lumma | 75026653cd9be402306f50674ed7f8abead6d29517b76cda4a30ff1328798f3b

Analysis

max time kernel
894s
max time network
895s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2025 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1737154984__«FîleReady▬PassWord▬Is☼◄172303►».zip
Size

407KB
MD5

ced26414ca3f2e9d6e330d76f9183f62
SHA1

f640e5339538a581d87c70b5046f109130c107d9
SHA256

75026653cd9be402306f50674ed7f8abead6d29517b76cda4a30ff1328798f3b
SHA512

be7e1e3f3ce3a1b8316fcafd1afb02155df31a7e38fd439d3c9c2c79b20f07ae94c7953ba363e94eef1c39bd46198c0d826f9632f4e5bae962450a5a052ec0a8
SSDEEP

6144:FW1lD8lJNW/1ny1qK2DpyKs2MVUGE1tg+El92nLKq4BDr6iJW/GsF02gjOtW5Ap1:krCoNhgKs2MWgJl9xKiJW+A02yV6a+

Score

10^/10

lumma discovery persistence privilege_escalation stealer

Malware Config

Extracted

Family

lumma

https://futfilcreat.cyou/api

Signatures

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Downloads MZ/PE file

Executes dropped EXE 9 IoCs

pid	Process
1752	Kraken_v1.5.exe
3360	Kraken_v1.5.exe
5372	Kraken.exe
5968	Kraken.exe
5804	Kraken.exe
4880	Set-up.exe
2184	Set-up.exe
1976	Set-up.exe
748	Set-up.exe

Loads dropped DLL 14 IoCs

pid	Process
3360	Kraken_v1.5.exe
3360	Kraken_v1.5.exe
1752	Kraken_v1.5.exe
1752	Kraken_v1.5.exe
5968	Kraken.exe
5968	Kraken.exe
5968	Kraken.exe
5968	Kraken.exe
5968	Kraken.exe
5804	Kraken.exe
5804	Kraken.exe
5804	Kraken.exe
5804	Kraken.exe
5804	Kraken.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Event Triggered Execution: Accessibility Features 1 TTPs
Windows contains accessibility features that may be used by adversaries to establish persistence and/or elevate privileges.
persistence privilege_escalation

Accessibility Features
T1546.008

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5192	5968	WerFault.exe	191
5332	5804	WerFault.exe	204

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kraken_v1.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kraken_v1.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kraken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kraken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Kraken.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0008000000023c77-324.dat	nsis_installer_1
behavioral2/files/0x0008000000023c77-324.dat	nsis_installer_2

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7zFM.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 296104.crdownload:SmartScreen	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
5212	NOTEPAD.EXE
5964	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1992	msedge.exe
1992	msedge.exe
4788	msedge.exe
4788	msedge.exe
3440	msedge.exe
3440	msedge.exe
900	identity_helper.exe
900	identity_helper.exe
4596	msedge.exe
4596	msedge.exe
5688	msedge.exe
5688	msedge.exe
5688	msedge.exe
5688	msedge.exe
4880	Set-up.exe
4880	Set-up.exe
2184	Set-up.exe
2184	Set-up.exe
1976	Set-up.exe
1976	Set-up.exe
748	Set-up.exe
748	Set-up.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1688	7zFM.exe
5692	OpenWith.exe
3552	OpenWith.exe
3776	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeRestorePrivilege	1688	7zFM.exe
Token: 35	1688	7zFM.exe
Token: SeSecurityPrivilege	1688	7zFM.exe
Token: SeRestorePrivilege	4324	7zG.exe
Token: 35	4324	7zG.exe
Token: SeSecurityPrivilege	4324	7zG.exe
Token: SeSecurityPrivilege	4324	7zG.exe
Token: SeRestorePrivilege	4088	7zG.exe
Token: 35	4088	7zG.exe
Token: SeSecurityPrivilege	4088	7zG.exe
Token: SeSecurityPrivilege	4088	7zG.exe
Token: 33	1396	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1396	AUDIODG.EXE
Token: SeManageVolumePrivilege	3468	svchost.exe
Token: SeDebugPrivilege	5372	Kraken.exe
Token: SeDebugPrivilege	5968	Kraken.exe
Token: SeDebugPrivilege	5804	Kraken.exe
Token: SeRestorePrivilege	3608	7zFM.exe
Token: 35	3608	7zFM.exe
Token: SeRestorePrivilege	3776	7zFM.exe
Token: 35	3776	7zFM.exe
Token: SeSecurityPrivilege	3776	7zFM.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
1688	7zFM.exe
1688	7zFM.exe
1688	7zFM.exe
4324	7zG.exe
4324	7zG.exe
4324	7zG.exe
4088	7zG.exe
1528	osk.exe
4088	7zG.exe
4088	7zG.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3608	7zFM.exe
3608	7zFM.exe
3608	7zFM.exe
3776	7zFM.exe
3776	7zFM.exe
3776	7zFM.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
1528	osk.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe
5692	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3780 wrote to memory of 1128	3780	msedge.exe	118
PID 3780 wrote to memory of 1128	3780	msedge.exe	118
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 4052	3780	msedge.exe	119
PID 3780 wrote to memory of 1992	3780	msedge.exe	120
PID 3780 wrote to memory of 1992	3780	msedge.exe	120
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122
PID 3780 wrote to memory of 536	3780	msedge.exe	122

