cryptolocker | b8b8c13ef4144e69fc4bbfd729d9bfea22fc4baa21808e76815cd5b16768ed64

Analysis

max time kernel
1050s
max time network
1051s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-01-2025 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

IMG_0163.jpg
Size

18KB
MD5

75bdc13dc0b5e231a2961f694d1606fd
SHA1

ed92df0ea92fb4ac3499d5f2fe90d2e09cb964ef
SHA256

b8b8c13ef4144e69fc4bbfd729d9bfea22fc4baa21808e76815cd5b16768ed64
SHA512

71948be0cf77730a99fb6163c4878dbe659714cff6a7525929ce99de90060bc3b01002fd176712ec11d10629bb4735595c850c52cb3a7922cceb82065b05ca7d
SSDEEP

384:i8XQ2j+XkW1F5/jMRsy0FmLTtnIjYgRx52Tv7frYXtHFqU9sCaK6f9SFwe:i8Ud1n/jj3FmRSYckb7MtHPzaP7e

Score

10^/10

cryptolocker wannacry defense_evasion discovery execution impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\!Please Read Me!.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1 Next, please find the decrypt software on your desktop, an executable file named "!WannaDecryptor!.exe". If it does not exsit, download the software from the address below. (You may need to disable your antivirus for a while.) rar password: wcry123 Run and follow the instructions! �

Wallets

15zGqZCTcys6eCjDkE3DypCjXi6QWRV6V1

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDF270.tmp	WannaCry.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDF287.tmp	WannaCry.exe

Executes dropped EXE 13 IoCs

pid	Process
4412	WannaCry.exe
1516	!WannaDecryptor!.exe
1072	!WannaDecryptor!.exe
3652	!WannaDecryptor!.exe
2208	!WannaDecryptor!.exe
2668	CryptoLocker.exe
380	{34184A33-0407-212E-3320-09040709E2C2}.exe
1480	{34184A33-0407-212E-3320-09040709E2C2}.exe
2840	CryptoLocker.exe
1816	CryptoLocker.exe
2336	CryptoLocker.exe
2676	CryptoLocker.exe
4964	CryptoLocker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Update Task Scheduler = "\"C:\\Users\\Admin\\Downloads\\WannaCry.exe\" /r"	WannaCry.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
105	raw.githubusercontent.com
106	raw.githubusercontent.com
149	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\!WannaCryptor!.bmp"	!WannaDecryptor!.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 22 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WannaCry.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	!WannaDecryptor!.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
1084	taskkill.exe
5060	taskkill.exe
4988	taskkill.exe
4420	taskkill.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 732779.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe\:SmartScreen:$DATA	CryptoLocker.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 567252.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 948776.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 40904.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
392	msedge.exe
392	msedge.exe
3532	msedge.exe
3532	msedge.exe
4484	identity_helper.exe
4484	identity_helper.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
4352	msedge.exe
416	msedge.exe
416	msedge.exe
1932	msedge.exe
1932	msedge.exe
2840	msedge.exe
2840	msedge.exe
4588	msedge.exe
4588	msedge.exe
1848	identity_helper.exe
1848	identity_helper.exe
4684	msedge.exe
4684	msedge.exe
3012	msedge.exe
3012	msedge.exe
4392	msedge.exe
4392	msedge.exe
3120	identity_helper.exe
3120	identity_helper.exe
3976	msedge.exe
3976	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe
3660	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2208	!WannaDecryptor!.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 40 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4412	WannaCry.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeDebugPrivilege	4420	taskkill.exe
Token: SeDebugPrivilege	1084	taskkill.exe
Token: SeDebugPrivilege	4988	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeIncreaseQuotaPrivilege	4832	WMIC.exe
Token: SeSecurityPrivilege	4832	WMIC.exe
Token: SeTakeOwnershipPrivilege	4832	WMIC.exe
Token: SeLoadDriverPrivilege	4832	WMIC.exe
Token: SeSystemProfilePrivilege	4832	WMIC.exe
Token: SeSystemtimePrivilege	4832	WMIC.exe
Token: SeProfSingleProcessPrivilege	4832	WMIC.exe
Token: SeIncBasePriorityPrivilege	4832	WMIC.exe
Token: SeCreatePagefilePrivilege	4832	WMIC.exe
Token: SeBackupPrivilege	4832	WMIC.exe
Token: SeRestorePrivilege	4832	WMIC.exe
Token: SeShutdownPrivilege	4832	WMIC.exe
Token: SeDebugPrivilege	4832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4832	WMIC.exe
Token: SeRemoteShutdownPrivilege	4832	WMIC.exe
Token: SeUndockPrivilege	4832	WMIC.exe
Token: SeManageVolumePrivilege	4832	WMIC.exe
Token: 33	4832	WMIC.exe
Token: 34	4832	WMIC.exe
Token: 35	4832	WMIC.exe
Token: 36	4832	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4832	WMIC.exe
Token: SeSecurityPrivilege	4832	WMIC.exe
Token: SeTakeOwnershipPrivilege	4832	WMIC.exe
Token: SeLoadDriverPrivilege	4832	WMIC.exe
Token: SeSystemProfilePrivilege	4832	WMIC.exe
Token: SeSystemtimePrivilege	4832	WMIC.exe
Token: SeProfSingleProcessPrivilege	4832	WMIC.exe
Token: SeIncBasePriorityPrivilege	4832	WMIC.exe
Token: SeCreatePagefilePrivilege	4832	WMIC.exe
Token: SeBackupPrivilege	4832	WMIC.exe
Token: SeRestorePrivilege	4832	WMIC.exe
Token: SeShutdownPrivilege	4832	WMIC.exe
Token: SeDebugPrivilege	4832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4832	WMIC.exe
Token: SeRemoteShutdownPrivilege	4832	WMIC.exe
Token: SeUndockPrivilege	4832	WMIC.exe
Token: SeManageVolumePrivilege	4832	WMIC.exe
Token: 33	4832	WMIC.exe
Token: 34	4832	WMIC.exe
Token: 35	4832	WMIC.exe
Token: 36	4832	WMIC.exe
Token: SeBackupPrivilege	1816	vssvc.exe
Token: SeRestorePrivilege	1816	vssvc.exe
Token: SeAuditPrivilege	1816	vssvc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
3532	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4588	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe
4392	msedge.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1516	!WannaDecryptor!.exe
1516	!WannaDecryptor!.exe
1072	!WannaDecryptor!.exe
1072	!WannaDecryptor!.exe
3652	!WannaDecryptor!.exe
3652	!WannaDecryptor!.exe
2208	!WannaDecryptor!.exe
2208	!WannaDecryptor!.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 3304	3532	msedge.exe	101
PID 3532 wrote to memory of 3304	3532	msedge.exe	101
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 3332	3532	msedge.exe	102
PID 3532 wrote to memory of 392	3532	msedge.exe	103
PID 3532 wrote to memory of 392	3532	msedge.exe	103
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104
PID 3532 wrote to memory of 4040	3532	msedge.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\IMG_0163.jpg
1⤵
PID:1440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff91eb746f8,0x7ff91eb74708,0x7ff91eb74718
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3760 /prefetch:1
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  PID:4176
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3724 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4008 /prefetch:1
  2⤵
  PID:920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6328 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  PID:5088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6840 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1988,2646603025308819698,17727738524989447569,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3112 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4864

