badrabbit | 40f0a61db3e8d3a9214d8cdb4985e90321d7117508c16f569a57e72e42ce4b96

Resubmissions

28-01-2025 10:14

250128-l96nbavraw 10

28-01-2025 10:12

250128-l8jgdsvrgn 3

28-01-2025 10:09

250128-l6zetsvrdn 4

Analysis

max time kernel
258s
max time network
262s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
28-01-2025 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

270KB
MD5

330f0941aa62e18b70c9b4360bf343d9
SHA1

eb22e6147fbb2b92b36a8db2d06f5366c9bb4c0d
SHA256

40f0a61db3e8d3a9214d8cdb4985e90321d7117508c16f569a57e72e42ce4b96
SHA512

6cb71a976fc59dd2857227a255184c9b84ff95071b52d10fe89969833915f8e87631cc72e7c7f3599b9c7ee6dd86a0f0c574911efb04256f9da310f3b8b07c9b
SSDEEP

3072:BLIAkp2SvaEvZ+pIhnrlf5RA+Jej3SN9A5VIcwoAwtN+25/jg+y:BLIAk8KaEvZ8IhJ5RNESNyIJ4g+y

Score

10^/10

badrabbit defense_evasion discovery persistence ransomware upx

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit

Downloads MZ/PE file 4 IoCs

flow	pid	Process
77	3740	msedge.exe
77	3740	msedge.exe
77	3740	msedge.exe
77	3740	msedge.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e17ebc96.exe	explorer.exe

Executes dropped EXE 5 IoCs

pid	Process
3964	BadRabbit.exe
3744	5824.tmp
4900	Birele.exe
2312	Fantom.exe
3948	CryptoWall.exe

Loads dropped DLL 1 IoCs

pid	Process
1420	rundll32.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\e17ebc9 = "C:\\e17ebc96\\e17ebc96.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*17ebc9 = "C:\\e17ebc96\\e17ebc96.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\e17ebc96 = "C:\\Users\\Admin\\AppData\\Roaming\\e17ebc96.exe"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\*17ebc96 = "C:\\Users\\Admin\\AppData\\Roaming\\e17ebc96.exe"	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
77	raw.githubusercontent.com
72	raw.githubusercontent.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
193	ip-addr.es
200	ip-addr.es

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001b00000002ad99-1027.dat	upx
behavioral1/memory/4900-1055-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4900-1056-0x0000000000400000-0x0000000000438000-memory.dmp	upx
behavioral1/memory/4900-1058-0x0000000000400000-0x0000000000438000-memory.dmp	upx

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\5824.tmp	rundll32.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File created	C:\Windows\cscc.dat	rundll32.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 4 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4632	4900	WerFault.exe	158

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fantom.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoWall.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Birele.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

NTFS ADS 12 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 86246.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Birele.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 524608.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoWall.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 10467.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 149132.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 248913.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 957787.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 132640.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 832565.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1720	schtasks.exe
3068	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
1224	msedge.exe
1224	msedge.exe
2000	msedge.exe
2000	msedge.exe
2308	identity_helper.exe
2308	identity_helper.exe
4552	msedge.exe
4552	msedge.exe
3740	msedge.exe
3740	msedge.exe
4776	identity_helper.exe
4776	identity_helper.exe
4840	msedge.exe
4840	msedge.exe
3596	msedge.exe
3596	msedge.exe
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
1420	rundll32.exe
3744	5824.tmp
3744	5824.tmp
3744	5824.tmp
3744	5824.tmp
3744	5824.tmp
3744	5824.tmp
3744	5824.tmp
3504	msedge.exe
3504	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
572	msedge.exe
2676	msedge.exe
2676	msedge.exe
3596	msedge.exe
3596	msedge.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
3948	CryptoWall.exe
4252	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1420	rundll32.exe
Token: SeDebugPrivilege	1420	rundll32.exe
Token: SeTcbPrivilege	1420	rundll32.exe
Token: SeDebugPrivilege	3744	5824.tmp
Token: SeDebugPrivilege	2312	Fantom.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
1224	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 1492	1224	msedge.exe	77
PID 1224 wrote to memory of 1492	1224	msedge.exe	77
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 3916	1224	msedge.exe	78
PID 1224 wrote to memory of 4164	1224	msedge.exe	79
PID 1224 wrote to memory of 4164	1224	msedge.exe	79
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80
PID 1224 wrote to memory of 2916	1224	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa04453cb8,0x7ffa04453cc8,0x7ffa04453cd8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1680 /prefetch:2
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4764 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2012 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1804,6797531490290717349,11259854712597503598,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1476