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\1737154984__«FîleReady▬PassWord▬Is☼◄172303►».zip"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1688

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\«FîleReady▬PassWord▬Is☼◄172303►»\" -ad -an -ai#7zMap17492:120:7zEvent9049
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4324

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap6490:120:7zEvent14354
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault79b61b35h2ea0h4183hae42heeff6fa77f4c
1⤵
- Suspicious use of WriteProcessMemory
PID:3780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb10a846f8,0x7ffb10a84708,0x7ffb10a84718
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,13364199210596875409,11058389141285833145,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,13364199210596875409,11058389141285833145,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2408 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,13364199210596875409,11058389141285833145,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4320

C:\Windows\System32\SystemSettingsBroker.exe
C:\Windows\System32\SystemSettingsBroker.exe -Embedding
1⤵
PID:4476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:3672

C:\Windows\System32\ATBroker.exe
C:\Windows\System32\ATBroker.exe /start osk
1⤵
PID:4236
- C:\Windows\System32\osk.exe
  "C:\Windows\System32\osk.exe"
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:1528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x3d4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1396

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb10a846f8,0x7ffb10a84708,0x7ffb10a84718
  2⤵
  PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
  2⤵
  PID:2772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3596 /prefetch:1
  2⤵
  PID:3228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 /prefetch:8
  2⤵
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3868 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  2⤵
  PID:3044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5668 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5912 /prefetch:8
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
  2⤵
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:4308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596
- C:\Users\Admin\Downloads\Kraken_v1.5.exe
  "C:\Users\Admin\Downloads\Kraken_v1.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1752
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kraken.nswardh.com/readme
    3⤵
    PID:2264
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffb10a846f8,0x7ffb10a84708,0x7ffb10a84718
      4⤵
      PID:2992
- C:\Users\Admin\Downloads\Kraken_v1.5.exe
  "C:\Users\Admin\Downloads\Kraken_v1.5.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kraken.nswardh.com/readme
    3⤵
    PID:928
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb10a846f8,0x7ffb10a84708,0x7ffb10a84718
      4⤵
      PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6080 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2260 /prefetch:1
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,12089840007906549582,117611556420298224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:6024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5084

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5272

C:\Users\Admin\Desktop\Kraken_v1.5\Kraken.exe
"C:\Users\Admin\Desktop\Kraken_v1.5\Kraken.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5372

C:\Users\Admin\Desktop\Kraken_v1.5\Kraken.exe
"C:\Users\Admin\Desktop\Kraken_v1.5\Kraken.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5968
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5968 -s 2084
  2⤵
  - Program crash
  PID:5192

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 5968 -ip 5968
1⤵
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kraken.nswardh.com/readme
1⤵
PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb10a846f8,0x7ffb10a84708,0x7ffb10a84718
  2⤵
  PID:5136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5692
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\«FîleReady▬PassWord▬Is☼◄172303►».7z
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5212

