cerber | hxxp://decrypt[.]mn

Resubmissions

07/03/2025, 15:28

250307-swkbgssqs3 10

07/03/2025, 15:12

250307-sk6qcassbv 8

Analysis

max time kernel
1005s
max time network
1029s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
07/03/2025, 15:28

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

http://decrypt.mn

Score

10^/10

cerber defense_evasion discovery persistence privilege_escalation ransomware

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___SX3P45_.txt

Family

cerber

Ransom Note

Hi, I'am CRBR ENCRYPTOR ;) ----- ALL YOUR DOCUMENTS, PH0T0S, DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ----- The only one way to decrypt your files is to receive the private key and decryption program. To receive the private key and decryption program go to any decrypted folder, inside there is the special file (*_R_E_A_D___T_H_I_S_*) with complete instructions how to decrypt your files. If you cannot find any (*_R_E_A_D___T_H_I_S_*) file at your PC, follow the instructions below: ----- 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://xpcx6erilkjced3j.onion/EDE3-FFAD-D894-0098-B42A Note! This page is available via "Tor Browser" only. ----- Also you can use temporary addresses on your personal page without using "Tor Browser". ----- 1. http://xpcx6erilkjced3j.1n5mod.top/EDE3-FFAD-D894-0098-B42A 2. http://xpcx6erilkjced3j.19kdeh.top/EDE3-FFAD-D894-0098-B42A 3. http://xpcx6erilkjced3j.1mpsnr.top/EDE3-FFAD-D894-0098-B42A 4. http://xpcx6erilkjced3j.18ey8e.top/EDE3-FFAD-D894-0098-B42A 5. http://xpcx6erilkjced3j.17gcun.top/EDE3-FFAD-D894-0098-B42A ----- Note! These are temporary addresses! They will be available for a limited amount of time! -----

URLs

http://xpcx6erilkjced3j.onion/EDE3-FFAD-D894-0098-B42A

http://xpcx6erilkjced3j.1n5mod.top/EDE3-FFAD-D894-0098-B42A

http://xpcx6erilkjced3j.19kdeh.top/EDE3-FFAD-D894-0098-B42A

http://xpcx6erilkjced3j.1mpsnr.top/EDE3-FFAD-D894-0098-B42A

http://xpcx6erilkjced3j.18ey8e.top/EDE3-FFAD-D894-0098-B42A

http://xpcx6erilkjced3j.17gcun.top/EDE3-FFAD-D894-0098-B42A

Signatures

Cerber
Cerber is a widely used ransomware-as-a-service (RaaS), first seen in 2017.
ransomware cerber
Cerber family
cerber
Contacts a large (1147) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Discovery
T1046

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3092	netsh.exe
1816	netsh.exe

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\word\startup\	Cerber5.exe

Executes dropped EXE 3 IoCs

pid	Process
4268	MasonMBR-S.exe
1804	MasonGDI.exe
64	MasonRootkit.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\o:	Cerber5.exe
File opened (read-only)	\??\p:	Cerber5.exe
File opened (read-only)	\??\q:	Cerber5.exe
File opened (read-only)	\??\a:	Cerber5.exe
File opened (read-only)	\??\h:	Cerber5.exe
File opened (read-only)	\??\k:	Cerber5.exe
File opened (read-only)	\??\l:	Cerber5.exe
File opened (read-only)	\??\w:	Cerber5.exe
File opened (read-only)	\??\j:	Cerber5.exe
File opened (read-only)	\??\s:	Cerber5.exe
File opened (read-only)	\??\x:	Cerber5.exe
File opened (read-only)	\??\y:	Cerber5.exe
File opened (read-only)	\??\z:	Cerber5.exe
File opened (read-only)	\??\e:	Cerber5.exe
File opened (read-only)	\??\g:	Cerber5.exe
File opened (read-only)	\??\i:	Cerber5.exe
File opened (read-only)	\??\n:	Cerber5.exe
File opened (read-only)	\??\r:	Cerber5.exe
File opened (read-only)	\??\u:	Cerber5.exe
File opened (read-only)	\??\v:	Cerber5.exe
File opened (read-only)	\??\b:	Cerber5.exe
File opened (read-only)	\??\m:	Cerber5.exe
File opened (read-only)	\??\t:	Cerber5.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
140	camo.githubusercontent.com

Drops file in System32 directory 38 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\documents	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\SysWOW64\config\systemprofile\appdata\local\bitcoin	Cerber5.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp9E5.bmp"	Cerber5.exe

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files (x86)\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\steam	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\word	Cerber5.exe
File opened for modification	\??\c:\program files\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\outlook	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\the bat!	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\thunderbird	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\	Cerber5.exe
File opened for modification	\??\c:\program files (x86)\bitcoin	Cerber5.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\word	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\documents	Cerber5.exe
File opened for modification	\??\c:\windows\	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\excel	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\thunderbird	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\desktop	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft sql server	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\office	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\steam	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\bitcoin	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\the bat!	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\documents	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\roaming\microsoft\onenote	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\appdata\local\microsoft\outlook	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\localservice\appdata\roaming\microsoft\powerpoint	Cerber5.exe
File opened for modification	\??\c:\windows\serviceprofiles\networkservice\desktop	Cerber5.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	salinewin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Cerber5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MasonGDI.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1652	cmd.exe
4504	PING.EXE

Enumerates system info in registry 2 TTPs 5 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
392	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\Software\Microsoft\Internet Explorer\Toolbar	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	Explorer.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\1	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202020202	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\2	Explorer.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 010000000200000000000000ffffffff	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A8CDFF1C-4878-43be-B5FD-F8091C1C60D0}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1161330783-2912525651-1278508834-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Explorer.EXE

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6104	NOTEPAD.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4504	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
1200	msedge.exe
1200	msedge.exe
3132	identity_helper.exe
3132	identity_helper.exe
1504	msedge.exe
1504	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2312	msedge.exe
2640	msedge.exe
2640	msedge.exe
2036	msedge.exe
2036	msedge.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe
64	MasonRootkit.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 36 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	1656	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1656	AUDIODG.EXE
Token: SeShutdownPrivilege	1220	Cerber5.exe
Token: SeCreatePagefilePrivilege	1220	Cerber5.exe
Token: SeDebugPrivilege	64	MasonRootkit.exe
Token: 33	1660	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1660	AUDIODG.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeAuditPrivilege	2736	svchost.exe
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeShutdownPrivilege	3400	Explorer.EXE
Token: SeCreatePagefilePrivilege	3400	Explorer.EXE
Token: SeAuditPrivilege	2212	svchost.exe
Token: SeAuditPrivilege	1692	svchost.exe
Token: SeAuditPrivilege	1692	svchost.exe
Token: SeAuditPrivilege	1692	svchost.exe
Token: SeAuditPrivilege	1692	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1844	svchost.exe
Token: SeIncreaseQuotaPrivilege	1844	svchost.exe
Token: SeSecurityPrivilege	1844	svchost.exe
Token: SeTakeOwnershipPrivilege	1844	svchost.exe
Token: SeLoadDriverPrivilege	1844	svchost.exe
Token: SeSystemtimePrivilege	1844	svchost.exe
Token: SeBackupPrivilege	1844	svchost.exe
Token: SeRestorePrivilege	1844	svchost.exe
Token: SeShutdownPrivilege	1844	svchost.exe
Token: SeSystemEnvironmentPrivilege	1844	svchost.exe
Token: SeUndockPrivilege	1844	svchost.exe
Token: SeManageVolumePrivilege	1844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1844	svchost.exe
Token: SeIncreaseQuotaPrivilege	1844	svchost.exe
Token: SeSecurityPrivilege	1844	svchost.exe
Token: SeTakeOwnershipPrivilege	1844	svchost.exe
Token: SeLoadDriverPrivilege	1844	svchost.exe
Token: SeSystemtimePrivilege	1844	svchost.exe
Token: SeBackupPrivilege	1844	svchost.exe
Token: SeRestorePrivilege	1844	svchost.exe
Token: SeShutdownPrivilege	1844	svchost.exe
Token: SeSystemEnvironmentPrivilege	1844	svchost.exe
Token: SeUndockPrivilege	1844	svchost.exe
Token: SeManageVolumePrivilege	1844	svchost.exe
Token: SeAssignPrimaryTokenPrivilege	1844	svchost.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
1200	msedge.exe
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE
3400	Explorer.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4916	salinewin.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 4100	1200	msedge.exe	86
PID 1200 wrote to memory of 4100	1200	msedge.exe	86
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2320	1200	msedge.exe	87
PID 1200 wrote to memory of 2328	1200	msedge.exe	88
PID 1200 wrote to memory of 2328	1200	msedge.exe	88
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89
PID 1200 wrote to memory of 5036	1200	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:616
- C:\Windows\system32\dwm.exe
  "dwm.exe"
  2⤵
  PID:340