C:\Users\Admin\Downloads\WannaCry.exe
"C:\Users\Admin\Downloads\WannaCry.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: RenamesItself
PID:4412
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 51241737046444.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2684
- - C:\Windows\SysWOW64\cscript.exe
    cscript //nologo c.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4384
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe f
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1516
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im MSExchange*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im Microsoft.Exchange.*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1084
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlserver.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4988
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /f /im sqlwriter.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe c
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1072
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b !WannaDecryptor!.exe v
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3376
- - C:\Users\Admin\Downloads\!WannaDecryptor!.exe
    !WannaDecryptor!.exe v
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3652
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:920
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
- C:\Users\Admin\Downloads\!WannaDecryptor!.exe
  !WannaDecryptor!.exe
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff91eb746f8,0x7ff91eb74708,0x7ff91eb74718
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:1272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5648 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6196 /prefetch:8
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4684
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:2668
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:380
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000021C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5664 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=2180,9391139166516993761,1526432989654417904,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=6048 /prefetch:8
  2⤵
  PID:2440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:836

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ff91eb746f8,0x7ff91eb74708,0x7ff91eb74718
  2⤵
  PID:2172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2260 /prefetch:2
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:1120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3852 /prefetch:1
  2⤵
  PID:3488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  PID:432
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5564 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5128 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:2124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:2796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3976
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6272 /prefetch:1
  2⤵
  PID:3144
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2336
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6364 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,14742117197019590917,3360029385502779001,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6384 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
977e6545fd8d72aab30df3fa828baf21

SHA1
c8b5ec6a1ee5c179ffc11288d4dd1b88b9990f29

SHA256
d9c8314c69a953188db25bbec832684a8998d552136ad8c2acc6fc4b8a3cb90e

SHA512
036673a3de3a3ba68fb608e41cb799cba5837665c97f87c1b89a2e637c2328ac37e9d327a8e14beae72a362faf1c72d93400f24dbe03fe15db4578ee4f43d5c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8a1c4c06cf2a262d7c028dcc67718ba

SHA1
2565607fb5ffb276ccb4796fa39771db2cc29822

SHA256
dffa8cc1668585196a01eeaaf9bcbf4b34a010f64b17a3a5b02d5d27214f08a7

SHA512
dfdcf0aaf379472de3cda8ee4bc82dc40231080dd16b508fd64b43fe7deb397803465c653c5ccdd085adb68608b4608fcc33099e5553015ef2ff70cd22299517

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bdb6c1b951905d8d37c5fa606f2a5d89

SHA1
f634196172afd8aa48c95e8b2edcf189a354a086

SHA256
2e8c707ca183a2bc2f908789dace22a857873d22efda74c571c80e57b306f06d

SHA512
d081f6b166eb3eefb4947bdd88afaa1ce81d19d0bc1a2c0f9bea3e92d5f3becb74f852b64882304478dc415d32605fd6bb9ce143d3d471640e567d978b470a77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
20KB

MD5
9fa1d3f7af5bcfd56f11740a34493830

SHA1
8f9d54966becaf8258ee12f4a46a11c4a5bb85f4

SHA256
06825f5f6446574d85f5b01a90c29e40b79b0b060df38c68fef5e32ba49fc398

SHA512
ee35646f3326aea20eae0180cadcf27ee20a67fb87924e4331ae432c851e4c74b71490f004cc970a3b7a502a0400f501caf81f7773127da920db38a583e9fafc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
3c460e8844b9e694647545a72795b00b

SHA1
b9ba4a1678273f4a98a3982af28b64ae9a2148c2

SHA256
566493651a38761bf3062af797526aa601d0113ebd22042e5a91613f2b237536

SHA512
84516b3ff023a36f346b89187b7b56896ef77a8ddb5a5bed7aeb479816cccdc76e3d9ce1c45d06d51c1a1687aa6aebdd292510b5c18fa6ee98dcb5b863c82024

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
197585e2a657da699e0a86d2b8b0563d

SHA1
f13fded3828e6912b5b042ee0fc4cd7d757a8967

SHA256
fb6ec4b3257f48365dfa43c1216aabd7fc876bde2db1905c1541cfb52e55b841

SHA512
c40535a5f088934fbab66476a141339231cb3eb6c67c534ccff79e351245e95e35bcc59e132873b6e9c2961ee034937f4fa2b2fcd3c37c23c4e3f5098e8146d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
59ab8914cc6ca7ff49bab2330ebf4e9d

