cerber | hxxp://vxvault[.]net

Analysis

max time kernel
930s
max time network
935s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2024 19:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://vxvault.net

Score

10^/10

cerber discovery evasion persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___ZBQLV_.txt

Family

cerber

Ransom Note

CERBER RANSOMWARE ----- YOUR DOCUMENTS, PH0TOS, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only way to decrypt y0ur files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_READ_THIS_FILE_*) with complete instructions how to decrypt your files. If you cannot find any (*_READ_THIS_FILE_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://p27dokhpz2n7nvgr.onion/22BC-1F55-BA92-0446-95A3 Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://p27dokhpz2n7nvgr.12hygy.top/22BC-1F55-BA92-0446-95A3 2. http://p27dokhpz2n7nvgr.14ewqv.top/22BC-1F55-BA92-0446-95A3 3. http://p27dokhpz2n7nvgr.14vvrc.top/22BC-1F55-BA92-0446-95A3 4. http://p27dokhpz2n7nvgr.129p1t.top/22BC-1F55-BA92-0446-95A3 5. http://p27dokhpz2n7nvgr.1apgrn.top/22BC-1F55-BA92-0446-95A3 ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://p27dokhpz2n7nvgr.onion/22BC-1F55-BA92-0446-95A3

http://p27dokhpz2n7nvgr.12hygy.top/22BC-1F55-BA92-0446-95A3

http://p27dokhpz2n7nvgr.14ewqv.top/22BC-1F55-BA92-0446-95A3

http://p27dokhpz2n7nvgr.14vvrc.top/22BC-1F55-BA92-0446-95A3

http://p27dokhpz2n7nvgr.129p1t.top/22BC-1F55-BA92-0446-95A3

http://p27dokhpz2n7nvgr.1apgrn.top/22BC-1F55-BA92-0446-95A3

Extracted

Path

C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___MUWV5_.hta

Family

cerber

Ransom Note

<!DOCTYPE html> <html lang="en"> <head> <meta charset="utf-8"> <title>CERBER RANSOMWARE: Instructions</title> <HTA:APPLICATION APPLICATIONNAME="qmXGWDy" SCROLL="yes" SINGLEINSTANCE="yes" WINDOWSTATE="maximize"> <style type="text/css"> a { color: #04a; text-decoration: none; } a:hover { text-decoration: underline; } body { background-color: #e7e7e7; color: #222; font-family: "Lucida Sans Unicode", "Lucida Grande", sans-serif; font-size: 13pt; line-height: 19pt; } body, h1 { margin: 0; padding: 0; } hr { color: #bda; height: 2pt; margin: 1.5%; } h1 { color: #555; font-size: 14pt; } ol { padding-left: 2.5%; } ol li { padding-bottom: 13pt; } small { color: #555; font-size: 11pt; } ul { list-style-type: none; margin: 0; padding: 0; } .button { color: #04a; cursor: pointer; } .button:hover { text-decoration: underline; } .container { background-color: #fff; border: 2pt solid #c7c7c7; margin: 5%; min-width: 850px; padding: 2.5%; } .header { border-bottom: 2pt solid #c7c7c7; margin-bottom: 2.5%; padding-bottom: 2.5%; } .h { display: none; } .hr { background: #bda; display: block; height: 2pt; margin-top: 1.5%; margin-bottom: 1.5%; overflow: hidden; width: 100%; } .info { background-color: #efe; border: 2pt solid #bda; display: inline-block; padding: 1.5%; text-align: center; } .updating { color: red; display: none; padding-left: 35px; background: url("data:image/gif;base64,R0lGODlhGQAZAKIEAMzMzJmZmTMzM2ZmZgAAAAAAAAAAAAAAACH/C05FVFNDQVBFMi4wAwEAAAAh+QQFAAAEACwAAAAAGQAZAAADVki63P4wSEiZvLXemRf4yhYoQ0l9aMiVLISCDms+L/DIwwnfc+c3qZ9g6Hn5hkhF7YgUKI2dpvNpExJ/WKquSoMCvd9geDeuBpcuGFrcQWep5Df7jU0AACH5BAUAAAQALAoAAQAOABQAAAMwSLDU/iu+Gdl0FbTAqeXg5YCdSJCBuZVqKw5wC8/qHJv2IN+uKvytn9AnFBCHx0cCACH5BAUAAAQALAoABAAOABQAAAMzSLoEzrC5F9Wk9YK6Jv8gEYzgaH4myaVBqYbfIINyHdcDI+wKniu7YG+2CPI4RgFI+EkAACH5BAUAAAQALAQACgAUAA4AAAMzSLrcBNDJBeuUNd6WwXbWtwnkFZwMqUpnu6il06IKLChDrsxBGufAHW0C1IlwxeMieEkAACH5BAUAAAQALAEACgAUAA4AAAM0SLLU/lAtFquctk6aIe5gGA1kBpwPqVZn66hl1KINPDRB3sxAGufAHc0C1IkIxcARZ4QkAAAh+QQFAAAEACwBAAQADgAUAAADMUhK0vurSfiko8oKHC//yyCCYvmVI4cOZAq+UCCDcv3VM4cHCuDHOZ/wI/xxigDQMAEAIfkEBQAABAAsAQABAA4AFAAAAzNIuizOkLgZ13xraHVF1puEKWBYlUP1pWrLBLALz+0cq3Yg324PAUAXcNgaBlVGgPAISQAAIfkEBQAABAAsAQABABQADgAAAzRIujzOMBJHpaXPksAVHoogMlzpZWK6lF2UjgobSK9AtjSs7QTg8xCfELgQ/og9I1IxXCYAADs=") left no-repeat; } #change_language { float: right; } #change_language, #texts div { display: none; } </style> </head> <body> <div class="container"> <div class="header"> <a id="change_language" href="#" onclick="return changeLanguage1();" title="English">☑ English</a> <h1>CERBER RANSOMWARE</h1> Instructions </div> <div id="languages"> ☑ Select your language <ul> <li><a href="#" title="English" onclick="return sh_bl('en');">English</a></li> <li><a href="#" title="Arabic" onclick="return sh_bl('ar');">العربية</a></li> <li><a href="#" title="Chinese" onclick="return sh_bl('zh');">中文</a></li> <li><a href="#" title="Dutch" onclick="return sh_bl('nl');">Nederlands</a></li> <li><a href="#" title="French" onclick="return sh_bl('fr');">Français</a></li> <li><a href="#" title="German" onclick="return sh_bl('de');">Deutsch</a></li> <li><a href="#" title="Italian" onclick="return sh_bl('it');">Italiano</a></li> <li><a href="#" title="Japanese" onclick="return sh_bl('ja');">日本語</a></li> <li><a href="#" title="Korean" onclick="return sh_bl('ko');">한국어</a></li> <li><a href="#" title="Polish" onclick="return sh_bl('pl');">Polski</a></li> <li><a href="#" title="Portuguese" onclick="return sh_bl('pt');">Português</a></li> <li><a href="#" title="Spanish" onclick="return sh_bl('es');">Español</a></li> <li><a href="#" title="Turkish" onclick="return sh_bl('tr');">Türkçe</a></li> </ul> </div> <div id="texts"> <div id="en"> Can't yoLaDSu find the necessary files? Is the cwH76mmqnontent of your files not readable? It is normal beF4kuS7cause the files' names and the data in your files have been encryphfnted by "CeIgdHjLrber Ransomware". It medIans your files are NOT damagezGld! Your files are modified only. This modification is reversible. FIrom now it is not possZQrmynuGnible to use your files until they will be decrypted. The only way to decybr4xErypt your files safely is to buy the special decryption software "Cxerber Decryptor". Any attempts to restM1ore your files with the thirLMI1pjipDKd-party software will be fatal for your files! <hr> You can proc5eed with purchasing of the decryption softwRINare at your personal page: PlePLfI2SrVase wait...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/22BC-1F55-BA92-0446-95A3</a> If tcJw4DCWRnEhis page cannot be opened  clijIZvkPeuack here  to get a new addrLuess of your personal page. If the addreA3KQpS1CWss of your personal page is the same as befoCiIh97re after you tried to get a new one, you c5mbpnvnlan try to get a new address in one hour. At thyvSQis page you will receive the complete instru2uctions how to buy the decryptiJIuGDnM3gmon software for restoring all your files. Also at this page you will be able to resodtore any one file for free to be sure "CerbeaYHxezdhr Decryptor" will help you. <hr> If your pereDTa10x8Msonal page is not availaTXRdlbZRble for a long period there is another way to open your personal page - instagbTrXMllation and use of Tor Browser: <ol> <li>run your InteLGrnet browser (if you do not know what it is run the Internet Explorer);</li> <li>entwser or copy the address <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> into the address bar of your browser and press ENTER;</li> <li>wait for the site loadt1UIX7Ping;</li> <li>on the site you will be offered to doYEdwnload Tor Browser; download and run it, follow the installation instructions, wait until the installation is completed;</li> <li>ruKVNNCfw7n Tor Browser;</li> <li>connect with the buttOcXJiHPrgon "Connect" (if you use the English version);</li> <li>a normal Internet broYwser window will be opened after the initialization;</li> <li>type or copy the addqNress http://p27dokhpz2n7nvgr.onion/22BC-1F55-BA92-0446-95A3 in this browser address bar;</li> <li>prerUXmg4qZss ENTER;</li> <li>the site shoFSuld be loaded; if for some reason the site is not loXj5reD2oading wait for a moment and try again.