thanos | hxxps://github[.]com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware[.]Thanos/Ransomware[.]Thanos[.]zip

Analysis

max time kernel
596s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 20:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Thanos/Ransomware.Thanos.zip

Score

10^/10

thanos discovery ransomware

Malware Config

Signatures

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x000f000000023ba7-736.dat	disable_win_def

Thanos Ransomware
Ransomware-as-a-service (RaaS) sold through underground forums.
ransomware thanos

Thanos executable 1 IoCs

resource	yara_rule
behavioral1/files/0x000f000000023ba7-736.dat	family_thanos_ransomware

Thanos family
thanos

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
59	raw.githubusercontent.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\drivers.txt	Win32.WannaPeace.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\1\0\0\0\0\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\10\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\NodeSlot = "11"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\0 = 6600310000000000874fdb491400526567697374726174696f6e00004a0009000400efbe874fdb495c5924a62e00000092040000000001000000000000000000000000000000219b160152006500670069007300740072006100740069006f006e0000001c000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\1\0\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\21\Shell\SniffedFolderType = "Generic"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\14\Shell	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\20\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\21\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\23\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\1 = 5400310000000000874fdb491400536368656d6100003e0009000400efbe874fdb495c5924a62e00000093040000000001000000000000000000000000000000219b160153006300680065006d006100000016000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\1\0\MRUListEx = ffffffff	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\21\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\21\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\0\MRUListEx = 0100000000000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\1\0\0\MRUListEx = 00000000ffffffff	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\17\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\21\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\21	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202020202020202020202	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\23\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\9\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\21\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\1\0\0\0\0\0\0\0\MRUListEx = ffffffff	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\1\0\1\0\0\0\0\0\0\0\0	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\22\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\11\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\18\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\13\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\12\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\15\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	OpenWith.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\19\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\23\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5124	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1136	msedge.exe
1136	msedge.exe
3528	msedge.exe
3528	msedge.exe
2428	identity_helper.exe
2428	identity_helper.exe
2828	msedge.exe
2828	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
4524	msedge.exe
5764	msedge.exe
5764	msedge.exe
392	msedge.exe
392	msedge.exe
5168	msedge.exe
5168	msedge.exe
4500	msedge.exe
4500	msedge.exe
848	msedge.exe
848	msedge.exe
5016	msedge.exe
5016	msedge.exe
3748	msedge.exe
3748	msedge.exe
1396	msedge.exe
1396	msedge.exe
5708	msedge.exe
5708	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4684	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	firefox.exe
Token: SeDebugPrivilege	1852	firefox.exe
Token: SeDebugPrivilege	1852	firefox.exe
Token: SeRestorePrivilege	3792	7zFM.exe
Token: 35	3792	7zFM.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
3792	7zFM.exe
3528	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
1852	firefox.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe
5708	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
3028	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5428	OpenWith.exe
5488	AcroRd32.exe
5488	AcroRd32.exe
5488	AcroRd32.exe
5488	AcroRd32.exe
6140	OpenWith.exe
6140	OpenWith.exe
6140	OpenWith.exe
6140	OpenWith.exe
6140	OpenWith.exe
6140	OpenWith.exe
6140	OpenWith.exe
6140	OpenWith.exe
6140	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
6096	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
5208	OpenWith.exe
1852	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3528 wrote to memory of 5012	3528	msedge.exe	85
PID 3528 wrote to memory of 5012	3528	msedge.exe	85
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1760	3528	msedge.exe	86
PID 3528 wrote to memory of 1136	3528	msedge.exe	87
PID 3528 wrote to memory of 1136	3528	msedge.exe	87
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88
PID 3528 wrote to memory of 2616	3528	msedge.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/ytisf/theZoo/blob/master/malware/Binaries/Ransomware.Thanos/Ransomware.Thanos.zip
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd446646f8,0x7ffd44664708,0x7ffd44664718
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5852 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4080 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:5708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3472 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5804 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2600 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4788 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,1196456945351361371,14023924647792196386,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5428
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Ransomware.Thanos\ae66e009e16f0fad3b70ad20801f48f2edb904fa5341a89e126a26fd3fc80f75"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:5488
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5600
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=09549EFD7B7CA44F984F96E0C5E5E403 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:5740
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=A678496DD28F380B8A6E9F4F96B538C3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=A678496DD28F380B8A6E9F4F96B538C3 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:5756

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5944

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6140
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Ransomware.Thanos\5d40615701c48a122e44f831e7c8643d07765629a83b15d090587f469c77693d
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5208
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\Downloads\Ransomware.Thanos\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850"
  2⤵
  PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\Downloads\Ransomware.Thanos\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:1852
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5187054a-c926-4d34-8fa8-532a4e60ef43} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" gpu
      4⤵
      PID:5332
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2436 -parentBuildID 20240401114208 -prefsHandle 2428 -prefMapHandle 2416 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b098512b-2ac4-4cb4-9bb5-723e37bec37f} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" socket
      4⤵
      Checks processor information in registry
      PID:5340
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3192 -childID 1 -isForBrowser -prefsHandle 2992 -prefMapHandle 3216 -prefsLen 24741 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b38dd02-eacd-491b-a977-b7760d1e7638} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
      4⤵
      PID:4276
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2980 -childID 2 -isForBrowser -prefsHandle 3604 -prefMapHandle 1592 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce0266c7-6a25-4c71-9c86-703c60bc720c} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
      4⤵
      PID:4536
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5156 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5112 -prefMapHandle 5116 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7f0f678e-61d1-474e-8710-adc902fd83ea} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" utility
      4⤵
      Checks processor information in registry
      PID:5888
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5388 -childID 3 -isForBrowser -prefsHandle 5380 -prefMapHandle 5376 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dc9b64f-8ac1-4bcc-8137-8c3d94cb5f06} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
      4⤵
      PID:1268
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 4 -isForBrowser -prefsHandle 5508 -prefMapHandle 5512 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {909ce595-ef01-46b3-8a87-4769d6207946} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
      4⤵
      PID:5160
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5796 -childID 5 -isForBrowser -prefsHandle 5716 -prefMapHandle 5724 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {418a77cf-7a55-41a6-9cb4-c40fe1f6eb69} 1852 "\\.\pipe\gecko-crash-server-pipe.1852" tab
      4⤵
      PID:3320

