hxxps://github[.]com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/WindowsXPHorrorEdition[.]txt

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20/11/2024, 05:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/WindowsXPHorrorEdition.txt

Score

8^/10

discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
4548	Whiter.a.exe
5068	LoveYou.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Whistler = "C:\\Windows\\system32\\whismng.exe -next"	Whiter.a.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\whismng.exe	Whiter.a.exe
File created	C:\Windows\SysWOW64\whismng.exe:SmartScreen:$DATA	Whiter.a.exe
File created	C:\Windows\SysWOW64\whismng.exe	Whiter.a.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Whiter.a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	LoveYou.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 17268.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 913725.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 514803.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1108	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4888	msedge.exe
4888	msedge.exe
4952	identity_helper.exe
4952	identity_helper.exe
2520	msedge.exe
2520	msedge.exe
3820	msedge.exe
3820	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
3132	msedge.exe
3132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe
4888	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 776	4888	msedge.exe	83
PID 4888 wrote to memory of 776	4888	msedge.exe	83
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 3560	4888	msedge.exe	84
PID 4888 wrote to memory of 4428	4888	msedge.exe	85
PID 4888 wrote to memory of 4428	4888	msedge.exe	85
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86
PID 4888 wrote to memory of 2492	4888	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo/blob/master/Trojan/WindowsXPHorrorEdition.txt
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb400f46f8,0x7ffb400f4708,0x7ffb400f4718
  2⤵
  PID:776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5728 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2520
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\WindowsXPHorrorEdition.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6748 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
  2⤵
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5368 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3820
- C:\Users\Admin\Downloads\Whiter.a.exe
  "C:\Users\Admin\Downloads\Whiter.a.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  PID:4548
- - C:\Windows\SysWOW64\notepad.exe
    notepad.exe C:\Users\Admin\AppData\Local\Temp\~sn2178.tmp
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6440 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6968 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3132
- C:\Users\Admin\Downloads\LoveYou.exe
  "C:\Users\Admin\Downloads\LoveYou.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2068,14382937084150252321,7342476317339881156,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6724 /prefetch:8
  2⤵
  PID:4772

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0eb1c13c-d35f-473d-8836-ab9f23f97874.tmp

Filesize
3KB

MD5
d1038d73f5afbff48da312be3c4193a6

SHA1
00b849bd2da5dc4c9a709ddb6151e48052d6d0b6

SHA256
73a823eb99fa00f5dbc32581ebc36626ee702ac11700bb15a26bf3eea758adcb

SHA512
6efdd38377c6f47ee4a46812df057cb7a883d476830f7187dfc4ead4f8229e6378e7997f02d988c34cf72672b570b124e6d95c01dada38d107a5edba645fd20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\99f44457-9b3d-4e32-8c44-2e18e8d2f71e.tmp

Filesize
1KB

MD5
6509170164f51d12144d76b51715d2b6

SHA1
6b4911ac6f8f27ce7ed06eef21a745a39bfd9629

SHA256
3da61cf21508b4303e085794414f3bca60947a9d8f31aef680cf892b962b55e9

SHA512
fac08d951f867a98e1930c05fe2b6f095018d6d955324ccd5a4e7de220e3b38b47d7ed474064199d5950c6f3a0e73f9d36df5a647724edbbe03ef01ff028c799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
42KB

MD5
c18ac29cb1e1afeda67dcee7b8fa497f

SHA1
2e2fca9619705de092131991d0129594aea866e2

SHA256
f5f3e3e947878d45fefe0b0a2f895a13010d3121eba5e9d07bd1d79e01ddc3a0

SHA512
5dcae0c20e115715b382792e9b6293e644d44b644dad8a2960a9815beca0ba1ff2697118d282580c473643f97442b61380bd59a5ff92eb50bad11e96dc81a48c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
51KB

MD5
5a7091bb1c4982bde3f9d3901587c11a

SHA1
2c990a8d38797d5dbcb8322219fc9d828aeeff29

SHA256
41c8fb1312e45d8c38f20cce6e9b922f39ad22728366566aa135bfca41e8e725

SHA512
1a8628e84210a47deb5d626d0f3c3ae39113e72a71df7ef90c6bcf857cff336248bc2a07a3b9be4cc66bf90587636dd34213eab52ac27d273c74c6005b3f7e4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
75KB

