcec4c24f2099cc568

SHA1
8ebb93314c5e26258e021c0149525cecb6e15e02

SHA256
8b444fd1fa51ee90d65fbdd2faaf4e89936e18bd0612c82b621f3cc5e1487b36

SHA512
946a19099c52499387f80676803bbbc1b661ee6fd7dbf97e077af740bd0e9a36f5b30fd6b1d9b4c9a13c7f4f151b990ef9669df1ecfddfbc4b767bc16d563aba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7906dd8b51f5d59374d7c5bc268a7ffd

SHA1
50cc2358354990557b7eed36ab67a1ce8b32e3f9

SHA256
1a3cf8606e29fe61187dd37ec01f5a51834e770317df559fbfe90871aa53d02d

SHA512
53c8f3d717c81d19282d04677afaaaffe908207c58b6add5b257fee1a62f6fbe9983d3614b4fa08dd1928adb434a669b9d296f41adf73b36354e56971114acc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56d00c8731d0e6fd68b860c15a078823

SHA1
748bc02c50a60a014588b527893f1829a8407628

SHA256
220dc146bccf73da92e5abc6ee9dba7def1fce1d53ce1c9e55d42f2b56125ef7

SHA512
64d121f613c6c64903a5bc9c867b70c8c5f54a84c7e8efcf2c487fc74ad19bda7623459b868f89bf5b185567a449813de60c2557a5eef078e46303fa945fb0e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4f89d8c6b01ce83e833fcd2a6d98cdf9

SHA1
9d69eafa95c5e5ae45d59ee5b7f7911c913163c6

SHA256
19434607fae3924ab7d6355caf73d30541d620a2fbfd9e94e16188d993cc1c5d

SHA512
ef8ec39ca96f2b53691dd8e6e52c6f4b11aa6e57513e73acc6a8e91422ea49da015403cd50d0591ebe81c51112979df2f4f222ab43736b5607b6f935834ec8fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
2cd6e5a69e2e5d833f21adb7fd91b2f9

SHA1
e01d713158597d9821995d9b062d648c63114370

SHA256
6a9d401ebcc15c5dd22e674dce5a1325c2748d415032f7a955f33413b5131534

SHA512
f9938c8aa4d1bda01e1b7560f94b0846cd969cd5c9def7e8d90259435b76dc514a5d434a4d47837315d5868bb50d6f15272cd100f0855a582286fa5de809d219

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
100KB

MD5
ae8b87f5965ce3d4d69be439ada6aa0b

SHA1
61a22f8125987920740d3041cc38052cbe6f0e77

SHA256
192408a9edaaf0a8d42c393ef6da182da6af3af8d743b8620f442eb5fd062581

SHA512
e25c704eb9fdc20c0bcada27c68231ba19620b921b48c6b13517ab310d4b073f6bc0b170d637053d7156454f2260710d2cdea6ae405bb6378445e886b04aee4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
212KB

MD5
4cf90add11745742002ec446bf658f66

SHA1
024fdcc0aaeeda34de72bc72ec9cbe28afb2dfa1

SHA256
ddeeac50bf535532f414ce33dde3a4ac2fe0959d38ef806282ddfb0174ce1b00

SHA512
4fcb60d6b283a90375eb34dbce82c0616b3630137beba06651683a5bca8a5fb0aad050d2b25c9266791eab7784ea585f4954ac225612e64f561c727520d0dfa8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
70KB

MD5
4308671e9d218f479c8810d2c04ea6c6

SHA1
dd3686818bc62f93c6ab0190ed611031f97fdfcf

SHA256
5addbdd4fe74ff8afc4ca92f35eb60778af623e4f8b5911323ab58a9beed6a9a

SHA512
5936b6465140968acb7ad7f7486c50980081482766002c35d493f0bdd1cc648712eebf30225b6b7e29f6f3123458451d71e62d9328f7e0d9889028bff66e2ad2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
27KB

MD5
4aa91eccee3d15287b8f2a01e4254255

SHA1
d89f8203934a66b5741256aee086c04f966cc6d7

SHA256
79c601189597c9c5691b763f0ec6fdc9ec8339eea80e49713f76e9fe9199a7d7

SHA512
46424f50d444aebf1dc3a93607b3a374d3e7e988137e291cd8ec28211d05a687d0b6214b45d6dbfd27608728df6b34138504e3343e6bbfd6e1c0af98199179e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
63KB

MD5
11642fb7247934422c69b24a90a63391

SHA1
4438b23266d6759fe3204f056f506d8908eb49c5

SHA256
9ae549c16ead066b18b0fdab6658d6a1cf9341ca738a2d92b46236c9d11f807b

SHA512
e3926bfd112f90c5e4244cafb50645ab1bf24b354db02bf33a9d5e0de2f03c506a883707d796ef1c3e7ac6973e6ae4d4f31cad434b4716af366b12536b5a81fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000047

