cryptolocker | 4ea8a10216467c41d47aa6008f31d650c74918a3c7de8dd8b5a57de66aca4cba

Analysis

max time kernel
1050s
max time network
1050s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Screenshot 2025-01-10 185717.png
Size

5KB
MD5

e67033504810204d124433a8c958b9a8
SHA1

eeabb0c754e277b1fc0e4c3a7324dcbcd88b255f
SHA256

4ea8a10216467c41d47aa6008f31d650c74918a3c7de8dd8b5a57de66aca4cba
SHA512

260869b12895115484279765eae89c205426accbb75efa1c63063ae9458de4a94f1579ffc6990ef9e67d74f5a3c7479d20994620fdba2c12b3c5446245048353
SSDEEP

96:Qm3jh54FmrQZYnWFLANVbwxEZEHJhGwllZvf8cGG+RYRRm39qoLwi8vY6:5Th+FJFYVbsEZiSwlrvf8nbRYc0jiWN

Score

10^/10

cryptolocker wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (54) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC157.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC17D.tmp	WannaCry.exe

Executes dropped EXE 9 IoCs

pid	Process
1796	WannaCry.exe
1064	!WannaDecryptor!.exe
396	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe
1844	!WannaDecryptor!.exe
5412	CryptoLocker.exe
5244	CryptoLocker.exe
5280	{34184A33-0407-212E-3320-09040709E2C2}.exe
5196	{34184A33-0407-212E-3320-09040709E2C2}.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
104	raw.githubusercontent.com
105	raw.githubusercontent.com
184	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4148	taskkill.exe
4332	taskkill.exe
4836	taskkill.exe
4476	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133812812504774744"	chrome.exe

NTFS ADS 3 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 484244.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 814346.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
4764	msedge.exe
4764	msedge.exe
3920	msedge.exe
3920	msedge.exe
4688	identity_helper.exe
4688	identity_helper.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
2596	msedge.exe
1740	msedge.exe
1740	msedge.exe
4336	chrome.exe
4336	chrome.exe
5812	msedge.exe
5812	msedge.exe
5560	msedge.exe
5560	msedge.exe
4600	identity_helper.exe
4600	identity_helper.exe
3228	msedge.exe
3228	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1844	!WannaDecryptor!.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1796	WannaCry.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	4148	taskkill.exe
Token: SeDebugPrivilege	4836	taskkill.exe
Token: SeDebugPrivilege	4476	taskkill.exe
Token: SeIncreaseQuotaPrivilege	684	WMIC.exe
Token: SeSecurityPrivilege	684	WMIC.exe
Token: SeTakeOwnershipPrivilege	684	WMIC.exe
Token: SeLoadDriverPrivilege	684	WMIC.exe
Token: SeSystemProfilePrivilege	684	WMIC.exe
Token: SeSystemtimePrivilege	684	WMIC.exe
Token: SeProfSingleProcessPrivilege	684	WMIC.exe
Token: SeIncBasePriorityPrivilege	684	WMIC.exe
Token: SeCreatePagefilePrivilege	684	WMIC.exe
Token: SeBackupPrivilege	684	WMIC.exe
Token: SeRestorePrivilege	684	WMIC.exe
Token: SeShutdownPrivilege	684	WMIC.exe
Token: SeDebugPrivilege	684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	684	WMIC.exe
Token: SeRemoteShutdownPrivilege	684	WMIC.exe
Token: SeUndockPrivilege	684	WMIC.exe
Token: SeManageVolumePrivilege	684	WMIC.exe
Token: 33	684	WMIC.exe
Token: 34	684	WMIC.exe
Token: 35	684	WMIC.exe
Token: 36	684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	684	WMIC.exe
Token: SeSecurityPrivilege	684	WMIC.exe
Token: SeTakeOwnershipPrivilege	684	WMIC.exe
Token: SeLoadDriverPrivilege	684	WMIC.exe
Token: SeSystemProfilePrivilege	684	WMIC.exe
Token: SeSystemtimePrivilege	684	WMIC.exe
Token: SeProfSingleProcessPrivilege	684	WMIC.exe
Token: SeIncBasePriorityPrivilege	684	WMIC.exe
Token: SeCreatePagefilePrivilege	684	WMIC.exe
Token: SeBackupPrivilege	684	WMIC.exe
Token: SeRestorePrivilege	684	WMIC.exe
Token: SeShutdownPrivilege	684	WMIC.exe
Token: SeDebugPrivilege	684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	684	WMIC.exe
Token: SeRemoteShutdownPrivilege	684	WMIC.exe
Token: SeUndockPrivilege	684	WMIC.exe
Token: SeManageVolumePrivilege	684	WMIC.exe
Token: 33	684	WMIC.exe
Token: 34	684	WMIC.exe
Token: 35	684	WMIC.exe
Token: 36	684	WMIC.exe
Token: SeBackupPrivilege	4276	vssvc.exe
Token: SeRestorePrivilege	4276	vssvc.exe
Token: SeAuditPrivilege	4276	vssvc.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe
Token: SeShutdownPrivilege	4336	chrome.exe
Token: SeCreatePagefilePrivilege	4336	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
5560	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
3920	msedge.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
4336	chrome.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe
5560	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1064	!WannaDecryptor!.exe
1064	!WannaDecryptor!.exe
396	!WannaDecryptor!.exe
396	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe
5076	!WannaDecryptor!.exe
1844	!WannaDecryptor!.exe
1844	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3920 wrote to memory of 1992	3920	msedge.exe	91
PID 3920 wrote to memory of 1992	3920	msedge.exe	91
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 628	3920	msedge.exe	92
PID 3920 wrote to memory of 4764	3920	msedge.exe	93
PID 3920 wrote to memory of 4764	3920	msedge.exe	93
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94
PID 3920 wrote to memory of 536	3920	msedge.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Screenshot 2025-01-10 185717.png"
1⤵
PID:4936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffadaad46f8,0x7ffadaad4708,0x7ffadaad4718
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2972 /prefetch:8
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:2136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:1
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5328 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3640 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4100 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3508 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1448 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6244 /prefetch:8
  2⤵
  PID:2428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2072,16024365801705515496,10443366186224217553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1524