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\Downloads\Ransomware.Thanos\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
1⤵
PID:2528
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" C:\Users\Admin\Downloads\Ransomware.Thanos\c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850
  2⤵
  - Checks processor information in registry
  PID:5784

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Friday_the_13th.408\Friday_the_13th.408.com"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4684

C:\Users\Admin\Downloads\Win32.WannaPeace (1)\Win32.WannaPeace.exe
"C:\Users\Admin\Downloads\Win32.WannaPeace (1)\Win32.WannaPeace.exe"
1⤵
- Drops file in Program Files directory
PID:3284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yy20grrr\yy20grrr.cmdline"
  2⤵
  PID:5196

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\42b098f0bacd41cc810db69f06af3d8b /t 5264 /p 3284
1⤵
PID:3436

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of SendNotifyMessage
  PID:5708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd446646f8,0x7ffd44664708,0x7ffd44664718
    3⤵
    PID:3480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2184,12721063250669686980,5632626290550657960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
    3⤵
    PID:6004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2184,12721063250669686980,5632626290550657960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2184,12721063250669686980,5632626290550657960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
    3⤵
    PID:5976
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12721063250669686980,5632626290550657960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3168 /prefetch:1
    3⤵
    PID:3660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12721063250669686980,5632626290550657960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
    3⤵
    PID:3580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2184,12721063250669686980,5632626290550657960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
    3⤵
    PID:460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528884
  2⤵
  PID:1704
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd446646f8,0x7ffd44664708,0x7ffd44664718
    3⤵
    PID:4864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1432,1604041816938149687,16704971293138073825,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
    3⤵
    PID:5408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1432,1604041816938149687,16704971293138073825,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7cd657689252f6e187103461e20f5b3c

SHA1
b7d25c41cf8647eed146807514ccd3e1a0346925

SHA256
de848323f395a0ebaff3073ac825f9b84aeb4855d95197f27881377d13cff032

SHA512
0245dd348ed45fd9fe1419868ae5c44a561cbf6d2f17ba8d51100951910c0c861d4e6d80b00e3d784e25472e48d7be11c9000b75e3a1d91af1b7dd68afb30a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
92b7ee90cb6ee71d3e49153ff23c6ed6

SHA1
868fae0e4d4169e57991c90123d7ac17dffbb0d7

SHA256
ed23a79b8fd86a47c392d5426b2377d01e2c653d8a0af6f8b6310be230ffd6f5

SHA512
74ec22f8beef2c0feefc4b3f9e261f69816b690e214d757fbffd830d51552284daa513fff83eddb60d066ac8dea7b7382e4b90f44b12aaf7461da204f7857cab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
c099d58aa897eb84f5b6b1525254bcfe

SHA1
934a43eca5374b6cc5b5577ce800dee3bc638dba

SHA256
0044a40436b834341dfcd5892eec3ae735eca97b6195d8ef2be279f540ffbad5

SHA512
cc9fcba3be16e453ade10e93b24c5225894d6b3b8c609cd6d86d06a4b82a378f580517891cc91910c312f6a3dd8f6c1d4d06809a8c150e6583559cef704d6515

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f7767bda7eb5a413a3a75c551d59c70e

SHA1
7508b7ef889ecfaec30f09580ae3f18876397b8c

SHA256
c3491f0c043d7ce2511b3a71f3ccc092798f4cd8f49cea99ededc21ae8356603

SHA512
48033e3cbb57b4fa9d0f05a7594e4be386ae9b56ae81d768f5159e10d5d05504b88e3105fb35b1d2fa76982ad74f10927cf9bd5c7fc13f1db3c322bbb43adc52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9ce7f0ad2d2bce1c84ff723148222cf8

SHA1
c312ca46dc22b96a378a5dccf134244d3f44908f

SHA256
431334c19903c8de5283af98802f34861a405872565fe0f3b811586ffa3696f8

SHA512
66b464f21f79a8c0326477b4e7396933f08f417c8194aadeb751cef75f6c0e325f1c1e8cad1115d938682dc7996cc32a0c686678933c98cbb98550d1e600fc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
20KB

MD5
b265bfbbcc5c380a73ad6c909d35ef93

SHA1
66a9657b91fe58bff32fe67d1df81f544b02166f

SHA256
9d1d272d89a13fdf88e49574e546b686efea8e13eb2106e7a85e340c8313ab6c

SHA512
23ba4e38d2265e904df8e04c845ab64842fc4a09b4527247ee7591a0a18ac12ae98b612f491a7a7e72d11d43acf377e4978ea389d30f3d8d92c7a9c8e23d43f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
bdf69816ca3ff2f04f41e0e5b0b7cc8a

SHA1
7cd290c56f02a6be325e4f481acdefa0957f4624

SHA256
3e69494cb7afb96a2201798337dad896657254a75d4d2805c49d52816c7bbd68

SHA512
de6123930266a7bc9b5d7d960369dabbcfbe8bf3d83fa8a422e14fe6302d1f438e5aae5ea65e6f9a7b7c85c876caa256fd13b5b9417e6d4c713f08803328ed37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
376d5d7ecc85b1210913eac9f8722f5d

SHA1
1fec0f32b42c93667854eb6d7db9c4e015f45f46

SHA256
94c1263d462337356d2fd721b04aa096f49bede99f9cc0c3bf70dd0ce0089bad

SHA512
77b7485eddea7b0814fcc0440a51f4ec8794b35a23c3bc9be59e9bea60a77ef7beee3d01ca238bcf958154a42af9068dcca74cba9694b1640648b2b4d88ae08d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
9d52569add224c6e9b143b048955a96b

SHA1
aef8eb0d46e7fec9b0b1073e774aa51c22b0d300

SHA256
8807ed8d35b4e4ba9bd0275ef9728b61246867de4278cf90b1a65da2cc79cb0f

SHA512
a049eceff32d7734e7502bd5f6dac45b64a31f2fcaa17a956bee5e0ee942c8080248e8cad33c8e5a8893ded115ed192516c5b82498c350e63f24aa6dceee5067

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
2e322a88741decd92b1762590b2360b1