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3356

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:1504

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1536

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:4744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa04453cb8,0x7ffa04453cc8,0x7ffa04453cd8
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2096 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3836 /prefetch:1
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
  2⤵
  PID:3804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:1228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4512 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6656 /prefetch:8
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6820 /prefetch:8
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6192 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6652 /prefetch:8
  2⤵
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6200 /prefetch:8
  2⤵
  PID:1820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6304 /prefetch:1
  2⤵
  PID:3148
- C:\Users\Admin\Downloads\BadRabbit.exe
  "C:\Users\Admin\Downloads\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:3964
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:2596
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3564
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 468228512 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4744
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 468228512 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1720
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:36:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:4928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 10:36:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3068
  - - C:\Windows\5824.tmp
      "C:\Windows\5824.tmp" \\.\pipe\{39104B2F-9F1C-4C7E-B721-AFE8DA932A0D}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3504
- C:\Users\Admin\Downloads\Birele.exe
  "C:\Users\Admin\Downloads\Birele.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4900
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4900 -s 280
    3⤵
    - Program crash
    PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4912 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Users\Admin\Downloads\Fantom.exe
  "C:\Users\Admin\Downloads\Fantom.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2128 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6368 /prefetch:8
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2040,6343730805102263684,7541190008128964710,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6796 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- C:\Users\Admin\Downloads\CryptoWall.exe
  "C:\Users\Admin\Downloads\CryptoWall.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: MapViewOfSection
  PID:3948
- - C:\Windows\SysWOW64\explorer.exe
    "C:\Windows\syswow64\explorer.exe"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    PID:4252
  - - C:\Windows\SysWOW64\svchost.exe
      -k netsvcs
      4⤵
      System Location Discovery: System Language Discovery
      PID:3164

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4900 -ip 4900
1⤵
PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\2a091bfc-b84b-4fb8-93c2-74ee83d3080e.tmp

Filesize
11KB

MD5
004264f14ce00cbc5b4c17158961d3e7

SHA1
b918e8c4860432d80ab512934cfc877c797aad5e

SHA256
9d5373a36efe2043748cf84a478cb9285b1183d43d3918cd6515dce90e0937ae

SHA512
a4db2921ce949da922ce2a2ea9c1cbc315aa98e70ee09aab1d3cbc2aa417e3a872f79b0799aee09a0cf5016c656196f88ce398c246f2d4dcf04e93b30c6045b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e361aef1af1e5d79ca4e95726724bb55

SHA1
70e7505b28e725e897bbcbdf150af28be45996cb

SHA256
03c67388985d753a7661a405ca3c1bea955184b611cd2667d76b1618b94af5fa

SHA512
5289773ab9c33d22828ff3a165a113073e087f12a11b1b07a0b27558b0f94159cf4589532e598df1a98fad93be258a31b23231cfef609f5daf6eea0775274fc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
aa503f359cd9cc61ad80550170b968b7

SHA1
4ed2c0ae83a37adc9b027166d566e6a711803858

SHA256
6a8d032bde5759454b026e452d248a36eb7f86ccc500a9bbebbb56a727798a4d

SHA512
28d6285c3fefdd48c39f90c9e73728843a152ed255c626e31af95b6369af7a8635aac2064837ac809563bfe4d0fd9729a65ee99d3404e5662afcade3723110a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
5c6cf3ecddeb580cf443fcd91c649c3b

SHA1
84a594bbbbbb56540c793e218fdc0a2ea3ac8d49

SHA256
8b13f682a98955bef913e0026c199d17306d643de4d99e280e7574a41567749a

SHA512
5ca76e1c63084c600fb0d5af5183d2dc88d1e36b5c7115f3fe671932ac727b1ae1c554727bfcc26cc9069b78619484fc44b31f97487813bc46913148401e4161

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
43a9e3adc71665f309ec6811e5c8b7b3

SHA1
a2a1b96b7161bfb0884a4037d5553934fab06fa0

SHA256
9ec557367bc65b6d3e90a020d3bac95d1f1749e2778c6299dc206cd9ddb373f9

SHA512
0f85eba2dfde0130ce617913193e6c2290ae7646930344325d845fe0a1e7a8ca92f1e9e3955ff45a5e4657ca4c87d738305ffef8b2ad1dd15eae2d5d6aa490eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_2

Filesize
1.0MB

MD5
22575f3c60dfcf9e36aca0273ddc6146

SHA1
2948516db49eab739895175a6adcc992a2a40930

SHA256
5151dbadda586eaaf7d44ad8f2dc6bcd3c43276181df7695d075ddd6eed6ae19

SHA512
2b64359475f9cbf6cbf19ee804ee291f49529e5c55afb4ef7e9f756274d2e44dfcb77becd6709a3c9af7d10be31fbc1d7cdd4abb5743fa0f6ca843672007eab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_3

Filesize
4.0MB

MD5
18c968d10037c337d1ec3abd3ed64314

SHA1
34ac53a9c886bfaf0a2aa4913882c28245461988

SHA256
81c799a47b842d6375a52e26ee739ace1f9c58ff4951d74b8b6d21162ace28d3

SHA512
79c4f7f624f0bbb18b7da5bf23a78600bbcc840d20e7b61d221b0b52beef2283a1e2fc497d76b2c1dc64e95dce24e6f5a6e2f4e5c56d242a12d271b6f34dbc60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
20KB

MD5
edff034579e7216cec4f17c4a25dc896

SHA1
ceb81b5abec4f8c57082a3ae7662a73edf40259f

SHA256
5da4c64f6c1ff595779a560e215cd2511e21823b4e35d88f3ba90270d9244882

SHA512
ab2dcd1628a0d0cadf82eebd123526979e8cf0a2a62f08f1169d4c03b567eca705bd05a36e5ffa4f6c3df393753b03e3daa18122955dde08fd8e5b248694e810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
20KB

