wannacry | hxxp://getsolara[.]dev

Resubmissions

18-01-2025 21:29

250118-1bzvfavndz 10

18-01-2025 16:10

250118-tmhlzaxmhs 8

Analysis

max time kernel
445s
max time network
440s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
18-01-2025 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://getsolara.dev

Score

10^/10

wannacry defense_evasion discovery execution impact persistence ransomware worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Wannacry family
wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD706A.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD7071.tmp	[email protected]

Executes dropped EXE 28 IoCs

pid	Process
3184	taskdl.exe
1944	@[email protected]
4708	@[email protected]
2608	taskhsvc.exe
2764	taskdl.exe
2144	taskse.exe
3552	@[email protected]
2308	taskdl.exe
3144	@[email protected]
4324	taskse.exe
2952	taskse.exe
1676	@[email protected]
4540	taskdl.exe
3164	taskse.exe
2332	@[email protected]
4608	taskdl.exe
3144	taskse.exe
4756	@[email protected]
4988	taskdl.exe
3120	taskse.exe
2096	@[email protected]
4816	taskdl.exe
1096	taskse.exe
3320	@[email protected]
1480	taskdl.exe
1776	taskse.exe
3812	@[email protected]
2504	taskdl.exe

Loads dropped DLL 8 IoCs

pid	Process
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4080	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ykbbwuyjdr767 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_Swift.zip\\tasksche.exe\""	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
21	raw.githubusercontent.com
73	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	wtfismyip.com

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 39 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskdl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskhsvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icacls.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	@[email protected]

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3980	reg.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
928	msedge.exe
928	msedge.exe
4976	msedge.exe
4976	msedge.exe
1540	msedge.exe
1540	msedge.exe
4656	identity_helper.exe
4656	identity_helper.exe
4720	msedge.exe
4720	msedge.exe
2376	msedge.exe
2376	msedge.exe
1872	msedge.exe
1872	msedge.exe
4876	msedge.exe
4876	msedge.exe
1200	identity_helper.exe
1200	identity_helper.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
2608	taskhsvc.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of AdjustPrivilegeToken 61 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemProfilePrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeProfSingleProcessPrivilege	2712	WMIC.exe
Token: SeIncBasePriorityPrivilege	2712	WMIC.exe
Token: SeCreatePagefilePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeRemoteShutdownPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: 33	2712	WMIC.exe
Token: 34	2712	WMIC.exe
Token: 35	2712	WMIC.exe
Token: 36	2712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2712	WMIC.exe
Token: SeSecurityPrivilege	2712	WMIC.exe
Token: SeTakeOwnershipPrivilege	2712	WMIC.exe
Token: SeLoadDriverPrivilege	2712	WMIC.exe
Token: SeSystemProfilePrivilege	2712	WMIC.exe
Token: SeSystemtimePrivilege	2712	WMIC.exe
Token: SeProfSingleProcessPrivilege	2712	WMIC.exe
Token: SeIncBasePriorityPrivilege	2712	WMIC.exe
Token: SeCreatePagefilePrivilege	2712	WMIC.exe
Token: SeBackupPrivilege	2712	WMIC.exe
Token: SeRestorePrivilege	2712	WMIC.exe
Token: SeShutdownPrivilege	2712	WMIC.exe
Token: SeDebugPrivilege	2712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2712	WMIC.exe
Token: SeRemoteShutdownPrivilege	2712	WMIC.exe
Token: SeUndockPrivilege	2712	WMIC.exe
Token: SeManageVolumePrivilege	2712	WMIC.exe
Token: 33	2712	WMIC.exe
Token: 34	2712	WMIC.exe
Token: 35	2712	WMIC.exe
Token: 36	2712	WMIC.exe
Token: SeBackupPrivilege	688	vssvc.exe
Token: SeRestorePrivilege	688	vssvc.exe
Token: SeAuditPrivilege	688	vssvc.exe
Token: SeTcbPrivilege	2144	taskse.exe
Token: SeTcbPrivilege	2144	taskse.exe
Token: SeTcbPrivilege	4324	taskse.exe
Token: SeTcbPrivilege	4324	taskse.exe
Token: SeTcbPrivilege	2952	taskse.exe
Token: SeTcbPrivilege	2952	taskse.exe
Token: SeTcbPrivilege	3164	taskse.exe
Token: SeTcbPrivilege	3164	taskse.exe
Token: SeTcbPrivilege	3144	taskse.exe
Token: SeTcbPrivilege	3144	taskse.exe
Token: SeTcbPrivilege	3120	taskse.exe
Token: SeTcbPrivilege	3120	taskse.exe
Token: SeTcbPrivilege	1096	taskse.exe
Token: SeTcbPrivilege	1096	taskse.exe
Token: SeTcbPrivilege	1776	taskse.exe
Token: SeTcbPrivilege	1776	taskse.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
4976	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1944	@[email protected]
1944	@[email protected]
4708	@[email protected]
4708	@[email protected]
3552	@[email protected]
3552	@[email protected]
3144	@[email protected]
1676	@[email protected]
2332	@[email protected]
4756	@[email protected]
2096	@[email protected]
3320	@[email protected]
3812	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4976 wrote to memory of 3048	4976	msedge.exe	77
PID 4976 wrote to memory of 3048	4976	msedge.exe	77
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 1224	4976	msedge.exe	78
PID 4976 wrote to memory of 928	4976	msedge.exe	79
PID 4976 wrote to memory of 928	4976	msedge.exe	79
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80
PID 4976 wrote to memory of 3260	4976	msedge.exe	80