SHA1
eaaffb7970d8cd586b6fb7aea5f7fad700341f8a

SHA256
65b361f2d8c2879be667ce1fc58d7c48c0782cba8b620ba3dc879122afd92508

SHA512
f5015db6716c0d469a0a6111c762baa5bb158b0a92a7e3656de61627c2cef0b4cbd8d0fdc8d497a31450e7307ef70233b2bca2f6b93833caf6e447f05833593e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
67322b82d231cfa1cbb237fdfe360692

SHA1
418aea6763096ea18bc282f8e4a07dd189e1d033

SHA256
2bc66bee25df232cfa66ba1ece331cfc2edc32aa91655b4fbe05af402ef52388

SHA512
2c7f54f115d94539246644d7814a958107f36424347da79ad10feb4fecb54b675b48596f5ab30a4e944002e0502a5da459ec74e187fb2fa6aebb46963c2958d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9410a54898849fd85bcf895bd295093b

SHA1
d9a2e57e490fafbd982ffb62629dcdb8cf10cb05

SHA256
0ee7adb53292f3caec5ba40a2e06a0ae6584909a94451b2be2b0ca4f16ad4342

SHA512
cc2b0aa87edc1907efc60d815357bf0260c6d5399868bb9ed36a7ee6f50b013f4202bd0168e362e04f60fd64e7898bb53cabc95d8055a7f13c9120cf88200c2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c9993252e382f9ba6603c770fd670c6d

SHA1
79b18b3fc8cca1c09b0ccf6958893c7a7309897f

SHA256
47e574c36bde4fac661048a94c83108f8fde35023fad03b710eb44dba11844d5

SHA512
fa87a3ab305b87244ee317b2230425d3b11fd6b2cb75ca367cc2dbe1fb9a40d4d61372921d985bd912dcdf070c9138ef43bb7c8b0ecfeaf1eafa04d94c8f710c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
36536c1bc0937d32eba8613ed118d770

SHA1
95982e21dd4d121a04c662e374d5d3cc01b6cb50

SHA256
d02d204b1db1fc356e305803f80648edb696e1fd4033f2643afcc91cbb212b93

SHA512
e0be08a5c373a87a4cbef88fc43e461f85058dd05a86d37731f2fbcc13075faf21e5e7cd49024a119936982fa068e24331c6256b2c680e52afed0a278217c0c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe5cafdf.TMP

Filesize
3KB

MD5
f4f2bfeac5f91fe1a6a69dc1649fa36a

SHA1
26a8fa12fd581b906efdad4464ddd07a6f59c632

SHA256
37665687264324015cdf31103d4f62e426e5a1b6e56a9846f73d4a02cfec8b6a

SHA512
3f5233889e780a0012a2e1274e2acd3621d8cc9f434163cc3ca0ca880ce008c3df1ae62e4807ac642bb27d69f70dc723264f1f77982f818e1b314cb2ecef79ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
28KB

MD5
631da91b93b87cd014ac329b358ec2e9

SHA1
b0fddb5a4e078037452afbc94598ce264daea7c6

SHA256
3779fee716072c5b62fcc74b491bc1f23e49b954638835fadafe9a7d4a8a20bf

SHA512
b0361aadde1b7c63d4ce1a1ac9b521b77247cd35af67da544eb4e300fc3f6776cc92ed8951df77979688400d9717ceaf72a3328beb8741aad6283b6fb2f6e85a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
802399a996b9bfee65333805f5f7ec79

SHA1
2fb654783fe2e05e0133dcea8d9f70c6e31c2150

SHA256
d5fa3abb8cc1644c4666e692b44dd6a85bdbe0644b81e1adbe0f1eaf1928b92a

SHA512
b8bae4f741d0b61fd6b98af235cb2132f9d64ef40b82112746e192a1ef5b1b748c3ffa468e8e470580d26fc7217cbcd2145d9a1f52c9725a5a2cc1663fb9a6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
0ad681b504bf8f8f50986bd06be9cd95

SHA1
8dd04733a69aaaa6f0d40e4657ee793616aea262

SHA256
318b246eb558adc82bd67c978ee3d95296a91cfc7749f59dd83cddae4f5a5c89

SHA512
f51a42aadbb5e728a3e78e6d5b97edfd90a4d68dfe9b835a9db38263b3545361936d6a0dd86e8bbd689c9ebf8bd051267534106bb03a180e2258a33d2fd6e47b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
c2706debf1479d261a1fb79c24381b0f

SHA1
d226e3f139e59731f2045600f27e4bbd917eff84

SHA256
97e1c15205fab7013b79bbdde40e9cf6ac59c2020b8a596edb8f840998d39bae

SHA512
3e07222a99ae726855cbffdc0557385ee2bf7c82ffb615fd03a4e24fb833443778ac919ac330eff011ce7c7697a0915fa2ee25974aa94fa2eb18c9e1e4ff462d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
4KB

MD5
60d54134009a78474568322a64b3f580

SHA1
488086c6ebc2089adfc8cd17609c5c1eb881052a

SHA256
c5f0554002e28f331a6dcb2bd7f2d9f2a30ee81dfaeaac471dac7040b054f22a

SHA512
d121085c3d8ee875e5ac57c915d5e186de3767c98c566d6f66bb4471aa41ec443a6fca2367aebb2718a9b4d05c05ba24c8e05d2dba7b3ff39647d0cf454c0410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
12KB

MD5
591264464e20b42613128a673266b6a4

SHA1
ca2efaf10cfc92e32dd50395b289cbbd83b29f8c

SHA256
55c9626bf7ee4941f69cf32cccda6c3cafe5291936ee876593cc5392810efd94

SHA512
55dd5eb5f5c1285df8608aac52c169f30ac2666c5094480a593104cd02cf13541a0ca19bf8bf5d49205d713f126162e61cfbf77d58d2d5ecc829c4b4b592897d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
d38fe13d8604106d3b815975298275b6