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3984

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:1796
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 135931736807608.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3856
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1064
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4332
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4476
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4836
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:396
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3648
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:5076
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:1844

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf8,0x124,0x7ffada47cc40,0x7ffada47cc4c,0x7ffada47cc58
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:2328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2232,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:4688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2304,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2488 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3344,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4796,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4856,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4792 /prefetch:8
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4420,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4472 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4400,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4936 /prefetch:8
  2⤵
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4868,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5188,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5448,i,11105709042159746208,6411715326269793870,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:2
  2⤵
  PID:5664

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xe0,0x108,0x7ffadaad46f8,0x7ffadaad4708,0x7ffadaad4718
  2⤵
  PID:5576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2472 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:5876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:6128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:6112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  PID:5368
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3468 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1952 /prefetch:8
  2⤵
  PID:3268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4032 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5312 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5820 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6036 /prefetch:8
  2⤵
  PID:5328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:5412
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:5280
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:5196
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,13395881308556796831,16245721322241193218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:1076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3568

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\!Please Read Me!.txt
1⤵
PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9532943b996f5f1ec5192b111f004640

SHA1
a6e24b4848bf9ce332d7b2389ef949e3d1fd97b4

SHA256
616b8e35346d166923809a444ef179558203f671bfc69593c842e15e74b51741

SHA512
6c34a92317f46dc37be072d38f8112203dbd9d6af4b3922fcacf155263a644bb00ed57ecdfbce163439ba14582920396f42f9aaf51b829c16b5919f689133ce0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
21b6afcc6f1e7bafd2e0e1d0d1c27be4

SHA1
76d22dfe506636930d0df575d1072892042ad20a

SHA256
4e48afe81c200576938a8b5b6a8de3fd8cde80aa8d3ed64c2a7c3439c28ec11e

SHA512
55b00d145275007be8423a74dcc3dad5337fed4f5b826d8c812a4284521c5d382fdd08cee6baef6ed92f1f635200a964d5b72c40d5d042c74bf543ab8ed67f50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
45c19ec47ee13dc92bcbae593d82045b

SHA1
ef18ae3950cbbc71310c694f73178f15d0e6c0a5

SHA256
21039e5777797dc516d4e654a391b439428523f16b8fbe228581ae7f4f5a7ffe

SHA512
8f66247d7ac9f991bdc05a605350210e18e05d07fdbe78d159a7ea9fb6e73f3a66439eed7bdbdd4ce2aba94fcca29cc457f0b41952a7fc20f21c33c59cdf2f82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
aaff4f2dd983d44207267136931a71a4

SHA1
413c11f209658a996cb3370d2dbc78e42a97ac5d

SHA256
73cb98dfaeea6bb10d015aa57bb93c05dec9b8fda706978c5084b12d077c649d

SHA512
483953ebf29610eb829ff81a8beed51147fa26e4c827fd77e97fba1838a80ddbd74c0a47f8dfeae92ec6cb20e461d85a5590cc5fa25ddd12e0f73ab39915261e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
da1391708e5202306d55fdb4e2fb5150