Filesize
31KB

MD5
468d290b2eeeaaea335ff0a17acc1141

SHA1
b4086707e7426b8df2ecec39824156249b0230cc

SHA256
387c0a2c6b337fcfc564caf63e13de4c5c5bef793aa28e42230285a6c8f7c802

SHA512
eca380704aa87ccddf856dd9d27d44b8ad1d7d299b00721c5c0579830cd36727b634ce8ef8a5b207fa6bbd07021a4c7a6fd8d343a86ac7760309bdce9f0d4631

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000048

Filesize
100KB

MD5
db6c459339c9ec822a50111ca7b21781

SHA1
dbf472a34da6a6e8dbe1277ea4975fe9f7917f8c

SHA256
7b66032127012dc7e4f24c8bf0660a82cdb042b612ce5e26d1262340d2cf04b4

SHA512
389de05c9bc1a7925974e4616645b9d7973f9d4d7e08bf5a36444132e074116affab01caa713260851e56b0453f574a124f8748fb79eed24d486ebf80d4f614d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000049

Filesize
84KB

MD5
c9f5aeeca3ad37bf2aa006139b935f0a

SHA1
1055018c28ab41087ef9ccefe411606893dabea2

SHA256
87083882cc6015984eb0411a99d3981817f5dc5c90ba24f0940420c5548d82de

SHA512
dcff2b5c2b8625d3593a7531ff4ddcd633939cc9f7acfeb79c18a9e6038fdaa99487960075502f159d44f902d965b0b5aed32b41bfa66a1dc07d85b5d5152b58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004a

Filesize
17KB

MD5
5437e0d70fc9956dce197f98ba69651e

SHA1
b7e317c71bb889b4e0c7efbb50d6bf19ade7d5bd

SHA256
a8e6d64e6055bd28fc2a1fd1d36b92b0872b3b9076068c3bfed6aac83147a977

SHA512
f593f8ee34ae74482b51903567754e588245c4709f90995aaebad0c5574f1ffbd5b680300fce004bc9668afd218b3590bc59300149d8640fe77a12913f910552

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004b

Filesize
247KB

MD5
abf366a801703b0e1c7a1d8f5d88136d

SHA1
7767f7c1726414c5ade4638f90c2b7d9f6700b61

SHA256
a7b64ff0d5deb611fc6827c4b3fccb5d121f1d3c22dbf8a2950b23568073fe2f

SHA512
89812e1bdf3ce4fcf366714405ee9210e2dad652f3a0342e7633cc7cc7a3812342a61c3fcc49a048d371cad9e4d642e7e35c852df086026630657014fc3c374d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004d

Filesize
22KB

MD5
b728a9913e18283b21b99169d5b0d2ce

SHA1
db6f8590d557a716726bb047923fcb9eafaaddd1

SHA256
1e9df5d43c370083500af6ae81869b04731963dddd3761ca4d6cb654860f4163

SHA512
b3f746bfdce9d65af037e4cbe786ef46f8301a5a86fc9db4dd2a30f6b5c44ddfe89c739cfded8e8ddc1f2346d39f5cf5d680678a2daaae308b75c98884948e85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00004f

Filesize
47KB

MD5
015c126a3520c9a8f6a27979d0266e96

SHA1
2acf956561d44434a6d84204670cf849d3215d5f

SHA256
3c4d6a1421c7ddb7e404521fe8c4cd5be5af446d7689cd880be26612eaad3cfa

SHA512
02a20f2788bb1c3b2c7d3142c664cdec306b6ba5366e57e33c008edb3eb78638b98dc03cdf932a9dc440ded7827956f99117e7a3a4d55acadd29b006032d9c5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005a

Filesize
41KB

MD5
0af350c480ab565287007d89ab48a899

SHA1
4bc2a2c1ed2f10d047429af7c9bcaab3a34f25bd

SHA256
030239207754b0195bad3b58d42e4bfed6df4aeaff730c3fbaeed92021ca4b85

SHA512
3586ded7ed16c12ba8201b1a215f818e0dcff598e012001a4765cd727587e5243c87c8e7afe84af623d34beeced1b536e1e1671cb3baf72175512a6800efdd6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005b

Filesize
213KB

MD5
f942900ff0a10f251d338c612c456948

SHA1
4a283d3c8f3dc491e43c430d97c3489ee7a3d320

SHA256
38b76a54655aff71271a9ad376ac17f20187abd581bf5aced69ccde0fe6e2fd6

SHA512
9b393ce73598ed1997d28ceeddb23491a4d986c337984878ebb0ae06019e30ea77448d375d3d6563c774856d6bc98ee3ca0e0ba88ea5769a451a5e814f6ddb41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00005f

Filesize
17KB

MD5
20cfe1e7ecce398de65dec1393eaa574

SHA1
d5e98bc80d8b6cc99687b4b05cf55f064b73b5de

SHA256
1ba8c6f1ca0417edc532ac034580b1037da9dc053ab5578b4811359003cd34e1

SHA512
fbfe3667dc22df30f3456c9b4db8715c9a1bfd3c1596c11d3b502f42b5a200597ef9fe3d7ba63215a98c88f2760a570299c519049b06ffa8c581f6ea5e27d738