SHA1
a9c85b89575db84524b990c2c92a214c30e2c628

SHA256
146af52b30944d618a90f04c22b09d2665a84a4521a97ff1adac59cdc30d4014

SHA512
9efcc210b962595a6805efeb0e48fd5c60c50506d8a0be484080ea986cb9c53c0a17a5952428d6b1d6ea5e44a2599a355b476ff9cb1aaec9461ac20f828e85cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
788B

MD5
7979b5a805b54e04c31b58df53f655fc

SHA1
bdf85f103f7d0c63284c270ba2b8543fdfa89276

SHA256
bc3ceac90db6837a54b3ee3d0578f0a4573a9733e2b2480971bee47bcde384ef

SHA512
da0898c606b389b4a4cacd6be22e6986b738194caf1d749350b93469ac8b9e2ff10023623daad49c632afe4fbd38fb9ce2ac97b885c1286df8bae498da925266

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
eec36012a2de6f9331d8a9ed8cb52e4b

SHA1
d3ef1823c77ddd2bd2ad59f85db49ada2b4a2391

SHA256
08e58b8f3a219c6982a581fd0a8af99bd8b17db5d15e4937456ef0f651185203

SHA512
d343f976c89ed8424837d3b8abe787c1bd336445818384bf8bb3661cd17f38847a2c2f5c6479d349cb94cf00df86c3943ac10e0db841014cbd219b85929b5c3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
871B

MD5
3ee82df0f8c19066885aecf092019868

SHA1
8a9d76f7371410ecfac4893c444900c607b1e649

SHA256
ba2e3177faa2e0a7b4253adee9319c39ef2d845216e6b86107adbc4d55506afa

SHA512
5abaa62073688251f3c5b2cc21f12abff3df6051620fc5b2934cd353505fdf49290b7f71d6b3815830d95ef6552a69ef934a859efc4c6c694a15fbeebbe14136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d2d58c3aa5972ca02f9e3b8d3e459b9b

SHA1
e97e00de95bcace6272a509d11373f67c01e24b6

SHA256
0d26222ad1dc9085ae5df3cfcddff72462b54041321c212af76270915ab7b613

SHA512
b61037753ecc26198590680d5e359c8943e02511433998c735bdac1ebc18aeec7078153a183c353f6ffdec8022a84238b7a038ba316b866a2d434b4e8eb9347a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c5b4ad128d11aa7cec82dddcd71c9d7b

SHA1
5f20631118e2b6a61d35a843739757714d8d66af

SHA256
86f48c938735231adb367965e25c83395cbe1ce130fbaba05d63193ba442c1ec

SHA512
443299fcd6d7bacf488c63e836dd0e30c882481018638772bcf17db08e1ae08c284ef0ee8fb460e635d2d7640d208418c58a3d415070b1a2f215c2678637a72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
9add0456078bd1fdd496bf239e1de3bd

SHA1
9a3774ab9b133ccfb4fa125b4d80a8c80d340cce

SHA256
4f55affd10a0e02cc4370acc563b02eb37684e915f2b2db356b86db62b468efa

SHA512
e88b7a2e8d0c179f83d75b1a5545c8911e324dda0e500f83be99d5b802ec0c183a85555429623cccb5d4830662a54063f6a5b52ce28ceeabfbbc9b1f469da602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5b75d9953bc49518487329c169842a0

SHA1
8c3841405c0882faf6cbd0cfe4a9c2135abb790c

SHA256
f3db057886cb27e87e69a5c0a352a90d4574248b5b7e16e16f585ca3b535d67d

SHA512
06d3ea87f2af907d3e2d4574ffc040c6a4eabf31eb3f7fd2c191ece8bad43e8763b3ea5f5402b7b8a803e46448830aa3af4c41bc429f6b348eb7b5a4702b870a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c953e65e01d2b7a52548ca933e2140df

SHA1
51eb441a666d96058cc106cc89e210d32acc57f3

SHA256
c6fbe465e1624f4b3ff64769a1392e2287f0719ba2fc6322bf158293e1221a3d

SHA512
a5dd038dfba74b9d4e50ccb2a5b653fa34ed592aaffd7d8efa6da58bbb899713ae1f22775afbbe5f8162a1a48875ca386c3eada768cd147c15f29bdc3c8bc401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d99c36e49a0b9250a3a9b0e3337c861e

SHA1
c33660534ee9f1a29282ab9354993cd24a4994d0

SHA256
11f20538e1d80e3847e91935dff6bc420104461acfb18f11db561bb9344c224e

SHA512
dfc8894a97e6c311191b029231a0056b222b6ca4b6cec2b46fbf343642de605832b7e7c325e74c3a9ecc71aa55c83f7020b633c0c4c2a2924249e1d171384bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1969d02de8e6ad6efafc8c7ec4c3f50e

SHA1
8ca1bcfbc2841f6b4425ee2fa25ea620c4f9df0d

SHA256
b623e7d432d7511e5142d4c5c399a08c0202655b09a8a6a7d61261fe67991e89

SHA512
7ac1edb0d711817ee1061f8189d31b8fa6f59d10f167d169f5459f49909902e17c333cdef4003de9c924563c6680511c958590cbb4200b6707c16191e249246b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0e712f1e3514ef2c3104838373edd85c

SHA1
effddaead98cfe43e69e783fe5e3376d7b1a6184

SHA256
61619626361a474606e672c3a090ccb7372ece07e4b55ecca3e751d2483097c9

SHA512
389b5f99d15df00eba2ec0959b1ca5a8a599ddd985757c1e562f81bdff183981366707ab4c9d9fdfa7410de9e7310a81da8209558d59f774fbe677b7cfe08f26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94b022b7a3d3a0ba8990214cd97969fb

SHA1
e4a6433838641724509eec65be7805f8e198167d

SHA256
eac0767cc78d80d05a7f7263854c518bd5fce9dc26307542ab9163dc6fbecb7a

SHA512
720c7fd82cf6629ffcd6b7fcc7c5c2491c9e0cb9140f790b483307188adc62b15923d2d25a9cec3bdf0f942d702a3d806202bcb435d673052e0c3d979bdef02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
95349cde2713cbce54e265bce33119c4