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
936	attrib.exe
2128	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://getsolara.dev
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fffa7493cb8,0x7fffa7493cc8,0x7fffa7493cd8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:3260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:1336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6076 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6372 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,15617520370332753983,4975956280036137743,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7fffa7493cb8,0x7fffa7493cc8,0x7fffa7493cd8
  2⤵
  PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3808 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4036 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2092 /prefetch:1
  2⤵
  PID:4688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4552 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,8254001025364939181,4275083098152959714,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4592

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- System Location Discovery: System Language Discovery
PID:348
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:936
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  - System Location Discovery: System Language Discovery
  PID:4080
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3184
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 323611737235953.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4184
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4952
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:2128
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1944
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2608
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:4708
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      System Location Discovery: System Language Discovery
      PID:1888
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2764
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2144
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3552
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ykbbwuyjdr767" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\tasksche.exe\"" /f
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3772
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "ykbbwuyjdr767" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:3980
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2308
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:4324
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1676
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4540
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3164
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2332
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3144
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4756
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4988
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3120
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4816
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1096
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3320
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:3812
- C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2504

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
f60e2d6cc936cd0978be17ac1169b6c4

SHA1
05523c3942f34ef50bf7310ecd800147b5bf2c81

SHA256
e5214c448d2562075f2ca66d9c459f20ca0c12c13603f9a61dc27f0684a2e664

SHA512
16ae3442a334abdaf93208b4bf310f5c5e3d17c4685842e5edf6856774e0e05bb0aa4304defc1d797f519c984d43ef15dcd216e67b71dd766cbe203e005a271f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
852b3c86a6d00a8d3060b0e512794602

SHA1
587d453d6f65cc18b93d7a337aa8469194cba20a

SHA256
4c284c3b63994d4c70b60f8aee3eb6a30299524a3069fd7a33b163bdef47d8b7

SHA512
5714749c9a80abcda6b4afdc2edd387d486d0011799e19f597a8a40be98cb2af405eecd0d38a39954f772b68508642c3ea51cd97e50222d3d78b68652783d683

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ad92cd4f23cb4c9aca348dea2ec6363

SHA1
7ffe3bc242a16d616668c46531ba45b9b8409cdd

SHA256
b4f9094535a0d97ad33d2a82dc9495a90f80f49a8ffc21f579e1713736b73529

SHA512
6d2b711739bfab13daeebac060d6c9b202d572ce2c8901092e6967ced1cac97111d040472db81b30d86fe8279a4433240b6393a832e5bf67a73619fd41187312

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aad1d98ca9748cc4c31aa3b5abfe0fed

SHA1
32e8d4d9447b13bc00ec3eb15a88c55c29489495

SHA256
2a07cac05ffcf140a9ad32e58ef51b32ecccf1e3ab5ef4e656770df813a8944e

SHA512
150ebf7e37d20f88b21ab7ea0793afe1d40b00611ed36f0cf1ac1371b656d26f11b08a84dbb958891c79776fae04c9c616e45e2e211d292988a5709857a3bf72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb557349d7af9d6754aed39b4ace5bee

SHA1
04de2ac30defbb36508a41872ddb475effe2d793

SHA256
cfc24ed7d1c2e2c6585f53db7b39aa2447bf9212487b0a3c8c2a7d8e7e5572ee

SHA512
f0cf51f42d975d720d613d09f201435bf98c6283ae5bc033207f4ada93b15e49743a235a1cfb1b761bde268e2f7f8561aa57619b99bff67a36820bc1a4d0ec4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
e47cd2ebe7a8945d65364b4e4e4bd1f4

SHA1
18396ac54f3a0a024b93755ad3f733fb04017195

SHA256
f4c83b37ca3612b279f4320154864205ef0407524005b266559324665856db32

SHA512
01ccbffcce65ac8f9b0faac1f85f2d1471d854be87a5c27eac25b8a7ef9f8bf248b38269a69a60beaa0535b8ec46fc140d68d34e85ab11e325c5b2df14245411