SHA1
660d9c3df2a30e202dce2ef603dd05b5724361b3

SHA256
2cbd6fe3a92b3bcc7620a43b0e6bcfb0fbd55ef25628eafc33f86886e6a7c547

SHA512
b9c8fe642a1398cf17db681e25be5b09876c4ef9441e26f6969307dfeade2b8c75005cf5d64655feb5a9b598de92c112dc5e228d798c8d88f23eb8c1dca54c53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
ae95ccadb560f7aca651785bf13580d5

SHA1
2fc59f852a28e4b3db1057c2483565d63bf80298

SHA256
5bf203c759e516766f0d5428ed729a4592e9b153fe8934c63187a38f3723e4bf

SHA512
490710b0e19cdf90e7dedcd647ebcbcf45061f3d6dd8fc13a345074354c895de20ea26c04341d18f5ec8e58629c18847068c465e97dacb44408c08f018370c37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5c5f4e.TMP

Filesize
48B

MD5
5efaf5d6d662725d99b78e68c3616e08

SHA1
be13972fe93fc71e8e92aca93b9b6533bb69bbc3

SHA256
783374e2ddaaef6abe7d3e992cb3a83f0baa12f8970fb8abbf40033e2cadaff2

SHA512
b8aecf9efafb6d455a368ad59dd1273837a7b7791d58ddd0220c310e5c60c867b2a96f0c9e9d48207bdb22affc25c5aafc6bb570ae41794ae0da31fb8693b1bd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
230KB

MD5
6129dedaae1fc257a8d2a1428ec305d7

SHA1
e6da256f356b95e09064d3d8b8b0fb6d86db6c55

SHA256
bf116ba0026a9a7787517664270d2f7d32d2b34cbbd38d880eac8da4ee8ff8ee

SHA512
369e73d611027f4e6681f06b7e3e75dc0bad66780ca1677b4c338937f64cc7e8a178d51a837880ee2af31177911d0b66147ca562056efec7402287a3978eba14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e3b416dff51ae4c43d04dfe53a1cfb93

SHA1
ca5c9dac3fe3c94ebaea963626bf0682c074f8c1

SHA256
dfc8600408427b9d6c23235af513905c9154530670ce75ded3cde42bc7df9993

SHA512
cd7432270e7e154cf4297139bb40af4239dcba456aaf8b1c8ca8ce8b9228dc7f3f2f9833aa54e583af7f98c2349ad1e6c8bfb71cbe0be4fc3b11c11e6825d02a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
637bb1a02e76d05efb9a2015b602e35c

SHA1
219bc46b8532e8cb57e687c8dca32c6987da37d0

SHA256
cbce373432fa17352ffc8ef27ff241f3b1e606c7e0b03b235a3b3c779c35dc35

SHA512
beddc55a4d300a2de7f26925d8744a9d8a7e35ac6939154618f02a8f8a0a105089f2154f0c822938b19c4bccbae188ad42d774e24a1ce0298156c6a8ab26b7ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
20KB

MD5
8e7ebded7f0ce6fa732cdddb907fb249

SHA1
b21ad396a0d0a73e0f839d21a50664a1034253f1

SHA256
8213a00e8a037b13d0e30e936cf94ee04f1ad72c29a0e26cbc180bfbd3791a2b

SHA512
25092676fd31505bc1d81ef448a2fd6cb7124bc7ca2909486eb6b9f330a57aa1f2e9f279cab3ce3ad45327d175944a9c7ea4b843784d0139604e630d9c4c0141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
75ff9805bbca1974ee1b7d7bbd51d614

SHA1
e53a1f48ac108fe0363da4d8f49968c66d828bd7

SHA256
7e1890210715c1dd9dfae40ce0a846796f4fe7e104320fec4e7ec5e0d880dc23

SHA512
0099459efdc6361687d939f37c3e13d31f27dde60aec0a6ea44b0ea169bed2f79810428dd845baca8c39c7e3ba344b65ac7a02f7494bfbc58a1275e6b4e7129b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
76bf0446cef3f281ecf4ab6f1ca9c44a

SHA1
3a5a872c8592f73dece0597bd63b0d90e5ccc2f8

SHA256
83128b560455a67b63e614db6c9248421a763bd1691ea2f119e26a2ab4275368

SHA512
89cbaf0720630ff5b1fce1ea61a7a562f04f760241e62100f80fab122a9f908b2c2525a3058734a822dba03674859e56e0f34c753accb4aa4051110e02189a80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5d17c1.TMP

