cryptolocker | hxxps://github[.]com/Da2dalus/The-MALWARE-Repo

Resubmissions

25/02/2025, 03:42

250225-d9rkdssjz5 8

25/02/2025, 03:37

250225-d6y53a1rv7 10

Analysis

max time kernel
242s
max time network
243s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
25/02/2025, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Da2dalus/The-MALWARE-Repo

Score

10^/10

cryptolocker defense_evasion discovery evasion execution impact persistence ransomware spyware stealer

Malware Config

Signatures

CryptoLocker
Ransomware family with multiple variants.
ransomware cryptolocker
Cryptolocker family
cryptolocker

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3412	cmd.exe	113

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
5032	bcdedit.exe
3060	bcdedit.exe

Downloads MZ/PE file 2 IoCs

flow	pid	Process
36	3752	msedge.exe
36	3752	msedge.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USB6E-AAXZT-ZTRTX-HTGTR.HTML	SporaRansomware.exe

Executes dropped EXE 6 IoCs

pid	Process
2140	CryptoLocker.exe
392	{34184A33-0407-212E-3320-09040709E2C2}.exe
2568	{34184A33-0407-212E-3320-09040709E2C2}.exe
2768	SporaRansomware.exe
1692	SporaRansomware.exe
5004	SporaRansomware.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000\Software\Microsoft\Windows\CurrentVersion\Run\CryptoLocker = "C:\\Users\\Admin\\AppData\\Roaming\\{34184A33-0407-212E-3320-09040709E2C2}.exe"	{34184A33-0407-212E-3320-09040709E2C2}.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
36	raw.githubusercontent.com

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SporaRansomware.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	CryptoLocker.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	{34184A33-0407-212E-3320-09040709E2C2}.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SporaRansomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SporaRansomware.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SporaRansomware.exe

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
4108	vssadmin.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\SporaRansomware.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3752	msedge.exe
3752	msedge.exe
872	msedge.exe
872	msedge.exe
3888	identity_helper.exe
3888	identity_helper.exe
1988	msedge.exe
1988	msedge.exe
2416	msedge.exe
2416	msedge.exe
3180	msedge.exe
3180	msedge.exe
1696	msedge.exe
1696	msedge.exe
576	msedge.exe
576	msedge.exe
4212	msedge.exe
4212	msedge.exe
2504	identity_helper.exe
2504	identity_helper.exe
4000	msedge.exe
4000	msedge.exe
4488	msedge.exe
4488	msedge.exe
3972	msedge.exe
3972	msedge.exe
3740	identity_helper.exe
3740	identity_helper.exe
1840	msedge.exe
1840	msedge.exe
1936	msedge.exe
1936	msedge.exe
200	msedge.exe
200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 25 IoCs

pid	Process
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
576	msedge.exe
576	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
4488	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3816	WMIC.exe
Token: SeSecurityPrivilege	3816	WMIC.exe
Token: SeTakeOwnershipPrivilege	3816	WMIC.exe
Token: SeLoadDriverPrivilege	3816	WMIC.exe
Token: SeSystemProfilePrivilege	3816	WMIC.exe
Token: SeSystemtimePrivilege	3816	WMIC.exe
Token: SeProfSingleProcessPrivilege	3816	WMIC.exe
Token: SeIncBasePriorityPrivilege	3816	WMIC.exe
Token: SeCreatePagefilePrivilege	3816	WMIC.exe
Token: SeBackupPrivilege	3816	WMIC.exe
Token: SeRestorePrivilege	3816	WMIC.exe
Token: SeShutdownPrivilege	3816	WMIC.exe
Token: SeDebugPrivilege	3816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3816	WMIC.exe
Token: SeRemoteShutdownPrivilege	3816	WMIC.exe
Token: SeUndockPrivilege	3816	WMIC.exe
Token: SeManageVolumePrivilege	3816	WMIC.exe
Token: 33	3816	WMIC.exe
Token: 34	3816	WMIC.exe
Token: 35	3816	WMIC.exe
Token: 36	3816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3816	WMIC.exe
Token: SeSecurityPrivilege	3816	WMIC.exe
Token: SeTakeOwnershipPrivilege	3816	WMIC.exe
Token: SeLoadDriverPrivilege	3816	WMIC.exe
Token: SeSystemProfilePrivilege	3816	WMIC.exe
Token: SeSystemtimePrivilege	3816	WMIC.exe
Token: SeProfSingleProcessPrivilege	3816	WMIC.exe
Token: SeIncBasePriorityPrivilege	3816	WMIC.exe
Token: SeCreatePagefilePrivilege	3816	WMIC.exe
Token: SeBackupPrivilege	3816	WMIC.exe
Token: SeRestorePrivilege	3816	WMIC.exe
Token: SeShutdownPrivilege	3816	WMIC.exe
Token: SeDebugPrivilege	3816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3816	WMIC.exe
Token: SeRemoteShutdownPrivilege	3816	WMIC.exe
Token: SeUndockPrivilege	3816	WMIC.exe
Token: SeManageVolumePrivilege	3816	WMIC.exe
Token: 33	3816	WMIC.exe
Token: 34	3816	WMIC.exe
Token: 35	3816	WMIC.exe
Token: 36	3816	WMIC.exe
Token: SeBackupPrivilege	5016	vssvc.exe
Token: SeRestorePrivilege	5016	vssvc.exe
Token: SeAuditPrivilege	5016	vssvc.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
576	msedge.exe
576	msedge.exe
4488	msedge.exe
4488	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe
872	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 872 wrote to memory of 2520	872	msedge.exe	78
PID 872 wrote to memory of 2520	872	msedge.exe	78
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 4300	872	msedge.exe	79
PID 872 wrote to memory of 3752	872	msedge.exe	80
PID 872 wrote to memory of 3752	872	msedge.exe	80
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81
PID 872 wrote to memory of 4928	872	msedge.exe	81