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000061

Filesize
214KB

MD5
bf0300ed560bce05089e24b7b4dfd093

SHA1
a9241ea10b544625842cf7b9c011f6fcaf902429

SHA256
5317405b0146b6c9fd0de9d1974970348c21545a9d750113e20c38e43fbcbc5e

SHA512
03080df9cb7e40ad1cac6264beaa4da96f830a952dcad0b54c005a4844c9dc67b9632d67103cf50e281eb23f1b9b3e5a55573fc0ea31c963cd22745d39247ecc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b40f608d234a0f3f84ed9547bde972aa

SHA1
a0540ccf0bfd41b7058aad944d87e8b55301fd09

SHA256
e43d3086f5866b99659b4acb4bc75f8778fdfdb52d7a97676c9334b0fa4d3a00

SHA512
fa89bb689b05c7437609fc9ac68b6aed9e3ba152e1186b8fb7dcb4e7198a77715a89fd77df3b6da25da91dc14c696657bf083c642be47544af2f2c40c66aaa9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
34bd6769813ac3f94ac1de3bed5effba

SHA1
59e9310601ecbd9ec23235ed99c4bed2ec91cf88

SHA256
1877998787a4e03dd2a713ac3f57bb646a66b0ae1015a1b6226b79cec0c28487

SHA512
9ed946bec81a99aa13578b7a78b3e765d9f299aba4376d8077444f513fc7ccdb6b0947f3415b285f620cfc186800e6348308cab96de056efef8e42fac9bde9c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
5KB

MD5
694dd9515f4d3a6a6ea3cbe731f4da8e

SHA1
18f36962634515536ae800a685354fbcef2f9845

SHA256
1a1779e1dca6b79b1214672f8c902a407cb06fa35540366249731b5ddc71742b

SHA512
7a6e50a190e276223ed4c65e1971ff7e1206655863c55b91529b82ed7faceee3d2b773e1a83cdbea4442df9fa63b649d3b748ce8098e1392107c06f95c1229c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
7730f717b3d8d553b70b9ddba9fcea5d

SHA1
774c2750c517d0bf1821fe0652a7e3e2f978fe61

SHA256
e2558a2519f5fa3ae8bb5490029d28d47264914b61a440f13a2de5a3177ec7e1

SHA512
0ff1d02f4e4a39afa53758c180017aca847554183a9cead417f0bcadcaaedb8cc60b19e042dab0c8124e9563efce046318f9422b4c84c2f32440085b9f17654e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
1555442ea0ca804b86ec8e878f7a7efe

SHA1
e73f481627a760b91e99eb2099ea8db0c4c26e75

SHA256
8033eb826766852a1540bf77d054691bf3d26d99cd055a04184cba68b5d12ba1

SHA512
5d1e6f4f11e1024b529600e34518f22bfa2536972475049b310d72a5fac50a656da19f0d4b1b7698d6851ac55628167c70900fc4d4f09bcef37e952df8d397e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
192cfe5a83dca08833f05bed98d64ade

SHA1
e63933587e3a4c5e1b20a4beaac7734dcff5e865

SHA256
459dc773fecaefcfc3461710dad24a417dac4198976961afcc798ac9b0a8013c

SHA512
eb1af326fb1aa7b9cc43d32672df28ed0fde9e91e626cf73b693dbdc2b66e9de98506b4d0784a913382be0af6a24005a3e3b10ddfab168bfe10aec135da6a5d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05e06a89ffa3f60c3304026275fcddf5

SHA1
1710bb4b97fb2609259fd1c798a85e67822f8a7e

SHA256
4109a44fbbe93eee4bcab4e8ee281b108ff9693472ebaec8639d7128e66eccef

SHA512
f33a82e7ccaea4fecdce2c20446ef30d452764e3de13bd4a63a32f4c3f3792d0ec838ddb6b7ca55304e42fa20343de91e6852972d8fe85716a9b7be6a11b5abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0bb030c6d69f15a42c4381bd061f3e59

SHA1
a845076376fdc8b12247c3292b63869a2abca11c

SHA256
9f64b545ecd13f4fa7976b79d2a09ac35a17853eb41fccdbb8806bb974a6a443

SHA512
6e391d6ccacca5d02e8c0ddf995438d048dc0b3b86f9dc410af8dbeb6ca083a61f5e7ab77a14d7e9a145add4bcfc75ae7ac998141518972e7bb91829c16a68f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
6687b50f5f7ad6371b53b60b9744a383

SHA1
f23759e8be2294bd169d3923eb9c158df434ae05

SHA256
7990dfd42a82802204cf64b8c90c09d71558efe6dd5ff3ac3093bedd56fb0d05

SHA512
9172ee0d6d6e84557876793c75e7583c1ae5cfb233bb3ef5bda5c8d89cafe76cada59ca221f63a46a7911a129572524f64e29b7d793d419dfb1516f6b5c35a7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
3719d281c91bb024a9385b04f92b7807