Filesize
3KB

MD5
3b6c8e353e2d2e87d6c0a49de8354e0f

SHA1
9ca386bbfb6102d642c888ee5edaf8f198609fee

SHA256
614b291aeae85489886c52d794c7f4f19a68cd1219bddb4b14126da4d874238e

SHA512
342c62a54912eac64d1dd4cc8f1b4cc917ff84c8979e4e6fa607af7d7cfea8db253f239f4323b81eab323db61244a17021bbcb3ed913d822bc5db75c23a85408

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
2b1ae25aaf5f515dcf28a58ae197f5fe

SHA1
766b2d1091faf35653c0205f16b83054ac02e49d

SHA256
7f73ac06fecd6944f648cd8809bbbe5ef0c0b17d97666ffc53cd331bce50c96a

SHA512
0eddc68710f31852ba96062b947415b56dec34f419c95f9ad65a8d13293e44e1c6bc20a545dc008ac80164cdf1819a104b8b2bccc0243045a35935837f47dde3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
ea89b1c9ce781b11d835e962625ebdd7

SHA1
e8b71af35a52f96f019ed80ea38eeca075d9b9bd

SHA256
6c17c6c3b761c496003b3e22cbe27fde9cc880a530bf22101f48322d6e42b994

SHA512
4b1e3d8e24c8bdd7d95d5cfa4ab6a23bacd578c5b3388d0cc35f4ec75c3568600e524acf65ef15444cd6299cf90ecb19f23c38269997cc8e6e74100b237cf913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6409dc42f91cdeb2dc558a6549627741

SHA1
03f46527fb2c79464ba664f98d5c3ac8454f86a7

SHA256
c4d8ca5a73e6982ee66ae56265cd33b0ef3eac11e6b0a845a19df3240869f7b2

SHA512
d79bc2d221a18208bf4cd6f3dcfeb6611c3a9e46f2ad16372113030bec4962e565229ff9834ded2db51416b76bb91c952ae41f98c390603ed4533c6a701be289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
6f3195bf00e8c957989ba3f10fc20d60

SHA1
269d88e312d3f28486e096faae465da2c2a26471

SHA256
e8f35ca830b6d3f048b5fea9ce028cce4ceef4083a8c6398651d9da0dab9fbf4

SHA512
d49830e73fd236ae068e29459c397c4a7eeed6a6e62bc6680689c2a42a3b953618a9b212e6b17f657cbad7f6680387432dd3cffc1ed27b95c994c6131bb963c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9f39f70e5657611ca6a1b1d5092de405

SHA1
813333a422ba311d8c5bf5f581d8f5cb0a55e4c4

SHA256
c54967e8dc5e63dd08da2eb3fb33ec7ab9efc671bbfe7d7286a75f3ae4beca4e

SHA512
0bb59486435eae2360e96de59ce8df5af6a75d26ea47464a66b7f7a291cc17419cd8b4e665c61150b5ff1c47a05dc1281963dc84e26fcc289a42594f06f5c78e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5774b30f12d704cf5c8488fe089667df

SHA1
f303a7b8ce39a45d3b2e0b223a1d878693c5f9a9

SHA256
fe0841b9ff9c36cccfb56005177d065311b294f29bf8d06eb77cc9bf0c4f3c55

SHA512
78312b7fd7b315ffeaa890c174c558f23ca002097c57235795d48e16a045446d9bee089ba18f32056eabfbccff4beb193711c91e8fa0bde31bb2f9d1da95a4f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b077bd475c14c33a7c135e098f228562

SHA1
a63c19bcd63fa66dbe3f3c8e24a9a746707f7c13

SHA256
129a0b7267c55f6b3eea266c9b8613c7e695e37aa0c23bfae0373888c8430a54

SHA512
8d8fde21dd6a5486c47bcc7add1b48ac1e4d16f7c8c5b69e1df8152eb0984f33d942884d6fb442f5255e4404b72b779f7145c5b5009f97b125dfe4988024d715

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03d2d5dd39e78d85f6e34987958cd733

SHA1
98e59f5d4d97650ae944f8266306a78d0de0fe12

SHA256
3083b60617100e4a4a52e78d6a1c4fd02557886cbbe4e282685c19406a395369

SHA512
b608d50282079c8b3650f19c7b7fd21d24ad77b46699c80276ce15f61241296f720c300065fea78275191e9bf7be5ad347db88e48c1d6f12929def6916d94dd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b93da30e8a586054a7e3171620ef8be

SHA1
03c20f6853d5896a576d8f9b6cc22ae59a15f8af

SHA256
bc91badab5cc8846d143a67b93b9673ba47d454ae7e62ee060d466ddd4486677

SHA512
56b421ea1ad79bf68615b2a5996de399000c4a7a680207dd2acd49e8ae5c3e21d79d6a68e0fad8ffdcbf517abd604700c00d214d940e5d2aa58960d2a187240b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
dade6b53a13530dd30a321a76a5c0f50