SHA1
77086e69e77893962249b32547c220e5e416a436

SHA256
3d3fc1966200acf3a5cd16ee05a58597b10777df603111b8b748a284f730da24

SHA512
f56a167e5e313d11b52684da9b196b3af744b8e7e198078cce8469e96a026db2aa9cb288a4de6e0263e576c6fd8defa460db40096cd1a6d803cffa579b75f21b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b8dea86ee0eb18d3cb272580db2cf638

SHA1
742750722b24e06902129f18d669b2961a6f9b9b

SHA256
9eca233aaef190791da802d06f22c2d261a194f36bbfa7e1a7d4d7f44560438d

SHA512
6b6519fdda15c9524ea748f28d0c3462a1cb5aa69283023e244060f5b37b85c63e2680dafe08539a1ab173d0a1b76502ee256fe4db0a959cd3c47f6b245058dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e33cc0154fd6112cf474bc6f9ed89b63

SHA1
9d483a024466e85d53f4bc7cc5ac5bda3313bd83

SHA256
588be158defea7077f08adefdf0519fb46737081c7871c6864213ae9ca4bf220

SHA512
19bda1f44e911c08c16e37becf2952066121ea85b053df8edabb0d58069b6891f78f11651746a3363652b286e424e0f103a5c80f258c1169cf50e95301833b59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f82bf175574b0d7aa0f386816e28b417

SHA1
b55712afc8030faebce24011bd193dbcdceb8e31

SHA256
f003eac81e47ffe4768b15f4969468c50237c27e4e4db64187f25328fdd65bad

SHA512
af083da0b5a83446def68ededf5a1f1563cb901bcf329870c0fa935046cf7d9b306744fb2a7bf644164ea9d90284632ed6d65baa6844a762385b2a290a38e367

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6d109d4a85d8899b4f1417090a359438

SHA1
aa7a42f234e8c356a96d19e6f2ad502b4b818f71

SHA256
13c3dc5b6780f6affd56234feb1b386c896c3df9b4123964504f12bb1b19672c

SHA512
bc7168344104778e60ecade225319d0abdb52060bc7e9145b32b97d67275d74d1f93527b1bfcf2db7eed2a38f3ce57f6e91e6a60f3d6ae64da8c4a032c5860a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
98924c02ab79ad1cba9356c84ab894f6

SHA1
3973a08c7700577f7fa2ac495a59a119ebf49c82

SHA256
0250b9d96a8a052b2428c8cc9221de7dc1d91d53a6841a8861d1c7ca7aeb3e31

SHA512
fa7a8798ac3b6d759fcb947c3811923434a415dac8a113340a705c8db59a1a9d11cb55a7afb5a0f782dab7eb125548a27c14e47cbacc05727d31e6f23c9e24ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
87b19c9755e10c8dba201c867c9bb8d6

SHA1
9bffd323a232ebf8d36c3ed615c281b3590c23b2

SHA256
e94f3a5bb7e0ab504993a42873c74308582f69f2d741d191f2336c42cda021ad

SHA512
56873441d441a0952eb78d35a497beb7da88cdf6abbf17e0d75f364f6e36d453f89a4756c83cb98ca51f7040972924b4599e072e8e0da57a339d7865eefd1b3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
de4b311e55b67d5209c497b1362421a6

SHA1
2205ae2fd7e87da140e71bc66c2e424caaa8d589

SHA256
8555f6eb85be36b5465517225341bac28cc8d073f469ae051544b1c613685aaf

SHA512
800b73eca63e6ff7dda49f81d770015518232c127a2be4fb3928be0ceebe73b2556ea99b039d4dc7dc482d118a884d317956e5157d63ec8baf0202c2ddb835f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13381519855610640

Filesize
16KB

MD5
f8797d9cd496e99c104ab3dd1ffc5829

SHA1
f960e10ff6426b2ac15fcc578c2123f37afcd3c8

SHA256
cbed32e19d40587e933fc2fff1ab8a9fdc49611e5eaab6858405f53a76b16689

SHA512
dc481d41c0e1b480ba14bb639deea2878a5e51b0bf168bf1594b25804d8247222a091fe812b090ce396ac8ff89f562bec70e5d178ba68971137f3a4e04198d4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
23765c1f0b1118db66ddbefe05971255

SHA1
8924001fbd65d7d030961489bfdb671a7219e45c

SHA256
fead79be5362fe9156930cceb2ea4ff5505857dab09dc0bd37218a7569646b36

SHA512
2a6e93e84834d25d33d1a78b06e8e59a8a0ffaeed982f8e6edb851412e5399ed100407a9f5bfe6e4fb42ce0f1a63716a93864bde84697d53448af39b44f8e5b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
0c30e8dc4ec173e60690245f7ac7138a

SHA1
9667035cad338eae1eb856cd862a677e627644e2

SHA256
f611415b91c6b3f87eec256d6e144b78ee9215204eb27f7136a44f08583598ad

SHA512
998e422e52b55ebc967ac51d5dfaa5f9965d3cfb107da606ad987fff6065f25fcfa0d3d2c41fc16e821c35c984932e724188892de88c2a77275bfbc7a5f92a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
16aeb5559cd0b69fcf12f645e1dd0a4a

SHA1
e84ba3d5bca4690e075467aaee9f83cd9a5479e6

SHA256
f162dd17a3675113387cd83084c46ba043f21d32855cd16578608ffa36498ed4

SHA512
3bf758356258741bfb97007bf83e9a04f421d4f1a001104b479ab613535273fbd6705fea4a45b059f890ef9bb1bb29aa28f54c5369a1313c759898c9502fb0ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4186dccb3f4f98722af717c1ac7b2d72

SHA1
1dccb1b0a02a3e5bac0f40f0115240e7eec90053

SHA256
7973f26b44e1415bc43723c7a297787c77911b12df6af2ee36aaef6b52a6a5b3

SHA512
8f5fcea1efed9ec396ddae90b851cfaa7d355ffc4e2138e255843e2506a279cd8cec8dca291d8674f98ffb469ac0ceb8b30850705e9a28c1008fe5c8f00ccc1c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f51e5ad1559d62d8b4ffca0e5b7b365e