SHA1
e22c7c232e706145db65e3f3f635eee0d91c6631

SHA256
0dc09e464e5fad3c300763b7773d7ebab673940211020f7b8222f24b2e5b686e

SHA512
a390e964feae0acb6cf3730b0bc7877b5fa79269b723fcccf5baf820da6e021626aacf1b117fe1754354c0acd289506799d96d4a5d2620c8b4278286c5c6f78a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
fc0a8944355cf10564ce13c4898c890d

SHA1
35d1958bf30c412506c65ca80c95ec1f04bbc3f0

SHA256
9a47be8c869a0db8da6d31c813fa7d5ec30844cb8859f13b52c6f8333ebca2f3

SHA512
090fa1ff869c2dcebca8207929e8d447a53464ad47dda07490396b3e2a4d1bbb8cbd84ffe694e405741e4fc21efaa5b50b133995d451a73774561d96311c23cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
269147f0db4e4b76b480fe15aa8cf239

SHA1
b297cd2a81ade18603c7649b82c33c60d1eb4d64

SHA256
df1895b12fa92d8bde965a0500c27ac25f62d9a3178001b442d5c3fd024604dd

SHA512
dc24000501da0115703706f535c96c6bae9f407aaf021918058fdd7e4d787378ab42d4ff28dd4a917f9d46e62e9a07a6276addb1244a6b44692df24095b1b9fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
53ce2428395eab5adc5a68f36707977b

SHA1
0c41d10202fbc0fbf335014169bf9ee6dcfaa73d

SHA256
5d7c5a939bce33ad87dd1cfe0fabdf0bf1100ec2f5b01b92b1b0a950f141960f

SHA512
795fd38793e184317870d1237217540f62d797fd04338ed474589b954f4679ab01cbb6f9dc32992047e20c885bda2ac607734d64e832f4a1e7eaa21735d94996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4264f6ff48b2d606bb9d66455a590219

SHA1
5106039dc96336693feb7c13cd5cd0f9d790422e

SHA256
0f7f46735dc68447e17c27e4cee56f059e9d44bf6ae6e03b747901f703c6f0a3

SHA512
5d1123d0a0c7161132a5893c740c63861961fefa820c4fadf1112abb37c619813022f1684bba5991551a043cd5a07addf86fa25662eac565ac5741bba386b22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
daf03062ae86e9243b0b86fd52ade081

SHA1
6fd0bfe83ca06ba96a4945ec0cdf6c9524f96bd6

SHA256
e709237053fad0e30d601cd24fc05deee179f2241a1b0c56c474c318c9c6a183

SHA512
f528a91e45722e516be8f13b7f73ca7bb1330e5e7a1aee64b2a9856988cab0060c361627cd9b848998f7541ca48b386cd84231bcad65f3e2727cde42e3db2bf1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cee3ce6978e3bc3a8b3d9791a4dc1a90

SHA1
d6bb5f8a546d14f81db7f4bac8443df543ef4ba8

SHA256
6e08ba940b99746870222c88be0fb77e0d784f27cd9e4854229650a4498af175

SHA512
cf712d02dcbcbd0327b0c4ba0c4f8b69976ce26f9d502eca0bdf619a7166e650e982477ff303073ba4a712efcb705486029f5a82fa599a06a0b066032ab3a658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6493290af58669cde7016d3fd4c8b1b0

SHA1
7d3cf676374a9e4483f2831372a00af06e83cadd

SHA256
e807f2bc1ea1e5c8c73487b564f7050327d4f8415c35565227f888b72dd05b28

SHA512
140231a5ce8b80f594152a452d6380921326b9a7cc3102e7501c74305e53be6fe6487392cf338fdd41fe34c772b89b52cc7894a0effb73790db501861b2b69c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
6346c2e700c194c2c0b2c2f5dd6422ae

SHA1
e041ce7a1423e4c86608e065600b32dbc38bc529

SHA256
243b77099f163988b6e2ecfd179bde236a0acea030f868c9dd6e7a9189201f91

SHA512
b22ea02cf9ed5a35ce31fbb53d9ffb56ee9746b0cd5880c1338e706193df90d216576a4bc0967cd8470f7a98337336639640ea839d30b8254259bfd0aad867be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e99654e07baff8e96dcd0b4076cd701c

SHA1
ae2644e0fe723a6b2c685f66fc27da9d79a6d23b

SHA256
2baceb2ecdfe91efb5cee93d9c093fdb02e844f6c4263f920f8b9ebbe28cd6b0

SHA512
91bd8e86008753213875dfbcf678acc19376268a6a17a547e409434f63dd540c3962806ed930e706a35bfda990c3182046ce6031c412a681dc8104069f836442

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d20fff19a800b058f8db3427f74ccc3

SHA1
0a8b4fb49ba4ffbf49b07d377bb2d7f0f73224bc

SHA256
cb3c9482c32ba48cd99a4f0890c80a66f2794a6ffe2283eb76f2b785cea08507

SHA512
dbd17e09900e69f5f191a9da7031e1b8601b66d7bfab8f6864acb453f67259da3abd6acc1ac7d0a4739bfb7a46b95e3958a4426ddffcccd0171532b934d98356

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30e2b5ea7368dac0a9251ed0837cb87f