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
520KB

MD5
a2a0296907d0bf1cf39db2b09b6b3123

SHA1
aa4890ac58d79c58fec201af1f9b05ba51988457

SHA256
0ed7f3204534457044104ed9e291e124744bd5b15c3691bf44605576ea163a03

SHA512
f7d5ffc724bbdd8f979526c1cbdca5023c99f74481acb6294bd3a847758d6cd5dd3c8f946ea16d0e439f031ce8f91d74567d0adbf1464845b3657623dada5ca2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
c2189095cb2ad6c4169ebf32132ab58c

SHA1
8e8f93c207df353e5ddc47e5aa70955f362a92fc

SHA256
e307af6fcd1d817be8315ec41a13446c7c0844a102a9adc978c10d9ed46e91f4

SHA512
ecb5d22818f1072e927bcb1d422ced11378e39f5acaa98ea5b714a5de110873b9882c8bd371575aef75172f7c00e4c7d34665eb7aac0eb7c0b4dfb2dba294fcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
a805334653036083ae1afeb277a1ec05

SHA1
5d3ac71bcafd2ea539f9fde78b0b5f4fec331be0

SHA256
6fc2b80d7d753f6eab5aa30fc22e2902d2e9d6f068ef3bc4052d5f49070ac3e6

SHA512
60e88ccc4af70f9ad7b9e4bb246b943105f6e255f8baa6c527c0cdcfc9996806d8e839aa2b55551f4a3bfa1eaca10564cd9986f3a1ec8b4d9e65578290acb298

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
70KB

MD5
3b06aa689e8bf1aed00d923a55cfdd49

SHA1
ca186701396ba24d747438e6de95397ed5014361

SHA256
cd1569510154d7fa83732ccf69e41e833421f4e5ec7f70a5353ad07940ec445c

SHA512
0422b94ec68439a172281605264dede7b987804b3acfdeeb86ca7b12249e0bd90e8e625f9549a9635165034b089d59861260bedf7676f9fa68c5b332123035ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
63KB

MD5
226541550a51911c375216f718493f65

SHA1
f6e608468401f9384cabdef45ca19e2afacc84bd

SHA256
caecff4179910ce0ff470f9fa9eb4349e8fb717fa1432cf19987450a4e1ef4a5

SHA512
2947b309f15e0e321beb9506861883fde8391c6f6140178c7e6ee7750d6418266360c335477cae0b067a6a6d86935ec5f7acdfdacc9edffa8b04ec71be210516

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001e

Filesize
20KB

MD5
7247e91eedf36d653790d6d0a1c8a4e7

SHA1
88281d63857f377a82426d9ab6963249c37443c7

SHA256
bd6e42e520f77a213daeee8749872b2ef6b220f7864e72c90f78fdb916861e5c

SHA512
7780717bfbb9661b6715f46c89b81e0241d2a7305893ffed317b0ad5ebf57548552b6ad11ce1518f6bf20aa5671bcacb77dbd86f9b484abe4b7dc2071c4c42a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
e538afe67d38961fff4f035dc7f782a0

SHA1
d2067174b3c1cfa01aa7875bafa873b8fe08da7c

SHA256
eca71188877b03761d4cd6668bc9e4649906eedbc88e6f2c002c1fe946c25de3

SHA512
55e229d2cd4530fe6dc5cdb0abfec3f5910a1e770500a39bce9f8ed279a8869ed2337fd94823a8b61bceb45ac619319055428019eadf283981d1ee7a07e351bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
e80de9868879cf97d0ba0a0bc7e53d24

SHA1
8a99e7505b6dd6d8cc30ffcb607237a9960a073c

SHA256
0f7ef7002aa3f723b2d24b9a58c1826c83694e34a1a918e5c905751a6e6eb5aa

SHA512
cc520da889f5e998ffae9bce2c2fb0694426b0c47cb850acbe2b19ffdb371c123569fd616b08af78f452cbc322b98f634c0b3d984a8b89a4900fd659555a8bf3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

Filesize
28KB

MD5
da3191d4c4f0bae51926162fa95099b3

SHA1
8e503386939e5db8f9bed7dd930f6553b796688e

SHA256
0ebd9cd819ad4bb5e940e0addd09460eb4a41120b9c7d3ce104975006c32ae8b

SHA512
b81448efc39fc227de57874ed4b07755aa4e47831291e0bf2e8c0b7cb92b45fe7a4e068699d06a70f78c0008d94537d82697c7132ed254900387078271ee7678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
32KB

MD5
61839aa6f4d481a45792278644630dd5

SHA1
78e819a0934e523289d9e3abe88fc9c2485ba661

SHA256
0d9740f2e91747ae7b82b535c96fae6536fcf381811c8c97dbc1481683894ae0

SHA512
021fe83e4d23ca2986554cb1df89dc6f62ace8a6419977793ab2bf6df3f107db6ba7f285c94277477b47e3d133515220a85b0345810e88ad910f378a2bbc53c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b7b07bd6dcf89e9837991ad60d6934bb