SHA1
199baf887083a2e01a14a7ab4f3c7cf6b7e6ef8c

SHA256
8ac0ce9112e3f8f1b829ce28a6bcc9cd146deb5bfe1a44b209f92d93a36537a3

SHA512
566c408c53599dc9de2887bdac538e907f105edc73e6270a7bdb4132f266573cc054ad4824ed07c6c2f0b8f5782d9a8111055db590d79dfc11e6672b01bafc46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
5KB

MD5
639e9bad0b653b48af293f90d976eab3

SHA1
2d8efdf091ba0e3d2bce074b429b4be8d6d4c6fc

SHA256
d6822a9ca2f7154269f0ed4ffddf96408e0fcebeec518b1e5c7563ccaf5b6f24

SHA512
5d87f1a4574eeef1557d654ef09537a19fd9f2b49ed96e5f3fa83f00e0db4fe3df5cb992f86a3583a669c2f485f2ce364b6de75715f381855214ac0e286d17b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
e41cf0f2f778429b8b5ce4f63e6eb6b2

SHA1
6757222fa14d98fe668f1cf00b67a93f57b546f4

SHA256
1b4ce210a10eb835da7f40b6416d14d348ca947ec30592baccf4ef6a50803694

SHA512
97ddae12a1a91d27ab9288d0d151ec28b4a59d37a56bc2100ba5b6c2f2da9d50c258abb8fd9fa01dd593668bc9e23133396edb7d1d1fef6e7219e15d1d63a4d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
d162bc0fbd47a3763199de6b6aad8fdb

SHA1
416ba6bc14193f24c405ed227cb07a4f47e470c7

SHA256
9d034412d73c1b8a196ccd53b091c3285a5a535687e847ca404f6e1afa81f72b

SHA512
1e7a9def0feaa56d4f1f81b00440a5806536c2e0ff1f2282c714d1165260fc15d7dda49147aea74b427b1d819f5b9848f51f95f6ab98f5fd2964be2e957e1a39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
8d2e35ef5e680209262a2ac011f22a63

SHA1
3da604fe13d647f45c5236949de0a1cc3d3006dc

SHA256
9a51cbfc34a99cd5e8540827f9796364cbf35b01e6b535b7e06e51bd9778dcd8

SHA512
4eb414626c9fd3c013cf1dc2cc3303d25002505f97eb1f1f1420653277333b96710946b9b9bfde5dc3889b2259df5259fc23e23df29dbfd5df94c51b41fe8aa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
d364fb8b3ae1e70bfad5638668f3a127

SHA1
dc5ea65ec4cfcc774be47d2a38fcd16f8e322276

SHA256
4a5cc6105eb81b87cb4dff4bc4b1f74f1b4972a212b66fd341f0a7234e5b24d1

SHA512
91f9dcc65d12c2178a845b8c9ef90d5850154038d4d35285371fde40f6737015e8f593c554f82b24e3ebb8bf3871feeaa231364cd2a8e23966a36ac9d15c2a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
46fa4f5f7344089589d117bd7599b3a9

SHA1
b6cc1fe19e527d4a372c97e4d195ed94eee40030

SHA256
223280d95a13f1af6af06459bbf230874500c212a2e16f63914eff3f22e8b57a

SHA512
6b680aedde7e806802652aab9ab31cb21438bc8756b063955e6f03bbbdf1273f7d47c40ec1a19fe27537afeb8d6cc219a246d31f7c6822b481649fe296e2a45c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
8567e1f2692c0b6b22ff80d629299c19

SHA1
58cddc76e9ff5e87f484897575c3a00f748d903e

SHA256
401da02959aad39d1b085fb55389b5f8ca4ee9724f7ced382eda6517490bcfaf

SHA512
4c94507f7f61227a4f10c6380e132df75d8698fb737b635e78c1c2a280b3313f61069eab4117641ae862b228e791e207960ea267fbf201618f6c2a7671a505e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
56fa5301996582f57b6d019bc3b36645

SHA1
374064d8c0548ee467188c9684ad314fd2914355

SHA256
dfbc8ab370a6edb56b00b98fabe754550bb40f77a7835a5baa93ca3d5c9203ba

SHA512
e30f35c11dc823eb06e0552e8c45c8f245e715ebb2fe8600ef8be231a097f0bea74e3a20c839704f5eac55cf0d1357e7a620a025378b7c6296398b338b7050cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
53e8ecd452b0c72425bfc7a5c0580c39

SHA1
a5bab67254491b6539518405eccccfb5a4c97e1d

SHA256
c79bc0b207f072f2af19737f30f3cb07c58fdc7d2fbab12109b254692a006ba1

SHA512
d6395f02175ae6c535388a749f13197703de4b03d8e85ee7883805052c3a2918e16fce957b56baa4e7aadcaa5a94c212e9ab4c0a76bb31cfcb97f2b46f89adff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c00735dd937007658ce2fcaa68690d6

SHA1
f81b4119006d5b7c37c4bf08119de9aa9366a5ef

SHA256
121fd368f3f803ee7815a6732cda6c96798409a89c3ffd26a70602fcf86f65f9

SHA512
4c73c166b909fc4e9158fd1aac550f2d5788d3f68ec35b94658f4b40a2a51d5dc4f20497c398ffd2ea09dd4e74ef3ff67287e512491da2d1813a8515fa06f282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
43fd11e3ff8f1e7f6fd9827da4fabf06

SHA1
97d5b0cd5324544b062257fd863a2756eb5b0b60

SHA256
ba69fc4ed39fa2305d68738b59241ac982d052c1aadd347f281e97c92b15bab8

SHA512
45f6a53e396da08fff757eaa0c5512c77a410d298b73a0f06311a6cbe0667469eda82b868dc1f4e1d0a0773f6daee39ec9447d0cf806db49cf96b1ab369acec1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77a926994ef12502888c6aafd35c7fcc

SHA1
134312e705ce7a474f47afdc1ac8246c08b476a2

SHA256
2a5ef78298ab57e9ad0e85d3a2df814584baae9a5aaa08f7af0bdb7a8621c86e

SHA512
e3452ee280b3470ce72fb6bbae01cbd1980deb1d19ca78ab963953374fcf3db38362d4b0402ab8c7d21dc1bac32e7d2e1e674d8ed723a2de800e7867ebf599a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8a43919c156e5d6c95aff41336e3ab90