MD5
99c59b603e12ae38a2bbc5d4d70c673e

SHA1
50ed7bb3e9644989681562a48b68797c247c3c14

SHA256
0b68cf3fd9c7c7f0f42405091daa1dda71da4a1e92ba17dad29feb00b63ef45f

SHA512
70973ea531ed385b64a3d4cb5b42a9b1145ec884400da1d27f31f79b4597f611dc5d1e32281003132dd22bf74882a937fc504441e5280d055520bfca737cf157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
37KB

MD5
5873d4dc68262e39277991d929fa0226

SHA1
182eb3a0a6ee99ed84d7228e353705fd2605659a

SHA256
722960c9394405f7d8d0f48b91b49370e4880321c9d5445883aec7a2ca842ab4

SHA512
1ec06c216bfe254afbae0b16905d36adc31e666564f337eb260335ef2985b8c36f02999f93ab379293048226624a59832bfb1f2fa69d94a36c3ca2fdeebcdc3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001b

Filesize
16KB

MD5
cd4e82b46e4da434142a43b103c70d82

SHA1
c90880a374cca87c8db41b629e803cba3412f14b

SHA256
7fac6df5eda28d747100a7de800f01581d46fc81adfb53e5f6597e81ced06613

SHA512
89d38702ed8b7eef95f287012b3de691cca0c191c673ecb7be8aff9481f38e6669ff9b3b422b4e92b1d4bebac4d4e67811cde421b422728930c75962f989a6ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000022

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
985cb639707b16295ca2636de5fa50a4

SHA1
740f630d48dff46fd6576b566b2b1bc3dcdee9ee

SHA256
1e7f69a648c544bde5c7c3e29411ce3e12ca6ff0be8f539aa27796229569d119

SHA512
4760632a30d784567aae6eacd7d70dd4cffd63a558fbba2778f7dba1f568f4de9bfc29ec524e2822dd7f7b3fef5817e44045fa92c3c789f50d93f79af7c6f654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
319B

MD5
6cefbf4aa760e464bde1b6a268227460

SHA1
23b04943b8d4713aa20865e7c7b0cc43cb030314

SHA256
b46395049ae0c20b97566a4452fc94f2974136c4ca7890e8e3b273eef33737ca

SHA512
ed592cb8ab785b0d6764bfbbf1e232b43ea593bfa2264a98fe24dd10b085b24b71472c578b53fd1569a05f68895d413ccc8a7fbcd1318660ede1c6b4e71798a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
6a772f5c9ff997a0ef50b01b92d23d4b

SHA1
baeead6a64a72a9eaeec23d1bc4a4c9b181edcec

SHA256
da82258fc982f7c790d2111f7f00ccd52d471ca59e584fd1ed6bc4eb80f2de94

SHA512
5bc55604546f1bc774838e09b360e852cad30112d9fd2399047b0287f38222056baadefe608a7c6dc26418461c88364d58949cce3343dffb27d8e6cd938dc64a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
db099c2bea59b126513c44dd57314001

SHA1
3770b9b910fae62bd09e039fe7c2f3e3c2f2ca4f

SHA256
d7d8cf47d5b9a3a8704292902e0c3f7cf3e5df22a0c7cf8dd8aebaab26a85c5e

SHA512
0cb7c3b4902d5c4eda92725dcf434c262aba13ee93ce49eb8f2861eb01315c7f92bb290fb918ecb125f701b69e05457eb281c17206c553566a7a5691d3772766

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
586B

MD5
19d68ae6f08a332edc49cc8edbefc021

SHA1
03159e6e66e05a673e9973ba0c953ad91c863ab8

SHA256
3df9f8503494d78ab8f25bc20256fa0f88e0198f010dc61097f40e77436a9d87

SHA512
88e54bdbe9314162f2e72934175b61a1868c9b6dd6040caceba7b72334bc95fcad4ad810a60c7b2d846f51a93ef58e3ae76e22ae8e180e8dc5337cb83ead46fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
44KB

MD5
3bbe97b4cc4c8679eebb3a737fba5536

SHA1
642ce16faf61c1a90dbb28cb3fd8b7b5f75c2b37

SHA256
8ff90c7ed50bfafe118cb0ace3f9528bd1620f90e53e0a0df07d19928772e1c5

SHA512
78f983defd162f51ddd0c9c98bdb81108f89d74d6a1b6aef4ada0a3f77960b2d049cccd48a1034f55eb74fa93c8eda20b3714d614fd4c56d76d389a2c8f41a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
124567d4210e84b2e6f48638f1491515

SHA1
7bf70f1612c49c1e850abf23788fb2f850cf0580

SHA256
fe178b41762268c84754562bde3c6c23abfbd2bb3ad628c99a6e0ebcae493397

SHA512
00ea624d6363ffd742cd73b83ff7fd934cf4b361774ec71ab86bedcc61cb3fac2576581f0e9ca23115a2cb954f44aa365739485b997d97828422443ce0c3b20f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
5d352a03280eba57cb274d27ba6c6b7e

SHA1
8887766642a81a1248dd5f93239ce63e93839900

SHA256
3b358849502f5cfd881dd035ff274a5753f90047a131884838c677e22f2305ab

SHA512
b8037a046c4be7be120bbfddedc780a4175fc8e6c863e9095e39a4e16d2e8ced27c40f38c569a79df990057175e3db6aa35eac645598af3647caa5744052bb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0193ac7a9d3ff359cd9fe89cdce14345