SHA1
e8615473c529d85501fd8f736f7f9ea3ccd61134

SHA256
aaa73a0f5d085fa7668f7d42be6438dfc7ff90be2b72d06e2c27d52d01a6b217

SHA512
4d913462a54b4638b0a188937aef6f456d131a2032e9ef60eca5854628ba17b987fd17bb4fe71ea37dd929f575ac31901f06e8da05c432b70fbb6593af22ac54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
d28b5c2b887c914960b9fe80abff33de

SHA1
a77d8c2b16e2584ff4b0ce1a2a9fb9754605379d

SHA256
f637d9daa23bc066bce55c9a0fb906c9139b1ebc341793c61551308d10a07758

SHA512
64cb0fa6d48e6f5be4195a761ec27d60e22d7d59a281828244e5f98fd540f17d3c6e86e20519205c23f4afff6996625222001678911b3b6696055791f0205c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6KB

MD5
20bf16f60a6cde32292a1c3ddd617e3e

SHA1
1e58af1253b75d759bd0e4092f80909dc28837c2

SHA256
627858341c5f841e1fea2e19eeae25a13c5acd7ec447b3714ea8cba56bb5bfd7

SHA512
fcdf9df7f104c54f242189ff78cc56f16967464ef676e6850bc5009a753e1bda606729716568f7743874541c3aee0de1e0f4eb91b02449b7ef79e0e8a5eb7f59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
24KB

MD5
859b6ff2b55e98dfebd07246d4481a1b

SHA1
e28c5f3b245297fe2fc20e5d65fd071f910b6357

SHA256
4ebcd2c3cbbadbb2d3eb18e88950e06117b725bab7c96209e24c2fa7bfc0adc5

SHA512
e0990cb22faf841ad164f2030ac984f5a935f5e7c1d495e905692f8b28375a7b6081f2f12ea67f7eadd9483f7784afdf2089f89d634779e67005573971c55881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
ea1065603585953b7780412709578f9f

SHA1
af91c50122fdd98d13c48a2b98c76073ff2cac70

SHA256
640aa9e88edc3ae90aa6abc214b66d283c0b81604bae98a9c2cf7bdea9e798fb

SHA512
4161f6596549322fe93cc1c96f0f07c6e49ac46c80aee62897e92567ddcc0e06d8772a6770e5237913feaeecc822dd23b6737431507db46910c7d3d0f39d5289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
997a5ca0f2ca3deab72d57a25cab2afc

SHA1
f78765d7942b96c521f22f82d318e04bce119fbe

SHA256
a510cc72ceaa67be377a4b14b6fa30bae3cf439e2c7a79b36f1633de2b6caa2e

SHA512
14d2b10a6925e67f86c68efdea45a314185e312f985e2f53b81c80b5f28be930c49f56ffda05435764c936578d66ce364e03950a163f83a07a4cce2a280a016b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
b57c333a8e202a1aafb07ae1594db39e

SHA1
b297981646a486e29248cd422247352ab8943771

SHA256
3d676db867e7fff99fe251b417d6318a0313298063bf5f336507208ce47c815b

SHA512
7fa86d50bf525574aedda3f64b69e42014a78f38708dc3c073288ea34a9df8a3dc7a5dd67a838ef6f842e73b8aca254fb99ae97d4fa18e47ed5f498120676d8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
e8edb1eb010b3594361c4698f631e6e8

SHA1
c3cb971559f7a5e5759e4d882db24a73dc5974fa

SHA256
049944a141e99504caef678de99069fd8f1a661a5f9270023c622975998e8470

SHA512
ae34288328532daa839c22aafd5764d1675c249f75aa3dff13aa1d7ffc6846e26179bf984db17fda20765654718409a8a7c9c6d448cd293e77b815bdcfdc4563

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
18259ced7ba5a1d7dab02d5cd755a087

SHA1
dbb02635176b4d18ab6160b5aa09a53095462c10

SHA256
1ae60fa68d69a8976a57cfc73c77b6922c40f0356145dc9719636294de9e33db

SHA512
a0ee249413c9aa9e313c514e4dc8680d52b159c1c78dcb6e173c7e886cc977048122364ec4e5dfca2a179ad22c25ae21a613b2054b3bb8010d0de01a1aabb959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3ae764b142ceb70dae0353fa17b82957

SHA1
52b0f3a2347b4a25033be4dc2cc7ca4dcbef2db1

SHA256
4d2eb98f343df5f9ae8ca534e69e06372f3729ba56623dcd74dea52fa6d42e90

SHA512
4301cb03f0276e35fcf08e1292b1f3316d2683169ee765210bcfe0adfac612409f47f78363cf2dd1c0b8a6850a7886e8016d8ce3e61ece5754abce1781dca069

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2a2f8cdac150f4cafba181e5cca643c8

SHA1
cea803ba48c3a097df2874aee2a6111e954f8672

SHA256
990f885090f99a2e0c3e6f770888089eea894156bda365106622548a4b48de73

SHA512
8286864ae47df0b9cccf2f36a17a8e379a1eb6b3c7920bed780e77fd623fac2bcac9c849120ac9ff9f91fd12c8961f4c52bf7f58f8d378d1d7b6a4eda2763f51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
55deff56c2bd19836e2183039a9fc03a