SHA1
ed88c95bc79f2dc743d35785f6e44eea1cc7f8c1

SHA256
6a6cfccb4d56849ea74ef105523937cba2c6a7477da2d7304cbf75c4d6abb11b

SHA512
fca5e61b0c94450dd43b1b705f18b297de26f0072a93f9e35571da23afa75e4583d6940dab6de61ddbea7a7bc7c2e03fcd0e1bdeb16229041f866b6f74e52387

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
92d5e449e7fd6439392e6149065994b1

SHA1
fd4f82b59e8c1174a85fc2f18a10397b876d6fe0

SHA256
67b560b8e42a1f5ac92b9230c6643e228278d9e4ab7f89d95cd2d6f1d1f7f31b

SHA512
665393490bdeacbac682dc3f47c6f75eaaabbfdee7085326633ce5f7fd1e4107d7ead0e23ff3dc0480a07d2c2beec5ba3fcb397e2523d136c150a5f1a93e29a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
2KB

MD5
474e4057932e61023a40f698b44cb23c

SHA1
1c2c00010e628b3c739f28e65ab56e204ea8541b

SHA256
3af51d2c3cd68735148cfc71ac44ab60570ebc81e29bcd899983c0a6380053dc

SHA512
fabbce382244b3b9ceef5736ce692d612f79cb73e2f17964eef9b362769d9407739c4b5ab60c51e4386210b73d0d16d70d1251fe0be843ff4a8ed1da9d88e430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
b99bfd8413bcb4bf7dbe832d05abc0c1

SHA1
ae7de06f060ab9d5145f339b439b767b6b4f8daf

SHA256
735e493a10836f90bda96281c9f6401fb3489c6feffc07110f1b1b2470b4c605

SHA512
e4b14daa9b1c41ede391e435e3ad31b26c9f397b1de0c32d730275202017ffc964699e462997352fe7b593e2f4bfbfa166b62c9bf05a4672bf64317206c344f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13374621749770711

Filesize
16KB

MD5
a6fcb73b47c28976072d8572b486e052

SHA1
6a40d2568723cb79a7956f94dfbacc83616f18d4

SHA256
46cb2be57ca9ff5317d9bd5940702cee0015431e9a25c9d638e6654a8df444a2

SHA512
256c49e2b9b5864372775c325b1dd6d900df94f0e6caa865a5e2d9e685ad18fe8dfc63d4f3826074081069b9a785523e9433dde117d986cdddbe3fd650753fd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
3f5a1472db5d119881e256e52381623d

SHA1
adc71fe82bedbded5de589a030833d01e4cc4d21

SHA256
1ed62c8b1337daf4abb81280951c222aab745373a28d105facc7e4438de67dcf

SHA512
0fda1eb86b186c92629a845d8bc931f8c27ddb30d1fc6f3e80dee469f2866af0cf512c6039e2e5065cb256ec94058debfa9246a286700ea1c29d70ee3c017eb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
31ce6246d4dd53b56c154cbb95c6c3bc

SHA1
0f9902d0b55b79c537aa3d74d4d08a8cd175ea1a

SHA256
c25dbb09a29daf1cf61407a921557450ed992d2bb9602976ce2c43ac0abe1275

SHA512
fbc7bcf4a7744d7d4ebdf5f71c531714d2598ac42cd848bb1816b4f2a98d4d4ef04b9a6d8a9843ea24dbdda6fa9d5b0328de7930a0a8b418174f5e21e4033488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
8babe54f05cace7726fc4bbd50baec33

SHA1
a981404aa490ee386ef1d1908b7604bd118a220d

SHA256
7fa91f65ec937a1a53434982845e1ab69addd1c08edc27dd912836ffc401a273

SHA512
b19a62bb154698df12a202b799e3b2bfcf5261cac436b6aab7e157dcdbb5987028908a66b0a9a4a53aa9b52c1d1b5af2f72804f9328c3611a64c1c84b66b538b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4b6efe706f6739eb2833f425abff35fd

SHA1
99c6f4b804a3d04e3c3723fec5e5efd231d9f3da

SHA256
1de79cb76f31206675849479405c7ae247d77de6917ab0a01d8da14d6c489adb

SHA512
d6cf80e7e99d41ede31f3b4540bfcbed266bdb02fd8a9807950f628caef5874b4ef4d514bafbdfeecf9508ba79acd6bdee5c9eba61b49e6c2896af8f052c3438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
483def58be191f3375ba5677bfce1896

SHA1
4726230159c64536e7d8a9272cdb0bab45d3fc31

SHA256
47306659fb35130682e9e8947cbc932c82dc8850687a5f41081a7f5c840c3c88

SHA512
7e51b1c7d74fd96d71c4368423d35a67838d5c17c812851a37f0dfb71179825466307524c557d342cf51014ee96b854e17ca2ec6e15b75c5496c909a8fbf0875

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
277bb96b57237d5c05159db4ff981c8d

SHA1
5ad05a81f83898ef99ca8d0c67bdfdd29650a9c1

SHA256
e7bf491d45b549332a8f8d9e3d6b3d9a5f72129e09c5a06847e1a3db544d719b

SHA512
66554e43b297fd48e74fd10af2b7e88db051e7410406f8a613e59b5f6e1511eb9f0427be4abe8abda9f54df8fa064a4cc16c9bf7493ad25742c989b6ce1b8909

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
42105776006e15bd40139e8c27513b85

SHA1
fb0a080c1f83ef25ec8490789370e880aa205afd

SHA256
09dec215791a9aff5a69f32d68f0ee8aa37355b5145cdfc3ab92ee87c77c844d

SHA512
b4be7b8f8ad58d6ae89d5dcb1ab59d722afd79349f1967fd5daaf1b1649fc2cfb8015abaabe1e037e3b4c4a372e5cbf39d93ba6fe58486a23a81b441606a5940

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8476c1bcbe95ea5d6ac0edd37b8e47fc

SHA1
a248b59a5ba02b74c4f586cee26d939bc8f0ce24

SHA256
c28fe81656c22428c3b53f8a78e4bef545f772d0318c14ab934a4f88834aefaa

SHA512
3adcf1ab5fdab7133272a17b501cda0f438d91c20b5de82e4c2ba188d9c78f1cd7688cd0ba7d5df35e56339cfa14af9ebfa5e9ae5a44431c224e8372d924b77c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3ab246f495dbf791b4096dcbf661082a