SHA1
e56824fd145e0f6d9755fca869f61919e08848a1

SHA256
c0279f0f71af8fb417f4b34ded504d261be03e04ca524d5c05186067e63de513

SHA512
9144d0658c875409080830d56c0c4b724615b7be737e78d144aa5d67ae09fcad7125bf751ea658e1d1e60f9ab5609205c2c6be0dc2ab090269862d218f06db85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
c276468a5e3d3d80ca2b77a2caa5f1c3

SHA1
77400709a297b033ca8ac5a03fcd0e7288e736e2

SHA256
286b4ab95c12ac1880c1b10647025771a8247d0ce37bc46f1ae2a2a1f2969c56

SHA512
556b753bd5cd1aaa285dd18554eafcf21805e3ca86b56314e207d3759cb100be35ba91b89fa30ae06e5f993d0ad9b61648efe6028499c7370b1e7cef156513d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
86e497d7de046b22544c07a90b5e0377

SHA1
1dbfe3eeff8ecedd690b01b2a699a7b3f97606f7

SHA256
3de2097c98bdec6eba95823af1cf9653d7927acfec3d9324b14cd6dc367ea9d9

SHA512
eba9d70efcfeea2b58366623b092adfed827eec33f5952ef4c3c644330e784d36185029be1edbdb6974b05da07710cabe162836a61e408c68b0d2abe895f01d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba418cd265405c83c70d2e16c801ab42

SHA1
8e9478257e4f06d5900bc7fb27296284a6ba2dac

SHA256
75db8b96e09f3869fbd2207667308f76c3b6f74cd01a8fded97303c6f8c3ebc3

SHA512
7ed043c9bbe6e737029865764922723b116424cf9ea16a859960a5488d0bb31ce9fe6acfc233478f9ee185c6108938a8c9b5472886ee3b7dfaab135c52295340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9ff52dbc3c0e8912b092629c878e5db7

SHA1
b397ce0b362ae57c0d28ea8b9ae51d4b87d14ce4

SHA256
9f7b57a69a98f0863e3cacbd5e3b0acd2b13c1429247c278c8c72054e5f3b9a2

SHA512
82d2dda1724fe68d4f11278fad71be9227e3b062f0ceb4b06d434edf74d8c0c0b21d5b22dbddbbfd4842dbba9b3d0db50af65ce57d8341ebc315db23c6207e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25d9b0c8d933de0fd8af68b9afda2776

SHA1
881727b4a6f44e704b525f0a0c8462c21cee4681

SHA256
4a32d200168c73dac8fc91bc712caf054a6f701dce1912189f42fc18da169be4

SHA512
a0b3d886f0d04df536098ba0d6223c4a1f21634e028196f972e92f59c4dfdc2afdc41a175e669a1440d4531d6b4716dde80d32666b34666f0067a3c52a667f91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e849e729333f294068a9c90bc0ae4598

SHA1
c8d446098af6fb81c093ec7342fbe4ac0a6c6330

SHA256
29ef37058117f6e8d649a1addc32c54a61d7a2a9cf06b1bdd23802d507897c3a

SHA512
359de6ba05cbbe92c928ae8f41c26b2bdca54efccb2b2eac7a5ae848abaef920d4ac465637abe1d20870699c548252cec4e9d718d4d0ed548403147fef87c8ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56441b07c228d22f676674a3a5d113cd

SHA1
d7f010eee2e7a9b96dadfcf0f5445ab04da13bc4

SHA256
02f177ba074849894eb71c09f694c3871a2e0fba87f3d63c2bb4d4c25a49736a

SHA512
ce65033ebc1003733b520ebe7468ad4240246c33def9d89527eccafd043443c6447f239d2809054b5cb0ca947d36a307367cb5a29793c94608e43cca289a9da9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ed5ed6da4a79f8ce28378179bc15bc35

SHA1
739a34531c37a6362e0c53a5991734b2f0a628c8

SHA256
ac8d7286be2c753ce358f610efa8bbf15a03f8636ec95bae9a28f05ee93a08f0

SHA512
3aad7f08b82a726da635d73fcc6740f98e8e2e6c37cde7238d5e0c9ce524083de4957e972a75bc4ad53c5b10e60d577188ade427ab231132d9ccfbb85e03c343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a634400b4d58e5ca40ac017a500416e0

SHA1
08a4b5440dbf6c8f13cc68c2363df1460cf2a913

SHA256
4022f26b78ff1e8741f3dfaffa7c8daa3fc5bec2937003640b68d9e37944c04a

SHA512
690f99569c19b63383632fdc902aa41c839f821e8214415d3672c582687e431934983b4f77cf473636353da6c0a22be89fabb4d6d1f2ebcdfbd9ebc0037b6bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b4fb3de67f06b166ef1cd649e2372c5b

SHA1
28c4299878b94edec4b5149e0f731be6a990d165

SHA256
ca365712340dc9b86bfcc93ec7eaf3de92840faafdd8db6a55629725d33578b7

SHA512
00f4268be102e9111d898040c1ba48fe547bfacc5aa5139dd71dbddd9c4fb8e28123b82debddd58f26d5f0ce83d2d2cf4f99e5097052c3272de7f9c32ac62606