SHA1
04eb25edcb1081e01a65baffcd381ee228185941

SHA256
3d4d4367d5c22b250147e780ee345d2e489e8fe928f76cf5d1e94573744eaca2

SHA512
1eb6715a8c817199780ce4bdf7e0d7e4b6c898c51933394dfd2a48807797e3c8cd18bb4f061ec2750a6334a4302720bf7b61873f5102ce5b1106cde121106dc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
d4939627af0b55c8bbd9e407969ee967

SHA1
b5ea06732907bc744b3ca7ec9dde021fac462720

SHA256
d443fabfe90e3de2adb111721131b7fd3a86fc23f20003bcb67d079e3acb4a22

SHA512
398f8965faac5ddc13f318ea258946381983e76354e684ae624557000d8ce25186137c6f0b9abee60ec12d66a04fad62f3e4ba0784674524f41a10e913f66c58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
743767394213a36899d649ce42508348

SHA1
738f7602e2f2804d23b4ff2dd89781ff548b7a7e

SHA256
22f0936bfeab4d34869f710cc572b5b63ad624d319e134906512c87e3c5bc693

SHA512
bc54d38b2cb5fe49e1644ae5fff61f12ac24785f7254ff59f9e93c2ab0b7da6a0c29456c2958ef6bfb02350eb88cdaa5c364cb273716cdae69aabca00c624357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
56f06d416bdfa0f228d1a468fc046794

SHA1
1147a676607afa268c1805b6d7cae9457f5a0b8d

SHA256
17a4ba37954c27d68ac6d5253bf4671178e881e5ed027045f01c99caecc85cce

SHA512
ef6f2170a0fae6bc4443c5928472c953d6fcd8fc7d8778999d2513426fb44512ab0ef1caa8cd92f7463f82f26b9adfa7509e0d4f6dfa102aa96b557a9641152e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1c22a75a00a7ff54675ec1badd67d91d

SHA1
982d29a70b3f3e5d94f5f6fadce23872179efcfb

SHA256
76bc14502a7848f3336555a4198c65c45752c923881c5af9fc4d705a5721d31f

SHA512
bf13955bfb2775b5e474a4dbab2551273a83106eb324a33233b2b8e5b8b401aa07c361907fce7d945601a38826c9161529134d84c022622151a46987680585fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
0734134af35de79ec50c2fd4648123e7

SHA1
d857993558bc9f9460c52c33fa5e3bf20ae13c61

SHA256
59ac43101afdb77aadadafc3a1de72653eb9891139b0c30a2f9efd51b9ae532d

SHA512
88c7618106d061e31b7ccf23d9ddad6f0ebcf7047a9114fe717f13116296a26af7d87c76073e91ca8f7d5cecb7ff0d018b9e9d30f73f2515d2c69a70c7ae30c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
1KB

MD5
a5852e200ac488f4abd356daebeb58a0

SHA1
7a5c799837fabb1e7d018a2543db2afb534e3e26

SHA256
1d6304e11aa3926e257c59ca20f4e428d89e392ce6a689c0c3ffc8e79f70cf2f

SHA512
3c0c33b4095d27bb9132cdbd770db694f1f9090f3128ad3f62867f98f42cebf07be7bc2f86c395d86b2839c3e43e6239e1e3accc99b2d2fe9479815e08533b7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
9efcb5ec67b92c9446a1ffea13b27caf

SHA1
7f01ac27d8a223b4a91bc4d95bade3db0df148c3

SHA256
07651514bf7f3452eb9c79aa5eed98801bb360cd0025b43b3d6b6b346b923cc5

SHA512
98c024e02c9953256be32bd78a36d0eb31ff19f80eb476b171e87f9151c84910cae8f7cee85de936110e4eb9d5414c54f70e011fabe243f204212a3139b7f10a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13381709372284947

Filesize
24KB

MD5
4df7ce7a946c8c9ce40cb892a17cdb6f

SHA1
883ae8df9769d7eecaa3f350a94a7da8eed04c7e

SHA256
98c6fed414e99eee82877b7a6eb4e7569cea1b61ce51a15cce8914b915a78e79

SHA512
5b62f9d2e17762c07b6c4230f400adaf86cee02c8b24a3b0b941d85f831b2622a1f963e2cf6153cee28dbaab90a030ab12bcf6dfa431483bada31a9f5846b7e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
256B

MD5
b4c18a27735b7a1a6f7a87be5bdfc824

SHA1
32ef3b42e8e9ba63e2dcfe4d7c16ee2e993afcdf

SHA256
8cd77e2cdf811edca113994336bc5ed7e6f459b60013bdaab0973dd101ba3848

SHA512
bd1888af2f96c6c7dd7826918978cc18526e8178626daab10ddbf8098c3d152c535ae39f2db7dae2c3e9505176d53c998fe7dd69dafbd275c906556a585f099c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
c918213346eb42862e1602f666fe3454