SHA1
c40f4c06da0c9c026679055ac50ca6270cc502c6

SHA256
91c845aeb45469e727504db4a7885c664537990255f1aa7a74f68393431a4229

SHA512
3c7304a4b3cc7b1a69153b5481a87cafc616b66e9149b482ba936e1d3e98acadd54388c0589c8cd86518918dadcf76f3100127e8553c73eb22156b5009b520ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
64c4a31c9bf596e9c313f7e27d5c6681

SHA1
d2870fcc8371c2c0ca808c5cca5a5d7faee110b0

SHA256
4bb0ba0f2c1761d081ddd80dc3ce9403ed7ad251427afb66b8543d0e6b46dd94

SHA512
79892803f74d48604e88705a150bbc16c86ef019c7caebd928dc94cdf6b714945302849732814afc2932ac4af5f5e125aa6675793261107924a8303f45fbd84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec565eb4edb65c87e9f13d1b13087f7c

SHA1
1d58e8cfde7b2b687998345b65b352f0944eb2f4

SHA256
0ff9e1c08332cc6f219eacbe0589bd361ab78fdf915d65973042ba105aa0f1a7

SHA512
c4178c880c7eab87cc5460ede24cff941728bf88b8ac98a8a1828976a09c7ac406934865beb0187eda8a76279d8a36fd92be1f0cf1fd10b1e133d91ea6f4e75b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
60758360e629a30704a7234309d194d8

SHA1
e14716b4c489f7b9dc89d6aec1cc3a0a6188092b

SHA256
d778afb3a29b4bec9710ec40a935b9937197d82c78bd04e36ccbca3adf40062b

SHA512
15e0958ac239cbc8c26500973b9e82c6d2b2218e7d4563184ac1f1bdae283cd561c281530fb5a3278b87afc6927b08ad690074d793aa78710011a52a9e099b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3f9b180db684dd6738ad0f80c259bb0e

SHA1
6c4831ea1ac41787cb018242e33d787627e8fbee

SHA256
daa638032541863935734b7d686801cf55d6324fbaa0d0fa26ff2c1927d924f9

SHA512
dbb74c1f265664986ff52272d054fe483123aeef0cb9e4c4f3a7bf5a973a42446e7994e51c300d23d4bf23a46b961e482658baf1f0abbb0c9db578c68655c8f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a21b2972d40bcd1714bb20d0a072f62d

SHA1
0d3398f81c0ecefd70db20558e1e2660c7b0798c

SHA256
4bdd8288bf1ca644e11e136d4bf60982e9572afd73dd93ead96a22da99713266

SHA512
f3c24d9576be66f68f46952a3d143134b28aa7541a51c4f040e9f66b345e242b927296cbccee523e24e6a659cfe9716e87501b1953053fc6367e6d35af150ba7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8903e771fe9e3c951add5cb5067f80db

SHA1
8766396287052ff61da309118befe154a8fceb0f

SHA256
8273ac911b979e175dbc0bd0a9d30ef9af4969464bc288409531c20af4bfe58b

SHA512
bf0c6e32fcfa8c8f523edc6cca394d551e3c4c8226474cdf986ee8dd870f19254c0ebd62f1b317dbbeab6ea02b78beb64dd026927c4aa2e99046c923ff069083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
a9628696040e925dfaf300a0a97552ee

SHA1
e79e78082c7b971390c272d20057b1ba46b98ad7

SHA256
e6da611e9ddbea378c543a80cfa4809ed758a23c533ee3419b9370793cb35c55

SHA512
1b0c0f71ebdb170214c41aba637ce5f910a342fe424ffda17330b9e792b8aa1d5ff1a75493b6e9c587041d2c183eaeae88107f6a103289bb16ae4251d858ca52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3c5b7db1c96ef1738d74f4ecdde880ae

SHA1
0939f7d3bf5f2a437bc1f3d6862debeb1115c195

SHA256
77c9faa2ce6b950a64125515f0267941b6618837f91757630cda9ca15aa3532b

SHA512
c71c029b521aaf79bc046e4b24a6c10e75f783c043f4c55f0938bf7537cd169eeb5c214c068929a23b79630a4e6d974c53ed7811f320ddea6b81546af4962224

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e1264244cc944cb85c5bbd89a086034f

SHA1
0adc45ffe02f815160e6dd649a04108369c2e15a

SHA256
55a04d2c589ee3513b40839ab7b8d47e054b8d28a298850a4b31a4136449d71c

SHA512
83cbcde2196a1c6d7a6c5dbe2be65a0f30735d7fee1c7bff884a176a8de7e95cb43962e8ce130d8059521b51cb20adab672145459a569171f5521c65c7212d90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
03d1761833b5719dfebfece09bda9bd4

SHA1
dacc4e167e1064883d03bab5462ef064737a8695

SHA256
bcf9b00e87a0e96f691be3bc4c3dee70b56433d725275ca7cd8ffba63501aa55

SHA512
2e77aa268d3bd58213c95d2d3a8e4ad89dda4bab6e99a8619b672732696f24ab8b168ce1baca5a015b6a35f08cdbd6d25b21ef477564bad6d9f7ea63c99e4e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589843.TMP

Filesize
1KB

MD5
36439870c17985909e0091d66c427fce

SHA1
c98101d18aa99a2dc187aaaffc6a4fe6539eb573

SHA256
9693ed0b39602ca6acdab89de3eb06d0c9c559b0220c97d9d4673bd6673c9fbd

SHA512
aec172ada6a256e1c8f9a926684b0cf6fb39b693e0f45e203091a3bdfd70917aa558dc70e487c0f73b7df453a4517b92a5334678de20d8a9af90a5c6f48925b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
7dd84e229835c595755ee1e66f09afcd