SHA1
1910e3c04c2dd29b658787439f60f5ad1ad569c1

SHA256
d36c7d90c30f4e85804c09a3ab1b14429fcf8fe4beceb3cbccc9fb47ed161a89

SHA512
50bccecafb6fb225b72f1a7a88fb08bd472e31df9ad8f658f05f56ccb132588086f9feb84d971afea191a7dad9af767cdac1d406efaee63f42a629b4c7f45316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cae87de8aa9560e59bde2aa178982bcd

SHA1
8a9df99eee0cba87a9d8d235fec2ee31130a7635

SHA256
4006076c35918e45407e8a9aa31054d62cd6df2ae63215e041f07da7bf44b72e

SHA512
f29b5698aebe036cb6177ab72f97b227506214af0c536d6621cd26f3364c0f15d30dd2544f1774d94c8c999e92e29a5170ba877e4cc025cfccc1d2f0707b140e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
fdbc19faf463ba8cd9ae0217aecc2f10

SHA1
105209e6b1bc74b182852503e3a823a7f3427d88

SHA256
b299804daea13735a8d3850912c6936966c696e892517ff9235ef7779f1ef70e

SHA512
262ffaa51cf8e193dce73f0cba44d49f44c75586206de768be5469de81067360662e0f4a6db3296725ba847872f94e9d55fefb6bb08afb9612322221574ce6e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
6346049d1242460b4d6d3b31a78a0f47

SHA1
526b035efd1d967340f51fdeb085e45e690571d9

SHA256
594f0e10530df3fee389080636bf10938bce1587bee761f1d209b244e390e355

SHA512
a73b8b29b9aa5e65aa1099a1f88167ee590a51972ead606a27f3110e5fe5b5dff8c14c6c819250446cca7126058b22aaf04bc7d1fb6bb19ca6959dee73cfd8b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
74ce076c15fd4a07c363a87b7de41802

SHA1
80b97534d0ede81fd36cffbe098145ac248b034e

SHA256
e46e2fec1b0a5888f031dffa20f65e1f46a7cc9a8f8e344bfa704d3bed32a2fc

SHA512
69277c673185814d43438f22c0aec78de3dfe119505054780ce336f1c5b86451428372e7fb58d4d12e5e68c789410bc5c6290b74a4b4f98d4962a8a96250dfc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
95ddc51a558258d8acd13abc2cd2ac07

SHA1
0ef7031e6523bd706061699616f1bdcddce8d05c

SHA256
6f93ae235872dc0f0ee40a0cf32130d88c8edf88513fab942a0946e061489ae8

SHA512
61c46be9be2cbad4ecab1891233ba0e76946b1161d5933028502acc2ca0032949d4c6dc1dc33a6c07c8ed531e3d1ac182f552de0622a2a181a20dfaea733cb4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
962afde065732d2bf83b0d5b2fdb57a2

SHA1
f332de78667347b757fca9ac874898cf066824a6

SHA256
3e2a473edde017d7377ec6678a9a288cf287fca167af288c0c0abf81315d2f84

SHA512
91e7288b16afb5d9769aad254627eb52fc07e0b46e8dcb2d1f60e83ea5f931d0d151a2bfbb73d30e66c37ee936c8c14bdaf069a07c1367d07262ec684f026a9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c43efe6cb3272d780f0983917ca8db6b

SHA1
0e86fa16ae4eeaf7a12005c13cb6238c4354be83

SHA256
1d7baadd7a31f26b7b60e257bdfa01b729f12e4d87d1b2bcdf05abd94bccc645

SHA512
9abc496ff2a1b8e46091bd8bdc23321d7b09bb961b674da179f810c1f73b9b0f8870faad59b77cf1f1a3afdce684f67538388cd0b4e423245f94f7d30a30794a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8fb40f5b099cc7d849c205f4246d511e

SHA1
e5e331d21beeca2d08638d92f8d34e52bcc6eb4e

SHA256
3c4a7db7835244b5c4cf6334466dd797d28411e0f090ecb434f1a67855d7186e

SHA512
7bd5b9bb3769b8d9ac174ec53ce61e6bb9ac05758686bbb53cbc5b8191d6028d4bd4902af75564683b0ff5d2f11455beb0790a2677cbd461c332a031f29e6004

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
397868bc40f7c1d7431d180b63f307af

SHA1
b0e3de447bb7048317dba3a14b143102c4503f0d

SHA256
bb029411afe75b042f45db0670e2835cce04147e2bbf5f1dc219b99ac2d51e4a

SHA512
3ffaa7c7eba92aa8a105012332f939338f8a51cdaa21d42d91506783be17e53db1da0eb15b91785451de0546b0a3f720352d6da7bd3cae305efbe07e7f36d58a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ae4bdc82a7e4b93aa2d654b81ae4619d

SHA1
e63adfa447a5f4a93517a9d28e55f43e191bfe99

SHA256
a058593bac20ecea2d21d7988af61959080fe36de36ba8b584fca7fc8c812b66

SHA512
0efb822d0478a02d43c801bd6765ff28b0efdc3a43ff00c9bd4ebdfb4fcfd3dc4a22eb6c6abef0e8100648a5ea0a4b94c5d69c84a7a17121e5370c99adb6bcd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
5415bfc943fb8ab9e496a087ebbef097

SHA1
dca9729be7b13fc8fa10f1849f1b243651f6b4c7

SHA256
15fec0a089d109ea598f60331b7791327af6cf21529458100b23a73082393704

SHA512
dd7038141d3604c1ee8e1fb1a92689dfec8ac35840bf7c0e5260b89fc249ed5b8b6ada228d3e96ed91456c9d9bf6bc31df54dd8ee1be5e4902e98598c4e82b96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd654241194a268bf6670e8da8d6fdab

SHA1
047da90afb2472059393004a6f889b7011f9c7da

SHA256
5beb56c479fc4561114221f419ff9c210f4cc887ea60d25a4484c5de81cd469b

SHA512
0e485e46827769004e6c118f7bc2a57cb7bf7d992eb5276a5af908a75da431d9a8f6960f40031e19324e8d87512925cc70649320568e581db7ad9a3e05b89490