SHA1
0079cbe58f052d706600c425efb7ca7fa2c241a2

SHA256
91bd4d98500ce6275cfab5c65db199932b06a97d9538a0da9624746aae2959c5

SHA512
b92a60a2783602635cff840994c97f71a99c6f6145a1fdcc7b81c5e41a01f2607519248689caabf36b3e2922ccc5988cb74fbfdd5fac05a0a7886905440f799d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
44093ea0fe17068206efa8b1e7b59d85

SHA1
73c65e839d0b85f54ced38512d91cf427db4b6ae

SHA256
16c04212893687532a33210e2d864239417b1b0f4ee62131114bd5862c983d84

SHA512
66d9bba6e23bba2cbd8d59c828c409795d5adc4d465abe000c446ad5fc37998f3af556807f17b5ea4cc624c5ecdc81530eb6b959b2bb4956c1a464c3b83337b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
24b02a435a84e5ba2c6e3a8e1de88998

SHA1
bb255b4228b5e3d4d735e520f30e14d5901a99b8

SHA256
2ee2a0f8e488924c3bda52551b6a4d9acd89eef03b072cf1927364f437255b4a

SHA512
e70d0157e100569a1733888de1baaf563b44026e1b4bca45a79322b8db772257c1932f9c6c133f16c071c110bc2ddf21a4e64f3af547a0cbaa38f8e41fce7ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
809a72898a34b472249b76ec8f4b03af

SHA1
b114253616bcaa33b582b35a6af1b0b2ce897f5e

SHA256
f407b4dc11e6a1c1a2c3047584254ab05404ca085fc1dd5b952b436e718bdfda

SHA512
0b5921f1debc9c9d82d36005c4aeb9ed8c987b388ab3b282c08ce6fa9909adf9d227baa1f5500845709230753f51d70ea0c8823ecff854617d8a880be354a6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0476f261d68f124cfce94f3d9f3b2c40

SHA1
23cf64315dfd825b4663c884bd9bd8c5098a0e9e

SHA256
a87eca742a4d60ec6bd4350366d9130e2182c157e3aeff1586b3e5a6b24d1958

SHA512
280c60e8a57f5ac89972944141330156138a785bb6970039fe55356898e722154a3fa085839e282bf85ce4ed59135451a5754074e28bcb800f42926d809287f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2f28107d2d8cfa0d3dddbdff5660e860

SHA1
67584d12dc0edcf36c95a46877557dff96530c3b

SHA256
a13db86ae91a3702edf1b23aaf9803977a9cc0490cd8d974812a894c2a03fe52

SHA512
17372553dee4cfd6ec30379eb397206e60ef4b8ca9dc85c4875c9612a4d23940fe80a96ac6a43b9d04d3382cc9e5c2717432bbeb40c8a8b1df5174c7d74bfdea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
538048e5ebf2c0455fad9cd8418990bc

SHA1
fd12518d73b66a307fec7bf7db7398662d405f22

SHA256
3f29a28dcb4a3b75467958a53a7e80b3f9d554567316cd67ec828892869cf2e3

SHA512
589f7086dde14d28d065c1ec63aed5e2cedba439d22e0575edf80435d503a3fc219d2d5fef2d26641221d6a22b0b7e59306b72c9d1ccbf6e87ef43e0e9e0a637

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e58d.TMP

Filesize
704B

MD5
fc42504bbb5ace05ca9fbeede78b8b44

SHA1
3d76c4654900ebcdca4fefddcd67cd67465f6aee

SHA256
fdf3ab85910d27fd4cabfd2ac71a604a216c530bf8bddc416e563e40b1f782e1

SHA512
15d4d2cce126b23cb1c5e21b4f55056a9cd110986102bb2234cbf5edbcd1f55c8014b0a2efdba5c0c46ae8dd63b35e291ce403347ce0e83e52e017c67a4bb638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
dcb9a2f32e97216c59291b395d3a04a0

SHA1
7d62e5a54d95acb11316a4223331646516a0b4f0

SHA256
b77a98db59bbc62e2d5a5cb038643462088e1c7dbd25254555182fc72c6ddfcc

SHA512
9bbe6e320d283f8afdcd47ff69ecb8fa97b24521a3e93680f0920dc5b132676ef86e38911a9f317dae03c64a3df9ea5900c514cbe39e09cb878bcb9b1bfb6de3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
112KB

MD5
3f9ec51d28b7554667b7e7ccde95ff37

SHA1
3b3f63ddae9da143b36a342587d0a005dc85ad9b

SHA256
79455e610be8e5109c279acffcb480ddcb55045b362ae7d3d10580a6544b746d

SHA512
42790ddfb2073a1727b71412250fa47e44dd05d622f6128201aeb7f6ee9a1b01ee12653cbaf89ea40251178b77bb76b5da8736c4cd591056b0947156b64c03f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
76KB