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:672

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:960

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:1028

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1176
- C:\Windows\system32\taskhostw.exe
  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  2⤵
  PID:2708

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1300

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1436
- C:\Windows\system32\sihost.exe
  sihost.exe
  2⤵
  - Modifies registry class
  PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1444

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1564

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1684

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1772

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1820
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x300 0x498
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1656
- C:\Windows\system32\AUDIODG.EXE
  C:\Windows\system32\AUDIODG.EXE 0x300 0x498
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1660

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1920

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1928

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1936

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1844

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:2132

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2212

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2428

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2668

C:\Windows\sysmon.exe
C:\Windows\sysmon.exe
1⤵
PID:2712

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2776

C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wbem\unsecapp.exe -Embedding
1⤵
PID:1084

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
1⤵
PID:2664

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument http://decrypt.mn
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85c9546f8,0x7ff85c954708,0x7ff85c954718
    3⤵
    PID:4100
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:2320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2328
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
    3⤵
    PID:5036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:644
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
    3⤵
    PID:2960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
    3⤵
    PID:4228
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5400 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3132
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
    3⤵
    PID:812
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
    3⤵
    PID:4784
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    3⤵
    PID:3412
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
    3⤵
    PID:2568
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:2284
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
    3⤵
    PID:1816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
    3⤵
    PID:4708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
    3⤵
    PID:708
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
    3⤵
    PID:2536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3656 /prefetch:8
    3⤵
    PID:1272
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5944 /prefetch:1
    3⤵
    PID:1120
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6296 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5976 /prefetch:1
    3⤵
    PID:2572
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
    3⤵
    PID:2816
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6720 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2312
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6724 /prefetch:1
    3⤵
    PID:4940
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7044 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2640
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
    3⤵
    PID:2852
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7084 /prefetch:1
    3⤵
    PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
    3⤵
    PID:5080
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
    3⤵
    PID:4780
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1816 /prefetch:1
    3⤵
    PID:4912
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
    3⤵
    PID:3776
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6560 /prefetch:1
    3⤵
    PID:3512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
    3⤵
    PID:1496
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4244 /prefetch:1
    3⤵
    PID:4476
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
    3⤵
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
    3⤵
    PID:4344
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
    3⤵
    PID:3872
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6740 /prefetch:1
    3⤵
    PID:3884
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
    3⤵
    PID:2068
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6692 /prefetch:8
    3⤵
    PID:3052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3456 /prefetch:8
    3⤵
    PID:4048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
    3⤵
    PID:4320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6192 /prefetch:1
    3⤵
    PID:4360
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,2825256539387308830,3358185594507290994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    3⤵
    PID:2292
- C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_salinewin.zip\salinewin.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:4916
- C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Cerber5.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_The-MALWARE-Repo-master.zip\The-MALWARE-Repo-master\Ransomware\Cerber5.exe"
  2⤵
  - Drops startup file
  - Enumerates connected drives
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1220
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall set allprofiles state on
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:3092
- - C:\Windows\SysWOW64\netsh.exe
    C:\Windows\system32\netsh.exe advfirewall reset
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:1816
- - C:\Windows\SysWOW64\mshta.exe
    "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___1Z5MY76_.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
    3⤵
    PID:6060
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\_R_E_A_D___T_H_I_S___NJK3_.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:6104
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /d /c taskkill /f /im "C" > NUL & ping -n 1 127.0.0.1 > NUL & del "C" > NUL && exit
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:1652
  - - C:\WINDOWS\SysWOW64\taskkill.exe
      taskkill /f /im "C"
      4⤵
      Kills process with taskkill
      PID:392
  - - C:\WINDOWS\SysWOW64\PING.EXE
      ping -n 1 127.0.0.1
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4504
- C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\AngryVirus.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\AngryVirus.exe"
  2⤵
  PID:3648
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /F /TN "MasonMBR" /SC ONLOGON /TR "C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\\MasonMBR.exe" /RL HIGHEST
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2488
- - C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonMBR-S.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonMBR-S.exe"
    3⤵
    - Executes dropped EXE
    PID:4268
  - - C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonMBR-L.exe
      "C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonMBR-L.exe"
      4⤵
      PID:5740
- - C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonGDI.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonGDI.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1804
- - C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonRootkit.exe
    "C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonRootkit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  PID:5212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x138,0x13c,0x140,0x114,0x144,0x7ff846a8cc40,0x7ff846a8cc4c,0x7ff846a8cc58
    3⤵
    PID:5268
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2016 /prefetch:2
    3⤵
    PID:5524
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1788,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2140 /prefetch:3
    3⤵
    PID:5512
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2328,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2256 /prefetch:8
    3⤵
    PID:5624
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3188 /prefetch:1
    3⤵
    PID:5788
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3336,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3328 /prefetch:1
    3⤵
    PID:5824
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4736,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4732 /prefetch:1
    3⤵
    PID:3500
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4420,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:4236
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4724,i,994001065079002501,14177274514787309518,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4692 /prefetch:8
    3⤵
    PID:400

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3580

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3768

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3692

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:3320

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:3668

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:3372

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:4536

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:3468

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:4376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3660

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4888

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo
1⤵
PID:116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2948

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:2000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4360

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc
1⤵
PID:1948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc
1⤵
PID:1232

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {c82192ee-6cb5-4bc0-9ef0-fb818773790a} -Embedding
1⤵
PID:3776

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
1⤵
PID:1348

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3680

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
4ac2de3b5a4cf47aa6f3d8617d2434d9

SHA1
472496e37a2bce00cc84f01de4393b65d07dab0c

SHA256
53f84004c77418610b4e24562a0ccf7779055b6ef365a336f93e81c5ed0af20c

SHA512
025e04f88af37643c06ca14a608518a8c922a1b32fcb4b938cb6e34a24ac8e9577d853738d96790ff9133a6a4732e0e4db36dd7ac7e4201937e342cf9fa0bcda

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7452e05b3cd9b0c865564c034752ffc1

SHA1
42de6cb1040abd24ba53918599b8d00564f2344a

SHA256
c0bae3db82e483ef7b98e554cac82e852826b9afc738667bae3d9984d83b5bd6

SHA512
9ca99621273f630e217ac3dc3ed72fab167362a7b57887e069b22b41d593fce1fead403cbbde2c7c5586f5f4bdf1a28165702addc08b0bed5ba43ae9adb6ac36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
123KB