</li> </ol> If you have any prO44xXloblems during installation or use of Tor Browser, please, visit <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> and type request in the searc2Rvjqh bar "Install Tor Browser Windows" and you will find a lot of training videos about Tor Browser installation and use. <hr> AdditXk5I7Ya1ional information: You will fi6nd the instruxwL5Hlctions ("*_READ_THIS_FILE_*.hta") for resgtieVPstoring your files in any fRw9older with your encaJWZKheij6rypted files. The instrK8uctions "*_READ_THIS_FILE_*.hta" in the f7aOz6Au1olderrlXXHs with your encryueXkF75yhpted files are not virBLevuses! The instrucAtions "*_READ_THIS_FILE_*.hta" will he6vlp you to decpv5OzT9srypt your files. RemembewbS2E4Ydr! The worst siktspHxLtuation already happ4yKvened and now the future of your files deQNIHypends on your determCxb63JXination and speed of your actions. </div> <div id="ar" style="direction: rtl;"> لا يمكنك العثور على الملفات الضرورية؟ هل محتوى الملفات غير قابل للقراءة؟ هذا أمر طبيعي لأن أسماء الملفات والبيانات في الملفات قد تم تشفيرها بواسطة "Cerber Ransomware". وهذا يعني أن الملفات الخاصة بك ليست تالفة! فقد تم تعديل ملفاتك فقط. ويمكن التراجع عن هذا. ومن الآن فإنه لا يكن استخدام الملفات الخاصة بك حتى يتم فك تشفيرها. الطريقة الوحيدة لفك تشفير ملفاتك بأمان هو أن تشتري برنامج فك التشفير المتخصص "Cerber Decryptor". إن أية محاولات لاستعادة الملفات الخاصة بك بواسطة برامج من طرف ثالث سوف تكون مدمرة لملفاتك! <hr> يمكنك الشروع في شراء برنامج فك التشفير من صفحتك الشخصية: أرجو الإنتظار...<a class="url" href="http://p27dokhpz2n7nvgr.12hygy.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.12hygy.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.14ewqv.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.14ewqv.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.14vvrc.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.14vvrc.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.129p1t.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.129p1t.top/22BC-1F55-BA92-0446-95A3</a><hr><a href="http://p27dokhpz2n7nvgr.1apgrn.top/22BC-1F55-BA92-0446-95A3" target="_blank">http://p27dokhpz2n7nvgr.1apgrn.top/22BC-1F55-BA92-0446-95A3</a> في حالة تعذر فتح هذه الصفحة  انقر هنا  لإنشاء عنوان جديد لصفحتك الشخصية. في هذه الصفحة سوف تتلقى تعليمات كاملة حول كيفية شراء برنامج فك التشفير لاستعادة جميع الملفات الخاصة بك. في هذه الصفحة أيضًا سوف تتمكن من استعادة ملف واحد بشكل مجاني للتأكد من أن "Cerber Decryptor" سوف يساعدك. <hr> إذا كانت صفحتك الشخصية غير متاحة لفترة طويلة فإن ثمّة طريقة أخرى لفتح صفحتك الشخصية - تحميل واستخدام متصفح Tor: <ol> <li>قم بتشغيل متصفح الإنترنت الخاص بك (إذا كنت لا تعرف ما هو قم بتشغيل إنترنت إكسبلورر);</li> <li>قم بكتابة أو نسخ العنوان <a href="https://www.torproject.org/download/download-easy.html.en" target="_blank">https://www.torproject.org/download/download-easy.html.en</a> إلى شريط العنوان في المستعرض الخاص بك ثم اضغط ENTER;</li> <li>انتظر لتحميل الموقع;</li> <li>سوف يعرض عليك الموقع تحميل متصفح Tor. قم بتحميله وتشغيله، واتبع تعليمات التثبيت، وانتظر حتى اكتمال التثبيت;</li> <li>قم بتشغيل متصفح Tor;</li> <li>اضغط على الزر "Connect" (إذا كنت تستخدم النسخة الإنجليزية);</li> <li>سوف تُفتح نافذة متصفح الإنترنت العادي بعد البدء;</li> <li>قم بكتابة أو نسخ العنوان http://p27dokhpz2n7nvgr.onion/22BC-1F55-BA92-0446-95A3 في شريط العنوان في المتصفح;</li> <li>اضغط ENTER;</li> <li>يجب أن يتم تحميل الموقع؛ إذا لم يتم تحميل الموقع لأي سبب، انتظر للحظة وحاول مرة أخرى.</li> </ol> إذا كان لديك أية مشكلات أثناء عملية التثبيت أو استخدام متصفح Tor، يُرجى زيارة <a href="https://www.youtube.com/results?search_query=Install+Tor+Browser+Windows" target="_blank">https://www.youtube.com</a> واكتب الطلب "install tor browser windows" أو "تثبيت نوافذ متصفح Tor" في شريط البحث، وسوف تجد الكثير من أشرطة الفيديو للتدريب حول تثبيت متصفح Tor واستخدامه. <hr> معلومات إضWNN93ZzTcافية: سzhوف تجد إرشادات استعادة الملفات الخاصة بك ("*_READ_THIS_FILE_*") في أي مجلد مع ملفاتك المشفرة. الإرشNHlcASLS0Iادات ("*_READ_THIS_FILE_*") الموجودة في المجلدات مع ملفاتك المشفرة ليست فيروسات والإرشادات ("*_READ_THIS_FILE_*") سوف تساعدك على فك تشفير الملفات الخاصة بك. تذكر أن أسوأ موSPC7c1AMrقف قد حدث بالفعل، والآن مستقبل ملفاتك يعتمد على عزيمتك وسرعة الإجراءات الخاصة بك. </div> <div id="zh"> 您找不到所需的文件？ 您文件的内容无法阅读？ 这是正常的，因为您文件的文件名和数据已经被“Cerber Ransomware”加密了。 这意味着您的文件并没有损坏！您的文件只是被修改了�

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1136) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3476	netsh.exe
1684	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	cerber.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
256	raw.githubusercontent.com
3502	raw.githubusercontent.com
3508	raw.githubusercontent.com
168	raw.githubusercontent.com
169	raw.githubusercontent.com
181	raw.githubusercontent.com
254	raw.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	cerber.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp2453.bmp"	cerber.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\the bat!	cerber.exe
File opened for modification	\??\c:\program files\	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\steam	cerber.exe
File opened for modification	\??\c:\program files (x86)\word	cerber.exe
File opened for modification	\??\c:\program files (x86)\	cerber.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	cerber.exe
File opened for modification	\??\c:\program files (x86)\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\onenote	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\program files (x86)\office	cerber.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	cerber.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	cerber.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\thunderbird	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	cerber.exe
File opened for modification	\??\c:\windows\	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\excel	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\steam	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	cerber.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\word	cerber.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
3432	1008	WerFault.exe	245
4300	3980	WerFault.exe	255
4728	4080	WerFault.exe	260

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cerber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NOTEPAD.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 4 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2556	PING.EXE
1008	Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
3980	Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
4080	Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe

Checks SCSI registry key(s) 3 TTPs 12 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2592	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	cerber.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2884	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3500	msedge.exe
3500	msedge.exe
3672	msedge.exe
3672	msedge.exe
4024	identity_helper.exe
4024	identity_helper.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2952	msedge.exe
2336	msedge.exe
2336	msedge.exe
3304	msedge.exe
3304	msedge.exe
4572	msedge.exe
4572	msedge.exe
4104	identity_helper.exe
4104	identity_helper.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
1360	taskmgr.exe
3976	msedge.exe
3976	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe
5060	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 64 IoCs

pid	Process
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1364	msedge.exe
1104	msedge.exe
1104	msedge.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	firefox.exe
Token: SeDebugPrivilege	2600	firefox.exe
Token: SeDebugPrivilege	1360	taskmgr.exe
Token: SeSystemProfilePrivilege	1360	taskmgr.exe
Token: SeCreateGlobalPrivilege	1360	taskmgr.exe
Token: 33	1360	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1360	taskmgr.exe
Token: SeShutdownPrivilege	1596	cerber.exe
Token: SeCreatePagefilePrivilege	1596	cerber.exe
Token: SeDebugPrivilege	5060	taskmgr.exe
Token: SeSystemProfilePrivilege	5060	taskmgr.exe
Token: SeCreateGlobalPrivilege	5060	taskmgr.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: 33	5060	taskmgr.exe
Token: SeIncBasePriorityPrivilege	5060	taskmgr.exe
Token: SeDebugPrivilege	1464	taskmgr.exe
Token: SeSystemProfilePrivilege	1464	taskmgr.exe
Token: SeCreateGlobalPrivilege	1464	taskmgr.exe
Token: 33	1464	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1464	taskmgr.exe
Token: SeDebugPrivilege	4784	taskmgr.exe
Token: SeSystemProfilePrivilege	4784	taskmgr.exe
Token: SeCreateGlobalPrivilege	4784	taskmgr.exe
Token: 33	4784	taskmgr.exe
Token: SeIncBasePriorityPrivilege	4784	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
2600	firefox.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3672 wrote to memory of 5076	3672	msedge.exe	83
PID 3672 wrote to memory of 5076	3672	msedge.exe	83
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 4476	3672	msedge.exe	84
PID 3672 wrote to memory of 3500	3672	msedge.exe	85
PID 3672 wrote to memory of 3500	3672	msedge.exe	85
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86
PID 3672 wrote to memory of 4896	3672	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://vxvault.net
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1fc146f8,0x7ffa1fc14708,0x7ffa1fc14718
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2236 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:112
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
  2⤵
  PID:1488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6084 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2944 /prefetch:1
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5844 /prefetch:1
  2⤵
  PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2612 /prefetch:1
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1896 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:1536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2672 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5668 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5980 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1
  2⤵
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
  2⤵
  PID:2192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3916 /prefetch:1
  2⤵
  PID:4280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4732 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6476 /prefetch:1
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2076,16723707707417607659,10401518627704319786,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5780 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1796

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4684
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1956 -parentBuildID 20240401114208 -prefsHandle 1884 -prefMapHandle 1880 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eaf23b2-a7da-43f7-9596-264d3df4f44f} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" gpu
    3⤵
    PID:1492
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2380 -parentBuildID 20240401114208 -prefsHandle 2372 -prefMapHandle 2368 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b239a4d-e327-4e28-95fc-9bb76fb9be48} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" socket
    3⤵
    - Checks processor information in registry
    PID:2904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3156 -childID 1 -isForBrowser -prefsHandle 3192 -prefMapHandle 3232 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7a538ba-2943-45c8-849d-9dc8fa6f0c82} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" tab
    3⤵
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1240 -childID 2 -isForBrowser -prefsHandle 2544 -prefMapHandle 2532 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {20cd255e-98a3-49b5-a29e-cc5ded07d7f1} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5060 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 5020 -prefMapHandle 5072 -prefsLen 29144 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7343d02f-7045-467b-9323-6cd7f6a93a5e} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" utility
    3⤵
    - Checks processor information in registry
    PID:2232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5168 -childID 3 -isForBrowser -prefsHandle 5160 -prefMapHandle 5156 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {961eeed1-f3fc-45af-89ad-a4130fd74f5f} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" tab
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5324 -childID 4 -isForBrowser -prefsHandle 5332 -prefMapHandle 5336 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc81d423-9ac7-4c61-92b1-a322e4240fbe} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" tab
    3⤵
    PID:916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5592 -childID 5 -isForBrowser -prefsHandle 5512 -prefMapHandle 5516 -prefsLen 26998 -prefMapSize 244658 -jsInitHandle 1268 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87a00af7-dd61-4223-a507-bc589b88417c} 2600 "\\.\pipe\gecko-crash-server-pipe.2600" tab
    3⤵
    PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffa1fc146f8,0x7ffa1fc14708,0x7ffa1fc14718
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:2996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2860 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3504 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5292 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5556 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2984 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4284 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5784 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3792 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2156,8898681546219060629,8339636153478792995,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3668 /prefetch:8
  2⤵
  PID:992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2760

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1200

C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
"C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1432
- C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
  C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
  2⤵
  PID:2072

C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
"C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2556
- C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
  C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
  2⤵
  PID:2488

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1360

C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
"C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:220
- C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
  C:\Users\Admin\Desktop\Ransomware.TeslaCrypt\51B4EF5DC9D26B7A26E214CEE90598631E2EAA67.exe
  2⤵
  PID:3140

C:\Users\Admin\Desktop\cerber.exe
"C:\Users\Admin\Desktop\cerber.exe"
1⤵
- Drops startup file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:1596
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:3476
- C:\Windows\SysWOW64\netsh.exe
  C:\Windows\system32\netsh.exe advfirewall reset
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\Windows\SysWOW64\mshta.exe
  "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___DJC5_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
  2⤵
  - System Location Discovery: System Language Discovery
  PID:412
- C:\Windows\SysWOW64\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___I0IWMC_.txt
  2⤵
  - System Location Discovery: System Language Discovery
  - Opens file in notepad (likely ransom note)
  PID:2884
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4592
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im "cerber.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2592
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 1 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2556

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\a32de46b8ec3462da560e2d0a022e995 /t 1244 /p 412
1⤵
PID:992

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Users\Admin\Desktop\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
"C:\Users\Admin\Desktop\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe"
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:1008
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1008 -s 368
  2⤵
  - Program crash
  PID:3432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 1008 -ip 1008
1⤵
PID:1896

C:\Users\Admin\Desktop\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
"C:\Users\Admin\Desktop\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe"
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3980
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 336
  2⤵
  - Program crash
  PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3980 -ip 3980
1⤵
PID:4340

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4784

C:\Users\Admin\Desktop\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe
"C:\Users\Admin\Desktop\Matsnu-MBRwipingRansomware_1B2D2A4B97C7C2727D571BBF9376F54F_Inkasso Rechnung vom 27.05.2013 .com_.exe"
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:4080
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 336
  2⤵
  - Program crash
  PID:4728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 4080 -ip 4080
1⤵
PID:3768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1fc146f8,0x7ffa1fc14708,0x7ffa1fc14718
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2224 /prefetch:2
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4104 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5740 /prefetch:8
  2⤵
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2216,7625074244823226142,14027376617685624630,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6132 /prefetch:8
  2⤵
  PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:1104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffa1fc146f8,0x7ffa1fc14708,0x7ffa1fc14718
  2⤵
  PID:3776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:3620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:1340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:4864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:1060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:3964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1185070479699011412,6689879491542912003,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5364 /prefetch:2
  2⤵
  PID:1012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ed5bf74863b97a89926d9c9eeaebab99

SHA1
457d675bca6ea873e0d0530eb35cf2ec870d943d

SHA256
75d39907498b1c9b720811b15c717be96964a2e69c6c19dcd3303f2b221f741b

SHA512
a932c20703f2769a427b9d75f803e1aa932d92755d6b5709ab0870f3d52de36869345da49870f2dbeaa1289a91f96443216ebe2e1acb2713c3e5701e74d3b147

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27fd880b462c0db528c3fa935998e092

SHA1
3a3fa7d6779810c4fbc233fa24617fc17b5e05cd

SHA256
103ae0ecddfda19a9ec0982f28bbd2ee111140ada3ab7bfa5a0049df4a5e19ca

SHA512
bdff522714046c759919be644948ea7ceda09f14d14fdd1b4dde97d82b5064a60bed8c7a53440471ce74b9a748972b42f95ff7c798ac60e5784edc96cce8bdcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81a20178b71a9aa94e779b7bd80df47b