SHA1
f0ebab62a9fe9238519935d87a77f05459b8c820

SHA256
6637ef58dc90bc5c97608035c93775380cbc4ed4f81a4bdaf4057bc7e1ef5bde

SHA512
ca6bfb23a2578164233291903d80e2d2e63a1130aed7cf76be8d100b4d660fd852ec18c2a4742feb59225208acdd5aa628b126e76984363de885ccef56ed95fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
626248dd5fbac6a00a8d2ecf73be1f3d

SHA1
34de62b5443d4d5b96d66593263eb482af8f2c5b

SHA256
402c5281454fc7916c28ae241339672fc7ad217ca4b8b150061fe85bdcd13ef5

SHA512
49fab6c27a6459de59a9ce1eb8387707e7b42970eed6b0251489646279c3474d64fd26913a065f1694ea4d0c833a29cd2e4e3fe51a27f1f9a1ce82252797b456

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a6d970a432edfed3da12be7c3d24c551

SHA1
9598c302ead304f5ed9f56fdd2b708ad9d3adc7e

SHA256
748e3a414653503c7f27f079f6dbf9709f0ea9ac004059c4ef6de0d9d1152275

SHA512
4b60387e59ee978f6986c305613b76cda812bdd6d217b50dfac549dd762046b73385a88b0a8a705f6ee17c227042398a9b7ab033cb24205fac4c24936eb8dd61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
75ab560879e2d347c241f5adcd2d26fb

SHA1
b3379869ba690a4ed525c9d709b1f4660c6a2ec3

SHA256
76ab1955c628bbddae52a45b37aa9849d967efe9e856132826d45fdadc757aec

SHA512
784a9977be144d9efd3d74235365e5f62d640876cc3f638d07cf552e0945496a5bba79463611b93d5a110a390fde10dd6dfb626f10f7c79fa92f446a4a082523

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e621230d56badaac97ed69227b37730f

SHA1
34aeb4ceb37bb722a300e644cb931185845907f4

SHA256
055124ab2b2b4ab073ee7fd8b0184143ffccdba701e662a7bb4fa4f6913f06c5

SHA512
48a00a7229bc0cd03c966229c99d9e3230b34f4e40bc0aa396ff6506ee0c61961cee1e9bdfc46023eabdc055d5452e790b237de39646a9651eab9d010d5b0cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ff30426c6d1e1a3a5fdad62117671f12

SHA1
e759c97dffa517c5bb7d8e69d9c26590767bb9fb

SHA256
69f573177af6e1847ab9909ff3ddf506410c750002ba9bdb6163b8f600544845

SHA512
a636fbdf91deaa6d172240bfdd6705e5b182e3f91611cbcb9b43c5164a174b3bf693403f76a3e38a8cc69623a9a9669647dfff1909ab1c61ee3f8823bd55b30b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7bf16904bbd35e609c0658b279e742c0

SHA1
d38c7ef201a138f499b6db4c15b46ced796d78cd

SHA256
e343954cb0f21296d052e4cd034ce991e29c2f6d30ee6d3bb8ad7271dfb69d7d

SHA512
d3522dde0484c13872c02d020bfb0c98e7ca1bb7f54cf074555181dede64e0727597af9669a79c567a1e943cff3c87768645a6e3f722942b19195a9df16a45ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f60a3e9387496c5eb8be82696e71326a

SHA1
a4d3464e6486d09ee580efbb5efef8c1baf2e57f

SHA256
1f2feaafe34c2db18ff77890bfea5ec23d326201f04426e02aaf9f9c1c6af5ce

SHA512
e35e8d4c046b46c38c075ad6cbe5ff2db0866f44d6c9c31a11891a04c5749ba03e774f610622a29171fb9b14ad95f11768050388690746b7646b0fd9a0edeab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
002700d56d5858c6a430e960c865b204

SHA1
cc4b19f8ae3dd66441c27dae815ee1ae59376af8

SHA256
f629ec99916b64296685838886eb5bf1d2b72f25e89deea93f738b66c9f139fe

SHA512
592fdc6285a33c9c804707aa6b22328f2ac6297c0ebbf1d26d71c88ad14826372e001a75c70146406bce390df9b985bc0ec5215ee2657f7be3bd5bd8b4d755a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0ab692fb8b3858d7c8d18e56f144077a