MD5
e14c5f8cabda9dcc6f62fc6c0b0e31d5

SHA1
7ae1aaa25175bfc5ea6b6408c39ea772dd1ac693

SHA256
5ce1e2195bfe34738afd86659b0d347f2696ca6d271b85917a29a4c6a66a1840

SHA512
ac1711136d0b91ddcd99889fcde7d2b7b58aa399ab46e33b4a8b49745c13661ef53ea0376fcb4681826c36f21956ea79ad9a695b6b3c167a35bd4302e4903d74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f5da507c2059b715761792e7106405f0

SHA1
a277fd608467c5a666cf4a4a3e16823b93c6777f

SHA256
8c1d99de087ac5f2e7b2afce66eff36a646bef46800c0c1d7737d6f0df74b7e8

SHA512
01c92729dd8061aa122b116a674c73bb78016f66d2cb8f7fb64907352758a825e87a1e345334386440699d2a6d1e17baccb400c5aee151eb64e64019cbebb870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
3c6e13dc1762aa873320bed152204f3c

SHA1
38df427d38ca5ce6ce203490a9fb8461c7444e12

SHA256
5c441148843b7c8dbff4c4a72962a532aaf0bdd484d07a03dd9a32fd461b1371

SHA512
133054cb042e11013bfdad1bd11e3407d08cf26a66d0743bea9708d261aa904a1047bb0097b187ecf8436cb6cff3bec28c89e435862cad0e0fa264799556b70c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
48KB

MD5
df1d27ed34798e62c1b48fb4d5aa4904

SHA1
2e1052b9d649a404cbf8152c47b85c6bc5edc0c9

SHA256
c344508bd16c376f827cf568ef936ad2517174d72bf7154f8b781a621250cc86

SHA512
411311be9bfdf7a890adc15fe89e6f363bc083a186bb9bcb02be13afb60df7ebb545d484c597b5eecdbfb2f86cd246c21678209aa61be3631f983c60e5d5ca94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c813a1b87f1651d642cdcad5fca7a7d8

SHA1
0e6628997674a7dfbeb321b59a6e829d0c2f4478

SHA256
df670e09f278fea1d0684afdcd0392a83d7041585ba5996f7b527974d7d98ec3

SHA512
af0d024ba1faafbd6f950c67977ed126827180a47cea9758ee51a95d13436f753eb5a7aa12a9090048a70328f6e779634c612aebde89b06740ffd770751e1c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
19KB

MD5
1bd4ae71ef8e69ad4b5ffd8dc7d2dcb5

SHA1
6dd8803e59949c985d6a9df2f26c833041a5178c

SHA256
af18b3681e8e2a1e8dc34c2aa60530dc8d8a9258c4d562cbe20c898d5de98725

SHA512
b3ff083b669aca75549396250e05344ba2f1c021468589f2bd6f1b977b7f11df00f958bbbd22f07708b5d30d0260f39d8de57e75382b3ab8e78a2c41ef428863

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
cc63ec5f8962041727f3a20d6a278329

SHA1
6cbeee84f8f648f6c2484e8934b189ba76eaeb81

SHA256
89a4d1b2e007ac49fc9677d797266268cd031f99aa0766ca2450bff84ac227d1

SHA512
107cf3499a6cf9cdcbfa3ef4c6b4f2cda2472be116f8efa51ff403c624e8001d254be52de7834b2a6ab9f4bcc1a3b19adc0bba8c496e505abbca371ef6c8f877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
26KB

MD5
1fdc7d5f60f441782b608e81738dbef2

SHA1
74f699940fb527aee9bf21e8d6172b769c549ff4

SHA256
a1538cf05238cc6c7b0ec08ccda41ca1326209b03f3942dfc49194d79942c738

SHA512
7e481bba26d4662c714b714a78e5a002f43803d50637983650b1827237dd7ca0d773fa1b8b016092424d1f7910e753993a8f04fa81d791f98425f0c5cd5c79da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009

Filesize
38KB

MD5
adf2df4a8072227a229a3f8cf81dc9df

SHA1
48b588df27e0a83fa3c56d97d68700170a58bd36

SHA256
2fd56ac4d62fec83843c83054e5548834a19001c077cdb224901237f2e2c0e4c

SHA512
d18ffc9a41157ea96014a503640b3a2a3931f578293e88cc05aa61c8223221d948c05637875d8e3ee5847b6a99341ea22b6a1aee67c170e27bde5e154cf1b9ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
21KB

MD5
8e01662903be9168b6c368070e422741

SHA1
52d65becbc262c5599e90c3b50d5a0d0ce5de848

SHA256
ed502facbeb0931f103750cd14ac1eeef4d255ae7e84d95579f710a0564e017a

SHA512
42b810c5f1264f7f7937e4301ebd69d3fd05cd8a6f87883b054df28e7430966c033bab6eaee261a09fb8908d724ca2ff79ca10d9a51bd67bd26814f68bcbdb76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
37KB

MD5
a565ccff6135e8e99abe4ad671f4d3d6

SHA1
f79a78a29fbcc81bfae7ce0a46004af6ed392225

SHA256
a17516d251532620c2fd884c19b136eb3f5510d1bf8b5f51e1b3a90930eb1a63

SHA512
e1768c90e74c37425abc324b1901471636ac011d7d1a6dc8e56098d2284c7bf463143116bb95389f591917b68f8375cfb1ce61ba3c1de36a5794051e89a692d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
21KB

MD5
59fedd41e3287d05e9b9c44352da74d4

SHA1
cb0e50d8060ecf457116c2711b1cfacc595763f0

SHA256
49b133300b409b02cad9a1f3ba3eede1da07d8c482b7b37d4d1a56b6166da721

SHA512
7f374c04f574347992d5aff304cea0828f8359e794ba4bb9572acdc026c0cdde704a2f77b8856f834d18cd65ddd092a84049dc427151b087ce97a1651e2ec0f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d

Filesize
26KB

MD5
398c110293d50515b14f6794507f6214

SHA1
4b1ef486ca6946848cb4bf90a3269eb3ee9c53bc

SHA256
04d4526dc9caa8dd4ad4b0711e929a91a3b6c07bf4a3d814e0fafeb00acc9715

SHA512
1b0f7eb26d720fbb28772915aa5318a1103d55d167bec169e62b25aa4ff59610558cf2f3947539886255f0fa919349b082158627dd87f68a81abac64ba038f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
18KB

MD5
8bd66dfc42a1353c5e996cd88dc1501f

SHA1
dc779a25ab37913f3198eb6f8c4d89e2a05635a6

SHA256
ef8772f5b2cf54057e1cfb7cb2e61f09cbd20db5ee307133caf517831a5df839

SHA512
203a46b2d09da788614b86480d81769011c7d42e833fa33a19e99c86a987a3bd8755b89906b9fd0497a80a5cf27f1c5e795a66fe3d1c4a921667ec745ccf22f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
18KB

MD5
217be7c2c2b94d492f2727a84a76a6cf

SHA1
10fd73eb330361e134f3f2c47ba0680e36c243c5

SHA256
b1641bab948ab5db030ec878e3aa76a0a94fd3a03b67f8e4ac7c53f8f4209df0

SHA512
b08ea76e5b6c4c32e081ca84f46dc1b748c33c1830c2ba11cfeb2932a9d43fbb48c4006da53f5aac264768a9eb32a408f49b8b83932d6c8694d44a1464210158

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010

Filesize
59KB

MD5
677b60e336250eeada06d8327fc60579

SHA1
42dfd2a0ce32ab65e7451f49fbca24a197678b5e

SHA256
236fb6e6ac21ee7db3076e54681bf23d9c9ce9b9131af61e946cdb05f9ed208b

SHA512
61a7cfc0e6ae0b9e98bcb6af4eeb3e3c43226260fc0b9e1c48d9197c9f0f09e3eab908f08763da99ab91549859f9ff26e06bcfe941e52337dac3f4246e26b8ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
45KB