SHA1
8d9e1e187479bbda1047ed979e912a5c5e21958b

SHA256
063a1a832defdd489dedc1aa787c0a546ce317df19fe0554d3f14ba3e6530213

SHA512
55e2dbc3d4cab23e9e1ddbc1dc144717a14adab4bf9008af5367cd4037d48dbdde8cde4bb002b1b2a596126606946f3fb0d839ec3fa453c47a0c4ad7593a4ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
e2acd9a2203e6bba2b1ad98224ade9e8

SHA1
87bda0b602ff4757bb839a155ab310ff37bbed39

SHA256
8992d2b9f8ef3d9f809bc9b8e0b3909f88fd8c11a11f306c62da99e2e2b4d84d

SHA512
67222aa0b61c57316f02cf501739b7bd232d251fef9031673930d898a3118cfe8cfb2330ed56a847c3dcbff19be71a1109f52d5fc1615f13c49675dc9e7e0c0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c9ef7417-ea3f-4608-95ce-2803c59eb1c1.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9e02552124890dc7e040ce55841d75a4

SHA1
f4179e9e3c00378fa4ad61c94527602c70aa0ad9

SHA256
7b6e4ce73ddd8b5e7a7c4a94374ac2815d0048a5296879d7659a92ee0b425c77

SHA512
3e10237b1bff73f3bb031f108b8de18f1b3c3396d63dfee8eb2401ce650392b9417143a9ef5234831d8386fc12e232b583dd45eada3f2828b3a0a818123dd5cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
945d679a68ffc8becb37e18f39c2d472

SHA1
dd1f28c22aae3c937bb79899dfb97a59952d38af

SHA256
e7c2a62776dd1a0cdbc89226de64870172fb80a7750ecf3c04f0a42c03655497

SHA512
10065c118ed70de125cc80466ebec79e72cceebe8b74c680bf1a60b965e9b837d2b1f9dd28400af4e376aa77d83c33ca01d9c22dd139a77370dd63ff03e6f950

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
51b67396ec7ae7b43e6d38f686c41cb2

SHA1
70bc86f412b7577a70d137386115363b5abc4319

SHA256
aa82e53cf33b91f56b304fb410fbd38b9f3955a16f4b457999f495769c91d46a

SHA512
e2308b4325b3e2643a3df1c004e239c841fcebc050cce06ab617fd31d01a17801f8670a2ccf800265dc50ba2914eabaf9bac6ce37de90c54506a6e2115e84258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
fa2185c6da18d3840e4a950b691bcd9b

SHA1
5e2359790beda865e126cac6ec7a31f01ec0cfd9

SHA256
7a07d293882f70a2cdf78347afbe25ec0078c06b5d093e3f4bb3b52a7a1adfbc

SHA512
1a9ce806b919fe31ea0c775f45e9e44134f92c2289230f7d83969b837bdb5a1a3a35fae2c0c3d067d736eb59f38ef7abd8c86f69ae713d8b205b7f0b1ff42d36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f54cf97eb841d1ed2b8ac58e323697e3

SHA1
f4622bf4830d64e5f3fa69697e15ed6bf0f12e75

SHA256
258e8213e6904251293c536d82ccc8887be11d5c65951994315a4b588c9c6f61

SHA512
2e539f5a7e90b7f6a478ec8249ed1224295c90dca0d4ef110864f9c53c816e2337103632cebbae359f30a4485f1347445f450528b143cca87eb8e892fe6e5db3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c72a7329324eec7c9ed9250aa35a54f

SHA1
231f7a034041cf8f861bc8a25bb2d896f4343ba2

SHA256
d6bc3a6c3070319a05ffa7335328122dbaf78986ba2dabfb7bd10a34e29db166

SHA512
a4b96ae808190941cbb7037e500357b985fda4ad45b802f3ed859c67494d25463e18b3e3fc9925161012c4701be96fff0ff58e607a82bf12783784c11da82c91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
0e8e453e668fea18a3d3217d26152ff7

SHA1
046ad979e4b0063bc29a5e1d94d3788d2b05df04

SHA256
b287143417a12e6d45d8c2834706a92c3cbb137f1433efdfdf20e427953dff30

SHA512
7e7b7019133babad28a95f06441408e59627d8f0b0cb1b4199d8e0b358e9681ee111a83f21305ff1a0d7245aab9a189fa2e3328a4cdc212c80433d15ba3dbc86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c77125aa63fc6d829d356a70b66777fa

SHA1
d1b186537f466b19537e8abf397a8407e91bdc88

SHA256
51cf3a74cfc9489140f901e6d1d2a7b49fbea470d9862d1124ed4e8ce70b0a17

SHA512
0785574b4c12fc1fba529d7169681e52c779b1b102c4d10104ba351b64264e32441c9fa52f8efbdcce1e53d5260c4f8c67d4c4ea75092bfaec5455e7216be2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
4B

MD5
2a5c9aec016c65bc668458f14536d75b

SHA1
9b054cf7d5621828a522d371ddd2cc4a51615a8b

SHA256
ef381116ab55a658d7916ace5a0dd9b944d8b71ff9b11d279d5d7401e3d33fb6

SHA512
a4bbd957f74c84f38e4a9d6c0e19848e4d0d80a55cae97c4122d154e029b15641715c0a020c7a75ab0af7daf91daaa3223d276db302ec3ea41c7de4cd2348f2f

Download Submit
C:\Users\Admin\Downloads\!Please Read Me!.txt

Filesize
797B

MD5
afa18cf4aa2660392111763fb93a8c3d

SHA1
c219a3654a5f41ce535a09f2a188a464c3f5baf5

SHA256
227082c719fd4394c1f2311a0877d8a302c5b092bcc49f853a5cf3d2945f42b0

SHA512
4161f250d59b7d4d4a6c4f16639d66d21b2a9606de956d22ec00bedb006643fedbbb8e4cde9f6c0c977285918648314883ca91f3442d1125593bf2605f2d5c6b