SHA1
5a2104e5cd92a6ad0d444d2df4ba36c1216162cb

SHA256
85e817a85ee3f3c6dfcab703caf64752b9e5e5cb57d663ff09f083fa076c5c26

SHA512
7e8c331ae4344a36689455e7c1740e4adff1c1bdc8cad5ce2b41321ed752a611ddacfd59a3f8c6e97409d76762635fd08732fc3c92f633e6b75d400f5cfd2049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c3584c4243f679654fc192b62fd3d6c7

SHA1
353a8b631681cd3d3237e58b6b00e895498fdada

SHA256
1c9149820eb919841968d3caa0b95d1306e19ea5c51c33a06c68ab15c062d743

SHA512
905e72d6497c98565659344eadadd51b7b5821908eceaca6ea43f03b41e16a1afd09ac44a83f53f6d7b201754286416bee9b7b2c3c79a53351b9efcb113bbb4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\8470d30c-1368-4e19-84d3-0d9d53272c5c.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
67KB

MD5
b275fa8d2d2d768231289d114f48e35f

SHA1
bb96003ff86bd9dedbd2976b1916d87ac6402073

SHA256
1b36ed5c122ad5b79b8cc8455e434ce481e2c0faab6a82726910e60807f178a1

SHA512
d28918346e3fda06cd1e1c5c43d81805b66188a83e8ffcab7c8b19fe695c9ca5e05c7b9808599966df3c4cd81e73728189a131789c94df93c5b2500ce8ec8811

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
68KB

MD5
f26bbba7e176ea7ee28bb8d1bb559e46

SHA1
04efbece4b8f5160b177211e1451a649b844b775

SHA256
e1fd5de2bdb5c05b81918158dd6f841338028f72ceee214de7c67813ed2a8155

SHA512
c23a748d54d6829127e50a912a0af1f8e9e611bb919a972697a0e71ba812843dc51642f4d72dfae6b6cfdbc65503828456a7773338e1fa83a2d88f889741fd45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
39c5f7c468d7f740e7b1dbed325058d3

SHA1
be32308c61b4bbd8c3e3f1d4b8f91159e2b4ec1f

SHA256
02208865ae9bfb9507f49f9c492a1b8fad3c0980fc6987d51d56764605c720de

SHA512
c14c482bb17dcaee766942d8d8deba87d0e6c6ca24af62b75661a10cf223f614bec9966bb978e148866bfc3d6417bd93c479ec3c968045833b7ddc2c59f34595

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
6337423816968a55ad00fcd1794ccd2c

SHA1
c12e8b4775d2be400e0d3880b6ccfc980046012e

SHA256
c095884206812dc63d307879a2b96d6788cbc786c3f1443bbd1fc4a1b6cd2346

SHA512
fbdee5dfa8a1ad1638d4244f26f33a910f74f170074d94b5bcc0e8714e2e8b8a75f51d8d4a7efde38fe8e01dfab54a796b7d1b9fd3588592ee957a61b9130f35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c8404662043ddc1e448e85ef0ad0f457

SHA1
4dbe8e9ad95040f3d75b8164250b72543e44e810

SHA256
a39e61f37ce6e3af3852497107b4ae980a45b5bc7ea79c68c525c5deef262b9a

SHA512
936924c5328b8f0428fb9610f5bea9e4f2900e08a6680d08ae937020bd5abd38284b8898b6f900eddd43f1d15525bceeeae75f54ebc409277417557395796347

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
ef569143982d6106fb7c03a0af5fe1c4

SHA1
e10a8f14db07cf19abe2212203a285dfa6156587

SHA256
f8a06c3b4ca490985f5222a3458577cd1480ba7dab46480d40ff1496a85ead82

SHA512
c22319e8393f13020b372d0a28112ce0358ebbe5004b8354f928adf86cbc48639e15f8704c1c328481bb4010e8f7df73cd47f3fa854157b4abe393698afa484d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
e4afd7c14808dc8da5af4d76148b645d

SHA1
e322690078357252d106c8756c90ec9fac156cab

SHA256
2054e3d631629d4786366fad206d9199bbe2763aa6e7562bb58a5b5b7fdf2d41

SHA512
410ecc603806180def197afde409ac6a5f6f91ee82689ff48c480cf9f9dd9a1a162d20e5978be0d5a323587d29e8f2c8aee4965d29fbe38372f73881d5c55922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
4a5ba0c6b41bc34ef7da71db4dcfe7e0

SHA1
f1543db0e0010dc786d0c84df0f29ae8a92a00c8

SHA256
b50546c6e283a194aa5b7b685ba5774168c5f098ffb469c2c8ca8b91d530586a

SHA512
763a2f555885b5b9522c808b508fd4997b603d2e798e7941e3a0edcebfc191f96c60d996c36d44b0cecd92bd6272c18d48b65d36344920770c49cc6630f210f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
32KB

MD5
70eed2ccdd117de46e3e29165db54dcf

SHA1
db239c8d38b01ec3111379eb6351d17640c4139f

SHA256
31175df9fd3ae9dead4682f2d2f11ac59e50a52c029a750353012b7e116f5ae6

SHA512
c31b0111976e63788909e93451fb83bfdd4000c1f82fec231740a9d4e4e55a991848fdbd8e821ff0268c74f2a2c43d1c45d6482dec6c579269a455854ee6ece2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
0dabf8d8129e5eff63e863b57beccab3

SHA1
cfbb559aa50b1f6456215c672af128971edb9150

SHA256
5868807891ab708fc44a701a28044cbaad4bcb51dfecc82766f7a2103f235a39

SHA512
c38306df1dbe7d6074bbbee2eb2d84ac9f480a1ff98f15d7dc46c0445a6e791b2b4bf505c131b2bfbad0b6ca19bb23b27dcc2726892737cbc0c3a958194fe43f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
f1e9536ec985e17a5600555825c94dd7

SHA1
cd18142d4d46adf50054a3b9d8038ac3251bdd74

SHA256
8b51421c80c74064e493f6d34e80a077fbd79d93e270d0ed3ae07ccf7ddb8be4

SHA512
18d589f71b074afa1fac8c0f0802af0612d1b010540f03a97b3db84bd50cab7cab517411a2fdf4aae6fd4e3547dc0f7c47aeca44d99b7149111a37b65b1b4a37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Filesize
48KB

MD5
11051da340b034738e86975f0686a476

SHA1
2377f37f1028c4ffe63796443b0c1b666373f372

SHA256
212c8d7e57d42fbc480967dc77d3f53a240687d4d35c05f6ae0f612f20f0e2b7

SHA512
797ab7c7f3bb1f60127bf52df1302326ec26d01b15bde4473e7aaf1b27c0d73502b4384701d75e53a1442e4376bf8d69d9b4e78108eb577e06d4e774e8f2ce8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
bef6a558b5a4f6a87792723ab4f8c91d

SHA1
6729bfe442a8edc67b3f92fb7951768508deb4ed

SHA256
ce6f0bda3eb44bab9ca7d04a5ec4a733e0c3a4994dae2a6eb990c82c5ea114e4

SHA512
4847b03ff8f8d0551196debcfc8dc2f4b57aba62bac97c740a5509ec066b9b88c13754b003e823fcedd529ff5cf0a685a1f80280f10b372993975d314900784b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
07974cf56842b50fb4ee8e744ef1ad38

SHA1
c9189949c425d79ca199fdd6b55c16abafd3ea19

SHA256
3d1ccec165571281cfe81c5a1d2bd2097930cb566f2cf313b4d8c081c95a3411

SHA512
665e05f1399286137334d5446175d70dd3306cc2d8de32b9fb37036d2a2cda92523d8d510190f81f628244cad3bcd6602dbe28f34e054985b859c159b77345f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4bcbdfdff457de04d203b114de39aa2f

SHA1
f0cafa16c7c13b0ad4aaef07a0696e7191964b1e

SHA256
80f7ee71e3229ebfda8fc7213bf85c8924573935b88ef2d897814ae74b615834

SHA512
67cf21374212a7538209aca0c8f06b112211c0f82b40846f766c30157078e9a680a9df26e55bea09943a0a750605d38e8a512512b14bc2ce3ae3e56c01c4a4ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
909bd022c47b94aadac1b04eaa758620