MD5
ea776124f8557fb1a52290cbb30b8476

SHA1
2e47297940114667f5dd3bd6e084dad7723eb1ab

SHA256
342b7f8773261fd3d2069bf3b087731366bd01c908ff51d315446da2dc0104b3

SHA512
7ed1fa32ffa6a5d228264b44c03ca2e0ee3bab579be86595c11d40c0f9f7736ae399ab4e6e6aaed78b02367e2b9392c8809ad30ca753f546606c923cf45b402e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
22KB

MD5
8ab692beeb7d1ebb12c32acd00ecaca7

SHA1
14a26063f7c91e47e2d23b791b4a58b5ab9726c2

SHA256
c858d62d2370fb5ddcc9cea8cc2440586f20f7d67de20378c9461ff3118115e3

SHA512
75997eb22d1fd4ca408bb25899c407d937fd89067a32979c231c952d26b879d4c02aaef2bbede9fbf3aa2dd64c9bfa2ddcfb2a941d9bd9cbc0368f249ee5ce91

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
55KB

MD5
92e42e747b8ca4fc0482f2d337598e72

SHA1
671d883f0ea3ead2f8951dc915dacea6ec7b7feb

SHA256
18f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733

SHA512
d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
87KB

MD5
65b0f915e780d51aa0bca6313a034f32

SHA1
3dd3659cfd5d3fe3adc95e447a0d23c214a3f580

SHA256
27f0d8282b7347ae6cd6d5a980d70020b68cace0fbe53ad32048f314a86d4f16

SHA512
e5af841fd4266710d181a114a10585428c1572eb0cd4538be765f9f76019a1f3ea20e594a7ee384d219a30a1d958c482f5b1920551235941eec1bcacd01e4b6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
109KB

MD5
c4ea54408ec0f9e4fa1b5088be611555

SHA1
c4f43c099d8704d576f41c1a8768d2d9f8b5b540

SHA256
4419ca856acab73856ca62b85eb2a0ac121f40d941b95e88f77d896714b4b2ea

SHA512
1f0c6cdf5037020ded233fdb1796b06ee61e84d4a8100d4d5a11e0be7b7825b6b1dd930895152d50c8da2243582e4313335f0b3fbcdafd627c0e2bdf5907d85b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
16KB

MD5
58795165fd616e7533d2fee408040605

SHA1
577e9fb5de2152fec8f871064351a45c5333f10e

SHA256
e6f9e1b930326284938dc4e85d6fdb37e394f98e269405b9d0caa96b214de26e

SHA512
b97d15c2c5ceee748a724f60568438edf1e9d1d3857e5ca233921ec92686295a3f48d2c908ff5572f970b7203ea386cf30c69afe9b5e2f10825879cd0d06f5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000037

Filesize
245KB

MD5
e720081d3e920e4c3b0e40cfff5f2fae

SHA1
250802a50c2a2e3fa887b2f2fafd424f354100ca

SHA256
02ff85b0a2d10f5628d617e24c2d15117f6c6a1b612bacae094576c92c636028

SHA512
142a70496663222c466b5c114a6ac6d09b3e8c67d0bc7acb7f457287f1c6e8a29ef9d0ae3c657c1b9e6d4294d99c9d805de884b706d853d54b5a515d67ff5c22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003f

Filesize
50KB

MD5
d49ec70bab1620724c62f5ee15b83b1c

SHA1
e8d0c874dd65fde2a629110856d75459dac13467

SHA256
54e65f925e8ff6aaa9ad7b5de6fdedd567580b2955b280a7aa8a7c12cfa81968

SHA512
328c8572e094013ac799b1952effa69aacc9685ce98d1817a642c9c9a60f1e836cef806202e09bb8b18820855a9c6a569cab09f6d85977878f0571c8856fd2b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000040

Filesize
646KB

MD5
8e17b4ce5c0ccc59736c212ad51abe89

SHA1
b02dc730bf61814d29dc0eb3c77e700b47c30fdc

SHA256
2952a5f30593ba1e27fcece37eb2814891f6eb6a604f986428fe8666a379319a

SHA512
91629be6c57a1d5689e68575c70145f61bf72b0aadd827560b17b5142aafdad264f5032d7f925354cbad9a43945a14eae81dccb6413155737cd90ef4e0ebec39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000041

Filesize
34KB

MD5
abe88f15456620f4b525b46f7c1bdb93

SHA1
9d56c92f2ec9811e0f5058cf3448627e31d5b303

SHA256
fa3033febebc29dac8931145b25b9ee5caa571b9a2f414f9f157a0d1f9021f82

SHA512
1c8b61054b2b15df90103cd2d85e9b147db50c704b8e9122045c82ec5e7f627973cacc302c328bfe95b8808da46e859b75d5f4cb7897f2adda7654d254b2b58a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000042

Filesize
34KB

MD5
c7389516ed0087969d1a9ce874e7978f

SHA1
a375ca3fe9dbeb7dd4cabc63108f7951d3529bba

SHA256
ed5e733bd18e480e5f2877f4b8e400df060c2b0340007d55368af36d4ce8b385

SHA512
a3b34cfc9f9b23b0b3c57fdf50a2a309a94f4d76751351c895cce6286beed6d2393c9549661e94a9356652aad9d006c9874d7c966831cdeb82208fa708082979

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000051

Filesize
128KB

MD5
3a85606f2d9657fc194e3147f2a3b7da

SHA1
7a67d390aa79ae1e1de62264c2393090e80c4e4f

SHA256
9197af50c1f09a4becc2d3d4bc72af2074404ae02bde4f82a052aef8e4dd1c40

SHA512
70c69ba5b87632e1bf5645c27ad76bc90b2ddd103f197f8d637f8fad1afd66b68c86fbb7da33f73ccb3ec216017d512b35fe162097e86cd8287e9a5d93058f32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000052

Filesize
16KB

MD5
42ba6fe9f04279ec0cfec16db1dd6ebf

SHA1
2f23c21460495c5a69aded216f00cefeb78c5e2e

SHA256
8ed81a3d66d94bc6cc54f85591fc46791464316fb36500411c67a661d01bdd0a

SHA512
719c004b058c617c0eeba86470d40027b51696d92494d36e34dd94f882f02051786e850470d1b016bb1b0df384c08c38d15867a364d7ae12779d292b96a53bc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\12e2c4b18dbb728d_0

Filesize
3KB

MD5
886052d020bfad191a8640962e4bcdbe

SHA1
b9faf0563485e57a506b98680af6d1f02c1e5414

SHA256
1a961f60e8c35f863561f36dea51e0036e21d19e3240d1bb4962a68623177a30

SHA512
efa451135daab23036f14eeac7b7eba16c351f170703ab03ab4863aca640668e7089aa90bbfd42acc14eb7f75fe98627d12a6c7029320dd6fc621a97e7a1c877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\154000feacda5f15_0

Filesize
313B

MD5
2d7d152edf9b7c64ab0fb35fe7c84b8d

SHA1
fb2ec59eb53b396ceadba49c5062141f330048cf

SHA256
08e4484128b1e9f196ac83798e9a8894e06d29d4099d190b4668bebc970fc6b9

SHA512
58c7ad7d89474968c3e3487ed580ae30225c976ae3352359a3a6597b75f4c1eb9b373593ec7de31d9c75dbf0170388e1a54e48410630a005b1ce5fcb6f3f37ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\172b237bc017862d_0