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Da2dalus/The-MALWARE-Repo
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffb7a3cb8,0x7ffffb7a3cc8,0x7ffffb7a3cd8
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2592 /prefetch:8
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5464 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6240 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4904 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1820,5621482004712700086,411642159682878411,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6544 /prefetch:8
  2⤵
  PID:1652
- C:\Users\Admin\Downloads\CryptoLocker.exe
  "C:\Users\Admin\Downloads\CryptoLocker.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2140
- - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
    "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" "/rC:\Users\Admin\Downloads\CryptoLocker.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:392
  - - C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe
      "C:\Users\Admin\AppData\Roaming\{34184A33-0407-212E-3320-09040709E2C2}.exe" /w0000023C
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2568

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1424

C:\Users\Admin\Downloads\SporaRansomware.exe
"C:\Users\Admin\Downloads\SporaRansomware.exe"
1⤵
- Drops startup file
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2768
- C:\Windows\SysWOW64\wbem\WMIC.exe
  "C:\Windows\System32\wbem\WMIC.exe" process call create "cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\USB6E-AAXZT-ZTRTX-HTGTR.HTML
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  PID:576
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ffffb7a3cb8,0x7ffffb7a3cc8,0x7ffffb7a3cd8
    3⤵
    PID:1528
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1904 /prefetch:2
    3⤵
    PID:4596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
    3⤵
    PID:4216
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
    3⤵
    PID:1144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:836
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4212
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
    3⤵
    PID:1016
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1892,16598111995675647063,3580190082820018013,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5660 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2504

C:\Users\Admin\Downloads\SporaRansomware.exe
"C:\Users\Admin\Downloads\SporaRansomware.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1692

C:\Windows\system32\cmd.exe
cmd.exe /c vssadmin.exe delete shadows /all /quiet & bcdedit.exe /set {default} recoveryenabled no & bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
PID:2416
- C:\Windows\system32\vssadmin.exe
  vssadmin.exe delete shadows /all /quiet
  2⤵
  - Interacts with shadow copies
  PID:4108
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} recoveryenabled no
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:5032
- C:\Windows\system32\bcdedit.exe
  bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:3060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\USB6E-AAXZT-ZTRTX-HTGTR.HTML
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0x50,0x10c,0x7ffffb7a3cb8,0x7ffffb7a3cc8,0x7ffffb7a3cd8
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3132 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:2400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  PID:900
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5172 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:2832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,10330147918790144600,5064555000330569398,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\USB6E-AAXZT-ZTRTX-HTGTR.HTML
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffffb7a3cb8,0x7ffffb7a3cc8,0x7ffffb7a3cd8
  2⤵
  PID:284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2580 /prefetch:8
  2⤵
  PID:1244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5108 /prefetch:1
  2⤵
  PID:424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3664 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,16662113106343738458,5058052940417561828,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3660 /prefetch:1
  2⤵
  PID:3404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4932

C:\Users\Admin\Downloads\SporaRansomware.exe
"C:\Users\Admin\Downloads\SporaRansomware.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7863cd1aa11e7a9ee7b9d6062ae1727b

SHA1
09bbe8ca102a301da06f75a2be682c175fdc52d0

SHA256
52b656a63144f7a071fd602106ddb92f37a84e587aaa3a42a12ef2aaee90e95f

SHA512
1c26e42a4ef736712f2f0c0cbce1fce9b434f1aa9bd949ac9bf2fca132a047d13d4253fed606af0248e10b4fc3a67bfa082a199c887997a9f2edb34b82fda3b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4815ecce34e90c0f6ca91c7e35be703f

SHA1
61ec0042ccee59f6bdf6b96eb9f412cc97717702

SHA256
5db366717739338c23e07ca15aea2b48924a3b3ecacb214221239333b11ae7d6

SHA512
751dfd6eea90fc4efb557611e8afc6ef1634c4e2bdd97f3c72638def09f644ebd8bf5696b9ed8379973106524d08c67188f7f64c0f941e8f95109920120dae05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
53c68f0f93ab9a94804c00720a0bcd9a

SHA1
9009307d51e1fd60f9a90d77007e377c7f893434

SHA256
a38f0777d4ca9e777191cc924c22eb1847ae805ab79ff224860e8c70d7f49422

SHA512
a1d5b92fced821328a668fbfe9ad694b99c873ffa3ed28aa5bf1e8ef8054486289b5ddb26236cfa7c1ca0db993f306cdfc5878480b6a543aca1620075f77d670

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0298682d3de875bd80c884454c749406

SHA1
afcb48ab91419fb02bcc9551fa41baa40b7302d7

SHA256
5bff797d0275d84b43b4fb489756168ef434d17b6542018a1e7fbafedd905546

SHA512
c51f517915959eeb3f03e2f986e1f2f9efa11468e1bd5a3fd6c4038619c5aa8ed2515b16ebd1841781cb6cf07fa5b01d25f027a59f1be0f4b9eaa772dce9be05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
47ebfc103da5bfe09c5070576dce40f7