SHA1
b0fb4554c9e084d3dbcbcebe56beb1a8cb604537

SHA256
c62cc986b9d3ca3674977060b72461ad4eab61e885633fc6488378fc11d82437

SHA512
8b5e2a76d22ae6c3845ee2e067f422856be3e5c13a2ae4195c5090f01c0d27fefef6ef2e2f839927f8e32f995c7bd059b2bb251b38b89d44db5b43f1070dd091

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
d8161ef346ef5c9104607445abe6ea12

SHA1
9b88ec1069a3296b815010b4413f972317096f4b

SHA256
aa7214b15738e767086f0b2e60b9300571be62278038506aa9a3f7adfb034add

SHA512
62f98565a9657cfbc507f60943c8df8be406cb724239c6ee203a76a7d9db1d95b4adbb6e6a5896b89036e62a35a115ad49ef9966c277ffadc58153e7c87bb3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
31f02060821a6a096339f6ed588a0c5a

SHA1
36b1ccfd2610a87861b28448090806d536e17511

SHA256
7742bd3eb6ea9ffff536903820453fd061b3a96d83da7e8dca689c4f1a219256

SHA512
e3a91bfdd55b525d339eb751c7350bfc8ecb7429d707d8d90fa38c2d215faacc8bd76a71a005fc4ce74d2a9332752141200e9f19826f184f91ccea6e5eeb8000

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
b4b99622732bf1ca6f2be4d778d5c607

SHA1
c06c45f81c507663e189f37c4b7417cbbe4cb660

SHA256
18266460ea3756fe1c39caf278a8e1698efe394c54b2a1da8716f102c1468fc4

SHA512
ade95c2f801d8bda4942d8bdfea7b7f4ae85b49d4245ff1e7f1d6ad88aa8e7f7742997562d4b9f636f9e7d84e45c229a4c86ce53cb1ab7909b34bb637ffb9a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
ab01f2b6e8d823e8675118cc6eee87fd

SHA1
9dc9e658fd670f58aeef186ceb79a20bc1a05721

SHA256
42b62c1df3319ee43264e0a1fc0cae4e89afd322114e7510586f775e38b214d9

SHA512
591e69122df752c151fc41e46ef01b2b50293ae29cdf1ca3d53532779c68af6258792a72dca88b84bf470882e622ace79a9602ab297520b9d4b9af8c326e64bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
aa1a35259c0f448557a291615a124fcb

SHA1
a90ca155f4fffbf6f7833925189439622a65b05f

SHA256
04c9de3f89da45ed2c1ff894335ea1aa39c29d6baf0a7963b295866f02bf4d0e

SHA512
45ad9293f558f0e3adae287af4ac0868310d7d8f92e53e77dd98651dbb894ea471b029bed1aa96d7abad1703b008d33478b7f99a8c0177d1c4151da2f5fbddca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
31927f31e4db833e378e5b0d7de683f5

SHA1
59257b4c75409e0e0fc1f705164b9c673e47b6a3

SHA256
a8892d5d8b192f8ce014b327e6dbd9742a6463c1e23803a08ce294a1d9239df2

SHA512
b3ff15179eb94dac1b37837bb74b01e7ee02a840b1fd440fd15b98f95da74d212bacf1afaae6c3db687e52f0759ecf551d95ba37742514857d89b61d3d2ea087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
bdcd259dad1357ac599e13f29f623ece

SHA1
4a31fb854fad4961538dd7897b1f37c79363526b

SHA256
51e4346cc823876864886ba92c9d997f232e0f0b15e7416a7d0c498ed9fbe179

SHA512
fd1e37bb95d9994573441f0ae1a6370484a71df7a23ba0e03e296106469774f597856af96d8910ed75367a52170eb716c47e21821dc358666cf167f924651baa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
6e8da88865854481acb120a624d72085

SHA1
d836a89f39315c64a616278ce7a94275643bd330

SHA256
7f3600ad0e044df8461bfc60273e201cf3d68f499a710729331f2ccfffb1b8a4

SHA512
b911c41f3de90ca6dd96293ce9a28ed54daf9707e559e7734360d92bba3e7a03d3b527ad2c397558e78c384a981ff8eacec2b878cca8b87aea9ee4e6e8c95c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
9345e553e624ac0e98f074432b227db4

SHA1
9597e840c7779ed9cea7471dcff27fa546a00e2c

SHA256
51a8bc6c18cf29be91776f1a45dcb343cc64fb8e76d9d784d8c53d92933cad59

SHA512
b353aae48bd2e76ffa78a2a5e243171b3406ef800a18b757e8661263fec8ed76f26916e98d1a529c9cd450b47042ad1cdb5c609e21b411ccd18997dd02ff0da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
16fd6ebf08ce685bde14c5e6cbc07d0a

SHA1
880094159ab5b484fcf7092eafb5837598e9b84d

SHA256
82c55d0e9fd2a2dd38a5c129616643c8462a217e7591b14a5a945b4f8a8b33e6

SHA512
b7af3eee5cf1a01efb530f443d150cdc8d4478af114fe902ef1f4b2122ab7af45c102a6b59d6d4657077e81ff357d5d31a8ffa9b20bb3fcccd46b511f53bb1f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d7ec06d4ec9aa5a564517be05643587c