C:\Users\Admin\Desktop\Kraken_v1.5\Kraken.exe
"C:\Users\Admin\Desktop\Kraken_v1.5\Kraken.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:5804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://kraken.nswardh.com/readme
  2⤵
  PID:3660
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb10a846f8,0x7ffb10a84708,0x7ffb10a84718
    3⤵
    PID:5176
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5804 -s 2172
  2⤵
  - Program crash
  PID:5332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5804 -ip 5804
1⤵
PID:5272

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\«FîleReady▬PassWord▬Is☼◄172303►».7z"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3552
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\«FîleReady▬PassWord▬Is☼◄172303►».7z
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:5964

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\«FîleReady▬PassWord▬Is☼◄172303►».7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3776

C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\Set-up.exe
"C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\Set-up.exe
"C:\Users\Admin\Desktop\Kraken_v1.5\Recovery\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2184

C:\Users\Admin\Desktop\Set-up.exe
"C:\Users\Admin\Desktop\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1976

C:\Users\Admin\Desktop\Set-up.exe
"C:\Users\Admin\Desktop\Set-up.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Privilege Escalation

Event Triggered Execution

T1546

Accessibility Features

T1546.008

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Kraken.exe.log

Filesize
1KB

MD5
ef9a7c7a74c9f75bc21596096338442f

SHA1
cce8c38c78ac1f3c9daea37e758d33e5fb32a3f4

SHA256
813da7a12b17b885346d43f14f72ca552f77189d49afe4b4928413730a5ab201

SHA512
fa8ca2d8b8a7a0c25f5fa3371fb18345032ec168c2a75c82889b676fcee2dae7f5d35078f29f5a350dde5e207be73a4568259cdb97f2a551ab98347bb6643e99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a37da350dddf3fb4450b9a4372478df3

SHA1
538ae3ff940b52ee4aa6eee84bb53215655b3e94

SHA256
05afd62e44653b83ac58c2fc041b10ef0ef5fadc5341e301cfc675334da199a0

SHA512
bde4bf98f9cb7e40e3320408b51932ded8a620b415197efbf7d072adee1d4de67caa5f405be2dbc1e9dbebb9c063ced3e58d0ea778a70b47b7dbbddb2791b862

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
22KB

MD5
6998607df710b6363877b8609be6463c

SHA1
b2e19fb880d1e9848b753acd5b3aeb310db8c6fc

SHA256
289aa17d56418b886cd6de5a4f1521164ff2e8b400c7150e3cc9ad3800b080df

SHA512
11551d4831a0d0db12295333dbcc627abce4f9bda22a6ef932f652730c4eea686461bf144570c636e6f24678d31f9447431672b132693d585c232ce218ffe7bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
29KB

MD5
fb0e6981c97fba54d76f9b2bca152299

SHA1
7c26673f6d5dd46220ca13f2197a5f5e70d06335

SHA256
09b221854d59bd9fb7dcd7042f9fcee8b6b8f958d932096a9ca307e2d63813d0

SHA512
beafa70f582e2e2d2a8de30fa22aa2f9ab384fcea0ec7f016b30392e3001ed98ca105874f64f62a5d065d90ebc0912cef566cb37333c3903f6dcb1d3e1d4eb51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
249KB

MD5
095a0c5edf9a5041ab17774200326a5c

SHA1
79eaddf072eaf40537081bf6d423b52dac808be1

SHA256
cbdcb91f08a92ce2099284391cccb0ba256889b10561372ca3a0c73f71eff634

SHA512
5f8d82d7827e292ce90dbea2d11ad0e5c9b27629d751091bb47311fa3ad9637533f6a31a285a0e2590d2725cddd2e9648099f17063b3f235266b5a792e343f17

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
70KB

MD5
ae990e80be9a9904db60b0d3d06adbc1

SHA1
d9e9c4775f4910f9fae04600d9dab922848098cf

SHA256
ed7514b6c3a5fdc386bff4dcccaee5e0c72e83cf31f90ff5ac4fb70e33fb6857

SHA512
c33992fd8c52353a57b0d1080c1f0e9ac64556f975e4d3718f1c93e5410e678423597d50d2e31b87b38b9568e258a0d734bb5e366de90f3f3616db728741a05c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
17KB