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Reporting and NEL

Filesize
36KB

MD5
d0816f5b0be435d57813f9347424f45c

SHA1
d9ba1bdebfcf6ec856e930837e9a66b8ed3c79ba

SHA256
24ece33a0ea3fbbbffe1bca70ec4c5b6a9a8fee694193f2bcbfc8dfb6fbb6230

SHA512
ccec8c83cdfbbfa4575946d1232439151a932277ab9bfd9cc082d7478b2452d0c2423db48495fb48faed25d70b95b87d9d2f12f1bea198c26171d0797303f969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
156B

MD5
fa1af62bdaf3c63591454d2631d5dd6d

SHA1
14fc1fc51a9b7ccab8f04c45d84442ed02eb9466

SHA256
00dd3c8077c2cca17ea9b94804490326ae6f43e6070d06b1516dfd5c4736d94d

SHA512
2c3184f563b9a9bff088114f0547f204ee1e0b864115366c86506215f42d7dbf161bc2534ccaee783e62cc01105edffc5f5dabf229da5ebd839c96af1d45de77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
531d50dde44fc95a24ffb68f1373104b

SHA1
538364c846071961613f27cc5bbf6a70c91726dc

SHA256
87d3a4b20cfea278748e5e7a4b952d52699f2c39b6aaa4b632124807d6c7b1f2

SHA512
a2538dbac4872c5fba55e9803b0e9ce6db9232620fc1ecb2ae4255dcbb2d15d41d1266802cc2d42230bfe58ddaa6ed96c9ecc5589718faab846e2fb76ed9caab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13382532918099717

Filesize
1KB

MD5
76b365be7d196931faa3acba4865e8bb

SHA1
4ad958b9d206ef83c1a587dd4326c80dfb24eb77

SHA256
dc261a5d60aa74e5220bbafa9f43c1080b0bcade5181a4aecaeca2b322d484b8

SHA512
aeeba37bc1e660b91a8f282170de45a4804c43f9b54b53ec42e2b89a259e4751e55d307c8ba3130b6c66a2a5d86f89127d0b3c1dbabe704660525d9d921aa917

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13382532918365717

Filesize
1KB

MD5
f1e6ed9d9cbb3135df7bd4559aea9957

SHA1
8720ff7b43511cc91c41c7993e63aa21864e7774

SHA256
65f6e29c010835493e9a78641ff49ac23d9b5b80e70a197d0a25322f61c4b6e1

SHA512
aafa95e8678f5f26b3d8fc78f215ee554fe05bdd841a47c5a63d9d81c3dcb8393b5ca647615b2c24e4febc7211988a23369879e2a3a65e6ff4faa3fd19b7c711

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
8be985ece811ba0a3f10087f5f4e6fd4

SHA1
c87c84d4fe182ffb8362f3cabd33349af94e9b55

SHA256
da78d36c765d3248b1a72ead5f83b7a58cba7d361f17a6831332ee994cee939a

SHA512
901932baea8712e89188cfce00a6b2388ba38697bcbfeebcf8b83b88b0cb26c7323b098ba6983c312ded1041f6e297412010113a32e99a9350aa4492ca40efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
f025b837f10b795fb807cc281e4b8c01

SHA1
4090aa03d7bda72306ad6cb6c582fa4591700c8a

SHA256
db5359f61159f6a490c06fd74020084e4f89accd8f7163d455f66ed429562ccb

SHA512
cdea7a0c921b3ebd1023f85494e3344502f5763acce81c68f62930c5cbe3cf65b040b5d67350cb895888d7169ea933c48c4671dc33581132c0888c4c0f857742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
d8ba739b8c52190f1db8a7ccd1e2580b

SHA1
960f56b603e707ed270f63f8807be4599beb80d7

SHA256
ab33ef4f98c47413fddee2d272615e76f22fb321fbf45234fb78898a781647fc

SHA512
c5d0cc41ab6dda42289b70d113d48152cc71cb402b18f830acebc97587c4c6058a71a5dd7665b4f413ecd9a75b86fcc6ef8dfce399c98beb84d26a173ad33992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
272110d57123c50b96007fbaefdb53cc

SHA1
5bd7a6490646dac2ae6eda5e600b3ca95458c146

SHA256
113cbd46e99c318a2ad195620295fb6f57151f1b09ee54213ad217e6c3f7fd35

SHA512
68c8eb565d2003a808946bdcfead69c35e0250c43c4c3fa081e1790fab374c5c2d959b3b8e980eff0dfe6ba6d5bb4f58832460fa58b991f8ee98dc5167e4d3f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ac771821e9e95922bc2b7cb5a392c761

SHA1
1618644b5f6f8f38777164ef7efadb6ae4017730

SHA256
a14e4eaa1377810a409d8384c045edfeb98f3c9d1e3257714a42a937ca598f84

SHA512
7dde27cf5ad13d819a60c51309805d6c13d7a0eef265866da07619a1e33c1395fada6272c566ad829aa7375424fe58534012b9dd597944b5b966c340e34cec79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
120a6d398ba44b20cddd66233523ca1d

SHA1
28ffd5c1bb27c11766d7c2a4def2b1dc181a32e5

SHA256
2478495aca9327577298cc88b916f718087f510c38a803820e76120e88141adb

SHA512
425142dab07d7b5a489fe87e0e9fa01922d1ed6ce67ba2c36a5cb76e6fc5731a03424a503bcfe594d795b2d37138c29c80ac2a6265f58f0bac093d5f3431e94b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
7d6a4d50fe08a5a10e35a818c0ada90f