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2794d36d3be658c8f19ca099616e2ddc

SHA1
f4e8196cc10ace562bbed4266a3f98de62aaf30e

SHA256
cf356590f79eb8ed4d2ba9aa94b1c0264e78791d72212f888278e9074d365394

SHA512
57250b6ed716216efb55a8c9680263ab69a0ca4b650885580bff890b0624053ed29dd6a6a67c62d7b7fb5c84058fc8fefec27eef93d773ab7c5917c136766b09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582872.TMP

Filesize
1KB

MD5
a1ca3d820a2927082f53681b243c012c

SHA1
db019f12231fcf777bbf8b79497d6036349edb9d

SHA256
e4bbc0d56c19e979533008afc96792d7d71fd29a2055c1a997c7b80bbe144d5e

SHA512
92fcd96aa105025bad316927dd2b493a241384e19acb4ca9c7590d9ebc35b0fb71718b7dfef1f71a2e21b1e22bd6f6c6e0d8517cc111e6b435c75a45456c55b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7ca90c40a64ef20f63ebc04f1b52083b

SHA1
afc97c9c3944e6fbffa4099ab991247a5a0d787d

SHA256
56b29e354fc4267b891eb88e0a162d52ae8b8e52d38c0f314921cd6db785b424

SHA512
2c23de35af7d2e90947c045017f6478474cd522b1af2ad072f450034d445c357b83fb7df188558b42f8e32ecfecb39b2ef8d182c6bcb422c460f82d1f2b4ffe7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
f2c8e508945cd1704d7d9c22bf40cd31

SHA1
9a0ed1ff3faa2a5e85209b712994b22a5fb344bb

SHA256
4bbea54b7111ed5c5c1526ff0784619f72648bb22f3f4651c57a6e8b2cf91f21

SHA512
b7406f44bc5d2935d970e72724b3c05da88e1d4ea2f855b1ed37b50350a591fafe2303fbca93b6f419c1fa9d857e10545b6d0c82eb82dd49d6b3eaefc22686ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
23KB

MD5
245178e9594b2a2264277bdccc76c31c

SHA1
d33af1cb5d14e88002a390b2bce2db7ea1078a97

SHA256
cfd0921982ef0ab9dae86f78cb955a161c5106208113c62d362292eaea49c4c3

SHA512
102f9967996c2506fbac357aecfd9afc6ec5df700151e45ff8640131ee8aaa61c0df21076fda7f97477f47037dac11875d6fd70bbd1a5ae7703e9c175e81c115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
1bf3a1a102ce95452a6709113c1b7d5c

SHA1
208266dbb0304e3c965b0c1eabff2b37a532f2a3

SHA256
2447127d95e949c72d55c0f976c3977ff9b10d816d46c7a7d07890dc361a1c56

SHA512
c7f980debb6ec5217ee49a4b188b4fe7b4145d56fc25e7f054d0c002c80918ab3ce74ea54886da1d6f58881a5e4c6065e4973e54bdfa2d1dbca824d741fb1700

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
565B

MD5
99ef8d9330b733d1c6bcc881f5714df3

SHA1
89957ce650a64adba193707096f537b2851e2334

SHA256
216424a4fe224a037bc881b52d8f65d4576f400764463eb33072f94f7db34024

SHA512
bfa2f587cc2430ca6001c0ac5f8609de59ba202730545956b8f57b6bacee2a50c506b6ad6a55cdb33c6d18bf0416ef185d46a2173618766e75680715d3160266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
438a62ad7a3a164cf2d7c4c2dd480d9e

SHA1
b1abf3e99a429a972eb4136482497f0b378953aa

SHA256
d241607cc63399a96da9aacf440969935d6128b9338f7937665dac83558943c9

SHA512
7f6286a40eea65fbf0515177c357cc47d204c1906dda1a18f839223a6495a1b368401e1338d221b6db895e237c72fd2ca365e86bc3534210263a1d3fe8a3c51e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d30db5fc4f1bf991321bfd1ca2f0f7c1

SHA1
26d6f003659f7e5f14df6dab9d399376192632c8

SHA256
bb7afa074c6581fe76a8940bfc127299701721a4432c84083f732b07308fb34e

SHA512
c641ca3d709374ceec0b7d869b492efae7634bbdccadc9b7d8a1418cd11de6f8cf451fa9b48da839d5d455bd2d3a5ffcf39ca38b6badc278fc7e2b10f86bdeaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8103674de8e4a79b014ce5c6740eeeca

SHA1
10ccda39a9aea9b170f095d9806d1fa72278529c

SHA256
4cd7aeac1cce5325d08b7ef22930009647f4a7c11b06c7c3c74ba043c75d9e6d

SHA512
154a0058778c32276554c01a35a4dcecb25513f4ef7e8f10da4ff2996a9bff25ab31661917721df6472d3bcd6c2d2c7cd4cb28d80b8aae8f88bc140cfcfbc2c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
a75b2410cc2002a46d9f903f07e695a3

SHA1
b4f8570e494f659f984caa3ebafe7f8d3e428b2b

SHA256
70084800beb48f1c7bd8f06ab2a4a2a00025c929896f2f8a433daeb792299f4a

SHA512
c0f743014522609fb08dec3a5bc71e050a6107c58b2b7ff9feb3803fea3bbad904fd9cfdbbcbc6aa098abef5065740847d30ac4872077eac3a0caff26ffa4ea4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3d5d0e59fd98b9ea32f09194cc218b4c

SHA1
fe0198c4826e40727ad81a51eb230f6181f44d2b

SHA256
158c8f2dec112941ee4baacd9466483a670815028446bc3d56f82ba6131b3274

SHA512
448c3500575e7d50f54241ffc52f4ac50d01889c4c113b0cdd1e9f4d34642ac01249ddb5eeced00a82ff9c002ce44ef2832cbff4b677f239cce515a7f7268471

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
c908397fb2a48f6d9d3336b5504ade80

SHA1
5c3568bdf2bb550a200ce1052240027e9cfa4c21

SHA256
d4ee04af4ef3ad8bda80c97ec07101864bce523aff90e3c684b6128e46b2558b

SHA512
d5190d1c15f4a44da5c79fea46660b20885b774e34100c38b9d8a427c7b4950429f3e73e463b4dabd516c5b561447be50bb24abc7afd8d14073e0d163710f8ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
782d5c33889ff5277ef3d5cdbbbb1bc9