MD5
41e10c7dc78c771f51fbea749955a27d

SHA1
44ae097244786de6527a6908273d22dce0d5ab8f

SHA256
e7a7908255409ef7e493373a5551165e36953da31c1d8e52c2616d439dc47208

SHA512
af72e81db8238d0068ce433a86c301ecc5ec93bf6316e52cb130e4509078709948146c11e1707dce06b0dbdec19fd212551be5073b03c671cef49e1e27acc769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\0cbe47a24aea1c4e_0

Filesize
41KB

MD5
26212ae09cd3beefef1f4903475fe285

SHA1
9e430e872571a0d43d5aa292c5a4479cfbc3cc63

SHA256
63cae8ac3282d45f0206a33a906792e2a87bd71d2568252b8666e30ccdbe4b69

SHA512
ab4f84d0cf7f79da77b22bfd2b6e3d7d195b84e4d6ddbbbc83c4a5466b3922974eae78f8e96e2c73113436260e2e6c30af43cd9aab7ed186db75ae55b511e50c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\73e111902fd65bd6_0

Filesize
259B

MD5
7b80d50572c0b7cb8ea907f7e3c3c40d

SHA1
592373d9efe28abb6c7a6a98c0c83c6fc583972e

SHA256
cc8767c180d63ea30759cf16fb78cbdfa47f1ee71f28152cad49eae9c29869d7

SHA512
a59f45cb4083f1e301fa7d08c57ab938477a5c1f570b01c0abe0275d6c58166624ee55c0b582ba2c6d114e14ad2776fd24b51b9faf025e1f030bcf297876c3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a56492b188106366_0

Filesize
10KB

MD5
46a1d9ae4b50e5466d19997f0b77bd81

SHA1
3ea96fddfe3949aaa86afa5ab8e1097f0d4c9f3f

SHA256
56e24d0f0dc61b7e0d467d5182bf9cccdc3c3e6e6d3e2fae3666bd8b03d2c220

SHA512
22abd363c1f218d826e9135514a38a9bb3ca7da1a77f6ca062e04cc31e422776de5ddd3153018487a12b4080ef5230f9b0872946c3a5f55e994b83eab59d14e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\d5074cd1fcb1d67a_0

Filesize
105KB

MD5
fb2c487c331d801b4ccd54ca719a20d9

SHA1
539316896d78bf432309cb7d086b9549989c76e2

SHA256
45506c3d4fe17173bdf5681869fce11ca092dea53b26744e7d4846d03c0db9e2

SHA512
07377232041e3ef3724208c47806f6423b543dff78f18a23e5a0c7a997a77578834ebc1d693b294270755b49247eeb44c3139d6f851675611b82a6b05037cd97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8d78ea17774d6eac325a74133d36394f

SHA1
961dad5af875a47c9f149ae9c3c0a068d65c3685

SHA256
a5415eebaf1f36417db96356168691ad8c4d8119363798ae6f46bda995443c28

SHA512
f4b2111866e3bb456e7986d997e3d0ed0c9b6367f1554ec8df44cc4b66de920934ab683588324e071f08c0d7993273fce3cf7d62ee785520d55850ac5cc1c79f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
807627dd58099431eb899cd4a31e285c

SHA1
a65c51aa5434b1107392496d0ff6fdd9a7b2b709

SHA256
f4de03e2a3301bd91321d57e3ae7e5c772177a3545ec86d36ce6adc86281e0b2

SHA512
6dbc0960465e22421e5fd1387df71c40698c9e4abd218932b856051c7bc7024c908d0f8c16f1862ebff9359b523fa2fd6a7ed47025f204cee5af1352afdd9f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a4568f4ab6658c861555cbe9c7b057e2

SHA1
975f2948e9102dcc873802914912c72216543f4c

SHA256
362e23cf534cbd23a2330638cf470b75a401e32fe7acc4595aff08bd05a4e234

SHA512
fefdf311f630bc37fe068e33f3c38687c892a7fc28592ea5f669a7aab22f8ad34df2aa7395de37b381a34a6371f6c3d4a558bbee4e495e23016fd306f9c890e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9402e18a9622894395bfcfab27e87f30