SHA1
f2b229b4a9a9008e42b86090c02f6711631c931e

SHA256
9eea08551a449afb7edf72547cc1fecdd11fe0731f456535103d6146cd218acc

SHA512
aef9db285dcaba2f6fc64ded5f161ab2f5efb984da28c2059a990bc76e4936bb5ab1f94b50f4dd913a4911a8c6f12a79c03e5745a12581579637f8de5e67cf34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
3eb071b0fccb0175b8b5fa7e6658a2ea

SHA1
97c2ac5993bb480150ee06ac417bebee234e061a

SHA256
b7ac4835ead48e304e741055387f133182b8ba2c46fcc212e0eee21e1c692216

SHA512
6c95035abb1fddccdcb638eb6fd4aa67b8b728f22a57ac035993127dae429d9b8904c2cded18b298a672f7956cabfaef0da41878fd118deafd0eec13af774bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b06b4c41d99cb04ee24c2e80ccdc8ae0

SHA1
72b7b177f91cf0d7170a3f5ef550746b129f165e

SHA256
734fecf64b8f415bfaf59328ce8ca5005aeb5910fea3535723a7c89a43ee0ec9

SHA512
0f5cf477da17cc9b5a0d684cc9d74e2fe02e176a78b4873d61903fc591828ffa619002f3283381da01c075f4f563ef012ddb39924dcfa4cd51ad03fff1e714a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d04df44c5d4336dc36551546eb475a94

SHA1
f53694973df59161451bda8dc61c12b198aa97e4

SHA256
44ec46aceb0b11e3a5af3aa052ab871f08fb869b1fdc53a45da822fa57391d62

SHA512
fe9a739d3d2b77642dcec14cdc429ae01dec4d35f07eb0d592ebd5877ac61ef31fe9cabfd9f594b1e591a520b6c59be1328ba820e9c59d9f50cdad20ae507505

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59a956.TMP

Filesize
1KB

MD5
366c92e0b98b95d28a1588d5c068b5f8

SHA1
ce42758156d9b965de77518296eb3b8078f63c8b

SHA256
ff60f2cf8550da0fcd27aca9d1b44f518a76ced5510889a1758a16b275bf6ade

SHA512
80cf4203a9d82b5409f246e3cdf81becdbbdf2fa1cf4e0d4599287dad36c85246d3a1a55ca7be96c41062182a53c5387dfe2877927e0002894a6a40e68ba0f03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
264185ae6515e05b29ad541301cca613

SHA1
626679587f09de174ecbba602a3c330147037d93

SHA256
448712751ac258f59524b4706a7e3d47b109c103a04ff6a247d35c15fff68ea5

SHA512
bda94585b9b2df016e0c678d8921095469da032c8f93c3e9542350eda2b23c7fbb86a4d882f814281ac69795baded1f206529ca482b4a5d1d9ae2b65dda6171e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
4a038c8a25fe4e637be576476cda20a7

SHA1
2c006efbf199b494cdc11bda2f22900e5a41f5ad

SHA256
acf0fedb8fc1b6353969e5fbcb549530d3f380aec6c6122922d7a848a32c501e

SHA512
c7890eedfee3ebe6784c8720320456b86bc304d2c113ea0206dd48fd843c84781da646af75bc656c5f8f1a3b4e23d0e4682e082eaaec8429922fb3b6784e9912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\heavy_ad_intervention_opt_out.db

Filesize
16KB

MD5
9a8e0fb6cf4941534771c38bb54a76be

SHA1
92d45ac2cc921f6733e68b454dc171426ec43c1c

SHA256
9ee9211a57c3f6fa211fe0323fa8cd521e7cbffcd8ff0896645a45795dc472be

SHA512
12ed22537dcc79d53f6c7d39e92a38f8fea076d793198928f5b7a5dd1234d50a3c0b4815632f3fadf8bc4ef0499773d22bd83f961d2d0ffd8afacf471bd3a5ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
225KB

MD5
ba885ca3701228d6c1adc08747f00197

SHA1
3cfcca2810c33d113a1a59eaf6faecc6bee81ee1

SHA256
492300f4a5838ee4a8f2323d0cc5c35dc5d08c7f9467a3f9640a0782c190bcc0

SHA512
062a1cdb89ac0b12cb499afc8d24078e7189ed5f374eb9ae3979683ab53a5c858eddfc47e90ca4236e0b183a34fb834c41afc27e9cbec4ae8b163c241c5988f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
322B

MD5
9724b8da8bd5b05e8f4a0052c4a0d778

SHA1
8e600dbd30710d5addf0c59dc587e101518363de

SHA256
9acec400e5936edd9c1c79df7980ffa3aa22bb50e4b45012ffdfbfa5cb4e703a

SHA512
834a3e11f0c271971e184ececba9aef273cf285665097c9a0a92bf130e86538c74a61345b83acbe4c85654543e9e090f5c2e95f20e3694ac3beb56cc3c4d4865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
057e1a78e9dd249ab0d3be84883bd0b6

SHA1
5d7294a53d43edc07fe2507029f47dfd0be70efa

SHA256
cfb984cc7a31422165fd191cf9873fe6c89cf329bfd5bd806a828fd22e75f368

SHA512
b34d1125bedb3dbee9ad0dac9de4341ec9c360d5881849197fa79181dc7f80eb7bd18cec85c30c816ffec5264f70aaaf02889e325856056330ee8f8386d18192