MD5
2ee637a139176e5dceadd36b7950148f

SHA1
e58f177af0bed34040dda4db346b975e0992d4ad

SHA256
2f4c129246b422e49dfbeeeccb79b47c774c6086c91ac254704f7f8a2c6c3c7d

SHA512
10cf6765614919a943defdd383501be5d7ebb824f8f336de04c158b94e462241410f582fc8afb7aac0af85e19fad59dde0996b30051ae716b25aef70b2053204

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
87KB

MD5
0b4382ee291a4396334b4aeff8da0141

SHA1
27a57a0593a12112582165292d01d891fcb94cc3

SHA256
54595e951b97d6931d0176fbd4e1c10343ad35c1dd05ff2f9254aca182a63ca2

SHA512
a3244439a04f48fbfb20c48e4aee7da248ddac40fd74f8b7bbbf70334d343df15e0cf1a7d53c6dfebc4b5cf10273d5bbfcda8276443e6a08e941e65816d473c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
21KB

MD5
660c3b546f2a131de50b69b91f26c636

SHA1
70f80e7f10e1dd9180efe191ce92d28296ec9035

SHA256
fd91362b7111a0dcc85ef6bd9bc776881c7428f8631d5a32725711dce678bff9

SHA512
6be1e881fbb4a112440883aecb232c1afc28d0f247276ef3285b17b925ea0a5d3bac8eac6db906fc6ac64a4192dd740f5743ba62ba36d8204ff3e8669b123db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
134KB

MD5
26cbb15dc4696bcd1d806bfbb46bcbc7

SHA1
48b0f81f2fd379e08cba4173a4610b0213f78007

SHA256
bb0fef1cc317d229a4ed7b274b0f4fad0518e767c5c8fbd6ce6540c04f3bca70

SHA512
44e232a3c58c9be8374bfd76d17c5fcc83aa2b3dde7f96f196c99b86efcab98e4817d0b1533b15b220ef5bc814a3a78d1fb6ad7ace002844e01ea4dbb02c12a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
20KB

MD5
87e8230a9ca3f0c5ccfa56f70276e2f2

SHA1
eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7

SHA256
e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9

SHA512
37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001c

Filesize
73KB

MD5
e00b9c2b0d709c05426e3538c6887b84

SHA1
4644b04dabb857278bd0ba27d4c594aa672b5c1f

SHA256
c6ab3ca6bb0450a2444c45ffd3741f62e58317fafd3908567c23c1edbf1136f3

SHA512
af82797a75d19d5929613b337f751c7b4e6f21e73cc54aa657e80d69bf989566cbffe9e97be6bfc2771dc3718bc4c3a3b915cd6e2589c3584e29a1d14258b3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001d

Filesize
68KB

MD5
0284fe5fd54c057347038e6b9a6521b3

SHA1
54e39cb465c3af2197c6f79338392394966db295

SHA256
2a83ea62274cd3271e029b9344bdf62f6846bfcaada2d3dcad779ca1b5cb5c59

SHA512
7b99624f4d9bcaa6a98bc896f556cd736aca07050611ea8f50f45e654692d7a3b532039f3392e5346006494b779592ec93daca70aa139cc001c7b4a1a180f732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0a9add3b69aa88071b29bc0534ce0b84

SHA1
1968d190dc1658f1d2541fd18bd722116b613053

SHA256
8deb244a43e68eb69fc04d7a1428a9943673636457e087b8975b85e9eee8267b

SHA512
8464f5d2d94d3ff03bdb7f2e9656b9b69a67fc42d6a87ecd08419231281e71a5d502ae72f4c9257ab2dec4535e8b4d8e8ebc0a62d84d4a72875c0de2d1bd8f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ba0103cece4ba45d4c6ba170c8e8ef68

SHA1
49762d6340d34604d9002d0b98307091b00b95d6

SHA256
ae3f30921a21501db0deefb42fb21d5ea1cf539f38f995df31e4df489d16a311

SHA512
6c7209cf4656ea4287b5613442878163a0c1c3e00737281368adaf0752229a907b9808ddd5e585cb40decbd125c0bc70915c7f706385813359690d0359c10563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
31e9dbcddbc890022064c75483132aea

SHA1
53d61ccf95685bd723f31de6898fab3e48adbef6

SHA256
ab9f94b6fb0701c9383dbd5f35c64a71edc1470889c9e1accf5a857e8e0a3a59

SHA512
43f677f2add947cdfd3dab3b39da690e5080d2493ac24242d38d7dd74461ce44f05c84683530b1563c3a5619ea0a7f28cee6d3e4b8d206887afc597c88a4409e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d5cd0fab0708101d4f7e245c87a041f