SHA1
bf9343abcffe1ecd69ca95d573ea621dde674a47

SHA256
160718d6d5233289da3e320afdd3d4681462242fcee53966a8afe5e17960e856

SHA512
f70c61b3b521514e20f23292c9a5f10c592cd9f4568550a6dcbb125738db25c48c9662fefe93e96f8624589daaf1e900fa8e6fcd09d53527069a7314fdc8ddb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
19980332b1952cb76c15addcf19b8e3a

SHA1
f3f4323ab860933a01d68007eb9e12fddc0f5735

SHA256
06d6878d69ff84b1375ec8de61b8b611cc52cc8828ef418c66e5c46af008f450

SHA512
56f6f2c5a7ab73a0a2f6dee051791aecc12285d00c0195f62a675ef4d38c2abd2bcd7a8a7c4f641ea54b5119a0359e8d957dcc2c0af3c734a1f584a46315a522

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ed399a9f92691390b97e3d77be2d2103

SHA1
45ff4f8c5a6fe99f53881c26759cd2eb9d479469

SHA256
7d680208d64da584cbd4fd23c95cc3bf054948327c48311ab8a589b45615ab73

SHA512
e4428dbf15308ad50fc45c6cd2e4652ef139844782efeda3c99263eaa3b576ec92eba1e152f46f58a249d38d0fc09118fedb4ab6c4fa202cc6190357a20e7866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6641028652f828a8debca24058764c1c

SHA1
c83278515845693b9afa55c8e744dee2fc0710b6

SHA256
c84ad07efa95423fb3e6b89fdb2279a482ddeef3dd7dc7fc07cc365681e9192a

SHA512
ebaa8656d04661dc78f21711f48a492c977f0b71f89f8ed21644c5845fc6fcb04015839cbca865f184d03906af7b91c8a7d0e70aa043dbb6f81dd28e3210a7cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db935e6888fdc72de3aa18cd564247b1

SHA1
828c8c0d5763d114bfed175a6494820f1e95409f

SHA256
90c535c8b7318e5a5d784dbdf7d90ec8739060daf16de15d2ff60bebc014f369

SHA512
2e877e99eeac5c0789e0bf6c76a2273806b4ceec1a82990165dc5c5af064a4b384a0489f00fac0275e82af848fcc1febf54ac874105a02cffde5b582555464ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5cd2c160d301f676ec050f7f07f3eba7

SHA1
3cf468f8edd23eee3115b82a13b502b9eba62254

SHA256
eacfa2a74df2b20817db66f2cb99e799c2fe4c44a042d56252f74c083d3425e9

SHA512
2d58df24437bc4a806b76311d81372597d45e76d27f69af8f9c0170743a05557a330b4ffca86975aead878b009d51d7f4cea5d97b82ddb57ae9c76d2eb551c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
da7abc8c013af072801fe514c4d27a79

SHA1
77c50c02dbd6925f12b69f2e7331889e5cf50486

SHA256
bbe63ffe982477f74624ff1cb9b6ccc22e68ed306d57be584a2a5476d7a2c974

SHA512
11e4cedd3cc757d59ec76bc5809d71ac1a38407f58ec88743507e645b5711a2ee52ab5b889a4325656c1fe40fec005d510e4f9d04eb7b915f69c575bf60f95bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00cdb923a45c0e4b2215b4c9e8e614c6

SHA1
b139a60716e48537013557ed23d81d6ac0374cdb

SHA256
c61ec69d8f252d9922bb3169b0b4e4a088bf868ada11f187b75682f402c864e9

SHA512
6148017a466ff83a532d781c594733b5017faffdc895891bd14b596d610d973f74575dd9127d3e56d7f4751aad6a4217c9764b74032413d845e4dea284ab326a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cb2231074bf619dc772e22621f28eea7

SHA1
e43119bd75e79ec18f23fc74892eeb4c6b81eb26

SHA256
38b7d4721fd6d4b45c5866fcc6d6eec2ca680fa7fd56c7e1b08d1294dc9c5d33

SHA512
9511f9a477dc5d09fab36ed5673aa7d551cb2472534a7b2105dfabc14d219f3899fe6d55c6f5c68ed19428a473902ba0adcaf7d41ffd426a0ca0f8ed2d350682

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1c6c597a53f40a2296bf8483ca6f7499

SHA1
45e694ddb8d1f9c40564168311d027bab6f469b2

SHA256
231969c71c46df995bc0c9cc9dcbaa1f19d2ae6d8bd59e097cfddaf8ae3dbe82

SHA512
cd4d84e0bcf3615645250360d04384236cc202832f26db85c1476518f7a74b25de1672ab7ec643224e83d5af6a1a8da45b43cec57370bea42b6eb2f2d7e86efb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
111602b66a8c84fa2c06d4ce38b693f7

SHA1
957eb14ea23244b8aeade9d9e07e53ea4469db88

SHA256
c1062b624149b3ea228cc85e1a4fac9c99a37dbb5bab9239bb26d0aef65388a7

SHA512
6a23438a5eebbd032fe832d81998ea8a7a79cb69a3a642efb079a488f1261fbec5f01746cd82468529543497940440d2e12006b8fa8d6235f5bc17f86a4f0ab7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0d0f38a5710d8e6044eeccb0636083d9

SHA1
274c2a56537893da71f8b022c4f90fc2c7bccea3

SHA256
6e87ec32df919607103560527a3ab451865d2b5c345d86f0ff9f7396c1a9b618

SHA512
44e160d3239a23717d98382595988f67c8d28b800624ff6b18656e1bccb72027cff86f6d8edeb85f2ae0d19b89fee59dda8dbb3a6569cdac50f909c4489ed3e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c32e6c0a808509557b2536f93cb0bd81

SHA1
da0ad10c61eaaa5772e52be32f816bc28437bee9

SHA256
0e60d922f920a1079b5a571233ec91e644b50ca6ee584adf659b868d076f4657

SHA512
3e7c871ef5cf58ae3e65e6c90e91bab0002bcffe14662748375716f3ef387bbdd9606e65dd34565e1195711b181a988a474adc8de3d0cdcaa07a019f9c061ce2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7e5d2cd0bd388ce67fd61ab93d0ba7a6

SHA1
c6d7971a45718ca55e95a8ebd2619d4a1fe183bb

SHA256
39b7e8d12acd697cb86f557fd99f0d1077d66f533efdcb542cc938684381266f

SHA512
df4ecedeb0aa0644ced5246a8b9f9ad98fd5f023ac8dc6016e0f60e04ac08a5e22603db34f8a2cc30a8b8d7eae772fe62ec6c8bd06853f0025c364290d8464ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
223d236ce7b4a3d2757f610ef4cc91ed

SHA1
cd87eaac89be7aa0de63b30a511b69642c1e5ac5

SHA256
53063f7078703b7438e18410359c4a9e435726e6b3b916a98ea6d2f73156e8a5

SHA512
fee83d8c520b8fcf6f95e35756e48e771cb9bb1b5f465a3cc546f06978be63a6c8c0004749f4527d6d8626457101bb89f5bebbc36c20eae3855b13bb25ad3607

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
28c69577833337358a7c71d69f125fd3

SHA1
d2cb1160a0daa6bee2bacb9b660c70dab9285154

SHA256
7ea3e1631234f7e81f522fc84e072b6cc3e82a56d890e9e08c6febf3ce00d30e

SHA512
3ab194f5ef4929f5ff5f346b8997ab103635bbfe7711517bf6740b4a7668e6f33f59f515aed8906289f9d71fb3a6f62d466cf80a3df46cd8090194e1f661ae9d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
88f1040a09564b022caddcbc0226ee04

SHA1
6bcc9cb67219104eac5d76830a4a7d19df2928ef

SHA256
26350d8b078469762c5343d4819eff2f4ec11ccf84849238e08c5a46a68dd8d3

SHA512
3ab1d9a98cdab5c710e07008cbfd6f5286c13f477c6fa00b76bdc521f878e75e7b147d9a5c11c6187e8543eb41b86cc753ebdbd684978dfcde5c005ec3de4f11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
228706aab7add9edcf246505ebdaf56b

SHA1
918efb1fb2c3c1839bf8920a43d8c53cc68c7330

SHA256
c7eb5ee1dd5a4220635b03a861b9004677e8711523667e543149f3586bd1d93c

SHA512
8c495fbc61e1456405a8c03e4f9abefd6669a09ce3d4c672ad6618081b8ba91418d23ae69750b7ee8219e67444693ff2da2b9fb0689d8ee558526cd70be1cba8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
4e7b11000a5533bfefb6d1a5d825aeef