SHA1
44868ff3d43011cfeaad9293d83fd1f1d24b27bc

SHA256
1fe77d331763e726846be308b8c7537cb5d07b9ee9b884d305a16bd096de38a8

SHA512
70f371311664f29b2f8c8aeb04b2f22740a4318785e806d17641fb8c1505146a33ea7b4b76c4e25b882518eda7f69583f4596f6dcd2da11e715fee6368ffa5e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
0fdd1a1913724e980f7127f2650ce3f3

SHA1
2276e704d0e53a271a39aaa11b1d73d7a3ee5f19

SHA256
ea63e0287a97dd166608eb5ba1d3d977905a2df60bc2a1365765da8d511dd301

SHA512
b63c3a1ddc28c1d9359e31b545c877ca6434a351f2814657f9a0a13368fb441efec216dd336c598fcb4a9689e0fe7076467ce61578392adf66b4158686bc9fb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5839e7.TMP

Filesize
1KB

MD5
a06d2b8a0119b970aef12b1f3e5b0f12

SHA1
f131f9ec1aaf655b7e6a36a105798ba26dc10d40

SHA256
1d5c3ce2dc46eb0bd650f36102f48dd849719f315e33ccf844c6915865e26e9c

SHA512
0912fcb3fff901ab9c8145e6afd25484ed3d4b9a6db7d54fa62122190f8433cd1fc7debc0d0eafbae9b8b6d01d3678f1dfe1632d9b9c950d33803df9109111f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1cc7f8612085e433d1339c12cc976fac

SHA1
0ec4cda642965a9ead3c16679a90a5c3daf3bd31

SHA256
36cc6a3911d6413dcad31d0069897975eabf0968ff3443960b1e84e70574fe7c

SHA512
f1d1fbc328c54af46eb13f4351c112e10bf40e47b7e94473955ae16274306bceaafb5c2aec1abb0df82e8c7ba72d3f0ecaecbcfb94a592ab019314887c7419ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b551fc38d112c26129fca45ba29fe231

SHA1
ca57f0e0cdae0dec624a04b6be9d00070e45dd8b

SHA256
da3a0d222961b156c2b78a2ed7cd4d4954b3d0e58a262bf11fb9943e76d6e50c

SHA512
cda19bfd7496d13e34068cea6a879f1623d42fc962d0890e01ff68b26def9e5dcafc0f3c0542d4a10bd711b5d331b7fc354ebb704ff247ff16310acc8f240506

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e32a607e9bc87ab2765fb93897266bf3

SHA1
c743e2d93f7038a53dcb7f74c80403571c105f7a

SHA256
68ab878bfd4bc50605a1ee33fea4e13f3e82feed23a98077c53de47534afd3b4

SHA512
aa6d1df8f22c1fd1982b351d535b22760aea0dc807debea416f9abdc20ee7a43838c15e2e85db9f81fdaa0fa9a1daf5158036c461e5e1500f3e083ddd3c8216e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b2183cfdf9e6b562012e939132a6144

SHA1
b05c25b95f5bb9a475edeacc3ed368bb9c2653d5

SHA256
ace9d5a37a57bf03f32942904104b44eec2cf73a8bb53d2a57e44b248b2764a8

SHA512
194fe84700190ff3618ea7b06f06e85c50df9f3b6276bec66c60e16fe12902403fd98242c1d41da202bca977e0cd1d37877350b5542d0a6d3ede0875673f5823

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
29ed75a5066546054a3624034aaaa4c9

SHA1
15f3c005436bf36c109c06a999cefa2e5cdb1f7d

SHA256
71bab7cb926369f50349b86410ed8d411709d6f4b36b803550cdaffe43d7a621

SHA512
61980dba2fd5eed7aeafc455d3337220c55d572d4177bba6e2e91d945bee93b9443d63efbe40bd75eec108b52be84153fba30da5c208f135bab7ba8fdd1d0ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9dfe7dd5103315d741c7de34e5e118ae

SHA1
3dccb8319ca82f0a4101303ce80b94623ec6a988

SHA256
0364c146b98e4847138eeeade2ebf5e9b00b3637315b978e8f96c566eb6f5413

SHA512
839a6266b7b003678d0e95c663af54429ca352c86489bfa5c85dcd808b7b9094d6e3eb2841f72a6085028d82ad0cfba139e34fb83376bbd3e2891a665691128d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yel8o60i.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
3a111f0f77f88d4f1a1c1f78f35172bb

SHA1
bc3c215a97202984b330557ff4b37b9f33268372

SHA256
2a2b1e3d29ccec4f743aecb927ca1d5983d65b505ce642a7d2da7c960028c11c

SHA512
1c9680b174533ba9baf587a755a154df7a199f8db756ddc889fecbcf222dbd74da3b1e880ebf32b565fd6757a53f11d58077a30fb2ddb0eb216e8dad52683fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD2BD0.tmp\sist02.xsl