SHA1
832fccd023096c9e60d9baa0e1c11dbaee0e2ce8

SHA256
0dd59f31e5c6739b05f6f933b2c04227b5c99e28d9a6ea72c8ed571372745e96

SHA512
57c9e3b220e74bce229492a6d485a545fdfeb9c0495e4baa5e7b04a03b75849af372379a0c924c27fd6ddc424adf7e7bd51eecd6b1e4a9c1ee4b92a5811167fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
538741f1e178a31dff2ab771cc690965

SHA1
30b7820bfed52f8f52f534f98c2f6688615819a6

SHA256
3ecce902d9487ac5746bdccf040e2de9bc260b8ea829b1db065c3821b6f0f79e

SHA512
00cbef2c9cb07d1effa5890bfdde9f87c900ba6d4a1d7fc359d495573fdc3f726db7021a379d929af3560bd0fcb58527f48413bd008763eaf35583fc81dabb6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
13064aca9f34f13aea7e2d43aec86e84

SHA1
dd2c7bfb30d5505315d74d699274e837dc0da8ec

SHA256
688cf7f977cf848b88e9d9d945a2c0364018f7f640a650197972501f22fee22f

SHA512
1bbcd78419f52b1c89eabcda7d209e1006e1d08a8c2eb7a8f14f7f3f4c8baa175b45367b91ddb4e7eb628760220618bd61e2039df706f19cf19ecfdf50035bdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
43bff6a3882b9e6f37b01416a7cd293c

SHA1
e63fb978c0a5880d22a0e8b763aff97dbea92c20

SHA256
bbb1fe2f20d2a3b68c72f0257c8dd80ac8a0b3181b36ca797838ac774df6a150

SHA512
13081cfb1860027185ec3e4dbe5ff3363cc8045f26c5b6050cdcfa61a1f8bf2ef60df157615b3ff18950929da3543903370c4ec933b1b4679f9aafe3320cc78f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
263976927f550a52383e8b9f11c553bb

SHA1
54d2a3ee0e1b052b0323f12447ee28b765e3ac1c

SHA256
a862078ac59e33defb5152581e80055d7a1317a2059d37fef1b3123c28342095

SHA512
7387b441a2a70204ae8448a9ec857f4655bee5d5cebb7384822797c97c3d23d017ba7cd8da31d8074239cfc8825a40b4382b27515f96e819f67663dd2ce93ca6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0efd233f70293c569d0dc3cc84b18f37

SHA1
ae7db458e03448e92c9e6a29aa2aead71f2cb95c

SHA256
73a1dc0665db8ab37c15afa158b1e7b194a25789069f3fd3bf662d584aed9c50

SHA512
3f1d2e34671106d603a167e76470f94805bf05c73d5fd24fea3e092d79024d9c7403bdc4593f619fdfebfc120c81b9f983b6d0298010c1656c5be4ca794787b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7852e75e270488ac4091009bae56b511

SHA1
bdeaa1fd0d7d2b2e5f37193aa7cbba73c0e545c6

SHA256
41da2389685a63406c10abc87f0317310208bea32e831509cec447efdf2c226a

SHA512
01696135844288c4744dec78e930600243a5c5c4e9d8d1e273e99e156e7266a687490dbde730dafbcdef45d1333d07daaecdc6daea597520826a2e87a4611b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8a632571b109250270f5330cb4bba593

SHA1
d4a4feb840df790ee74f4eaa3c570ed8d91ff0fb

SHA256
e7ff9e4edd2707854d2714057604d638e6f0cb97829594514d22975a245546e2

SHA512
e2d20a8467eabbed125ae50396d200c943af1afe8a6083ac265d1cda10a4c1f6c6af5d60d0eb35e5e94c3d3297bab9eaab36a113911dc1f95fb350d39da828f8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
925f4ab31af8ec244b570685623e0a13

SHA1
ac8d78b30222ba575f93470862ee45d6add9a932

SHA256
612c836cd6d20f94896ff0ae6de19ad85b3eed7185ba14b0d23d3ef5ad486eb7

SHA512
ae5cb1aff030a71eafbedb82812a65cd61e69995b9a3d41c8cd8c72b0d4246e0e465402f95345f35e08658b727ad0c062ce667502510522ca3129defbf9b2a53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7ade410b6e131fc1b6a9354a9afcb26f

SHA1
2e6ee41bb577b4f929f7cc6c4df8c6877a0120ac

SHA256
c84801b246f1f509357d99164a7338cdc241d2ca7254154581df7877443002a9

SHA512
dc7304f26661b500320897c8e37916393188ef874877b3404cfdd51dd76877448450ef1148c1b1326196bee38bb8033167ded6337d33f30b3ca3cbb55fd13208