Filesize
6KB

MD5
b1e84535cddfcd99592dfb5adbd749bc

SHA1
12c37c8f49a8668a04ba8841a11c7af40b6e0451

SHA256
69cd87e87f9581c487e358b9485b092b208aa17b3cea1e27ec05bdad3adc07f3

SHA512
d96a68e903d8562b16726cf393917dd1b1c671741fe300b927d561f36bcb34da5ba1a097aec690d68ccf1cf7377a9af1895600b76e4d243ed8f3ee1bab38eeff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\19152b7f8e8efcb9_0

Filesize
2KB

MD5
8326226cba73386e3eb6dc67c48e232e

SHA1
5cbc21c512ba0828d1252863fbc26ef29e14754e

SHA256
b78df3b4e6ca96a8e0b63042fe05e16262eac4739254bb18e615a1ec9b5f2a52

SHA512
2c28eccb43bf0607e78d5bced9fb3cbd1a95f93327359de304fe2277e33378f9a4eaca34a40aee2d10d2c0652a3fc35486c7a4eae111cdaa5cd049de08d9b076

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\224f1613c4dc69c0_0

Filesize
1KB

MD5
3bf26c51e8140cd6a87f36599c70d56a

SHA1
e7c8a1c5a371183995b6c58c8ad018d733968c27

SHA256
094fa2621917d823db3d73506399b6fe68a0b0602c058ca571a2e8475b7a224e

SHA512
1ca11128cb3fb077c25a341476025a0af20d265538279b2323792bdb2c97b7566415a14e2e9d5b479c6a440ec923cfcdda673360496d52334246e6c18f2a854c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\25d24c50d6908129_0

Filesize
2KB

MD5
d707d649a3bdf53af9f65aea7577a615

SHA1
742225c4483aff23db88814e8fee5a352755630a

SHA256
961c3243b4b1c8d7b0c80064a40c06eaf487d4e81ee4e7c059c983605fbf32f7

SHA512
5fc42efe71e798e12ee961ffc33847e186b9fa2516903b2493f785180db7b274828715b50d614cba75e35f58c3f6afba708ff1bf3b56087d77681fa786a21678

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\44d5079ad5841b25_0

Filesize
1KB

MD5
ab2a79605b081e965efb48c34efce99d

SHA1
b78a0a0b069a8c84f7183c20aa4905ae3cbdb31a

SHA256
3a13560a6304a7306e1c9ca17df4652f0f8958d48ef972808e5fbf9ad08be676

SHA512
ea00d745b06e2203a45f6cede75a1617045304042f117b6f59c58a5143ce5acf975ca81ca584072f2d44c693b29eee815ceccc2cd465efa7f23cd891c353cbcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6d0b78a7984afdac_0

Filesize
2KB

MD5
13525eb5cf8364160bae4c53ef1f2ccd

SHA1
e11ba2b4c472219c33c98db8f573a4e919f0b479

SHA256
1e3bd4981d673bd01a5722e2e66730fde0a622d45fe89334b7f3c291373c84d7

SHA512
f27f395e4fb6818858a08afeadfd2f0912fda93904b6af9db71b3d7ed0af52c962597a775722482f8465d47a660cf3a679470dbe955882b8229040ea6fa8d1ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\89db893576032902_0

Filesize
2KB

MD5
6b1bfc5ee60469ceb4484e8410db5d0f

SHA1
3066837e706030085dac6b07ddcceff743e83377

SHA256
5f13f4cf468ec8f68ecfdf941db4bff83c3bb3c0b3694c0af4bcd81c3aafb7c1

SHA512
bfd807c8e80794a038ff957ceb1f10fd354a27f7ad2ab2f45e48fd8ec8c49c79a6ee08487f6c9bb8c4f6f36895b74d0c3b818fcc6dc4e0f9d9a3364d39928f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\a69226eb7e1fcb4a_0

Filesize
1KB

MD5
31c016840b100bacd219a8877c31ce7f

SHA1
1781616a61e60ffb99e20cec479914052e8bb106

SHA256
ea9c3e34c640904ed58692b6d6865c71dd2f81589bddc2b87fd0168e99262dea

SHA512
7e15b08d2f52930cad9d9a46e81dcaf1b6c0ac08231fdc3ca7af63d3f16e1465b83e2a003c0b1e2d714afe8cb45173108b8d43687fdf11970141e492ce27d785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\bb73c6570251aa2d_0

Filesize
34KB

MD5
32915865471918f51458012b6f175954

SHA1
93399196ace02eff0d641552745a95f77e4f82d3

SHA256
9e7be8233512d1a59869a82d594e30d86fd974a653c992f383a94ddf2bbbb6ca

SHA512
a8015adb20c3845e42097538c39a418f1c352d45b53ecd55dbf9bb34efd07c8be63217a1b00263e7193190ddcafe0f13b8cf197cd475397eed5cb86be27678b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\dd6c91d63163b788_0

Filesize
70KB

MD5
f79868ea594f56ee1c343afe6e0f70e7

SHA1
dc0c264060436474d33e4e45d74b3ab7d6a7bad4

SHA256
9f31c57bead8e51b7a1ec930846968add4d84ad938fc5698b2b94a89c79dfcbe

SHA512
13121b6d4b9259b23587c7d1362485732b8df87872e648467ecfe0c818f4b6328bb17363193143fdd7bc4ee768369f2916804156b320c02606ab4cc68928d37c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\eab6493a0dbfe79f_0

Filesize
1KB

MD5
1e2140700a0f19d8fcca7d3fbebf19b3

SHA1
377f5c50cb2d4907ded254e3880ae456403ab305

SHA256
99fb208e24bb3d725bd84cba6b7e4f4de6cb4f14b4408762a4ef99d7bccfaef0

SHA512
f4a5d5ca71778e78f60aa44d81e9d9c15296834b8bf32315b19cd8d87f5dd2fb1009eb9d407c4ecedd9ae91c0bb650a154732112266ab96dcf49f519d02c2f86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\ee08c28427b16c56_0

Filesize
1KB

MD5
468d1dff513093bc2388ba53a7b7d28c

SHA1
9e8cf94d44a0e714dbae14d1f1b1e662d2ea8e39

SHA256
83ce4038421687fe8d3a7b3e1bfbe627515536c7ef995c2d512c499af9300f97

SHA512
51c079c48f187c3042d983d2907e8d3815f30e08b6c3423f6fffac4b914c11709034aac59117492777e16f06e47c8469ba1a7d4a7c3970050ecbaa5d4a14b0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f0572c9ab2f19dd1_0

Filesize
10KB

MD5
b31fdcffef6ac4f339b7685292dd2f86

SHA1
5dab2fcea9bb71f3d1eb4703d41bb95478796cbd

SHA256
6ec0af2edf54bb53034a8d6d7f2fc295b7342cb37141955e4d9f0cc15747f321

SHA512
24bca8beeec596e2dd2cb2be2aff87d9f276508879489a67efcff1da168fe07b9c5f053c18cb4e2fd41a762b82ecf25256818feaa411c9a27f5375a67a652690

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\f2508f9f774dff5a_0

Filesize
11KB

MD5
022d8b58f08e31913fe2a547632fb167

SHA1
3df989a07d6a7f690870eb7bcb318306495cebee

SHA256
38a45f8de29e11a202875a22484ffad8c3fcc130bd80acbf596cf41d24057d66

SHA512
835b67947a72662843852dd7d75e9bfe9370eb1f145832281d787f5d3af291a2bfd10c9d4c32296c68f0e98793fa7d14ec21b11f0c7054144051925a6c5a09ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
307e32452cd4bbbddaa9f3f35dd1de68