Filesize
245KB

MD5
f883b260a8d67082ea895c14bf56dd56

SHA1
7954565c1f243d46ad3b1e2f1baf3281451fc14b

SHA256
ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353

SHA512
d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
8KB

MD5
7317a57d95eeeb57e141e7c08acc8f16

SHA1
1e244c90f74c934ff69ce09fcb446ebcbed7cb17

SHA256
1aa5bf1de866372947bfb00dbf7c95770f8a1391b1511d0264659e47ee7876dc

SHA512
da624f7f4e8496800b2d2ca0063a3daec8e1a1e25bf939e13a841bc1bc230be0d87c9a0b516845ac54aa1150b89848c5bcd623b0240ea7068a0621e92a9a8f8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
6KB

MD5
72e1d7bdbefc9ff2b33ff451c7313711

SHA1
23bb621402ac6a0204c4af596bf664a99f7231df

SHA256
7df0b3df92121f9fb982e5d39267710d1e849ad67682de357009f2972afb5603

SHA512
3e348200335b9aab4e1761887b9f6fbf5406502f9d73f9eb426628b5ce77e96e02325090eacdead886d78ce0af834c78d7e6d315a39fd340512ef82596420c62

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\AlternateServices.bin

Filesize
6KB

MD5
b94aeb3a3262fc7af29d5d7ad0711c31

SHA1
14db3ce48f9499c3a8f2c958af771f251d3c133d

SHA256
ae4d81164722117d62652bff8726ccd157d1cc0f1a97e42e3da1641e5d5d2867

SHA512
65815b85bdab4ac94c881006d35f19f52b9c309e66b6da70b6ff658d1eddc9fb7233cc29cb1806b97050e204292a5795996684090f2b670f053a5d30a6a9fcbd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
cf1085748e10894e3a3907a75780855f

SHA1
3a40f4c7137dc143168413fef52bdcd052b1fa5e

SHA256
b41efb5e9f4859a777a9dafa16e7fd0ef98782ff12dd44d9b74c66e044a12511

SHA512
938f2f0caba150eb209c5a0b976112eddb3c4befb6d0c459207d7e6bf56167b9e263eb26bd60b20e010c9a7c68fe75aaad5c5e6d578b1cee10c520ee64da3c63

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
bcddf0c904526c2550fc6d9d15b85907

SHA1
5cba213ab7b88d55f3f224a6dea0d36c5e342c62

SHA256
b3cd67bfc19360f0a5449a8b548b6d419ab36c94543775cdfded820dcd7b0093

SHA512
2a3a48b88a5fbf197522c89f59704b9edc00997ffcb5c4cb75227409f07b6e959d0beaee31ac0c515d0fe5d375db8a0fa79ad7277d42df57c3d7f0f6b8992e57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
23KB

MD5
a2adc6a2eae902c13b42167d3d440af1

SHA1
4ba5c6716b6546ebf8a4b32a9be457773a6429ec

SHA256
5060d901c24530ede91864cd3f9bef51ce4edcef8cd7b32cd18ae8cbcda8e53f

SHA512
26a7ee594f8b0c9640c4c2faa39218115c62d6f92bc0602982117d0d9b9f4c933506e7bf005656b28ef09509fc885b8e170d31720042daa0ed41787ffb2077ae

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\db\data.safe.tmp

Filesize
22KB

MD5
d26007a949e2a3ecf9dfbdfec78635f9

SHA1
09bb67ded87522095f29268f52b7ab6b0deeef75

SHA256
40073b312165b320b8d4a9c3aef239cdb2332f257ed630bebfc27a32e4fad170

SHA512
6fadace47d9899a994e7619c6bc7ca9506886aa5e294530736792412bc3e687866ddaea36a63efdde919b243d35b109b4d4af34aa8b8c1d51c160d454d6b183c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\5a4ffbe9-593c-40d1-9058-e0ee8b75dcb2

Filesize
982B

MD5
31d9dc314b7eb34ab11bff1892c9a1fc

SHA1
6fc8114bdba8fee01ab82729827719e8c15bbc2d

SHA256
2f390dcc547c67694b26974bd840d775e961848d0f5cf6e4aafcad8442f77428

SHA512
fce0500efac253b0cda509cdf08c49d39fadb451c57c3f01a2c582662184bfb6317d78e3bb4d4b155c503025f2e26562f7e57ca654c0bcfe049faf9acf91d153

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\datareporting\glean\pending_pings\7b364974-37f0-419a-ae5c-839d1412bfef

Filesize
659B

MD5
345659ef8ede0baf15514eafad59fd55

SHA1
2153e95e92c4bdec427300c4356ddd73e5212c47

SHA256
fcc6fe92649d2059125f2e7ebd0f56d3f38ac8a3d39431feada892a652f236d9

SHA512
91e4ce84c336694ccd32b00ce8f257330b6902d3dfb22d6d90b6a86839db0d1b244cca5acb1206b0ec4f09c03039acb3149fa4d5dadd8cd4fd919429a459caeb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
11KB