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
718d1b8104967f3dceeb4f480efc2b5f

SHA1
3bf62afc6cbdcb9e2a510f48f87412defbaa0830

SHA256
69316b1f182b3b0c2b09cfcadaa3946ce4fa51a3956beaa445325ef498c9ab86

SHA512
409dfa77f99c8ac60db860159089295f0421552aa7095853e3d8e0386354a4d6463850b5f1b29e20830d60d61fdfbf12aa43744a665d0a43285353b183e3be64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
395b00c79110aa8c5d4a1d05f0c71978

SHA1
d7b97543fa0672ba85ef6e77d59495a3079f2acb

SHA256
167a4c3d46523b9c7f19ee2a667afff8571d2ba2b5267ffd1237d77504793e0b

SHA512
0cbd9dd367c4806ccb85943ac72f7a293ee5cb9c7c95607151b17420b779b0d62c91157975ea19f1a440b4bd9b872e74e97e0317809b960394c768b637a5cb1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59ebed.TMP

Filesize
532B

MD5
55e965421fccbab326773ee4b910daf1

SHA1
8f658fef3c8e0bb9cbff957e6c4becf196212d43

SHA256
2a6415d54fd70d47520146c87671ae6f323c97ba1baf0f610ebc7b2b8a331a89

SHA512
e8702aa621327d40de6ad466b3a75b9fee07194fc50f8c20eb9cc78bcb8760a5d31a291398a9be5780f06cdf8939da99c91b94f39eb6d18192d0c0ffd53d15ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
0270ab320096a17e0adf14a708ea8122

SHA1
0446db3c4846decc6daca56e3a3d70416b308dab

SHA256
3cd1dc8d3df3f79f8ecb6cdf9c351229023bb23a2bab95324ebe023a74bb4b65

SHA512
9feac3da0460719bad97add3f5d33c1d003814f609b0005e9ae3a96b909e5f0c28568f0d2136d3ed3d98e7e84517b5274a6d9c25d9b8150b1bc11d2bb17e2142

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
889cf818e50fcb6fefd1646dde90f693

SHA1
075b24a6830355154225e1a36cfd97cfdee46243

SHA256
c25c1bf6965b10b0aff428bce12cc2d96a872e11357e6dccac926d8990ca9200

SHA512
292dd4e788372f6be20e6e9500be3297ab244c4de441d5c5bac77adf8e178e8ef5398111e5010e84ac45d4e0c065a21e848fecae7f33e96fa3f9907647e06209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
bc83e32fd2d09d3bb586a8bf5ccf4ce8

SHA1
ca053790d05e68a37c6178dfd04609ea4083bfb8

SHA256
be87966929330d77b15d224cc92e296b2595008ce94e7e687cff8992e687d5b2

SHA512
657d2a946093d606bf5aadd83531f04753a3768720fb8fc53cdf025543623e4cec319cf50220fdd6103c5f317cd233d06856524ca64aaf8c528c84e8e9eafd87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5821e9cf9a59e63e33981c515791e579

SHA1
0f337aaced7b7de5c92967be6e0ad516a69352cf

SHA256
6218a31106a76a606888fce7d4107e3b4b446ec63dbfaf1ef17afa279dfe0da7

SHA512
d508cf18cc05579fcfa9d6b6e2c411c08740cc8f40484a5dac778ac5de93a125b7cb8341c66117aa5f18a15513eb86a31d8b2098f212c79e5ca1fd19bfb9f188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5abd18a3a47de125b0d650301046843b

SHA1
e58b0a8c13bd616078335ff2c9d31ca2c726c5b9

SHA256
8360471533a9e1f59b94fcf074996b8a258be9b316c370ab1e367fd844735c51

SHA512
a830a612af8c78e412a2b569b66b6ea321124eefe9a1c151394c1ba3a7b9e654697df6b826961cd51adab79051124ebe9b017e350078c34b1c2b2c9fe950b064

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b370927e157dbe1c678f1bb5f764df80

SHA1
b463809eddbf046b4c9adff7be38d4eb2a098cc4

SHA256
24ea840009e2f046508fbf5eb662175b0f3d30e7a7c1e3d2be803f4ff0dc771c

SHA512
9d03e51af68d722e2f9554ecf05dbd75e1a801d33a76cce597008d261a62b5c64b7a5f641c35cd6e9d41b74f285db3c933ba62760bae45859ae1a986a92df359

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
833204d482500ad23dc0f738dfed5d0d