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
340B

MD5
17c453cc75b3c69767211fa015bbcc18

SHA1
6a4558b7ff117cb41f1764447bab9a487687ae5b

SHA256
e473a8a47ad33c190a0662900bb2c6ea2ffb2bc4b6ef42dde0155da49d6db3c7

SHA512
35c1c1e25fc271ea09eafbf6a37d6aa770b649e7619765dc0a6b94ea2fff52c1a164090ebf31433ba21ae4515ccb653720f3606ca1a1b26466d2a017d7343a44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
6022d265c86d6b5d18c177d7f5a6fece

SHA1
3585901c34bbaa1d03521afa7092135fff160d0e

SHA256
4df619c8b9b110dd7e94cc46493346fe129a07ca19bd09a6ab551d8346bfa70a

SHA512
3ceaed5f1aefa529236968b71e13d03ff912d6594881a723d670ee27ea7987fc179fcc37ef5858149af8b71e3e1053b080aef3fd4083acb84dd22a6a2d67ab98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a1a13feb0f6e1282d1075e83dadad145

SHA1
100985427e9fce7b3f9d256b79812e0190c00fb6

SHA256
a535b85bc385a185f4aefcf7d541abd1be0987a684e3f0c06a703411fd8d185d

SHA512
681bc574c3dbc5636d9a754c24551b2c4e8b1f6bd0de61e1f0b64003c29785849c56d8b6da4e927d6c01e2863989747570e77c020f851f6ae6d9afbc2579fbe9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
513e18c939f1c16da3bde49fb32ac9ef

SHA1
7d5ed510b39b1d22114a16ced53662cdb52f6790

SHA256
4c6f9ab29deb34964882b8389cb3a59fbbd76b6157869c75d01e0663a7b8ec88

SHA512
a196184cb88cc95d7c96503d3ab3ee8eb87711a6ae9b32533671164272d83d190c5b2aeb60d100e6ae77bd8bb1f4e18d81db872fba6be234378fe2c7404e29b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
7e86d5c1bf2ff36b15bfbd8fcf748b16

SHA1
59a1515ddff8caec85c4f27ffb17b69a42ec6226

SHA256
82f03e141e82546b261c1a24cd9ae3cfd4b19a7b4f343a296428deeda88cf856

SHA512
943fdf966d2ca4bfb35e01431e7bae1611e86d4bbf9c27524ba4502a9a93b8c0bb39e7760a8ee76993c4099da1ff49febe0b48468f134d4121f22a0ffb41bf2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000002

Filesize
20KB

MD5
2a029687e73114ebcb4fad10c0114e8a

SHA1
f09cbbed46b9f8c731568bdcee13024e89bda397

SHA256
fe6e92a5b020858bbdd8089533c6f22703bc5927e22f689c384164096705b11b

SHA512
211dc45e2bb5739bcf863c44ca8132f92e895b3c95d074929aa4338698d53c6ccb3a8e2f23180260d9226073f4f5cd21a200010a7a224de7c8ac2e1cc853730d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6b6c8fc7555880941025ff2a6db1c33a

SHA1
fb94682bab18da280a5f404d9602b34b2f9c5abb

SHA256
ed832d12be33bc22cd362e2926de07dda8e5777e76d15aa11105e6fbff55a35e

SHA512
9eeeabb3754de0eaf5389066cb6e5edd7f04bbf2cc6592e1388e23d8c58f2fa5082186946263f8d6b420ccf354aceafc17bd081aa316da977378834445d0ac9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
529db6cee9d39c0688cad26872c749b8

SHA1
e9fafabd93750bae8f2525f5f10be007d0077b82

SHA256
44a2afce90856f04ec873f8cccd2e31f289a27272c49d56e5de6f3d077fda665

SHA512
c1ce00600bb8350d45fda3a7fe1a316d22c8074d4c1d72a7eb55f5d57eb794e6929d3e36ced0c2fd2c005d7bd727ac24a39310b11f60c9113daefccbed2b4d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
63dc2cf817697db8c229591b6ce1a2f0

SHA1
3d804358a87a59f91b6b87f9c44bd021da38476a

SHA256
d44107e7686664f7bcc73278f540b14682f12d8b8c5db2737f984c5c7292bd5c

SHA512
d59be2c7c91c8eff9d958ec646778d4f30e0d37fec9ff0ab363f617de65bf6b98a43b7bc991e71f572d2bf0f7fefe54b583a227df4ca6f35b650650fe3f3915b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
24c3cbfc63a16d9cc72618df16d23119

SHA1
6f88d2c881cfa8b592793968bc694c568694ab61

SHA256
7de0b096b7d03eb25cf1c1b7760da8e6d93e1644743222f45697152c174d2a4d

SHA512
35a498763f1d8fcb188d2db16f9e9a7a5602aae55af4ae903edbeec4dc1c63c41132105cb96282510fc5f2cce8dc4aa9137f7110ee70096fd9fa6413ff7c8818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
32360750c710da760728cb2ec4512c8e