SHA1
f0e4528cdbf71d527ffc3ec98fa192c0d62b3e46

SHA256
42ec7228bceade112008d4491e7d43cc9ec299d7e60d5563d33ad72c72038be8

SHA512
494e4f22d3e59f3b6b7f46ec56d37bf1224c5cc5d88853580de3b1936e62af56c2b5f2afab087c57c532ef8c8f81e33eb3cf1064eac578b96eda499acaccb2ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
98323ba65d969ae5a9f6a4bf3878a5e5

SHA1
07e6767aa65d18bdd89ab6dc7a1ae51c590e8fea

SHA256
9b8b6dbac1b3d25957841fdc9ae55b7ca03aada81413e67cc83908b624f410b2

SHA512
783e1d65210cac7ad5837c24bebbe444a236e2396d609bf1f410ca7c11f9f9b53922089db597ab0133fa20599272249c990adadda965ccb8c9a83946551da0ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\410104ae-142d-44a0-9d78-d37380080034.tmp

Filesize
6KB

MD5
d87771fe05525dd5e32c76a9c4d392c6

SHA1
1f965eff5fb77e590ee79bd59acba2d0662398d0

SHA256
c6a39d14b79affe990d92a33063d1c1f7632e4a6c0aafaf9d67d315f1dc01eb9

SHA512
f655f7b50184d53fec03fa480b7f97189769e1382a7e301db6f062e841636f134e19138c88544f81f45cf5fd82421861491e27456cd1dc13748f70d00ddff518

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\44e23508-a15c-4db3-8a88-ea068d26f712.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
3KB

MD5
6bc6319c943f0aa4e1e366224a6b6c19

SHA1
1ede4c68b7dbfa2b15c7e3591dae3099f878fad7

SHA256
c72d400500616f61018b0a631a47083a8871128f9a9ce1e402111a59145757cf

SHA512
dca635dd8bdcadb052e8fb11a7b5613552847eeefd8e351af189d521831101bf7d6ad0d5765ecc77a41acb022ddbbdc5b7acf5dae719eb746f95fb3be213241f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
3afe00d015e2b8c44bdbc04da71c311c

SHA1
2a98693c98193cb51be4e07186482965db8860e7

SHA256
37f53b3635e554c126012782505be1b50911eac04c6cd732a2a73b4808bbf8e7

SHA512
448b9f3afdb38e2ecd81e4d21cba0eaa9d80e42751752c8dcd1459d577b68f062aac2d28387a3a233900a63b63dbfa4914a76ff7e213fc9a0d2c2b69d3d37690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
20KB

MD5
89f1b20dd9011e58f8674910b7deacc9

SHA1
ee04f0d1396f07ba934fb5b709e8e8073a57aa01

SHA256
647805a001fcbd81f5e6630d1145492ab6b99f83b7c8b42ccafcb59f7d9c2c41

SHA512
f9c885f218e905a8fda8cb15072bb9f7a60f9eb0f4a384b3a523dbac7a9ac915799651c93c1e56dea3b244ad8b2f7d3049b57051eab73818efec51b5ddf5be26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
6521adc20b35bc7673f9c310194574ff

SHA1
1dc28d895e337a4c306e1c519682cdc35919b3da

SHA256
9469c5a4c900077aa0323c552f5ae6b075819cf516a5439c0f9bd695b32c1b9b

SHA512
ea5f319248ab87ee8094b55553066a05c5a4550d1eb585342dd6831d6f369fd8e316c224581055c841e7891ab9d9b5d1064122911e359ef90c8a1043b010fc45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
116KB

MD5
061c6d67f453f80e5f00c45574b9c873

SHA1
ccb3f914b765b9d0fe8859ac8ec6041da6cd1c76

SHA256
41ede5750618023714601804dc9c26aeb2ae459d312aee140659b54a1fef54f5

SHA512
dab9b21eb07626e0bba89ea608e177809be4e8de937560c69cd2ffc3e7b91a7cf221f0053167affce561fae81d8ef56c9f40033cb64e8ab0c347c5087a4b5450

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
1KB

MD5
d22d70bac64cea8e47e983347e9d325a

SHA1
69df4a007b4dd4d906f738fa9ac8e2c6407060e6

SHA256
911e81c2a7be664340e639f827a2df738d1ecff13734538c587103e5152641b7

SHA512
8246045d41790cd6aee72b764eedb9cb8110e3f74734aa5024f0dc25cc1749a129c196b92cc2c78c4d5d4b0431c2396e33437b0ec61773df4628842178a28a9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History-journal

Filesize
28KB

MD5
82aa6c227dc7129ccba27ee0e78c4fff

SHA1
c766cd5c3f82c1c808a622fb824275f10a6ceb55

SHA256
63ebc0ac8c1e56e1ad6808757259fd727b7c5767792175cc5eb43ef022ed851f

SHA512
8580798e7b4da17bf80482b70ad12b86f28809446e7bc06a7cff41a1b90db479137f92511d8b54dea357b1834fccbe89cb718b75d2647a6236754be065a50a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

Filesize
11KB

MD5
bd28b15ad3d73258c2082939eaf8cb70

SHA1
d383159e4795595653503d44f928eddea20ea5c3

SHA256
74699e1f1813135941147ad211b6c3857632e45f4a20b0bd8c84d30b5d2cbad6

SHA512
301597390002349275db05848b6a2f796201f6643035f10113b62ef1fcf9bf85420c64e1afbedc01858187630e9efe917586a6d6a57b6bb7f662122f7800a6b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
d84310f3bec17b51ac4a32553f883be5