SHA1
1a5b0dd49062028439831a4723e5a366d946d044

SHA256
bd976ac3beccdc40c8983ab3038c7393102c58941f44951e3e06eb836d0d8f27

SHA512
f847ae7929af2b1b7a6c6bed95fa79820bad037b629e98c7b6e5d8580ab14880a245ab721314edcbb4db00162dd99ba844dec074ad6653078fc4fa0bba825bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6ed598a759ce94619801cb10f446d4fd

SHA1
0759adf66f1ba5fc30d1bfa4296ee901c0fd339a

SHA256
0d1f48c9e452c872d2db833eb249c8a3a0d82725064244bc2f50dc298d0f271d

SHA512
9596c0915db60aa41ee02fbedfb38b4a24450e83dd83d76599501107e1a0b2dfc716b056e7994f4a29eb4f7f8f1e5bece64fd5592d83ada40cbd084d8809877b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
f289ed61ec2209020f154f03ca1f2665

SHA1
193bd9856bfe8fcd9610aa0ebdaef5352b7a3ddf

SHA256
ba8dae14e8928b87a1b7df58860b15622d2d341e95f572b29ad233316db4b63b

SHA512
90387689724ef08e2d1c265a017e3f34c6d6595523274efdbd4760c0eff5440bcd999071e1b0609fb6d568b7dc0048a79a71c75c8f239617ccb390938d0a6bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ff7205a80cc74edd7c149ee6eab0a805

SHA1
077eae8e787d019fcadba71db6ec142e42276d1f

SHA256
db2931ca55079e1042ac6e42fa3088386529adfc8b75069c67123e6700c58c00

SHA512
0a0bc86ad45cd86e4bffa6d80eb3c221f978d016e11ca089fb3e8fc5fd30d8e0d66a27192701af52c4bf28aa129cc228ad33158bceb2a01172cc08e2e9f81043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2a1bfe58455e131632ae953f94c05fd8

SHA1
5de25b08f78de927f01b3fdcf0bb0c6f5b5e3ce5

SHA256
77dc7b553032c971d920301f609e78853bca9da8869c88d7b6fcd6b652d2e746

SHA512
4da176f28c22de91d60d5c41735bad5fe9de4309cced5fbe7e9f45c35e47f35be7f4c5d6d5613f84c340e39d78d36908c9cab833755df3a4e13d302f804df314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13d9a98178339844269391820b12ea02

SHA1
7223760af5e5fc85e6cba8479e970e1ace6c2d83

SHA256
aae787759e3840b4af8735e417cfe40197902b48163d21f381c0c58511015f76

SHA512
ad730fb0e11f002a907a869a0aa99de415a8d7dbcb2e1e37bd4ea2de3109f33c549e21db958eaab43473c78fb856dc386cbfaafdb44d482f4d86907f333e4d7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8e238dc33728c07157bbf2137c3317b

SHA1
bffd12e963c99e6f2c40a61a58375139532ae5cc

SHA256
c88ecde718ff6e8275ff68a355f21e2dd2d3a06f4d4d2983acc9511b909c9152

SHA512
47e1ab496ee901398ffda9fa9183ef9b012966ccde6b4f89eec6557d44b285ae8edd2b11005f94e7446b793928ac47bff72c88f4f5e3a81efabda1b610319c6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66d13a8ff290a5d9d302dcf4e723d90c

SHA1
9e7f66ca9197fa65564a8b32fdabd541856737f5

SHA256
41a033163020a818e713185e8a15c14b28b4cedadbde5e5ddb08e8a390bee564

SHA512
c502fdea7c23624269442875daadf7189fb272840099743704f7bf20814a07a5cdf9841c1ecd8e6059d258784a037927251d8737d8797170ec2da4ba8e421464

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2df00508935e2b94392b4b0e080c3a9b

SHA1
bc4f8fe22052072b58eccc257a37cfe9b873cbf6

SHA256
d04ed82d6b62a808f9f062407f0e053ca30da443c865f1bc6aaa3475df07c008

SHA512
0c6660d312f38c6ad0a3070617160f8f00287d74cf27674e5c435abe461f717c49f740a0096734ed02c0b8c8d43a09e311a8157c7be08bada23a46db39a01fb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
741ae6bc56b6eb6d95cc08bb773b4a75