SHA1
498e8afba14418c07bb59753171090bbf9d8466c

SHA256
e15893d102b6b6de757d8d599a890fc9f6c9410b0546950dac57758cfb8c4203

SHA512
e09260e9c2dbbec8c4fe9603dcbc9ee49059fd1a2f19eb773565ad6f87398967d058e6c819c4de77cfbbb7065df35363baa66588ec983c22d77b4aaf8702d3d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1a2f551028daf49f286470bc7f76ba70

SHA1
d37ad96002239340008e9d1350e75fc6fd546a8e

SHA256
9eeb55bb258d59d08aa5ba3e7a6bc667426c586f1c8f3fbdff13ad2ddbf7af53

SHA512
7e0f9de48491199a547ee032da14ee640544e55eafe6969f2d3a838e46cda9006017727af9d1cd1b31469f2c0b4265242db4bdadb5cba738bba27aafae38f4a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9b8caa741fc20219f6ce51196080ad4b

SHA1
4fc9c6238b291599b9ec04c08a2bac580ee3b0fc

SHA256
c83884037c811906351c29bb70fd9ca54d06bb3374d6a70292955dbc6c4957b1

SHA512
5d9b1ebe45b6b56cfbcb5f37098d4945a22ff93ed06a5e3f476135977ea2aa10ef1e637fc9d565e02d72288d92d9b864c9d43aa2f944b5026f85117f697702f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6c94e51d1b5a9b68bdfeafd7be4e501

SHA1
ae3fdff29747151d1330528c9bada5bbdf8263e8

SHA256
c8666292bceab485a5c2f7b3a7a50c205b1b8000e9abfd82222d501676440f59

SHA512
130e8c8082b298b95d4ef4a4e94135443bd9f3c7028c796a00f14b74aec1ca609cd0221c2f43ec129d0db4fea2609dfcd9a42ef247020e5f53d59ead8da62927

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b686e9f58ab447049ea46e2ae0584647

SHA1
08d3d48bddb4c795720dec7d598c73824e0f63a5

SHA256
5d686b1773fb072437377684715d2dd82c013b5a377ecd85f82952c6dc5c8c95

SHA512
6af9b5a2791f01604261d3e3aa5047236e60ccdd4ac9cef1fa82dc359744d6c2c7f3395ea4be8b4c078cc5df889a5afbc3ba2114b44833c63a66ee072442fe79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
729143a0c9f50d2ed868cfb6ed4ea8db

SHA1
8a97df99f05c1c6092531e0d88affb2c25904dd1

SHA256
64ceb2b8f24920dd0e841e1c7cd2709b65aa5359ac5eb901c641feb9249d4f3c

SHA512
f08b7eb144a66c4832a978afd3a2873fff1dda3f6976a9277c75d78090b1b02c1f95bac2d95a367d214191598d486be6e90d593baaf90b41c0ff36e6eea42f7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e66008171e6e58a63f36de60bc12e742

SHA1
eb4275e29faac4f8682b79386fd86c9694ad919d

SHA256
06d4657fc53fc8f67fdb0e35da172fe6c6f70c22306b7d7c6c879e6dc0ccc9b4

SHA512
806beef2f9b6ff61804a14471c8584faf938973172676effceacd4b585ffc97f6840b8b664e352f11a58a37a1c2782a3fa712e2c1050589141423a4c3631c277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b3e890a26e1e254c917297b3c8fe8031

SHA1
d828e1c50638f7965a3c197d66c6b0246d2c346e

SHA256
f59854308ea22dfed071f3f6951e068b306a54759c4e74a68d844d2568c20af3

SHA512
dbd4b9c6aee27df784175176f09dfa1072085460a25023d4d2539bd2dee3f152ed888a5f6fada9ceea2247c2aeefecdd10c9fbf31d908c7f73b700d6f06221e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac540c02b85d55a8d888760349c2fc7c

SHA1
3856951ec8d95b6b4d55e9c99bd0801dcae6a5ca

SHA256
2afd36993970bf75940553406185a0526e5e96bc3dd6e24ec89b0827018e26d1

SHA512
b5b2da9fee17c7987ee1dd90d78033abd5836c2673eb3e4f92417c35ea9c48841a66d1a59402c49185e67d245307a8981a369b89479bfb3202c268071e26bbc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
80d66a1cc6eb21c905045ffd989d67fb

SHA1
b61e15521d0e82b3356f9d6b765a9c0a260de0b7

SHA256
0c0d9cda5cfffc8b2b7ef929f5a68d22789f5ff5e93a6a2c92fc1d0a43b00efe

SHA512
9291afb28049732d83c48b7c0a03842587989402a60936ddf8217c4234e1aaa27e854e97b613e20687bc4d68d75fc0e8e0ac524f494ce8037102687a738be62f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe582ad4.TMP