SHA1
30235939ee3e6ab3648b07f97b98ad556477e53b

SHA256
e1468f461c557dea59bf0cb4b394a02d379b2e98a4c02684970f3faae7fb1dfa

SHA512
4c4a54e9358e508521af8cbe732ce6fc4da9dee018097d90eb29d8c7a322c0c82c53e6d8c147284207a486f290d930dc6c7945ef5c8173c1bc9e3c0ca3f4a689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
54d446f7fc36ad37b205e3e2504f797b

SHA1
bb7ff714b3e741d5814f154f048c1e51e45a3b84

SHA256
a0dfe4403ed54415d5e00a6935892b7f3c223046caba2fe2aea985f1c9ce0346

SHA512
d5d6c8feab4d79fda67e21540e6ebcb303780e20ab0d7ce208a5d338e21290deba94ce1d755b2a6aee6a28987b6b5919671485cf3b5a77eb264a2ab9bb3e3b2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
dc512f17f5e3ea06ec57bced43737241

SHA1
2d455c94821dbea16847fc14c7a0167b9af2f234

SHA256
8e3e2fa441bc7b46ff0e75bbcec1e6b50a08cb1384d927d8ea077bca566073f2

SHA512
8d6a85a997f1d735167d479d81bb085537a10e91e752b51805ab497e9aebfa09894e38e213f9ef4dafa708afa7768dd18e405ab62c639e7acfb48432873e9f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
d6a292bd6da29c8121f8acc896226802

SHA1
0a01bad48b586d64276f1915a2b91370ecdfa496

SHA256
1f353e852035f49e3c748811bfe7f51d61cd3a1650dde00b339724eaaaadfaa2

SHA512
46944b5d2863896816ae5a3caf01f6341e996cea0b703515e3da8724bcf3807f0677d7747975dfa234351175a6fe10ea14ee83eed50eb8ac4f7e8d8c519d9999

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
84a70d853fc7fdcd15aedc51daf51f0b

SHA1
76073050e28c1835bb6c0056af0b4402a91117e5

SHA256
8d01dba60620a3661c73d1b14afeffb031f44334a0f3ce25fe250bdb105cbe30

SHA512
c194897c09ab4cd449fc89fc108463906c03818912ae8c2e3c0c16cdf0fba076bcffd0ece330f42abadc893733d1414f8f9aba0ed08e9b820cce61d62418f5db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
087d67644d12891bfd5f023ae6fee367

SHA1
96eddb53ca25439b7fa2bb755145fda9f06a3247

SHA256
dd0c044338c4269eb23c2e82832e9d53da3e36c725861215c53df8022421e5cf

SHA512
e9a94adbe15b7f32c024e1a17b987617aa8ded7fc9f6b54d45d1319039e9b6e669088af4adc0486ab1decd00bed71503fddf1208bf5e4ef4bf17e3f1bc2df156

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ee0f00e6b0dd416a031fbbd2027e887f

SHA1
5730c59a86c154c6f3ddf0268530f7d160380d4c

SHA256
6c38b1fcdad795c76d4ee014ef2c9947fcf0c4e8c080c68c8c0f02fd15467da2

SHA512
3f629e5fac31be4cbbe723370d8d9d1ace9d62624b2a160c533fc2448f0c51d9dab28493bad258e18d458d96bfb249753c5cb4430bd81c8a3ba756d681411b57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4a78d9071cb4bf17f210c1a9f7cdccf6

SHA1
093cdf695b59e75a7e0c48a7147888e97011c8e3

SHA256
f4dfc55ec2b46dd86bbd11b9a99955bcf29c715329af13344f8908e10a68069a

SHA512
874a1c6f0b090ad6110a44c101211e9f8f9d75653acb084cf56441f0d001625192e8f02bcd926bd2ba2f03c757767f7690f8154f8b0128caddc8fd80988de345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
6fa1efe7488d14aa8cec92617e7f33a7

SHA1
ded7dba01dbe756ac720a23400e67851dd818b81

SHA256
0f78328cc1d6b8b9fde01cd66f0954109f2d36af9ac165982125dff502c768d2

SHA512
04f636394b352e12b9ef8660b688aac56eca7e70dc971caef1e668c1370cb44f694c4ea837685d547212398e3ceaa2cda763b6c6d0d01bf4fe105a4de2d337df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
934B

MD5
c526c2ed8e6e68e3ff206967c52c011b

SHA1
090d43cb8652b949a704d403ddf13935fbad1546

SHA256
378bc2facff909fa061f994f66de50679062a2ab05f0e289bd42ee022c2c9a22

SHA512
28503e808820e0196afff827f924f9929af1a1f635a9be610add922aef079b3d3fd1957fa87b17b1cd0a785af47fe3e129180f91a894938b4ba1770a10ff46f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2e8c3ee0cb8d68ea68d040a2812c4a4e

SHA1
5c1ba72aed2fbcfcb42d27eff860c6a36378f7fd

SHA256
3f700dda2917d30bb8073ca5058e38bd81fc8bb8728cbec6fde28e8959eb9753

SHA512
216971fa0b977c2384c119539696b97c5ddc5abe1c94e4ae4a9c1834fafccc166e9b0c119577437a6b8c824e98d58b2a2c15a03da52bd432a96677fc373ac108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
67e3bffe4ef5744ae5e5858cab48b66f

SHA1
67412de38ffbb0fa2ee1a3ceefbce51de5914572

SHA256
7ac075a3516c330339009954355372a9b50d24169eaf57358bc0fa4435781524

SHA512
8c5707ab024cc58110e875cdc86b7c5cefee921c0fc478bf46789815e97f5138d5e6da723e10ed62b4840b1b32648c67a9af4dd7096926a6abc626dcdf85abe3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0c628899b0e33d0ab4c3ebdda086850d

SHA1
28f34785b57ceecdb19038dd53b9aaf71e26f99c

SHA256
66734a212af2ddc08e3acff4fd219702489d70d67cac17260e0041708319936d

SHA512
de2514705ef7bbc95a26d110ca6a4a41153b664dc8937315e718bdb4989fbfe4da85a3dc05470e3c6a2494eb562cb0952fb6af394469fe03ae682fd6ee8fa3e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
0b2fa477c215bf6d9d17a5e6739213d1

SHA1
d47b49ca2698c778c67c878e3ac13a1f9eecb190

SHA256
a5c86a9d90d1126b55de32e153d68d505c91bce1209f02fa144d1fff3b51657c

SHA512
fb1d1201cc487f54379f0f3fcd3412027bd21e9d391afff68f89ff7d69a1d18e2fdcd149e26d3ce9189e870974676b48aa3bae04687fb902911e821c780cd410

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
2fb5a9a2974cbd1140d11cfc1ce6fa66

SHA1
c02a7ffc3eea8172a1ee1a0124a90af37e99dc38

SHA256
27f55e3644009afe852fc4b24be5253c5ea2e18e7adcdeeb67b43d81b067010e

SHA512
72743b6b110d6accaa0b85efa79f6955f41e01740fa49c4d2d311b33168d0b0ff6d38fd2387b750bdb878e6c91e74781b54949ef99f0dea19c125694326f4b5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4c43c37817fd83ebfd1cc655b382b325

SHA1
b89df20656bb0b4407a61056fd753bd77525eaa3

SHA256
74fd81d521ef96cc6af2dd34ba52b57f60c050b48136f0c3217ee1750c41cf63

SHA512
565eed79c939e0a675df9bf7c790af0c8525b84b2e5da05af852b4adb8bed793d1785d8ce8d79fcb3ab019fd1e7251d292bd9221910dcfdca4d807ad5c877bc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5cd7373434e68d5676dae8de7ef84a52