SHA1
f66f823af973ec354c71712f42d3abd14587f3a8

SHA256
6bc702d4c6d32e80a026b98c56ad67de7771beabd5f2045d77879a20d85af59f

SHA512
a5fca1027090065d7d57c6116103c6818ca9943a966e1746a635f898c3f975220b6389f738decc6fd812cb5dce105b82eb0f2b1ab7eb5ea1f77fba3e93051991

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
579B

MD5
0170c30b0f125bede7f88c82edc2b0af

SHA1
f6e5afbb5d657f6882b0e285c0cdfeee31c24d76

SHA256
aa9109d46652bfd48f41db8cc18992144b90580d93b2d111f0c6b5954ad71311

SHA512
02b0a5fb22290cd840a416139235128afdea2d612c1266a2813c0e122ba18bd398f3b8bc04f4cf789d5b3a68b26f957c34fa31746c916557f40260c819b42b98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
655B

MD5
8bba7ff8152b212d9459fdd3b0f07f5a

SHA1
48016a19a5d758e73339438049a92ebeae428a1a

SHA256
0974222d6bf5bdac71f499d32b458be12abb089c524e51a74ac897ae7d2a703f

SHA512
163fa5ebe008b4a7cdfd8985b81f3b3e7a83398de37d26ab08863571269e87c15f64596bb46b32151d4876a664599eda5ffa37109dfa6ba7da3625caf59e752c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3e0d1b60f614d630871bc8198c86a79f

SHA1
9938749ff08bd720b394d06c68e99f201823c161

SHA256
d575b251a8e7ac9d10cde80cf3918a928e095090596b904d3cfd056bcac2f382

SHA512
88d25374dfa564108260788dd1abe825b1c63cbf4994824453cfd51f6ebe79a25ef2267be3d6572130b0e48e5540aaaa2e0510706e1e1c82138805add659c799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d9a05eaf1f8b807e3845aab7a1dc2931

SHA1
90f2d15ce0f83b1d75ea868e8ad33bb0b4f79407

SHA256
e5f8cbb15a576fb7be429745e1f2ab3aeeff8052eb3b9c1fe338777047d11b16

SHA512
f69f961a6a5cbb4734d98d13c6de8e485a5077641b363ac659ff82cae21509b69c3bc2c0fffcf777413189c6248c825729f7f1d5904046c6ffdd5a5f1d718b01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e3b48a854ea6657e733012789ac0ea3f

SHA1
0fe5a07e15066ea4b958661f86821707cf828eef

SHA256
8f03fa3c5b3b3e6d3e39e63e0d0c4d47c31c507d1c27b41e2a8402eb852fdc70

SHA512
f47e4e3580c9d9dfbc44bf3a81b91d469c04173262a319725771c978ab903b992a009bcf331018fe58eed0c65e8a72e3e1009530a21adf7253dd2ce2b9345813

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a7f4e3a7d09bd1fe9a1b400621a2bec8

SHA1
a1ac21fbc719b2c5e1d94d37045b906fb2513ec0

SHA256
75611fc9cadedd3be04dbb02ac4d30281ab18264e73ce3aec38ce503bba036f9

SHA512
1d678aa83351433add5cb11644fbd7bdbba2beae3b16bb447e82b8979d7c2d212b72f7b64e56aed8cfb65df6e63ce2dc91c410fa03bb68f1989f9f0fa5ab68ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7506e1aa945a54fa24b159ddfa872501

SHA1
6d196c6b163207edce3d85b4d26623dae5ede66d

SHA256
413c83f8e6cc02230cfeab39bf87e441aaf5942bf07e484a3f055a7aeb17232d

SHA512
256c3f704a96d1d786260473f9fe306470b45f6a7daf09062dabd40548996e3f18482f5fecdc8c11efc75b4385f1b90938b9507ebbe61b63e0277549e83e9743

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a805b5eda36ebb1e289cccbfdce5266b

SHA1
c494885fbf7dc1c6eec198ae9fb85d5a1f554275

SHA256
c57373ee497b8796f3531770f61889990079970c00d6f5494355a6f514bf230a

SHA512
7e80e15d1d830bcbd78dc660c1faa8f9d1347091bcce6ffcf6dbd8315f2e8a6607ce9861184cea17341c8082e26fda0bc1fea0540bb763b8ac85907a35b56e22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
31c462313a4d84aad68abf5c180d5adb

SHA1
96bc3ad1693ee2f211e62e53a0d12708dd8788e1

SHA256
b70e0940e048d4d5f347543033e179f6fb5e35e7ff94f73e2e319cb2453a95fb

SHA512
3f808b372508341ad7f7cf9662a428def1671f6a93e9ad23d237cb9e6d6dca489d50adc49cca224d907595d40b33b1d11f32f6b841c89b7a089243ced5bb53be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
98af6ac0505a266be32dbb49d64dfeb4

SHA1
5ecc3a52994aec135fa818fb3f8c9392c100a6ef

SHA256
01344a3441d2c8f6047e7f10fcb2aa405a00311c056153dcb16abca07b7f449b

SHA512
8a629aa6f83fd7e6bc682c12bc2d009491f630743e1ceb2446dbae19273d1d6e144c6acef9b38ee64c14671fece71002d01387a233eb5efc56beed039a04d370

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b200c186bf0fde856d6a42e01af5b9f0

SHA1
41708cc78621b002254f3680010ff7d0a6454136

SHA256
05adbf259497551b01e55a73ef59ff36637d474cc42b648bcb2f7ff79fc21268

SHA512
b2d1efc2f7d0eac3323bcfa0a1fea0e7a84f9524a1b277fd004669af594f1e2e409b8aef9c85f283d1ee6a346bb56f2eda5580d475a0bf32ace2e657d3bbe4e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ec207c19f84506c95a689287f924240e