SHA1
c6e062b801b30111983369522eb8ca30b735ff4b

SHA256
c8c048ae23b53c491108b192565a5b32284c035b2fda4922b48c332c55c3bae3

SHA512
2f99d5278c5d358243ab8739ac688a93a61841f4809ae98a7294d62b1499fc75bc5964cf0ec9f60886d3e6437e0974ce8b7798b8c82e03e52809f4ddb7458141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e34b9c797f7d015c159660b2775d80a2

SHA1
dba71800058fb520a431e002f38a4a1981e9a059

SHA256
7b2203b5a9e2006a67603687bface60014ae15e89fe5b6055d1d3bed3038d0b5

SHA512
57acf208e685ba1b3a88946ec9c55d773de508239651e00829f760f85f2ddf1126de5d50ae630aff7a567f6e562636cc57cfcc632005a3fcc169ff489eadda63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a8f402967268c2bf27e2b79939706b42

SHA1
763bd3e2ce520fc6fe592fea6ba2e1a4ae152b1f

SHA256
2733b73cea18b8843f2b74501444f333a8bdc11defb29694d3793c2212855786

SHA512
cc137fcea1d9a4a464350cbead8a23673e70e4693bcc02ca26c1ef24bd57070fc4e5acf4fdb0be1e81b0fbf53630990af283e42b2847e0a127e5f67d6883bd84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ea23e78b45c6bda08cad30231ec4210e

SHA1
ecd18e79d79d7ecb5df1c28bd6e4717b7d32a31f

SHA256
58df2891de4a9930bb22b3b3d27f8e8b25ea0ed4936f9a27cb3d20abe8c3162c

SHA512
aadcbaaf76ee3ebc80756fd30b7cc6f52ebd395888f370736c8c676200870247017678261bf57ed8c97ce1c7f422a1f5ede51e758188b54a56841e0aa301ebc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
3B

MD5
41563a94efd4f412673d8a0dc764860f

SHA1
3bd55300d9bb082153323de9aaef44be54efe57b

SHA256
fb702c5522372edf1dfd0b8dc3dd4ae73c5fe12d7279caaea0f82f30df839ec0

SHA512
5dedff2127ad59f4d9bae67d29f47236a227ea10cab0f8e1498cc9d6e6ca63d0652515352a21fcfe4face1eb3c3af1dd0084933263dc479cc6766c09ff4b3059

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\516a4c89-c9dc-495f-85a9-4fcb06313dd1.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\Downloads\Fantom.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 10467.crdownload

Filesize
116KB

MD5
41789c704a0eecfdd0048b4b4193e752

SHA1
fb1e8385691fa3293b7cbfb9b2656cf09f20e722

SHA256
b2dcfdf9e7b09f2aa5004668370e77982963ace820e7285b2e264a294441da23

SHA512
76391ac85fdc3be75441fcd6e19bed08b807d3946c7281c647f16a3be5388f7be307e6323fac8502430a4a6d800d52a88709592a49011ecc89de4f19102435ea

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 149132.crdownload

Filesize
132KB

MD5
919034c8efb9678f96b47a20fa6199f2

SHA1
747070c74d0400cffeb28fbea17b64297f14cfbd

SHA256
e036d68b8f8b7afc6c8b6252876e1e290f11a26d4ad18ac6f310662845b2c734

SHA512
745a81c50bbfd62234edb9788c83a22e0588c5d25c00881901923a02d7096c71ef5f0cd5b73f92ad974e5174de064b0c5ea8044509039aab14b2aed83735a7c4

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 524608.crdownload

Filesize
261KB

MD5
7d80230df68ccba871815d68f016c282

SHA1
e10874c6108a26ceedfc84f50881824462b5b6b6

SHA256
f4234a501edcd30d3bc15c983692c9450383b73bdd310059405c5e3a43cc730b

SHA512
64d02b3e7ed82a64aaac1f74c34d6b6e6feaac665ca9c08911b93eddcec66595687024ec576e74ea09a1193ace3923969c75de8733859835fef45335cf265540

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 832565.crdownload:SmartScreen

Filesize
7B

MD5
4047530ecbc0170039e76fe1657bdb01

SHA1
32db7d5e662ebccdd1d71de285f907e3a1c68ac5

SHA256
82254025d1b98d60044d3aeb7c56eed7c61c07c3e30534d6e05dab9d6c326750

SHA512
8f002af3f4ed2b3dfb4ed8273318d160152da50ee4842c9f5d9915f50a3e643952494699c4258e6af993dc6e1695d0dc3db6d23f4d93c26b0bc6a20f4b4f336e

Download Submit
memory/1420-977-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/1420-971-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/1420-964-0x0000000002640000-0x00000000026A8000-memory.dmp

Filesize
416KB

Download
memory/2312-1159-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/2312-1152-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/2312-1161-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/2312-1149-0x0000000002530000-0x0000000002562000-memory.dmp

Filesize
200KB

Download
memory/2312-1157-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/2312-1155-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/2312-1153-0x0000000002590000-0x00000000025BB000-memory.dmp

Filesize
172KB

Download
memory/2312-1151-0x0000000002590000-0x00000000025C2000-memory.dmp

Filesize
200KB

Download
memory/2312-1276-0x0000000004DC0000-0x0000000005366000-memory.dmp

Filesize
5.6MB

Download
memory/2312-1277-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/2312-1278-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/4900-1056-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4900-1055-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/4900-1058-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download