SHA1
09fbe56b2b4d9edfb58b07994394348e7c1256a9

SHA256
e76dd37be9755882c5b6d591757acca4c79e9aeb2bd2be95f6ae281077405170

SHA512
9e067dc8a81485a650a3771fc9f256f9bff36ccd679fc0e3f90b96849486f5e19787ffd54b6a16151a76b50c3b5d63d7349dac27f05f2c0b5ae06f394dcad9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
77dd2c9d0c6c7325cedd11fcfd377275

SHA1
a1509fa1d72a4f5feb6a26a59ffa8f3521fa9aec

SHA256
14f9fccc95a37eaf9160b31b8e0354dbe5de3f389cd255f64488bc57a2f054dc

SHA512
7b3e4db6aa22d7617313d9ce7016c033530453a580946b20193fce9d012fae88e3f950214c93b9d2f5260c0157c001617c34c1fc81993407635d15f9b869a7dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
d44051f7b8a73df0e88f4261fbd8b268

SHA1
76e14d03e3cb2fa11de73c8029841d40b0284545

SHA256
1ca464b340cbcfe25504e638c1f7b733de50eca0bcc4cb92cafcf21998cfdad3

SHA512
17a242d916d543c53d32858b760f4a5aba18db1c555126849cf2ce3e6a1d50b1f14c703054baeac0bfc5922c5cdf04e3b2c77e79331c8643047515eaad14a034

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
a810cb0044a6098ca09f8feb17fb7412

SHA1
d65af62bf1ba1de43bd67b02b2fbb7dbce5445c3

SHA256
98427e26a64874b824a8fb1d911838a3de895807ab9e184bd5da34f1ae121e3e

SHA512
6359e093d6e6121d20290144654e613578de673fcd989582c330efffb2588e5413b0ddc548abf8e719c72f7fb82b3b68fb69c6b5485f6ff9fba887876090ef98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bead5cc37848f8af710460c3a4327d61

SHA1
5e2fa1960968b0484350d6ed2268df84720bea64

SHA256
546f3366cf283770b411661300fdc33ed34de7b8e00b3ba572839df6ae6c1e3e

SHA512
601e4f7365bf04fb1eff348930741d6e590e0ba73daf6932ffd53f42af948cd1db643934817346bf329137a5b119d64768e18d0669b3c173730d1f2a896a60af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
04b1c955c68d7d00a63b1a308c28606b

SHA1
afc69bbc5ad1a8baee254f6f6ecabdd5a792983a

SHA256
e38f4daa6bd5f715ca6a621215fbbe1cc215610b7eb306ae726da4c45f6f4a07

SHA512
4185ba947173d75fa339aa91ef80cffc32688497dd8e599b9a13f9c14c0c6f23a9a8db39481b1543998ba7c44733d9ff0adba94dce835184fe6eddad4dcf9bbd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
15c2cd74f73021b62acd00f016ca16b8

SHA1
5d17bfbcccf5b689333881afdbb8a82292f5c7ee

SHA256
b8b5577c5b0ebab7fadbed90306be126c6ab4e7dfaf543cd4384c26e8d277f5f

SHA512
727659476a353fec1246b8274c04b6f824d8074e206b5705aa9603b3a7e4c5562b9899273de883f6a94373b25e6511de73d82dbdc2a22a7d112a6321f7a45b99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
e1da56629c580f5d73ae234fdec5e747

SHA1
6d07f65a2c6700c6f59bf9fb633d518bcf0ddf8e

SHA256
f62f890b28667e4b6afb24ff9830adecd764998e4165e7e74471b75a526e8180

SHA512
a3d4640c391f07de203db1275104c33defb232cb87b34661023762b62e45a874e76f36c439f9f1003d6a07877e593264ccc9f9c4d9d5a065824766c2dbc14bd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0731152380a61401f001cdf3ef55b293

SHA1
5bbb905c385f8f6f203f452246c289bc0aa181a4

SHA256
4ccc4a0ad955d314f3987b438a675c2c364ae250620d58e9e08510b378edb6c7

SHA512
0eab99b6d3841c341b3c88061ab256c2ad85ba1d97f409f3c03489cc50c169be5a4d1249da0ce72ba53c685dd301ac1761ea4123efbbc2f3457821676857848e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
40de16b81349a162128e14ad0a2ce64c

SHA1
49f40bbfc0a37f1bb1e489793242ae68c5650d78

SHA256
e9a5674ce689d2f679e3ac35efbce71a1db7fe8cba1c8212c5640a2010be9393

SHA512
e331c9b685fa421f7a9758aa6a863a3897feff1d903054afadc8fb134f067758b446aebc020b637fb3a5918cd441f1a299a9a999e111c3ef3e849fcc6df5486a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
61549aebca023290443b285ffeb60fdc

SHA1
e53e9970b6ce23016a6db279ed27fc2468ff7923

SHA256
eb29b960762c8d8e8dc18a216f0ed1720d0c3abf1d179b966f7b40d32ca21847

SHA512
9d6fa5817872e366bdf8bbb4e3ebc38b005eacf092ba51e372916e27c6f787aefc4223ea57705b5764241c202e24f62b179301ed5d8ddb8b3f6852eb3dd27f65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
9a5796b9e5b473db191222c00b546b2f

SHA1
77a01d021feab103d421e435acfbbba4152525fe

SHA256
6776be13d994b85ae338f2bf6513e4b856979f38b46e2391af7e302eba6d7449

SHA512
2c9eab44f1566e635e3e9f73de002c7202f4aabe3a808615115c67de40abc10f2f3395060c798baf787a0ec3a2e2efe58ec1cc641b697a6059b4ed035d76bb0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2c7b02f7697fe00b0a51575b9a6e4e23

SHA1
80527ac074a906667bcfdaa1991a9eed59e18b3f

SHA256
62372a7dd3913cecb0c745311507a70fc1c4e4478e9be55b86d5e451ebf511f4

SHA512
ea8f2a7619370a9046b679ee6e40b9d21041ab557e97ab5be1b67ed80f678b3382e64ac7854aed45a5e7bdd916d38a33ea9f97f7bfc5be362bba0e4afb7c95a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0e260f5d21142d913c4880bf856c2b38

SHA1
24a3b8aac17f5a8925bb53905ce2bfb1929d951f

SHA256
020860f09a7ffa61a1e77c8565722be4f8cac27af6d8ba8cf6290654bf84ec4c

SHA512
91c9206d8a6cda791ea2f1c28b95aa5f48149aa6f37b834ddf93cb5d3f0e4e643eaa83eeae84008c9554298f524a0f2d576c2e62fa79292e85da0ddfb260a9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\049a878f-4de0-425f-b6b4-c9e6f09fbd38\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\302b729f-17b2-4fd0-a782-378200675cab\index-dir\the-real-index

Filesize
2KB

MD5
10928ec13bb0b4a6c4796fa32f5c756e

SHA1
ee84b6f8428243f3bbe5da38aad61fb75b04e8ea

SHA256
454714540fb3ff0a369fa9798afeeb852e76fc916537c392346354dbf6f83fa4

SHA512
813473a78941e8f463db78f5c6f3714b0c012487d104fed5363914052d8c3750f8945cd00a837971f34da905faf578abd56508ff15c3419a22303efdd07226f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\302b729f-17b2-4fd0-a782-378200675cab\index-dir\the-real-index