SHA1
e084d5f02cdd9b89d84c5dfb715e1511836cbff6

SHA256
4c440d37236b4382ab7add61622dc419437ca96af7a2420851fcbb335bd457f3

SHA512
15c46b15fafe520d9af3d6992004782f81003c6c020543869112d34f4c77216b613d5c74db051e147a50fc76ee9c4f67fcf5fc96d360b8ec2d2664cbfdee13f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
adcc77a8e21060e1f33d4247e17b4cfa

SHA1
a97fd9256fcf989cc12c376491b98672c441e137

SHA256
c08e5f5b8c1b4467041be5f0b75910a38336ff3ae40b40f3480232253ec0e69c

SHA512
1d79233915f403fe701159ec243ca5b715ac12b560def3519f08fc2d1c1f0fc43a9d2e75e16c9df07e40d8d967f53d3d13ff1ecc9c7d20c4da9b645f9156db90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
794bae61adb9e4d9926381ff0d3b614c

SHA1
7874373255d90450a7a1b66cff6dfa6c702131b5

SHA256
8943977708d1ff6b1a4d23fbfeb7dad5af790078c21f95d9988238aa0a782cd9

SHA512
3df6f3eded338ccc02bcbb2423fd02743ee9cf359a2cf411dcd823b79a9ee65ce7f57521c9c3718a5156dca881e38789e698df6f428eb37e6dce21ed8b61f853

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
527a23ff85d3806f34d0b2c7a1c4abd9

SHA1
de077a6e8b16195739b8e244a8c6cd5c089f633b

SHA256
3faad1bdd3329faf79c37adf8e9bea44afc2d8fe62b945a544f919f1b45c1a54

SHA512
faec64c27714cde0698235e725a5998e99b9231a64b87aad113dacaf3c558653d1616a53bab83bb68cf26cbe0d8d485975be59794cc7391ab486a893d3d07e21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9db1e597dcdadc47ac4d26786982745e

SHA1
18469317f152939e8fc0096ff4022bb66ca4a5e5

SHA256
3461f758cdcbd879e9a98700f8d61433ab4ea391f369d72607fe555c6ad2bf72

SHA512
4c487c698dd019910f352bdf0de63f7dee3feb1f0baa791c12eb88829687986d96e98c580520613d0823493afbf3f4cba9749f4e69e6d3e1d620ad2fbd8858c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
7260cdf6fe25529d0e48fb37dfe3d67e

SHA1
32ef6fe2b4640ab54bcd215db591a0ecb7d96db5

SHA256
e16aa1efe59d1ccf8dcf9e49294f3795be176fb9988b53bf7242b2385ac36423

SHA512
0e00d90022f8d776cb93683655d0825dbec5f663717f4d39aad0607eff08ccc599b9c794befb1d51bf75654f7fecf83dd8c712a7ad4a37cc4a0c73127cff3998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
0627d4a54fa895c36a55762148012a59

SHA1
23af3c53891d0361d06221cfbdee042b33a77472

SHA256
5fe2db7e58f0876eb8da58314066a405ba37f07d78814923aeac0a3ceea69fcc

SHA512
67c0733a9a4f9c1b8036765c6c0edad4c4cc391d92e58e373b7bfd826a9d8f9a0193dfd689a3171b2cd41ccc64813b6c59fe640391239d0b910dfa66124283f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
ce9123ba3969435606652918d4050ea2

SHA1
16d289a21592587337e122b5598534f34d46f53c

SHA256
f30c817d8bafa8d8b0e56f1adb79bc6e18b3b40e8f4f917e0582ebe086baf718

SHA512
5785da12574454bbd4346b7bc9432d0f3870777a6213b400be458f94da9f1dd5fbc570ec81977a4870fe664738dfeb885987bb02d19482a3717367635e6772ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4b79d780497eaafb5e8216c77dff71b1