SHA1
88824d7c7fd0a1b9b687d6555d2b0b64de173411

SHA256
5a5f2f6f5538c0a6d93160d04849d51be9865cec35bd2a56fbc9a9503d66ff5f

SHA512
252e545daa44c40aee097a099a9dcd59796e4ba49a543d3b0aeb98f9e01cdc487ab9ab1a12756e16a014a959d192431b2ea32fc51cb261b76965d64ce79867c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
8d992a52c6fb911b3011a928065a288e

SHA1
f499a1310c7f43f642d5a515fb6a1203c73d3557

SHA256
99b3a545f11ebc07b721f9b03417e6d3ca80299de7977b527ea983bea6709d41

SHA512
1fbe7e87560087833d5b66679012b8428532b33510263eb16b45e08cd29e23603355bdcca53f5cfd02aec8882a7bc17f7929e0c578dd60a72f71ad2691261866

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
25f36f1d328b98d14af0109cf8a4f90d

SHA1
995ffad406eb7c9e26519f9b29f80121a4280873

SHA256
0d6a49f80071b7e6c6d3ac6bf1185df6ad210cf65128a83a6b36857cff1e5777

SHA512
95dc68cdb06baf298653975485a1acb1f1176245647b8ad31617af25a6dc4a01b0448821a05d767839600f20084ac132d96cba15723a9fac81bff8f7eae5a322

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
841c59eaf166dbafcecb064e7a13434f

SHA1
660c2ba77133503d285131c8ce40f1bccdfa8b12

SHA256
e5d39266f9a91f5cc2edbe1610168d9372cd93b4bf332000f79d8bac16b0ae77

SHA512
033989847a58376d0e6811ac85893da45b0a45db0a494a6b540c92806578fce6419545532de247ffea8eb085cac3c9dbb2d2c5ee868653f64488922f76f16714

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f0b9030a9d2d5ce0495200618952b238

SHA1
bbe3961e382f1162be15d39693a5a595f76859b5

SHA256
d34db72be09b18489d8d03afbfe06f26db03b6b5184164b6d38c2353ad383b9e

SHA512
409aa7af35e725d5e0696e01ccc191a9867fb0eb9958e4cbeca5721f72941cd17c751af53bded052084e5ddad0cd1344b680d86c23de8f61d67cc280800f8c55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
869B

MD5
e76b8f3564855d3d6c808ba8d7f817bd

SHA1
ed2b15b350e06bd8f3ecdb23205933d773c49745

SHA256
a17811cf197951eb2b4a5f546c0599ba87da4ec54521803021b330c91f654900

SHA512
7aaa1ed63ad2b7b94695176b4fe5027ef6b4a3f47421c687603e08c2fdd7d36fbc63599b548377a28d26245b782d7ea804beb4dc7d935da2454b314d94cd05b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
cc13b3e00bf0573ebad5ac259a0cd01a

SHA1
651b0c0a12879b1d0689fffd6a601bba52b64df8

SHA256
29a6f6efda7712f0017a45bb01964b23871cfb4965621356180dd311a8598f87

SHA512
4c0e57352975d4a6fec504c27b9c16dafd053c06ff4ff82f8505164bd46ce51801c51d8606322b580653e6c07d2552856bada34464d36d328b86d876688325f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13384928292425231

Filesize
8KB

MD5
ccd0b19263ad239b942f451308ce8b92

SHA1
450de8080e3f29e3c22853e0230c955bd70e88c9

SHA256
b4dc679d1fdc52e4a784cfc885a00153dd09f1e67d33835e30ebcf87c8208380

SHA512
a93588b4e6a348769c102df42d5e7a86142530d86f7ef2a5888f0bf3c909759d13c9159880fc7baef73e33e3e631c7ab2482084921905949e4caf83add0c1df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
112B

MD5
8cdcb3c61563012032dd9a66af816ac2

SHA1
4ef9003789d713356522c7a5b107ef4c8b930fed

SHA256
07c14a725f2c52a9f5b9335ae0b894cf60f3afbdb62abb50e5d1c0b42d39c954

SHA512
c21a9d701197d86d6883e904fcb054d4ab9a6675bb08052960e1dcde1007fb2830c24ab9414a2fb387da5c68f5b6938544bcd66866cea34fcb66d9686370f727

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
f3b0402223bf68fc3477a4dd5c8c128a

SHA1
d947f01ff08d7d9c055fcb3f3d4b45ff60845629

SHA256
9d860169adc8a2984d8662a4ee6bee3ef48722234d277470ae87a47b31d817eb

SHA512
5ff6a23c68c61081d011ee2bf226732f8f6a598df6eef7a9e091454197dbefba7a8d709b9e61a18129467aa5824092fb8c19701539d3bf25f4a986442b015620

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
b21f7684b8eb62d3d9cae47a30fb2f6b

SHA1
69748d87084647be215d88fa813b1aabee46ddb4

SHA256
388a7dd3eb1264480dcf447dcfd43e5ec486f4d26dea2becf890e3aa5745dd49

SHA512
e629be74f852b9630676323889e9c846f24b2e60423d6f5ce509ae01b409c2e050f8da967b83e7600a9ba353e5a50e2b633a73c50505527771737f0e069ec116

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
5f6980df5c1db146869d4bf80a834cbe