SHA1
58bdf4dc8a29052827505c047956b46ed872517b

SHA256
8e14740a403fcab2038c1e80a241c356fffe5cef39eebd21c377b3cf375f63c0

SHA512
e1760334acb77c1402dc5b08b7b2218db149ab73d99ba16a6850f744b329756beb1ec5edc1bcf5b8c440f54e0049e4ab5bb339ce6e21a41cd2283b4d6ce8ac43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
71a257f58709fc94075863bc5687397c

SHA1
1a78072efb020cee0018027d74d27571f988e414

SHA256
bef9c4d189a31f36ed6d2c043716b944ece9d8acf011d67fc45e80fd8c4feeb7

SHA512
4e1d48698393d4e7ad83592fc46e682426754266e7f3a259c8c8b93a1ee59a229f8ed86c054605a7d75380c7eb4737f03cf45bfe2d086aeb6248c39be37ec94e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
83ef6040bfaa7ece2123fe2af7f102df

SHA1
78b65a21c80ff9a0ccc6253147cb40b55aa7c228

SHA256
1bffcb136af010f27978151353371b380c8f3dd593bf94de3f86c891f1f655a4

SHA512
591c9fa384d3d88f750ad342805742d82abe636f1ebbecfa428240330ae54411355312d460951a72c04416ff4ce78724531ffd566848100c0b620612e2ce5a58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
96c9140e3bfbd892662dedd8cd08442c

SHA1
c5986a618de2cb5fa5e59fe05ca1d4d4c188ac9f

SHA256
851fb1e3d3ad0178d1e9933996288d7f1025a175debfa16dbbb2036dfc09e986

SHA512
74438de90df033a157b4d394eebc0586eb027bc74e68be3ceedb67a6f72ac118a3d743452f338a3a18b76dc43fbda8d0e7d8708b4bb089c950aa05eeb9e9428f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
03022571e2777bf242554e3432cc8b50

SHA1
1d6c824f0d8017fb29691d9df870bab84cdd1399

SHA256
b42c39a4d1740b4bb82fb9b09eeb2e0d754eafb1c2066aa51e0face547759ca0

SHA512
0325dfb097d2b1b1b8834a2224d8e8f2621878e9b47a9ee31f553675a4d4fb0bd2a91bdb185dab15a304cdf2ee2723d27e9c47b9c200ebf261dfdb000fb27615

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
77d1b7f1e67c8ab11b9fd5b1d404c7cc

SHA1
e884c6b10c6f893cfc81b2b6853de8d729cdc563

SHA256
479337c7e04f0ca37e63d87c2cf02e8ccda64e34d7355d3d405bcd1f760b95f3

SHA512
0b2044719ce0e76a1844453f35c82e2b0ef02005198bcb79efbc3bed708d9289aaf5ac141edaea759a39b997b82205eea461f7c396c15cf27a47f37db43345bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
664B

MD5
67e01de2d0d4e1d1ec132643504b73aa

SHA1
ae57f6dc8853ee07fa065bfe3d6b756fb5ecfb22

SHA256
aac5fd37a4273d6f7aee6493f905e5be43421a79ad2aeeeefb1a19d2c34264d4

SHA512
fee9590f6912a0831e3cecc3c57a5a0d14988d7d1b0a4bc76e7d8fe6da7db265d4162cbe32d5e6c1f4737f7e5c9640550a223605fd00932b48cd0436bd542e79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
86071073cd1d1753d807f623c8a567e5

SHA1
67dd83d061519957a544ae6ea18d490f4d6d6121

SHA256
2df46e022d0fc994229e6009797f8a8732cc7551c4cfd3a06b63b8fbc4612a3a

SHA512
cd971112170ab46478838c79e01f848294d153978ebe901fc5149f94819987be0bbe29efed9e34b4ae624ed8fb4a4a0e4c2e0f534ccdeed706ad4fa10ef2e0a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f6d1abf33042a0c9c2f1635f014b6ee3

SHA1
e91f61aa01023b957a4f18ae72f30079216347c3

SHA256
da1a688aa80eaec65487bd6cc1fac484d50da89002c53523aef07ecdfa79faf7

SHA512
222727dd69040e8a37b13490f3510d34da2ac71a26cac9173484fc41e2985f6d37cf499ee6bc461b44da40d31c99a9aedd6965d2a06b2e82c92b36d3dc55db51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
63cdc74c494a99b0c848daf4461829f4

SHA1
6acebcc6536af06c49c9ab7b001d6c40c6bf9a0f

SHA256
85e45fefb796a16b1a12afdfd47c5c0d665646f399314abd3658cc31850c29a4

SHA512
279cbbc9b48e20ec803ec5de00e2cb7af64fb5f80c68a025eb2c410c1129e3a4a889b6ffe3df8d0f7222d0f88032091ed25a089a15f677b2c2ce07d5a1fee86d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b1252a4a9d87db7fd0dc10e8e55da873

SHA1
ce6aaf1c20cba9c5c2e2d0d04f8badff73f01859

SHA256
c335b88f99bd603189165b82c1a9b146e3e14112e3e69d3701bf1a9f31244ed2

SHA512
c69f4d09158fd35d45c1f63d51de8198fde9821d0743f6a7b0f81715065092c2fb1dada879fa1959f38940a81ba7d1a2e88f471a286581a60efbc31867097293

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
1669e79363afbcfc0dbda42928dc96a9

SHA1
f55bc97e55e616348a2b9978d3c27167ba219681

SHA256
d9b82c65689e61892203f23b5774d79fbb05c034a98b04f72c69ad592dbd4b35

SHA512
99291fd3d6d3cfad53c7b57d6ba98a5aa943599dd6818b5bf872c007f6f4c3f1730629c0581fd5501d591bd2e06906b729f149ea1c3b804355b381d8bc9f56c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c982a0464777ffa5066362af0cf74ae0

SHA1
db88b92c25d943b2f31f61ce28f6864c9ccaff11

SHA256
2ce9b1aac616e5ca58a49d4fb0bacf0766a719fa798d79c46fc48860b50d5ccf

SHA512
30199935d30e167d31bd4615533c7113fb4377eaa33b8b65d537ef33e73fcbf04af833eca78a673eb6d3848c222d9d45d7fd84a87fb6b899846bfac87dc79dda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9eaddf7d0e7d6ab17cbd39044a14b5c5

SHA1
260416384255c0638767ea5c68b9e9908476806a

SHA256
e6190b6b59fde9983eb20ca2925e491bd410685db54b2b9fddf939ef54aaf33e

SHA512
f691574e0a331ad4d051c4805ae480f7cea5148a818109f43275c774d3a7c7c4fcc7e7ef84f4ccb1537830b082ea1cf701722a98ccc3a6e85afab4e12ee26d31

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
dd0f8d760daad33a0eecffae9acf6103

SHA1
b67c3aff1dd0ea60d66fbb89b57fd77744add9db

SHA256
11340afa50fc0e80095c315078baa75693d3f9868963be00979f8cf508ca1b0c

SHA512
a5c041136e52cd4f714b9fa7c8c0f026b7bf26c67da6eadf3094e5e15b8a6b225a9cd03d45e2a8e4a649d65be897da36278f8a72c3d6ca956643bf23987cb1ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
119f32c402446216902e0bf48868a8ce

SHA1
e059bb6196159b39e7164badb66fe128b39b9813

SHA256
2c32653f6480a2617409b808207da81ebd7b8006efaf1675f903ec29d9791745

SHA512
e3a3e0f9aedfe70cd5f043d29ed18119418f5a34a792f86e061fd0c979c9ac649e4acb9f572323cd60edad0160b73b20257106596c0de31a5ced6f423fae5a7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51068ee755a55e8c18b30a44662f8d24

SHA1
b814afd87b59e17c7264679edc98b73f577d329f

SHA256
ce7557557b59a365fa24868e7617f6d0f862be30a7cc0d256e2ebca48264f845

SHA512
49bd5cec8af283410a92ad40def8aa7a96de30872897036f926efe1f8baa2d2a4cbde75fa0b0a13fc20938301b137ebc2bb1fc4322159173ccf835eee574c8ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a2d1901bd1de8ae3eda73feac3472c2e