SHA1
c6a4a77bbd3d746c88ee5d2fc59f8ecfe9e33eda

SHA256
9224fc14b3c006de5d85ec25a55e2a00320695da2ba14dcdb62651df8a60a97c

SHA512
56ddda60e181e88e898afd81985fad2978f62ba1bfac6eaba86728ef7dd2c5870fe133341da770cb71897e1860e1cc2ff8729653bf08a5f0f147f2cc3e069d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7fafaf4ce9fffe7d507312e93c7eabe7

SHA1
2e8513869a936b509df0cf6d9078743ffeda2096

SHA256
397adfc3020b3fc857ec39cd639b11c36a2ba199c942d45025a80c449020e70a

SHA512
446f552a55823b58282498c94a1b7bce860c47cb40cbb3efbcc151f02f85b49c2e948b558145cb25174f7e308592b1f62f392d29ad8859da9144882e87b51251

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
db0568fb658eb33585cab7581582e8eb

SHA1
69b1e5a371dbdcf65de4ea5fa9c40cf2b055407f

SHA256
6f058b7dd0ec5b27352e019eac7430d3336d811dc46b435be4b8df6a74bee48c

SHA512
3741da88f261e359a34bc9cef0db59f3919e3f0a8541ad5c96004674e2e98084a59824eb23daff10d6189015ca3087b3a17219ecff76618a7441693b42b91ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09e3e9bb8810c2c6d6aa123f43ec9ec7

SHA1
ee7d2f9ae974f9f0f9869272b0ec9a2f92e82fa2

SHA256
e7aa9fd663f2afeea22ff98d73f6d562399f1d9cd36cee743674ca8bfb790e0f

SHA512
7a6c98da0f2a6abba68240716145f255569b9daf426de94a0b1cb4937bd745c0539de8917d0e427dcc8809d587b3b93276287b4ca290a4c2dc2d4378a2876958

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
1f7d6ac832575fb74df06752a9c4c8f9

SHA1
87bbb65f881936236faa7364361d27fe4076a05e

SHA256
0ef7d7ec0c37ecfc7b6d9484df4d5d9fc4ecf40fee91e34eb50b27e510af7304

SHA512
7fe9a0817f832a073e942663fa4b8539045da19769e7c9b9f61dede9609d86b33a97762ea1abae257fe853543b5962dfe8c43bc402c525a225c7afc599fdf1ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5B74.tmp\System.dll

Filesize
11KB

MD5
fbe295e5a1acfbd0a6271898f885fe6a

SHA1
d6d205922e61635472efb13c2bb92c9ac6cb96da

SHA256
a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

SHA512
2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5B74.tmp\modern-header.bmp

Filesize
9KB

MD5
583c38fb0f5af5fe584d9a9b01d6a3e7

SHA1
84dedf7064bb740614f8661793f429f5ee950d86

SHA256
4c9e804ce1a391f8e603b7b9c732a6529c1e81be4d12f125c8562ea9d49095c2

SHA512
298dac48f75b5d597474fe22e9d69782629c02ebc855f4df91d470edac47ccfb8fe407a1a504fa4a5c94c523c6f03b7b755105b852f25a12d778f2a42313143b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa5B74.tmp\nsDialogs.dll

Filesize
9KB

MD5
ab101f38562c8545a641e95172c354b4

SHA1
ec47ac5449f6ee4b14f6dd7ddde841a3e723e567

SHA256
3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea

SHA512
72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse58D4.tmp\modern-wizard.bmp

Filesize
51KB

MD5
9e4cd80a60db6947642677bf31a10906

SHA1
feedc432df18b13ffba2b7478347d885861701fa

SHA256
a7b2f12e01cbea88d4f645f797f2ca6107d76ae13cd1be6dc532b759bfe0d925

SHA512
a02ae76b7a5df03a149a0b9c9efd314b8646b829b930233d0cea8b619b21720b383f92be95838310e7f1c4183d256823a96e48866b65ac7d2141ed4254ae471a

Download Submit
C:\Users\Admin\Desktop\Kraken_v1.5\How to use Kraken - ReadMe.url

Filesize
59B

MD5
395b2e1bc024ea4087bb82394a59b0aa

SHA1
40d341231ffd07c8820082c9e5df6c7537c67e52

SHA256
dcfd9ad51460b804efef029e163b53c010c852c3ec1991e1153cb5c63c98f230

SHA512
dc4e887528e15627e815b093e2d33bf3e9558ea5400e9176145efb75a1fffa045496dfe58dadd375b158cbb445bf9de227fc5fa8187e3f6191bf24358d11b26a