SHA1
179b35ef9191e469895e6d3c2aa296632b88a287

SHA256
7f45bf3c8b94cd3dbe2a16019c2c372962db37e2f9981ccf7059a98db791d7ff

SHA512
2a40165c43446836d915e8753c1d5aead24aecb31c29239fdd5cd40bc7df574d295fa607e0b502dd4e449101d58f5e0c30aa68a0b34784338c972795945b7519

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
85fff4af6e0c4510997a11197afd0dcf

SHA1
020c067bbdec0cf5210111aa8045b8ec2f833d18

SHA256
98340befec41c4a5dedf26579aa426028b323faa34b9b62c45e1bb67a19a4efd

SHA512
e42eed04c071db4f01d5c57c0637fbff11f472aaf84ba975e3e684447b98680fdfbc9e195216f18ae7f4183221a990c686ac1d3b38e34d94b9ee8db7dac26b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
be81a04e60c776351c348deae393fa5b

SHA1
d6429e5e6a83a9ab1345cde0c41a9952c9ba8eec

SHA256
246bb2525899fcbc998d19b5a6b95498d534220f51f0c43d6b250ea232341b36

SHA512
9ca8bd3ae32e22ff76977e880058da9865914ffc5d6e3a3ff3de8a21affb7fc7452375158cd164a3f6cc16299b667569d1fb61593c0dd4906df2f75639f4cddc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\d6fb0ba2-f961-4a4a-b4c9-a1674d39918b.tmp

Filesize
12KB

MD5
c528fe8f940311e076a4d98a8e2986bb

SHA1
4b56d9e2adff12eae377166c9cab2f835dbd0f9c

SHA256
23ebdeb26216e8f0740cb2bd30ff7a91f5fe2f00efac5407db55652d121b0d9b

SHA512
14d7a48370b90412c094a8403d5869b6b80fac1eea2c9a5bb03a948c93dc6e781bc1bc7e8d0541f053cd6bcf040c1f464c39b2154f7ba5f810fc5db39ef72112

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\y0bypz8z.default-release\activity-stream.discovery_stream.json

Filesize
31KB

MD5
2edfa529b153cb06c9593fe75f0eb983

SHA1
ea44338e80aefb0b1830c3cbdbb60c67c94fbcca

SHA256
e8788f1d0384706e955c0bdcd31f46165585b5a5846178908b32f263dfd21292

SHA512
b772c9d85d3fc5aa2ae962c906524679dd89d58abb2a2f7f68eba3c705af6e55ae007e74f6a735974b1a27947994d996ba677f6ec557954960e5e08b95eef671

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
686293fabd7da38f5607c4e7429057f2

SHA1
acb6acb500e581789c8afceff27c72536d87b53f

SHA256
077c6c644fa4dfb1823c88a4d732bf2b21fca380545afc80c7911d11502eca1a

SHA512
af4910bd9d6ff6cc59e3e36022b58f1751c04e1ea0e1a7100f8f089c0e118f4cbe9811e86767f903c40b4835f9b6301e5a535b069b4da5cf85939c3f751394c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c9821529eb4f95c7cefd547e765f8100

SHA1
89da0e2ef2d671e3e6849e9de9fa1b847fbae307

SHA256
134cbc5055a0c85a3f6ca47a0a6782b2707076ae2598e6b87245346eee7f8801

SHA512
c2cd8076c91dd15de8ee5926c3b150394fa664697bfa499581bbf581cf16fd201116a9a84ae74317a4ac5704c5660d6dc379090b2a90337d7a8c0f91111f708a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\53d3e059-ab40-461e-8889-66a257ee4372

Filesize
28KB

MD5
7344904c4b098683a93a02e96cdc3cb4

SHA1
5c820cb4e815e5d047477ede76c09a970ff022b2

SHA256
1c0a5e933d3dc5d5f57db8ca09f3c9deb34eb1ce8fdb1c5fb2a0913aba757155

SHA512
8a9b3b353bec6419bb11ef2089336cc2b81ff3e80f04111281c35b8d61c42584061c4aab7cd3f4f26e1ac44ac51062f81821261fbb1838f490eabcf8906ada23

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\647f070d-804d-4a0e-a8e6-c74e32f48dc1

Filesize
982B

MD5
abae22a0fae7ed94fa04b92eee13c9a8

SHA1
d0fb64100d7c9bea4b46526637a4769a243ba898

SHA256
f9753ab386226fa754fc66470388b3666007df525f459f4f4ad3b2f1ece84cde

SHA512
8a2d37907f7366ff9ce9b8fd3a56021e3fecf990576aadcf76b4aefb4b80f9da99305327b8bb8d1d794fd49e1309d335ddccb9005286e7b97039aafdd36f531a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\datareporting\glean\pending_pings\6fc3fe14-40fc-4250-b336-611a2ef54a6f

Filesize
671B

MD5
2d146a152914bd5d86784174ed0b067d

SHA1
20dc9e4cd73ae31e9ce50fe334ba52a5785fa42c

SHA256
d6f0ecb05d10ef959628e5b76ce17b08b50cb6f7fe4fab74a8d4191e52876c1b

SHA512
353403ec5b7d3c0372dc9cd64d083612ee79e16d8585d21bdd79c3d7106e8b60ef5c0a6f4a9f945eceb0d64b6f49af53abe2b6885d0f11f58066b0ee9416e7d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs-1.js

Filesize
11KB

MD5
3dd12539c1d79d215f8320910488060d

SHA1
01571c314ae0fb94b280166fcfaf8210673a45b8

SHA256
46dae2360836341165722035768e172beb35100c576193d54172d97e0a17c096

SHA512
667b34268c493690d841d8f539bdc33d42f1376a2706fbe9825ef4b53cf2f2f9ce1de39a5db119245739ad6aabfdbdae8e26ac016310cad6b5b55554b210b48d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
10KB