SHA1
42e53bd4613d0523b979868cde3a2d47754a92a1

SHA256
40d0719404458366dd7f60566f7a6da0a5fe65ca395c8c88dfd97c3e09162540

SHA512
d39be247bfba2627acbf690b5c9e492b53a39755716c4c6fd5b8cd2ee914f31d03e81a709b76d0cd57da74b43f45c7ee05b49d939fb523cc86fce9fff567e5a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ba242b9304f5f9c975482bdba8e5e14e

SHA1
1f817552fa267a2ef03479f681ad416bd5b492d1

SHA256
42f4d320047a0de85ab677765e2efc26495638a2f3a23105fd89ce052ab53034

SHA512
b6137b78a4ab5ce1936ea0ad323fbfa2ef14dca1f8fd32b80f8adc9afe7e748e4f4d74258c8bbedbaa0c9062b55de24b72ccc26db256c44e5d3100be2afc9c16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
274583a65fe6b9b9874eb891eb0acf17

SHA1
19c068ea4adbdf7bfe8729c603dcf8ba9249dac5

SHA256
817f4787ab03c4377decd864c064ec156a0b3f5dffdc70795908d37a81a556bb

SHA512
249d4ec5e10f0d61965d6ec6da27c0e620b362cae669f92fb203a06e4c0613dc57ce9c623fd4a19deb83cd0a9e5c6b2c7c10b33dd4f8c7e519db5fcca9758286

Download Submit
C:\Users\Admin\AppData\Local\Temp\c2d8dbd7-6e00-4814-925e-1a5a4846f10a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4336_1105041904\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir4336_1105041904\a7c4bd9a-1250-4fd5-a0af-42a9dc4275b4.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
4490f66ee3cf12f5ce02ef1f3bcf3ed7

SHA1
183ec614fc4a96597f4690bb1cfcb804c11bca5c

SHA256
943adc8cde664341fc5e12e353de4bd871405752c69bda6dadd0c86936a9db50

SHA512
a746ca2a1b73ea7557cf6b0aef5fc3c7e02fe0b40bb3f06ff650b8b1ea191f6b4c8db618b14911ab89b4f55d08d7afe79d38481346811e21a30b63dd734db2c8

Download Submit
C:\Users\Admin\Downloads\00000000.eky

Filesize
1KB

MD5
b2683e6295bffdae1dc6343f876cc252

SHA1
bde8ab07b34584afd64da3b9d16cb3f851cec3bd

SHA256
9cafdfce7b0dd4542bd1feec265a7c56051ac927094d66c7f75e31f285175cb9

SHA512
532bd3deeff53794aadc4d5e8eefbf7304360c55da0e1c7cd255d4ae4a7257e191279f37a6a9b252d5120dd37f225575af5467a492b05d135a12d557d612c922

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
2a89ad0a8344c192f03d8d7487b74a52

SHA1
aefeb0dbb6e39a23f428aafe31b4ea831118e382

SHA256
a463eebaa52bb272265e41f00c22e98555b65a631ac57a93949fc2ee7d4e5f5b

SHA512
aae56b22033388f96d3e496814670adf67efea86d025d96b39e55cb9fca338573dca2dbe925b71699da53f51312ec4b14cda7c22f7a4aed6f499e4ef52127945

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
d61c0d95ff72457669d6bc0f9aa14610

SHA1
ef143b030d4875899a52889f23caf173a430f851

SHA256
945c87308ab901f810195729703302c5def9e761f0fde8acc2dcd0c7db726f54

SHA512
4943b171c8e95cc58daa96ecb795fd9fca86896accfc98702d46ae39caebb397b1ab7af7c8fcf02d007f4cad73d4bcb504ba798e1695f4726439f6497c550a30

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
529c83b32fd73fbb12e56b6544a4acd5

SHA1
e57e4e167ea78ed817d399a6b28327d13a9619d4

SHA256
0be45cdd0ba0bc4c00a213930c7b46d950f52aeb69a2eae49b09b42a57abeda9

SHA512
75e45995ca44392631802ee7d243f826685f900e9d4bc664ccbad32c78fbc0dcfbbb54d7284c3f67eacf55e0505cae0cfabc4d04cbb8046193504eec7e1a1c9e

Download Submit
C:\Users\Admin\Downloads\135931736807608.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 484244.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 814346.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
32191904771d137455419e270427935a

SHA1
1b954da0057ddc93295e17dea8e0ddcefb5ec9af

SHA256
6220a244664d03c304675ac3d0036e71279a329b453317068a63cbdfef07a6f1

SHA512
169ae6df32d57831e8f4145386887b5b5d4623193fc8e3b7b842e7f35b0c5ddf83331b293e88f158c5fe7892e87c68ef3ecae2bf447d5e2209b77459a6bdebe2

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/1796-674-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download