SHA1
a72e62c5ad4a9433d077fa84b2e10f0f2c01d59d

SHA256
1b32e64e284aa29dd6c09f91e2a53c5f61d1273420fb1ec69e4bf9a65898c389

SHA512
66b6a4064097eff3e7b5967ad7f2c2187f0a1e5d4e37feb940ecbb138bdd06b86e509717b2af6dfd7dd62687535dac654f5c4a8f24b68e40d7839f1544b18a06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cc8e320e42027fefeb40877fc939dce6

SHA1
74765a7419ebd7ee5836e7ea2f611b10da818820

SHA256
b4b97aa44d90900dafae18c6d901fb88f09629e94c30d180dbac172e6262f5ca

SHA512
bdcb962853ebd9d4dea1bd2fd62ab97870d2cc756f0c609b3f0452b7bcc076955fde666b92d80bcca456aefbd5c68f38ed44f39ae3001c42b472d04cba6130fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
da606465abb89dabb8ecdf7bc7fd12cd

SHA1
79acbddb34c6d74c3826117bf0180abbe59e8906

SHA256
ea941f868ee3b24c361ec15f8cac800c03faf474626a0cf8f0769b5fe5b13a6a

SHA512
50bc51fd99c64837577eb0496f4e526da370aa33911b0dc7df4fe94d4cb4f2a80cc444715150b501d6e8016d65c9fa3243691e8eb2c73e2cbb9c9f25dafd1a38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e828d9e8fa1f15abbef126b08bb86ea8

SHA1
0cd26e715312df8863578586611fc8fc70766db5

SHA256
4666a2bfeda3fdd9bef6e7d9cae515b63b82c9af246a66bdb13eac537a86aa37

SHA512
f0569f246354b044f682602837c46b6da4d05000390a6f48d7dd324b3fddb33c3feca740d26215ddbf31e92f9026ac07a6e9b6ad445a5836bb7c6ac74368753a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e79d2f1b5f884c60af4dce59ef3d920f

SHA1
8b36702334c14df55dd77915425ffe3a2524e69a

SHA256
aca2a20ae9297b0c9158b82376fce4e4558cee2d9d4b7d2145142d24530d151a

SHA512
e3314599afe14cc7f102625278edfb5203ab7f9c467db6b7f1249ab90fac14f6c09dc95219ee45f9d7c1ef01b18c35be731575a0f550f387d47e22dbbda4e7ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
57ed6d18194f40cae4c0f746e8bb61d5

SHA1
2e1491ab2fa76c111a2e85be5f95c672483f8a63

SHA256
e5d1beaa987ac3c14b639e26866e6a170eae28749feb90276b93b3aeb418f57a

SHA512
56ef3ace5546560ea2a45f082c4cc0644490ee732545366473b14842ff236df7710c3c5eadd68039f3b2b99601a73a070be655c47a4cba155eb781f54085fa6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e203.TMP

Filesize
874B

MD5
8c6f13ec9e0366225e16d34848f64e00

SHA1
2ae54de4365ece06af3a33c8e1b1d5246e40d049

SHA256
5676e28b71a94b662eed3938859edab5d887417014fe5089e396b428f07fc89a

SHA512
f88e1ca61c0c51627547da63b17a5fad21ad92791f47a0dba3426166702be43525c70f03d34ed6f26ea3407baef8e1fab9231a5113ba6285f02cce22234eb6be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
d74028412bd09d3a94bb6153a7095ce4

SHA1
ec3b6a886908efcc7c5d5b36f513fdbca53347f4

SHA256
70550d1f618090c10c9883dc98c19f7285fed3d3083eed0f86767b8c418fb925

SHA512
4836f867c0f8aae9ecec8dba5e292191ec91b05c682573c7ad029f6301352f00573db759fa443ffb86a4a02355c5eff140e1a014123b264f7d004117d5722638

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a779c09d-513e-45e6-a4ed-f46c7f5a2735.tmp

Filesize
6KB

MD5
201958242746d83745d141491ae19a04

SHA1
8e85c9d2f0aba1a73a62f6a2ea7b260090d87272

SHA256
b41c42e99a741f3f7f41dd21dd335aa760780087dac25509a8fbaf28e3aa4299

SHA512
0ef2f116fb7360c8a6e9c35cfe5ef5d5119ec2f6c80a535067706fca93fea918ffaf1cb0a3a26239a1f29eb92775a5abb515b6aae0223dbdea619c988f65988c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
72KB

MD5
0811cbd28f68631db0630d10cb62f1f3

SHA1
942a14221ae8a2575e24060c32adbf5bee849a29

SHA256
8b9cfb99d650bbf3f7f90b2267f60563f4a15c77bf42c619e14ba99f975d4ce6

SHA512
741102e74fe875f692a4815df9dd476aef5405f210dc12d504a0eea66ef343e04f2683fe1f0bfd5fe13b676c3701d0c8bf08bf5b97bc9e3f5ee766a635a93f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
8KB

MD5
4d12001774151ac556abdc931ceeb617

SHA1
0ccb2fd61efc8a8e5a723e0a3f24844fb3f7e5d3

SHA256
371e556a9031f9e9ce300da06b55d21db8a68d16d0be2d6cec3a4498a405c920

SHA512
b06ff2bc0307b8af8905c59e3aea090c084023740cb7ac9ad95862e316d8492d16cf78f06dd601d5564b1152dac6c3fac4eab0a14cd78e0e8a2186178387c244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
a9a736af0a145591ebba238039e068ff

SHA1
33cf1f01c66476b3155be23ff853eeaded46c008

SHA256
a067a4b8022484a0fb42704a5caaa659dbaebeadf7193cabbfbc398d2f721d0e

SHA512
93db0cd6060f6255a6b669ce7c03438ecfdc65d19e82872e3b8007aa93c6878623110c396bdc8ebe8df7f671b1c14ac567a0af08f4c124628adbbd8e90a94949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
92eda2615473ea54c2041d30bc8dc754