MD5
ecb04a5bd395595fd5719ef184f1f330

SHA1
d699f7e2b423995d391a6492baf3538e145d9036

SHA256
c766d53e9affc3d3662a894094c8ddfec7f06c425aad3ddae2c42d9fa1b97e4a

SHA512
053501882c084226c470ac19b4990c68d4201197827420639db88a09c7f780f78cb915945556e4bc43ab76f7df3a80ee1876b3a4afa46394c49bb1ed4195debe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs-1.js

Filesize
11KB

MD5
33281a4e11fd3c391dab409f6cdfdfd6

SHA1
4a917f34439810dfd0453a218158d45553748713

SHA256
5289e56585be0bffb6590bb0689c4262f4a0eb966bb4e989f3d9fa58dac97cc5

SHA512
e885da4a15ae184538c1da8f3a4013539fbf226ac5ba1e757acd9eadeeb3f1ac8de252e7864046f7b8b15551ebd22ddd5e997f5f48387ba557c41f084a993116

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yel8o60i.default-release\prefs.js

Filesize
10KB

MD5
3a53f38ae17fa91feb747526e38fa73d

SHA1
4fa5914156208729b0388ab25d4b6e0dd59efe07

SHA256
932b96b9240d396d80a1e5ff424357f970f75b22bd67612bb998e7d232dba8ea

SHA512
3b754f6fde031d3a00797e0c5c609d9c2c49648459113967f922a2fc1e9a9161934e62831dd0ec0523d4c5a20a6dcf1d180430ed8682b0aa13d94f2e493b10f1

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61da9939db42e2c3007ece3f163e2d06

SHA1
4bd7e9098de61adecc1bdbd1a01490994d1905fb

SHA256
ea8ccb8b5ec36195af831001b3cc46caedfc61a6194e2568901e7685c57ceefa

SHA512
14d0bc14a10e5bd8022e7ab4a80f98600f84754c2c80e22a8e3d9f9555dde5bad056d925576b29fc1a37e73c6ebca693687b47317a469a7dfdc4ab0f3d97a63e

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip

Filesize
393KB

MD5
61d9c992fa0ba1c5dfe87072f275c1cd

SHA1
7b7626f7de611f36cb49abce5954f5b7aaf43e2e

SHA256
2646aebb1da45c9490b5eb521880a1f74b541d1e8c88b79ce88d9d341d5cb9bc

SHA512
c6a1fa11111dde3edc327302b4cf52f5aaabf50a5cb62767bd8f9ce32f272728ea9f55d043342ef39a009033a90193f1eccb927e7dc37ffdf51d8eccbb0bf8c6

Download Submit
C:\Users\Admin\Downloads\BadRabbit.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\DesktopPuzzle (1).zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\DesktopPuzzle.zip

Filesize
121KB

MD5
6ec216cae1f0e898635d296bbb1a7539

SHA1
8725949a62c581e4c55d7338dcf3f67997840278

SHA256
431b9b7321f734a3f11b23e638199ff1f0d9abe9374ec299484d9e47f20b4ee2

SHA512
b619a5e8ccc0473d99453108085b1678a75dc816bbeb1d5301cd265ff8aee18e214d4e7b877d0d5d13921238d45581cb89021c4dbfb9ba2f3bddb4d4f297ddfe

Download Submit
C:\Users\Admin\Downloads\DesktopPuzzle.zip:Zone.Identifier

Filesize
237B

MD5
64a7d3f1507fb14328590114dfa9692b

SHA1
37181e121d17809c33e6fee5b36c1a1297dc9c8c

SHA256
594bf98a10d151106cceebb3f8d775aca6330dc7d949b79c683e5d3d83bf7144

SHA512
8dc122b9cdcd237cbf33044cfd3fbad46b9a4ffd420cb747b145b9893bbaaa631a7e9087508ecd7697509e1eb8061ff8ad88550ce04521d55d8ecf7ae8d8cbac

Download Submit
C:\Windows\B011.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/2080-365-0x0000000002CA0000-0x0000000002D08000-memory.dmp

Filesize
416KB

Download
memory/2080-360-0x0000000002CA0000-0x0000000002D08000-memory.dmp

Filesize
416KB

Download
memory/2080-352-0x0000000002CA0000-0x0000000002D08000-memory.dmp

Filesize
416KB

Download
memory/2480-423-0x00007FFAD0530000-0x00007FFAD0540000-memory.dmp

Filesize
64KB

Download
memory/2480-425-0x00007FFAD0530000-0x00007FFAD0540000-memory.dmp

Filesize
64KB

Download
memory/2480-424-0x00007FFAD0530000-0x00007FFAD0540000-memory.dmp

Filesize
64KB

Download
memory/2480-426-0x00007FFAD0530000-0x00007FFAD0540000-memory.dmp

Filesize
64KB

Download
memory/2480-427-0x00007FFAD0530000-0x00007FFAD0540000-memory.dmp

Filesize
64KB

Download
memory/2480-428-0x00007FFACDE00000-0x00007FFACDE10000-memory.dmp

Filesize
64KB

Download
memory/2480-429-0x00007FFACDE00000-0x00007FFACDE10000-memory.dmp

Filesize
64KB

Download