MD5
70b6990a58fcce457b84b2aabe3c216c

SHA1
75602bbe0abaf89834e004246d1257e47031c3e5

SHA256
9e751248e65035b031bf16fd108a6ef0792167264e8ef2f5610b3517f4e5d741

SHA512
3228bb0b060ae31cafcebda6182f447a8b03bc5546f94f5a732f8797f2332e417f6b79e602dc9d001c42603cfaf56f56b3e086b272263be51a31b3b7b10275fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\y0bypz8z.default-release\prefs.js

Filesize
11KB

MD5
edc5602b51973ef3ee53517749ce6170

SHA1
3546f40293684c0f95bc7ba59afb9ae944366530

SHA256
1574d2bb9b42635bdc83e45e796e246ccd3d57eed29b9986f2d41ee519a3cb08

SHA512
211218a39095e3c382b9c38c74201d9e80012741736c85b81f046a93778f7d3f883b9ec275ac812d59301d85ca333eaf23527a59119aa4043629b34ba3efd358

Download Submit
C:\Users\Admin\Downloads\-VsG1x65.part

Filesize
87KB

MD5
d6d956267a268c9dcf48445629d2803e

SHA1
cc0feae505dad9c140dd21d1b40b518d8e61b3a4

SHA256
c460fc0d4fdaf5c68623e18de106f1c3601d7bd6ba80ddad86c10fd6ea123850

SHA512
e0791f6eb3116d0590be3af3713c94f787f7ced8e904d4bb8fc0d1341f332053414cb1e9095ae2de041b9e6d6d55cf773bf45ebeb74f27bb95c11a3cc364abee

Download Submit
C:\Users\Admin\Downloads\Friday_the_13th.408.zip

Filesize
763B

MD5
2485d09c7b996855eded9ee500625773

SHA1
78b0450b55e8ab412d73e98115235ced86f13fb6

SHA256
06cb3fd37ab2ec2b99b6b1e88482ca57871674246e153c129ba256eec529394b

SHA512
8263a4f48aa0efc1771fa82da4c221b320debb8d111e8082d46079bc790d3a4ec09e8dd7748b082c3fa3abd1b45531e4ed59e9f168292b2e1ad9e10d9dd4e6e0

Download Submit
C:\Users\Admin\Downloads\Ransomware.Thanos.zip

Filesize
145KB

MD5
00184463f3b071369d60353c692be6f0

SHA1
d3c1e90f39da2997ef4888b54d706b1a1fde642a

SHA256
cd0f55dd00111251cd580c7e7cc1d17448faf27e4ef39818d75ce330628c7787

SHA512
baa931a23ecbcb15dda6a1dc46d65fd74b46ccea8891c48f0822a8a10092b7d4f7ea1dc971946a161ac861f0aa8b99362d5bea960b47b10f8c91e33d1b018006

Download Submit
C:\Users\Admin\Downloads\Win32.Unknown_SpectreMeltdown.zip

Filesize
97KB

MD5
98b25e3dcf67d0c5362fbb0514564fdf

SHA1
ad14ec4e344e2d0467a93f6bfe8d0700816304c4

SHA256
6db0b6f57010d9e4038a4b15f0344ad0a304e468a1a901c46fe802e70e23dcb4

SHA512
7fbf80ca1a5487f4466537cc96e7dd4181d0a913b9fb4ca97af34e03fc932d1e4562811951c10bccb03bcc084b86a4c96a19af106955fce432cc821f480cdd54

Download Submit
C:\Users\Admin\Downloads\Win32.WannaPeace.zip

Filesize
477KB

MD5
96593e22646caafcd606ae75f816c989

SHA1
ab3cc81a4304d0d5ad93f4e7b87e6ca42e7a5804

SHA256
cdb4ad5d0bdb1c44cad5937305f383331fdd75b2bf41c4f0fd66b8015002c5af

SHA512
ad8fb66af4483e694d806148b21633d2bf288db5b3dfb8b13957fb6f8fe2646503a57700e8382123f23b586fc743d0ac00fd09c145df335d275602793141fe66

Download Submit
C:\Users\Admin\Downloads\Win64.Trojan.GreenBug.zip

Filesize
383KB

MD5
9ed25c4a6ae99f9eb28fd3c654109006

SHA1
1177f44b7dd14c54ae17b921917e0123189c9c09

SHA256
141e8f924ab11d38249ae1d3a3e09c53a1a247b20dae8bde821fceebe1a2e37a

SHA512
15844aa55807e3f683cacbcbc070e046c40fe82e6956158025ed2f3da778d2d3fa61dea33bb3c763b8f45ae41c57b3606806fe8dc1c7a956e21be899ba7490d4

Download Submit
C:\Users\Admin\Downloads\WinX.SUNBURST.zip

Filesize
994KB

MD5
31b50e5fbf4b123b6f32fc28edd0ba86

SHA1
47b55dc480268e654ad0c7519f85fc53d06d87e2

SHA256
8127165190392dcd41a6f55fe81e0494aaf04b717cde9f135199c2cafa170828

SHA512
45eba38b0f2db913c3d1f198837d5b660b92dc103daa7745879ee76a59c6188a1539e7fad1c94d8df39e3e0e8abcde849540f866b3dd752b45021acc11574b8f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy20grrr\yy20grrr.0.cs

Filesize
42B

MD5
0fd6c5ef54a461a3968153320a86fe2b

SHA1
11aab7e8917c87fdf88f1fecbc0d5a833972e044

SHA256
7709fd57593ec1b52c4ab8883244eddfc14066a7d3734a314dfae8bc5216fca8

SHA512
1d16b2915433a0219b2b84f42d6692f125068e3f01a0048b2dc20717c51907137ebbd30e31a2092089a8ca307cbe3fcaf4efe42b3df63b47786020cbba52d682

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yy20grrr\yy20grrr.cmdline

Filesize
117B

MD5
fa4288ca00a3810552c1871a5b48d62f

SHA1
58b10d9372243fa40cd020785809c3ad141eb0c5

SHA256
575cfe8a54b5ea3f993fb833e33f53e7c651c285351abb4ebaffa9318c85ef37

SHA512
e46b0d4b648dad4313c1d17871bba063dd817ce0736a690556e33052760a73a7f3188e4ce374cc98fa287e7a92c919cdd7e44c0f433b3c73185f05283afe4914

Download Submit
memory/3284-1146-0x0000000000CB0000-0x0000000000D5A000-memory.dmp

Filesize
680KB

Download