SHA1
6dbf9a28e460183c48580a0232175dcb8f07aee0

SHA256
fb2eeaebc03bc2daef7709ce490f3d3a9a8c95c70cfac6f3017bcb19aa04f06a

SHA512
993eeb58f708de89372d2b7796220064c4e84a97f0587a618ed90f2ff6b6e972ebd60d16bca37403a797c9ba897806001ba9443d17b8d8f66b830eea2f12f7a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
00e0bd2dc566d1edeb9c7d9d652c8fbb

SHA1
cc6e1d543f551a0b28bcfc1a7f5fa94c13c869a2

SHA256
4eda71e25e505de0520e0f54026375540fdbb8ad661d1b91c62c6f72986112be

SHA512
86771a289f9451b0d5393cfdbaaa9d457cbbd3203b2765d03d5d2e74ec603010b7d496d0dff14d38ae330688c13f82c33e6223b7b6fb28756523091d5a1a759a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
30ae41939605a1fd0529855ba35dbce1

SHA1
7c5b52465412099c2d71e9eec977665c2b66ddfb

SHA256
8b8d6d8801e2cdace8ef7135bde743b609e993e08bd3b5f0590f194784da9f41

SHA512
d1d05e5acd17c8227474605ec8ae6abe6e74d58570875bbacaacded4d64e9806947870a86c266b1e1545a6f8012b960dcb29c590fa8a72da8ed87b41776e7608

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4b4241b9f7743a8716832d9220f3ade5

SHA1
b2c6cd8f2ed1e16d453f16a1a926f14c4c44d7d5

SHA256
9635d0f7c6763d9018731955709f52805071e98965524c5478bf72b8bf81d6b0

SHA512
54c9a7c115a0c43974cd05752fa6385fec8be41306184d7dd119c1a0f3eeeaf89a078ead776b372321b5bf5540a9b912895e7ad8ad1f9762b33e0fdfad1119a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c29de14025d933145e56430a335cdeeb

SHA1
77bba7da22576446b8a2196395dbbb875d47f575

SHA256
bd7f1d6d48a8af03ece852ec45b80d1e7d9670aa20ae9c014a528c8ccf5d9f75

SHA512
56d708590947b15fd4e6f1cdaaff440a8420545eebc7f00adbb2c46c2113c0f6b6fa43a81138f67e9f1f140b67483dfb3bc97f65cefc15108d74e551b41a59cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
39c8dbab8700fa7e7ae287d240c3506a

SHA1
26d4358582add229b3759988ead58f9c5622a7c7

SHA256
9086de487b9fd5dcac181d3397cf25a0a91ec5e1824f70c4bade678882266389

SHA512
165e2869f9f92cd5ea8a875665c521a1f5f6336ea400d7249c80569322e2c7d7d7aa879c3635f5bdf45d5ac599dc884b2897a8d1ab1bfcd2ed88d5fa9e256723

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b83e01524f735f4ba6b11d77c700282c

SHA1
12797288522a87718733a96e5509efe551c83e58

SHA256
f8339a2f3f78f0437bc24c3cecb6858d3936572b8e735453b444fd9664085b45

SHA512
d2767150cc1bee34a18dba78b451e166a022bc303016e16166c774401c16a9b9edeb21d4d7a791b0af9b99a1ccb6f99472c781da33229e8d539955185de21c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f12eceb7d07c5ee68cba2d2af0ba19d9

SHA1
5b84a3045f66dc76995e1829d6ca4e36279ce355

SHA256
b3c035e3f47aa7b6b39fd7926e5b25de99ba44429138b2e6bc59221c04b6c766

SHA512
1ed155a741dc85ee2231f1dacb649cefee7161513f973d75e7ce1fe232d3348eb8b379df51da431917d1c9198b2f4a63f1e11d5e28e0c24ff37d023abcac207e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
685b30a5d75a2c723a22ae63f45e3293

SHA1
c1374345702f36bf7c991e13d03eeabf9eae7e4a

SHA256
1659f4f54c5585cfb3ced597e9bb1d883f203512bfe82c05b7c2642c0d762dd6

SHA512
6f6413dadc14236480084d48cb69eeb86deac070a8e3e899359b5d260438ba84e5a70210e89170b5e44c0b9756ee262c238081e512f4325bb3a67976e5fb6ab5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings

Filesize
81B

MD5
f222079e71469c4d129b335b7c91355e

SHA1
0056c3003874efef229a5875742559c8c59887dc

SHA256
e713c1b13a849d759ebaa6256773f4f1d6dfc0c6a4247edaa726e0206ecacb00

SHA512
e5a49275e056b6628709cf6509a5f33f8d1d1e93125eaa6ec1c7f51be589fd3d8ea7a59b9639db586d76a994ad3dc452c7826e4ac0c8c689dd67ff90e33f0b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\edgeSettings_2.0-2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

Filesize
126KB

MD5
6698422bea0359f6d385a4d059c47301

SHA1
b1107d1f8cc1ef600531ed87cea1c41b7be474f6

SHA256
2f9188b68640dbf72295f9083a21d674a314721ef06f82db281cbcb052ff8ec1

SHA512
d0cdb3fa21e03f950dbe732832e0939a4c57edc3b82adb7a556ebd3a81d219431a440357654dfea94d415ba00fd7dcbd76f49287d85978d12c224cbfa8c1ad8d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris

Filesize
40B

MD5
6a3a60a3f78299444aacaa89710a64b6

SHA1
2a052bf5cf54f980475085eef459d94c3ce5ef55

SHA256
61597278d681774efd8eb92f5836eb6362975a74cef807ce548e50a7ec38e11f

SHA512
c5d0419869a43d712b29a5a11dc590690b5876d1d95c1f1380c2f773ca0cb07b173474ee16fe66a6af633b04cc84e58924a62f00dcc171b2656d554864bf57a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\synchronousLookupUris_638343870221005468

Filesize
57B

MD5
3a05eaea94307f8c57bac69c3df64e59

SHA1
9b852b902b72b9d5f7b9158e306e1a2c5f6112c8

SHA256
a8ef112df7dad4b09aaa48c3e53272a2eec139e86590fd80e2b7cbd23d14c09e

SHA512
6080aef2339031fafdcfb00d3179285e09b707a846fd2ea03921467df5930b3f9c629d37400d625a8571b900bc46021047770bac238f6bac544b48fb3d522fb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic

Filesize
29B

MD5
52e2839549e67ce774547c9f07740500

SHA1
b172e16d7756483df0ca0a8d4f7640dd5d557201

SHA256
f81b7b9ce24f5a2b94182e817037b5f1089dc764bc7e55a9b0a6227a7e121f32

SHA512
d80e7351e4d83463255c002d3fdce7e5274177c24c4c728d7b7932d0be3ebcfeb68e1e65697ed5e162e1b423bb8cdfa0864981c4b466d6ad8b5e724d84b4203b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\SmartScreen\remote\topTraffic_638004170464094982

Filesize
450KB

MD5
e9c502db957cdb977e7f5745b34c32e6

SHA1
dbd72b0d3f46fa35a9fe2527c25271aec08e3933

SHA256
5a6b49358772db0b5c682575f02e8630083568542b984d6d00727740506569d4

SHA512
b846e682427cf144a440619258f5aa5c94caee7612127a60e4bd3c712f8ff614da232d9a488e27fc2b0d53fd6acf05409958aea3b21ea2c1127821bd8e87a5ca

Download Submit
C:\Users\Admin\AppData\Roaming\USB6E-AAXZT-ZTRTX-HTGTR.HTML

Filesize
8KB

MD5
22c3b62e5f8b1eb076cce0832be3e6b9

SHA1
253a5382062c076b1d9e73a64f8f75cac20b1070

SHA256
24cd3270760a4f6d8727d3fcf4bbeff451b846f3265b6b00e60b620533a177e3

SHA512
d86a0e5f96876780a747a214251fdd4fba31556811c17017489c859c6c1e2b41b1360be2e9c9a2c5a23517c8e4c967338312dbb229b130cfec72e14015b5d502

Download Submit
C:\Users\Admin\AppData\Roaming\USB6E-AAXZT-ZTRTX-HTGTR.KEY

Filesize
1KB

MD5
8d514a9ea47540899f832e2375b90a15

SHA1
24850f90fee8900a4c85fa83a9813658fb9b1804

SHA256
0bb6761aeb074fd77bf8ffa5d028557f82b1bed0da5328eb3b00981aa8c8693d

SHA512
3ca59f2b96e6b82bbe9c14e64975ab65e2b4014e5444d845f74da3a1307eb377fd98b48e9cd79a7c1df7821286097c0c494a88305aec400574fedca584312a0e

Download Submit
C:\Users\Admin\AppData\Roaming\USB6E-AAXZT-ZTRTX-HTGTR.LST

Filesize
2KB

MD5
b5deead3b32164fe570be889991b4455

SHA1
bede641d07e58291797233edd4d46c18deebb8b0

SHA256
e841d20504fc911b82f230999f8478168a5fc8be9557692ca949bf5a85c4282f

SHA512
481a0989f6db6448d3bed47c42c67a56acfd2e88747927be28ba5d34de84f260bef4bd822b87301b272e17d213e734ce7819629cef573c22f3814dd0df7dfcce

Download Submit
C:\Users\Admin\Downloads\CryptoLocker.exe:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
C:\Users\Admin\Downloads\SporaRansomware.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 444020.crdownload

Filesize
338KB

MD5
04fb36199787f2e3e2135611a38321eb

SHA1
65559245709fe98052eb284577f1fd61c01ad20d

SHA256
d765e722e295969c0a5c2d90f549db8b89ab617900bf4698db41c7cdad993bb9

SHA512
533d6603f6e2a77bd1b2c6591a135c4717753d53317c1be06e43774e896d9543bcd0ea6904a0688aa84b2d8424641d68994b1e7dc4aa46d66c36feecb6145444

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 932349.crdownload

Filesize
24KB

MD5
4a4a6d26e6c8a7df0779b00a42240e7b

SHA1
8072bada086040e07fa46ce8c12bf7c453c0e286

SHA256
7ad9ed23a91643b517e82ad5740d24eca16bcae21cfe1c0da78ee80e0d1d3f02

SHA512
c7a7b15d8dbf8e8f8346a4dab083bb03565050281683820319906da4d23b97b39e88f841b30fc8bd690c179a8a54870238506ca60c0f533d34ac11850cdc1a95

Download Submit
memory/1692-570-0x0000000000400000-0x0000000000407200-memory.dmp

Filesize
28KB

Download
memory/2768-661-0x0000000000400000-0x0000000000407200-memory.dmp

Filesize
28KB

Download
memory/2768-487-0x0000000000400000-0x0000000000407200-memory.dmp

Filesize
28KB

Download