Filesize
1KB

MD5
6821a132edae3d1b73415171f8454c25

SHA1
355f8307b452997afcb97dc27053059161b0d4d1

SHA256
2cf31f0f3d6e547f10cee77d6aec75b34bf493072545529494a3edde4ab0cd19

SHA512
a54897a90956bb158a611d258b60ee2090e78c6dd00639e7b6e5e1d2c2cd36f578e0cbfc7207724c090ea2d9323edec11d0c4833dc192560436f55ccd368c5ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d6382be25b22bc7bec952ca0395363aa

SHA1
513f2ba23542555837c97ec7eb782e566405f2f1

SHA256
0f612b8df79ecaa0facf3fe48150cca2af98320d52bc47e92ac718ceb7859e4a

SHA512
83d9abae9abd854c3330cc66e157abebaaa06dafaf43a2b642055f40c5f1cf4db9fd388f47cff440a1aa75c2ca0f86ad44e5049bc9bfa9169b9bb68418ac3528

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
97e1326901c254198e9bf9cd2a8b88f9

SHA1
1ca3090b0668421cc7b9ddf4eee3e5bb9aa6649e

SHA256
f1a54b177f26c703c0b7e47e8d532000fe59e74bf5722d98fb481ba8a680141b

SHA512
bcf4a75c3840ed0ab0b3ada1ec7f5dd0d1a53ff9dda0127945d9d10de852043e016c8f442085d3056db07b46d0b83802f1accb24cd36b4a93c77c0b503dbb863

Download Submit
C:\Users\Admin\AppData\Local\Temp\~sn2178.tmp

Filesize
29B

MD5
61122a4b22ee865307810fbb6a5c88ed

SHA1
9b35c6404324b2250495a173555ffe59f7106545

SHA256
99a99ec2a6bbc5bb79229ea27338996ba14fd2f78e61ca656af4b7ba1d6626e9

SHA512
27767d4ec7e0751fcb4e6fc36c67ffc42d5284034104a533690ea20561d7d1c9302b264f859c4ece1136dd34e9eeb8dc7d6289e84fa7d64e560bfed365e5ef4f

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 17268.crdownload

Filesize
56KB

MD5
799b57227561238a7d7a284c5568c1ad

SHA1
f62ddd138ab15b67a2207438b38414fd236d5278

SHA256
fe974c995cfb27e8c91123081986847f6d3d4252b6a8d1e1385c558f2aeb7057

SHA512
2a6de3d751f9b74227bfd7069b989175ebd81548af6e1f4bf87f63cf9e0a69ec6cbbac5b837dd80e7effdf7f648c2c768124257d347f1a0d394a0dd9a5552f12

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 514803.crdownload

Filesize
396KB

MD5
13f4b868603cf0dd6c32702d1bd858c9

SHA1
a595ab75e134f5616679be5f11deefdfaae1de15

SHA256
cae57a60c4d269cd1ca43ef143aedb8bfc4c09a7e4a689544883d05ce89406e7

SHA512
e0d7a81c9cdd15a4ef7c8a9492fffb2c520b28cebc54a139e1bffa5c523cf17dfb9ffe57188cf8843d74479df402306f4f0ce9fc09d87c7cca92aea287e5ff24

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 913725.crdownload

Filesize
22KB

MD5
31420227141ade98a5a5228bf8e6a97d

SHA1
19329845635ebbc5c4026e111650d3ef42ab05ac

SHA256
1edc8771e2a1a70023fc9ddeb5a6bc950380224b75e8306eb70da8eb80cb5b71

SHA512
cbb18a6667b377eb68395cfd8df52b7d93c4554c3b5ab32c70e73b86e3dedb7949122fe8eea9530cd53944b45a1b699380bf1e9e5254af04d8409c594a52c0e7

Download Submit
C:\Users\Admin\Downloads\WindowsXPHorrorEdition.txt

Filesize
123B

MD5
49f5ddbf0748e69f30a2909276418311

SHA1
c3205cccffe909f2a60560d6179cc096d4907386

SHA256
1e9637fc91b1fe4a13401c4bbb1919f0fc951c55b8d120df51854df02f8fcd6d

SHA512
dc741df9988212c362315d82a686dc0b4085890cdccce98bda8ec617a671b737f954b4530a424816cf5fb3affe3355022b1b1acae16fbd7dea33adac7cec80c8

Download Submit