Download Submit
C:\Users\Admin\Downloads\!WannaDecryptor!.exe.lnk

Filesize
590B

MD5
1a253f6e9e627a7b1344e0085ad86e79

SHA1
0502007535936a7ac5f0fa64da39bd07591277e8

SHA256
0f608cd33967914993be7a9b17fac2ae9f1194aa2a93fff70e535162695dab34

SHA512
5ad22cbf36d5491eee520a7081ecb54c2595dd8093bbec7df437f69b4d8008b3501d0ba4e6d3deba45dd66d7423992dfc68ae38a5197c6930a2d2c1d1ea7801c

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
e90ff6faf99ea43436fc1778ff1ab70d

SHA1
2eeaef2632eca380ef82a71884dea2af19bcf47f

SHA256
ebd543961854f42311dfb30fdebabc33a7eb605ad46103a0a66e03a7a381972d

SHA512
107a41d1f969c3f67198c12520980bd475d53512d747dc1a0dc5929d49487a404c56cdf69023573f019e63cdda4cc08c9bd2e26bab9ccce6c896034db4ba06e3

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
5d33eda2a493024fa3b6741d1d30b010

SHA1
ed2764c64b2ff60f5ab922fd5520bbbef797e98f

SHA256
fd2cbc59a36c03ccaa7d2e07c96481d3616200b98f84d316f13f2a98a04d8f97

SHA512
b1a15b596cfeac6046eaa5a32e054b42881c8ba4530b545b377680403949759f27bb77dbd3293b162eb242fe021e05a3bbe670d38d144c9106c983f07aebce3f

Download Submit
C:\Users\Admin\Downloads\00000000.res

Filesize
136B

MD5
de0ad3e5bf03f130a45d08cd8be4f299

SHA1
b3f016119f17b6df3a9bea4e96022fad171e1c65

SHA256
43d5a6dfea672635d54260e568a8b726da39869e0a178a769e91abf5f258f4f8

SHA512
bdef450dbd386a3fcd688807f989f858641e763a10752bfc9073407e2adc2972ede1cb03daea8663e3448aabc977170196ba10c3168bb16d60f7721527f66fd0

Download Submit
C:\Users\Admin\Downloads\51241737046444.bat

Filesize
318B

MD5
a261428b490a45438c0d55781a9c6e75

SHA1
e9eefce11cefcbb7e5168bfb8de8a3c3ac45c41e

SHA256
4288d655b7de7537d7ea13fdeb1ba19760bcaf04384cd68619d9e5edb5e31f44

SHA512
304887938520ffcc6966da83596ccc8688b7eace9572982c224f3fb9c59e6fb2dcaa021a19d2aae47346e954c0d0d8145c723b7143dece11ac7261dc41ba3d40

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 40904.crdownload

Filesize
4KB

MD5
93ceffafe7bb69ec3f9b4a90908ece46

SHA1
14c85fa8930f8bfbe1f9102a10f4b03d24a16d02

SHA256
b87b48dcbf779b06c6ca6491cd31328cf840578d29a6327b7a44f9043ce1eb07

SHA512
c1cb5f15e2487f42d57ae0fa340e29c677fe24b44c945615ef617d77c2737ce4227d5a571547714973d263ed0a69c8893b6c51e89409261cdbedff612339d144

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 567252.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 732779.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 948776.crdownload

Filesize
224KB

MD5
5c7fb0927db37372da25f270708103a2

SHA1
120ed9279d85cbfa56e5b7779ffa7162074f7a29

SHA256
be22645c61949ad6a077373a7d6cd85e3fae44315632f161adc4c99d5a8e6844

SHA512
a15f97fad744ccf5f620e5aabb81f48507327b898a9aa4287051464019e0f89224c484e9691812e166471af9beaddcfc3deb2ba878658761f4800663beef7206

Download Submit
C:\Users\Admin\Downloads\c.vbs

Filesize
201B

MD5
02b937ceef5da308c5689fcdb3fb12e9

SHA1
fa5490ea513c1b0ee01038c18cb641a51f459507

SHA256
5d57b86aeb52be824875008a6444daf919717408ec45aff4640b5e64610666f1

SHA512
843eeae13ac5fdc216b14e40534543c283ecb2b6c31503aba2d25ddd215df19105892e43cf618848742de9c13687d21e8c834eff3f2b69a26df2509a6f992653

Download Submit
C:\Users\Admin\Downloads\c.wry

Filesize
628B

MD5
34b661e258edad90c030adde9d8b6407

SHA1
dd86815a6c74797198ef2fc7da1d1c1751635551

SHA256
48460fcbbf6300edaea20c1d53beabb47118e292617363a213a4655ff1cc5121

SHA512
5adb16d0d687b5c5cf66d2a04c4f9d47952e4733f5bc8f197d748a7f6c24920eb62aaa5b86d6d9f37567d3f44c9313405696e4aae7cfa10efa7f786a31108678

Download Submit
C:\Users\Admin\Downloads\m.wry

Filesize
42KB

MD5
980b08bac152aff3f9b0136b616affa5

SHA1
2a9c9601ea038f790cc29379c79407356a3d25a3

SHA256
402046ada270528c9ac38bbfa0152836fe30fb8e12192354e53b8397421430d9

SHA512
100cda1f795781042b012498afd783fd6ff03b0068dbd07b2c2e163cd95e6c6e00755ce16b02b017693c9febc149ed02df9df9b607e2b9cca4b07e5bd420f496

Download Submit
C:\Users\Admin\Downloads\u.wry

Filesize
236KB

MD5
cf1416074cd7791ab80a18f9e7e219d9

SHA1
276d2ec82c518d887a8a3608e51c56fa28716ded

SHA256
78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df

SHA512
0bb0843a90edacaf1407e6a7273a9fbb896701635e4d9467392b7350ad25a1bec0c1ceef36737b4af5e5841936f4891436eded0533aa3d74c9a54efa42f024c5

Download Submit
memory/4412-663-0x0000000010000000-0x0000000010012000-memory.dmp

Filesize
72KB

Download