MD5
82601988868e2e58ffee87fa22d9f8db

SHA1
59c058da8c9174760fb02e1db6ecbb47de67873e

SHA256
4b819baa549bd7b2ccd92613afd68593e79dd7376def1e7fb4db5cc8c7e39d2b

SHA512
a004947c90acaa2b7b107771e016a36a98cbd44608a419706d8f1c5ef97293907125f4b55054c8b550b64b48d2885c184c666b75270f445159ffb9e7adc04579

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
2KB

MD5
29a4f62ebb34450e9806ec2e48832e91

SHA1
4f266e71f57c256382221192e9a860c690f4927c

SHA256
5d04178f21103b07cfab93a8c24852bcf706eb9226d99429dc78a42709bf563a

SHA512
2478b3446870b1afb383b255ce0bdd1c1a7f691c28a29f3cd872067ac4a46e08d6ca45b104d96772fa149e1113c7bb6a1602916a726ef2e822ee0878dff8c131

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
7991deed715488728cc4f60f081b979d

SHA1
d353f3b6bd66f974845bb3b7188428fae7435a3d

SHA256
0bbc6cc4b48ace697563617f516d5d73b43bfa17adefe17ded9ee82b38d6c0e4

SHA512
7af8e37e1269bad35c434b8454b37b041d13b5e7f844e69a0eed0554fa530f265152abe382f8c38cf5421bae71a3318699ddac79e2068b6dbf31027d0381cdaa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
70a6adaeb5cc1df37bb50f8f9563c35f

SHA1
ed960a63aab838c9ce77dd377ccc2374353393de

SHA256
7502f7d2313d765946270d592d2d746fa0e632a46b11ab93886d82582813d4c7

SHA512
406c6542560cca7e32728ef99fa51bfe77617616113f14c5be3d951ddda63872ca85715f5d08b6d226ccb5f092e391088b714584e46fd3226436bef7a6633b93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
e22e85b68c5042e21ddb02ab60e3cc49

SHA1
77b1aa1c9a1632bcc76121d9bfd066ebb2b80af7

SHA256
e6f7701652c1eaff7a0a9ae603de45756c20151f4b92fb04904e975e7ffec15e

SHA512
68d6658835bebd8103e8573f2fdccea825bf11eab65675559ecc497850fb118fe36af3f08ca9c21b2f9310941548287c563fa9b96cd7542ca007416b1705accf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
2143fdc95b53c8b8ce9da98bcf2163e1

SHA1
68f02c40e909546f51f137daea8a8befba691e94

SHA256
950f5ec0cdc102ed5253c6d6dedb28bbdd8e1c759216d32cf60e334e2de039cd

SHA512
45a019d514fcd0b1af9f64e5470003a5eb6d68e8055fdac94284af40a4843bf0d0b356aa26e6ac181a54aca32c487f99d26d4f93f0453ec6dad7ff97d7ebb752

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
48705759fca5b9cb170d06fe48244b18

SHA1
fbce6cae98717594d7420f7bfecdb38150510684

SHA256
4a7481aa8ce255f32abe3b8bc935b3bfd401515dc929993ecf3239ccad0b1165

SHA512
ce0424eaf6f8e9d4ff1b9f43f15337568da0492453b024bd78317c81c80838711010347f294ed82b8c31038882f44fa99ab4b2cd9ad9c7c24b7e69d44a47a9cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000d

Filesize
16KB

MD5
ac8f1da831b06f5891a57d2b5b63c8b2

SHA1
b37e329c54d76c85faf0816b8a8dfd9ee8fbb52a

SHA256
68a82d49ecdbd1464921b522c5bd2cca2a5d283eff1d5fc58f23a6b0ab7ba7b8

SHA512
305a34524de3b5c04767845755e6f300707100795a57dbdf889ff21565704e66e70ed8d0e60f359ae205f7cc86caaea5be68d848320629641c1060dcafdb8f27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_00000e

Filesize
20KB

MD5
ef9588ca82f853399e5968af99985e74

SHA1
80d9df4f75c3e789ddf10584d9ff9de2b6154cb0

SHA256
9d550015f47a4d5d502f8a2f5b33bd9cbd136f4fea7c64754c8cc5a9651f7fe5

SHA512
a77b6b0bcea459ab4fc1e5d0983e85b86a6b0835849345f6afbfb27a5e84d8d1a38ff16e21ecf862e95d0a74e3fe97fda28bea66752b8bd64fd44c8ba680a5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7fb3aca7c99751d9450f500def83939

SHA1
e1c8b69676eda6363e380f0d23c5fc6992d997a2

SHA256
a274f6aec921117f33d734951c57b0964b94217086e800004c6778ee7341fa2a

SHA512
1ebd377188dda8a646e74c097820f88e01c71ac8d8643b36bd0f50c3fe0ffb01cab77bf04a4b7117604a861a70ad3356bb4ac0457eb0703107b56d591d2933d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f528b9e2918dee704791d38ab4ad33a