Download Submit
C:\Users\Admin\Desktop\Kraken_v1.5\Kraken.exe

Filesize
78KB

MD5
0992f76d80edfdd3817a64f8b7f76f2b

SHA1
a3c655ae31218b54e5996b3cc33a9970670f65c1

SHA256
3c9660524b7579b5d93455727bab4339f55705a5dea3652ff14c757194fb8306

SHA512
a2e0660006e3e811dbbba82751081df661134cbc2403018d53c32b0fb35710b1863a00fc134eeb6df6e7ce832ce1f1e660246ccbb8b3b35aaf7e7d3c9b3a5f69

Download Submit
C:\Users\Admin\Desktop\Kraken_v1.5\dll\SevenZipSharp.dll

Filesize
147KB

MD5
05c9849856abc683bcbc5c8d7921c146

SHA1
ad8ec49116b026eee2dd04d6434ede7ddce9734d

SHA256
49284b31f28d0a62d797cfcf17f464c8c2b22b29d0e8ab7c15c94724d83e595c

SHA512
c0bfb5d987fe06eba3a7b0f0c73e24cc74935a8d1efd8a79d64b36c56d498532e453049715fb8c1509eda50a0a2f1213ce67d1edaf6bfcb200e0be58af67ea5e

Download Submit
C:\Users\Admin\Desktop\«FîleReady▬PassWord▬Is☼◄172303►».7z

Filesize
407KB

MD5
8f546fd8bc2b52410b1664cc4353f96e

SHA1
074a7013eb459c4a60f079ccb53dc0a6fd3da916

SHA256
70242bb3e670a4ead187ffe778b034eb96dc862188157715247a213ed3e73aa5

SHA512
f937ce99517d6acb08f4605d761adf3d5b18196d8f87423bcd879df5d3b67d04758ca1a63fbfb3e1963732de1f0a76648e497f6d9d846fd896aadc2ceb8e8d2a

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 296104.crdownload

Filesize
1.0MB

MD5
f9fe1fe3ec50ded5f77234bb40d926a1

SHA1
8492bd22bbc5b2b5f34e92a2207262f3d1d36443

SHA256
e92d56612dc90ee84e96acb77d7b9183d8a16843ee0c401cc685442b95780c78

SHA512
8b30c3b0ede129ddbf1335c1da6e522fa198cf6144eedfd18f3f3879a0f9ff60acf10ea8f537be0f7fb06d32fbf9c86ae18bebe6fa90f3ea644a1343adf9b430

Download Submit
memory/748-730-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/1976-725-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/2184-716-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/3468-68-0x000002339F150000-0x000002339F160000-memory.dmp

Filesize
64KB

Download
memory/3468-52-0x000002339F050000-0x000002339F060000-memory.dmp

Filesize
64KB

Download
memory/3468-84-0x00000233A74C0000-0x00000233A74C1000-memory.dmp

Filesize
4KB

Download
memory/3468-86-0x00000233A74F0000-0x00000233A74F1000-memory.dmp

Filesize
4KB

Download
memory/3468-87-0x00000233A7510000-0x00000233A7511000-memory.dmp

Filesize
4KB

Download
memory/3468-88-0x00000233A7600000-0x00000233A7601000-memory.dmp

Filesize
4KB

Download
memory/4880-710-0x00000000007B0000-0x0000000000802000-memory.dmp

Filesize
328KB

Download
memory/4880-713-0x0000000000400000-0x0000000000520000-memory.dmp

Filesize
1.1MB

Download
memory/5372-534-0x00000000066C0000-0x0000000006BEC000-memory.dmp

Filesize
5.2MB

Download
memory/5372-533-0x0000000005A80000-0x0000000005C42000-memory.dmp

Filesize
1.8MB

Download
memory/5372-532-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/5968-573-0x0000000006830000-0x00000000068A6000-memory.dmp

Filesize
472KB

Download
memory/5968-572-0x0000000006780000-0x00000000067AC000-memory.dmp

Filesize
176KB

Download