SHA1
eec4ea7796f3aae564bfe91180e6782a6fc4d31b

SHA256
be33031b3a740427b221872fd14ecfc3f973258ec658997c38e757e5ae4ef0de

SHA512
2d6eab06bce3d6936c2cc389f53be0dad0dd2283b31d65617c59c5b30f89cf21b0072a9128ce33707d370c9bd0abde7c1d03ef451441baec3e4a25f93f09ce0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d86f09948e49c9d906181ba8bc618e27

SHA1
f32331564467651b2c8de827d79d7cfe5fa27414

SHA256
85a102f9d8516749d34a69626105426fa74b805d7f8d3ae928b7627c777dfb2e

SHA512
5c0e78b5db11cd1679994ed1d817e39f717965159919a9a6edd1aa28da163e6fb5a677c0d9dcfa82b6435313468f3ca14efbdf1067927922566e6c633a402181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59efd5.TMP

Filesize
538B

MD5
9f61349f09b3e013f10fbd164c1568da

SHA1
5e3e1a8a8425d1d091de7cba92d86c2ea5e25d80

SHA256
3ee03a12bcab9f2cf7fb865089969428d337756065f7e155d50ad0b4ded30ec9

SHA512
ed99dc5b5833d024225926cbd4c88be8cfe669dfab1fd339e4e5d413df7492c15662af7db7e6cc5dabb5437c8f7ba6233042af2d8340074da368d137a779069e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
4a4bac6fc27f0f3bc636eb0c2183c3ba

SHA1
e659340fdf2bbd3167f15b612bc42ab5c14f2281

SHA256
1d9d897c5ab9e0a0082fe790f48df3262f40c69213b1bfd5570dd79087a0016c

SHA512
6f48802d97976be01bb975601dfee0ce020940cd28238f12429be3a172bce31170f52a2e9ce1f4cac9de293518cb50192c4084afd5ef5ff5b64e13b610776e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
7de216bb01570a6f62eaecb61674a237

SHA1
3ebf099e87778e41b5e5769fe7b4f7617d754a15

SHA256
6c8fe1adfa0ef6fbfe577715162aad8bba365be212485535e0f874b1a12fe2df

SHA512
8227a1e4122ce79d02ff339d0d008c9736a6bb8ac52926d0422798ad4c62a91c9b22690f2edc4cf2c072f2be5fbe78d1df1ee5c35660d3891cd4f77f828f46fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
589c49f8a8e18ec6998a7a30b4958ebc

SHA1
cd4e0e2a5cb1fd5099ff88daf4f48bdba566332e

SHA256
26d067dbb5e448b16f93a1bb22a2541beb7134b1b3e39903346d10b96022b6b8

SHA512
e73566a037838d1f7db7e9b728eba07db08e079de471baca7c8f863c7af7beb36221e9ff77e0a898ce86d4ef4c36f83fb3af9c35e342061b7a5442ca3b9024d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
60e3f691077715586b918375dd23c6b0

SHA1
476d3eab15649c40c6aebfb6ac2366db50283d1b

SHA256
e91d13722e31f9b06c5df3582cad1ea5b73547ce3dc08b12ed461f095aad48ee

SHA512
d1c146d27bbf19362d6571e2865bb472ce4fe43dc535305615d92d6a2366f98533747a8a70a578d1f00199f716a61ce39fac5cab9dd67e9c044bc49e7343130e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ef3571485b17ddf9fc3fcbec6fbfcc66

SHA1
94e6f6ccae1a138bb9be680925bf939ad39e4415

SHA256
033eea762cf1094da8165e6944f615dfe80013cd4bda02543df0157f0e46fb4d

SHA512
755d7fa26cd171c42af1fe497d24e0ba897e8c20429da55ca870a050a43e4a22c28818f611f2244f1a34f0bd4bdd3fe70c7cafa3ffb6d2035ae0431dde31f149

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
57737fe3334886220a95da93bc046004

SHA1
7c7f72b27632e8271bc7514e79abd13b56b1792e

SHA256
16cd7679112103f97060fb538990a4384097e2f051317531d6dc4c15fbcae5fd

SHA512
e731ae9754a0ce2c807add5426626ee02ffbc0385ff8c321e7f3cf360c9298d13dfcba47a46b16e36d04cdf20e3ff74c6371cd2996aa2d82dc43af27eaca5765

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8b5d1c4d318aa290acaeb0ed5d93de81

SHA1
2363a5e4d3a1fce5268b68343fd89cc8485c7556

SHA256
5f79104cc94e16230a7b7f7e79c80d1b6e7d8082bac81e35c800291704252721

SHA512
447dda6cf4b05b2b4ec9d4b90b8ed2a754e58ecb9228af3115b48c590a3d7c63ec549ac1f835588ff90203aa21dd8cb20ab2d48b02751ef528573695f7fed993

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
edcd6d0c24b8f9c68d0c161160f04d4d

SHA1
13ab0f1bac84be587431c7fba9344ae572686336

SHA256
69a990a13ba08c1f45ab2155310391597b73aaec4099b135b06ec984c3c9788d

SHA512
0d3b8c958ec7e347c8e1ec8426b54c7cd32043db4eb9daf82c54c2549897edb919721c66245c33ce9d9629aa686fbcd611e47f08c7a62000de0aed312f5f6cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ebeb36646d99e6f5dbd5e9c1fd4f86f

SHA1
62e7a5f3b2e83fccac2f45246d8fd799a119f75b

SHA256
490b4ed1185735ab418f8104e3491914fad6fc3c8d4a584a7a24fca0c09ea229

SHA512
f3c1ea63b15ea1eaded7a8fd2fe6ec07edbf57ed86e65036e49a7d200e4ba6a11490c18deb456992c0b4284b11d2a5c4e94bda80a723f128666934b11d9c5181

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f51c591307efa4099b58807fca78e8c2

SHA1
5ffdf868cdbfcb9f67e53e79ad45b3f658cddfa8

SHA256
7bb8a7ef80058e530d95214e7e315b73b8d68b51d9b7867cb6e2fea00bc97a4e

SHA512
863046c712f60add11139c14978956cc57d1b975eb1fe19854cee68042c6e7bb379e75b8ba52118481e316e4883ba92b8062f9f2e413cbf28bd175f77db8a901

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f15fafecea90beb0706c53ceecbc32f9

SHA1
fe3f3eff87083721bf7fcc489a1e3727a004ede9

SHA256
32857cc133c354f1648acec6c6df8fb698e581cc217bd3b0a4a35ea6ae51c52c

SHA512
0fe1e60fe48830fbbd559f5920bcbf5c5dc953e995fa76a73d8881e538f03c2de061c7cd37f2fdf4cd3d4cdb966211b6d680278d164eafe14b7a7243fcd11766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
073e150b469dbd288a785b51e7a5388e

SHA1
7abf8f726ef45d2f95854dce06b41142d822251e

SHA256
05777be78c66982ca603a5f932f8546bebbc4132751a0f8594a77e08cfcb16f8

SHA512
f8a5986e26f09dbb657eaf3783f6a5dcb3121aba5c2ea6b71a117a955042e897daed6c27d0780efd0e1c36876b6444af0af4fe6b81635c9a520c01ee700cf408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___MUWV5_.hta

Filesize
75KB

MD5
44b6d7ef1cf172663bad97c508d2afa5

SHA1
0c6af769f4da256ff0305184ddb22f7be616e57f

SHA256
31c120f3d28125bcd2859cfeb30cae4b288f0f157fb05c665144f8a266ba3a9e

SHA512
abeeedecfb5793fe29f1310e2e8d73ddb9308510551dd9a6a430f3e66290178bfe2a183b6503c93b645d29fb8a377b7339878f19753a6b42fc782a0db4a3dbf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___ZBQLV_.txt

Filesize
1KB

MD5
25ec652c3cfa0822b00318e767d84172

SHA1
ef47a6a3fb9c6f7529474ca4998dd1e00bb8ebaf

SHA256
9e7f38d4d651892de4d7f153de3b41c17897089cb6db54f4e84ae5074334093d

SHA512
12e426ed2616456e0d0fd3c9c215568885e68a35a6b2a1d528f6b838fa120e2ac360b434b126a590437895ae42457127c55d2730de9f2ee0507719191b95a25e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lhmx4teg.default-release\activity-stream.discovery_stream.json