SHA1
2384120e5dc057e7bfdad67929a03a9e65d193d5

SHA256
596ef84aea1f3019807f5cb501efaad89ccf8b59b3cccb28148e562e02b203db

SHA512
696e4c0be3ae92bd2cd9582f5931e08b352a536660a7c0b9b5cf14dcb1061f7e94de6555fb3cf98cdf6db9b064dcbef2dd6eab2811b2c2d18de94fcdb97a63fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1ce7318d8dcc9f3c555fb726ff2a5d30

SHA1
915b70545cb1ea97afb339fc15ff8b3662ff5878

SHA256
b99f6ca274acda39e99ad32312725fd30d1baa9f067379537a4baa84d709fdd0

SHA512
2d08d61e7cd5e3180216b82ebad0948bbccaa63bb3179908fb7edf849bf1759b3d93d14d1b125087463ceb6afda68078b730cc1bd56702e1868bb36c03db0fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f53afbda553005f96877bc0b89b0f9ca

SHA1
fd37f774397ac9bcab51f852747b94bf318e1b77

SHA256
a6694d06cc0a7cfa4276fa82717e0c16c29de7800ab9b164665b9393398f0e2a

SHA512
9ac53f0d92f5255c09cafa3a3a83e63dfbcd68929007f591110299e28ac8c86d5425f52e462d46284b8995eefdc778bfcada4f738b804f5f4e804b4dd3a512a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
b13d050eb7e4b0f7f3e3e3abf29442a8

SHA1
7359aa93e76d8a07863d82caf161c8daa30c7c12

SHA256
c80817c1aca8574cb566333f57845d813e8fd32ba11d3c80717c77ddbd21c549

SHA512
4d2b83291b10ec61940faca2433573843461cd9d8f9fae793ee11b7d8960794aa1750f279c1a215cd55ae6aac64dd420e525d35c2a226017fa4c74e1b00e75bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_Swift.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
21.1MB

MD5
e4ea30ba5bde0b11912dd4dc7e11a03a

SHA1
7d3147a25c89366a289b131a0720a9e087584d3b

SHA256
0ac0ce14a0842f881cfe5db3c83d6b635184a9890170194466b14be3b1ffb782

SHA512
fb6cff05f1394f20fa3a110b8393dc7e3ffa6cd3621f0d876b0dd61c44ca6022bf9118222d873bf8553f64ae11c7eadcd5acfcc8b97cdc4b731a2eda534f6f64

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip

Filesize
3.3MB

MD5
e58fdd8b0ce47bcb8ffd89f4499d186d

SHA1
b7e2334ac6e1ad75e3744661bb590a2d1da98b03

SHA256
283f40e9d550833bec101a24fd6fd6fbd9937ed32a51392e818ffff662a1d30a

SHA512
95b6567b373efa6aec6a9bfd7af70ded86f8c72d3e8ba75f756024817815b830f54d18143b0be6de335dd0ca0afe722f88a4684663be5a84946bd30343d43a8c

Download Submit
C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/348-1176-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/2608-2472-0x00000000734F0000-0x0000000073572000-memory.dmp

Filesize
520KB

Download
memory/2608-2485-0x0000000073230000-0x000000007344C000-memory.dmp

Filesize
2.1MB

Download
memory/2608-2466-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2474-0x0000000073450000-0x00000000734C7000-memory.dmp

Filesize
476KB

Download
memory/2608-2475-0x0000000073230000-0x000000007344C000-memory.dmp

Filesize
2.1MB

Download
memory/2608-2463-0x0000000073230000-0x000000007344C000-memory.dmp

Filesize
2.1MB

Download
memory/2608-2473-0x00000000734D0000-0x00000000734EC000-memory.dmp

Filesize
112KB

Download
memory/2608-2471-0x0000000073580000-0x00000000735A2000-memory.dmp

Filesize
136KB

Download
memory/2608-2470-0x00000000735B0000-0x0000000073632000-memory.dmp

Filesize
520KB

Download
memory/2608-2469-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2479-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2464-0x00000000735B0000-0x0000000073632000-memory.dmp

Filesize
520KB

Download
memory/2608-2486-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2492-0x0000000073230000-0x000000007344C000-memory.dmp

Filesize
2.1MB

Download
memory/2608-2465-0x0000000073580000-0x00000000735A2000-memory.dmp

Filesize
136KB

Download
memory/2608-2517-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2523-0x0000000073230000-0x000000007344C000-memory.dmp

Filesize
2.1MB

Download
memory/2608-2575-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2462-0x00000000734F0000-0x0000000073572000-memory.dmp

Filesize
520KB

Download
memory/2608-2593-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2615-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download
memory/2608-2631-0x0000000000EE0000-0x00000000011DE000-memory.dmp

Filesize
3.0MB

Download