Filesize
19KB

MD5
2863652d12812c8062695d986abf50ed

SHA1
a31e107a9c79156509509c7032c8b84d27abc080

SHA256
93091b73d0e1879d503d5a88f6441ba86b9eb9b51603b8c0762cc1e88be36c3e

SHA512
caba8c885090c6490c883105b14c3d62b1f84c439e8cfa7ad876d4514fbdb9724fdf6ff22d8cfa3f9ccfa137afb7ffd62cf194ed62dd067c7c335f2832970afd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
9KB

MD5
00b46e22ad495f5bae175fb8e7501850

SHA1
c4d680158b315f83079431f2544cfe5c2ea4892d

SHA256
f460e740b65d915e3ef75c525de1f739ed87f4f2e9d522785f0c83978068a27b

SHA512
294baf308ee2b8bf895ebeada63ceca6a37e77ee93c0cb5aa93d86701c8e9f94179c240068ebc9b8797284b163618f0ba335259220ded0e6115ae397a99d9882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
c56b59f4bb265ef51ae37a434355acf7

SHA1
474c68614912f643c9df15e17c31c369e6f29365

SHA256
97ae8bba2f4711b3f9e42bc1cec74d74d4820acd181e8c0887c6fd22cd96fbe7

SHA512
c339b67b158f9ba6fa5847e7567722a0dc12eb8f514513d15bf859be0015f7392a87e15d739ddb2f57276839480d438cf3b45727e9728404f65a42454b14639b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
7d9b0efa38e0c1f58c8a6483ae7ce218

SHA1
7cb5e873879bc19c28953651815cafc94be40467

SHA256
13b337589d8ba71194950660de50382fc3db9c104338dfb1e15a158f1c98e1f7

SHA512
1907a8c53cb8346252aa26c4391e2b56299c6ae21fc764a8dd7984a9bdb28c1cc158a0305ae1710ff90730e592111bbbf750df829936f109c2fc1bde1e1a8d92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
51d52059b47ae599c703e5a642af5db2

SHA1
34d48dff0b46bca19bff0d3b643c82f4019ef605

SHA256
c047dd26cbb9ef6ed6128a01bbc0fa10cdf3ea3a1321decebf6ec1a11df9f91d

SHA512
e7b2fa2d8c4fc931c10217f069581f120738621ca6e56e2037dbf12c819407b6e96dec48c78f2f54792ee878e12a03d8ee561951ba907075f2da0465acfebd4d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
8be1cbb84e8ab93b857c2c137f78f33b

SHA1
afa8324a1a15a861dfdc7166637f72c50c975a34

SHA256
360f2d83ecca6352e2839e40d6094c65772313b31bc1421c17b8393ae1f486da

SHA512
4308c71b673223d6f1e788ff4d334475a1744e81a86e1d95aa1967f2c2c94f421d33bec790028fe9b7c0b4ad9c7c08185639baa82cab6d3ae9c278ab8bc6edb0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\1fed6d95-93cb-4bac-97f6-e311c6c7d329

Filesize
27KB

MD5
194c1cc80f2556b4088e6aa2eae7c3b8

SHA1
aaf5ec1d7e532f4fbb2d791d8f1280f359510c37

SHA256
184efcdb2ac08be46a8764ddd07221ac2d0cf3f49d933cf0f58c580c059aa00e

SHA512
1aee0a191507873c89793f6d550bb784df15b701f17cc92b4cba097a2be90aef71d019fa992671945bc1a451f2d8d22e583890477b14cc05d6c323605fbe1ec6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\datareporting\glean\pending_pings\e65da051-edf9-4585-ab46-6c3b316d5e91

Filesize
982B

MD5
d590c0660ab7967f7bf2b5e4922b37eb

SHA1
da54015d022db3258a0c2c0729f91236e6613c23

SHA256
c17f7b6cbc3a332817032286172727facd96851bd262486b62ee71f1c1237005

SHA512
60fec03ccfb1f278f5c08dadf141395783023d638d4a4109a89d0ed9b2b558ada59d414f324fa57b490cad78befb9b22af7f90a7ef7aa295315e883085d3909e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs-1.js

Filesize
10KB

MD5
1c36d1b3dd67d3a5c25eb415a82bedd1

SHA1
e66767b269ac6518d1374715d358e18d04f7abb2

SHA256
993eacaa9f2ea9c9afac2945a94b5b2aee425025ca65551d3f3d80924f1a71ac

SHA512
fd106dabfb7e4cb63668fc3f066a0951d3e9feab9de170ef5a155be0c5b20f437ef7b98442c9c4e3dd1b7a8da6b92dcc631238d2e612ecdee26dfe235e04475b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lhmx4teg.default-release\prefs.js

Filesize
10KB

MD5
3dca8b2a25075d8e289854aeff09fd4a

SHA1
92294fef8c4c2e9fd219e6ac692e64a0cc989786

SHA256
94e368b4f0167fed7e45e5693881eb0ecf32dc246918433680d8a750577e3b55

SHA512
b7cac4dc09e65867986cfb43c62aef93b008b10497c5a9731f32d7deacee17a37fa9a7bbbec6795963906893d64ec5c73b48fab3eb3aecfd42f77a8c2764faec

Download Submit
C:\Users\Admin\Downloads\Ransomware.Cerber.zip

Filesize
215KB

MD5
5c571c69dd75c30f95fe280ca6c624e9

SHA1
b0610fc5d35478c4b95c450b66d2305155776b56

SHA256
416774bf62d9612d11d561d7e13203a3cbc352382a8e382ade3332e3077e096c

SHA512
8e7b9a4a514506d9b8e0f50cc521f82b5816d4d9c27da65e4245e925ec74ac8f93f8fe006acbab5fcfd4970573b11d7ea049cc79fb14ad12a3ab6383a1c200b2

Download Submit
C:\Users\Admin\Downloads\Ransomware.Matsnu.zip

Filesize
62KB

MD5
0a3487070911228115f3a13e9da2cb89

SHA1
c2d57c288bc9951dee4cc289d15e18158ef3f725

SHA256
f73027dd665772cc94dbe22b15938260be61cbaad753efdccb61c4fa464645e0

SHA512
996f839d347d8983e01e6e94d2feb48f2308ab7410c6743a72b7ecff15b34a30cd12a5764c0470c77138cf8724d5641d03dd81793e28d47fe597f315e116fa77

Download Submit
C:\Users\Admin\Downloads\Ransomware.Rex.zip

Filesize
2.7MB

MD5
50188823168525455c273c07d8457b87

SHA1
0d549631690ea297c25b2a4e133cacb8a87b97c6

SHA256
32856e998ff1a8b89e30c9658721595d403ff0eece70dc803a36d1939e429f8d

SHA512
b1a58ebcc48142fa4f79c600ea70921f883f2f23185a3a60059cb2238ed1a06049e701ccdab6e4ea0662d2d98a73f477f791aa1eec1e046b74dc1ce0a9680f70

Download Submit
C:\Users\Admin\Downloads\Ransomware.TeslaCrypt.zip

Filesize
479KB

MD5
f755a44bbb97e9ba70bf38f1bdc67722

SHA1
f70331eb64fd893047f263623ffb1e74e6fe4187

SHA256
3b246faa7e4b2a8550aa619f4da893db83721aacf62b46e5863644a5249aa87e

SHA512
f8ce666ae273e6c5cd57447189a8cf0e53c7704cf269fa120068f21e6faf6c89e2e75f37aee43cac83f4534790c5c6f1827621684034ef3eb7e94d7ee1ac365e

Download Submit
memory/220-1574-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1360-1562-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1573-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1563-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1572-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1571-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1570-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1569-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1561-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1568-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1360-1567-0x00000245DA010000-0x00000245DA011000-memory.dmp

Filesize
4KB

Download
memory/1432-1530-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/1464-2099-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2093-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2098-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2100-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2097-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2094-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2095-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2101-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1464-2102-0x000001F3572A0000-0x000001F3572A1000-memory.dmp

Filesize
4KB

Download
memory/1596-2086-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-1671-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-2059-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1596-1688-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2556-1560-0x0000000000400000-0x0000000000447000-memory.dmp

Filesize
284KB

Download
memory/4784-2284-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2278-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2279-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2277-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2281-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2286-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2285-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2282-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/4784-2283-0x0000019FFB320000-0x0000019FFB321000-memory.dmp

Filesize
4KB

Download
memory/5060-1677-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1676-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1680-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1675-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1683-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1682-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1681-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1684-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download
memory/5060-1679-0x00000132A9B10000-0x00000132A9B11000-memory.dmp

Filesize
4KB

Download