Filesize
2KB

MD5
f78ee1faed7d853fb6f4b19b2f2eeaeb

SHA1
5921bece821d0031ec99ec091925c560c5208ce1

SHA256
c5efc935ecb43335e76d92630d957e0190272d7c8b81f5c50505ccfdb92b3741

SHA512
f089e40a1c80f3529ac4b0b09c5c9eb95a9c1355968e2676f7fbce069af9cea597da3cd6fa133be6956c58a117d034e511bb0a455203d203e4e51016b643d40d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\302b729f-17b2-4fd0-a782-378200675cab\index-dir\the-real-index~RFe5ee359.TMP

Filesize
48B

MD5
c1f87716c2904cf3044945f9f91a23e3

SHA1
566a986977b21b4d5720da33479282284ea6a8ae

SHA256
f07000863d77b486e41f80d5fcad62c83490be8161f10fbca8b994b7a37f5c25

SHA512
72476b948d18c8968d128f1250ecd3b5d2ad8ff38d1056dc1faab994b489de6914036689b298a46fc8b9a9000f8b8ec4d622c01bb2303eeb99616e6a4fe946fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\68c8f799-4e0b-4884-9a75-91b831a6b18f\index-dir\the-real-index

Filesize
576B

MD5
1549db33ff8337be13869ee4e2502cd9

SHA1
0e0fc00dc8135ef0e945cb001ca7ffb87ee6bc0b

SHA256
70709ee1fb638a88d09bdaf75a2f0315bc5a72d5aff5ad70cc342add04cac582

SHA512
70f38cdbadcc3deca6f35d0ccd61c8c53e1205683bc1db37b045ff6387dea802a9d3294ddb525001c8b374089a43110cdb475e8b42b5f8993dc6627159923fea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\68c8f799-4e0b-4884-9a75-91b831a6b18f\index-dir\the-real-index~RFe5f3f44.TMP

Filesize
48B

MD5
593bea773fe31d89640545274e3fb3a0

SHA1
586beb385121a860d67ed40d976c2ffcb1ad3555

SHA256
e7330bc85b10bfcab4dbc1b19232d56235a9c8d9f948a676f0e72c504b133fc8

SHA512
e51bbfc3f92e8c7ee5206b7e580e0f3f10c0ce0c094e782a6c33125fdfe185452c44b79fb21f703f1c1c3a2e2215498de366e01919d41e71fe645b69c3cd89cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
89B

MD5
b4e859597abc9530380de02cc0eeb27c

SHA1
277247a8bf00104d40026b8fdda7632faf8e04c5

SHA256
1683f09d3c1166dfc8b76e91fc27990e9a368f21a15bf4bfb40f964bf1d3ef7f

SHA512
bcaee7e3c1d262adca650be5ce08fd8e284163265185ea616b31e2f9e7f7b64d2e69547347a2a8fe104596a4435695ede9f76b570e74a724de976d57a3af5787

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
1bcd7959cbcc41193f301fa4b49f269e

SHA1
47f9b053b6beb4b9b336fdf305a5dc03600a4fc8

SHA256
10bec5e953d05e3ea9eee8c43ba9e3e7f183b8aca1344d4027bfe32af15cd978

SHA512
85f8e5f5a951f3a0365267f9622e8e0ff1c12b22fa0965b00b6680c18cd33a758f1b853c26db97f1f53ae65934be8340e3c55345240b3c04a2c95083d1681afa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
c5ae6f565b1316f5d0a81aa93807de08

SHA1
7b39578ccbcef79052397341f13ccfa5203f95c4

SHA256
c7a72679c70f401d64364a01636644755d08dce98d72bc8cd89a5905b612147c

SHA512
97bb2b68d2965e951037b40c9c56452091057a4ab5ff0a6635fbbb82327e35bab2d535e9853663a2d0754082da2e9a53c2fba0bcae62b9b245dbb625c38baa2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
416ad2fb8e127f880b5c54f9cd2c99df

SHA1
6df49dbf78f4ff4b4e10d84bddea4b274d73facd

SHA256
f652712291fdc63ab82664141289b97d309e6c6976c8f5cefa75133550142776

SHA512
35d098100846b1b219070bc86a99d3f434baa93934d18ce901fa0633d99df8f0ff5a210279d38eb586fc188d5f0b93bc34a0147e6e2b1121139fe90052943465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
81d6a2a2d50e4ad4dec1c9cde9257377

SHA1
c0c82897aec4efeb97642b482c282e468971947b

SHA256
8771cbd4966eab258275368fb6bf3d28986e996f5767f80ce029078bb391cd80

SHA512
307f9cfeded254d622e27749fe51798f440af72ccb02262ab3ee8142fba410aab950cdd8b03c1ea8ea8130741aebb91a65636e57035cf10f7e1382029785e274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
4014da5d8bc140a8963d667be224095a

SHA1
eebfdc987548500001345502546bbb6ca80f4122

SHA256
84cbc9ed527849e41512592225fed6624cdffb8ab5d23f1f96a3af34efc22b8d

SHA512
4a9b7e2911a14d2cb411fae6d277dff4c113e45daecbdfb486f3c6cab3562732527b9f65a6742504deb7ab652fe31ac171310cbd9dd3e2ab7d091eb5b352633e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
a7e3c537d91c8a6fd90ee669b573dd2f

SHA1
531ca2bda84b95cfb7e45e1f011ceae107de1313

SHA256
0fcb312b689e5c75226452010046026d1247177c75ae1725982f3df0c13a6ef1

SHA512
cce709c0a6944f7dd0d023897d616c48c62bccac3cee2d17305af16cf83d9c181549742fde651630c9db0097032593eabcef35ebe4cce0e4ef004b3f106ef6e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_0

Filesize
17KB

MD5
7788060be133f91dd2b38047db522368

SHA1
fa442ddb63f3ed0aa92a73994ff7806a551d0fe9

SHA256
770c6a0f01e9e98b1c307ab95469303c4cfe44b05d8cd3b09c4e269e2643222e

SHA512
89f75f4b618774e2844ff71f1fb4713f880b429281f7b40f82a1cf4521c58e10ac000de5b839c7b536cea3e1b5cb9eb7a5372e4604151996df0eacc27a3b13be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\4cb013792b196a35_1

Filesize
11KB

MD5
d3697a11a491bf1585a28ce5f41f3c9a

SHA1
dafacb5c1f8d55b52820b342aa738823daac607f

SHA256
5f8c125ba83a2bc269bbc0c8d09bf2fdbd83effce9d18d13c4702eb34d0b036c

SHA512
09f20697928f12158c24569d08acf4429223a0eb3a7485881fed4e68f3d634d9de986f031c9aed0bcb85bc5c06877f3f707909f3426e5db45141fc19c5535bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_0

Filesize
162KB

MD5
2ee0962cae5262e4e3d7bd190c2a93f6

SHA1
dcf82f2e9a588a8c077fe5ad525a8dbceff0bb6e

SHA256
2c1bd9e266b12760d5845c1855c59b6c2cf3700e3bedfd32a1957d205dd51be4

SHA512
21cc9d325630f59d6931c646d3e2337e4644aa4ee8491e208e6528385dc4bfde2b18e8b97496b6ebb0f1b79d021b9c46b7d7e59ed1fcadcb6b2b2036096e56ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\f1cdccba37924bda_1

Filesize
380KB

MD5
7abf31b29f710801a1665e2eabe595f9

SHA1
ba61675a24afba0cc0e3c8f329924403ad604abc

SHA256
18524e7fcdc0f2c39e22c1f299e90b674e9b70f65757b28619b3fdd8f7fd9e3d

SHA512
267a83dc192b5a3c83299f29bb1eb362b8bb772b9383a8fe3717b9e0b0ba4928809f906b301124f36df01db8c25db93814406dea987366b2e7319966ef624b52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
e6f971952dbf53d86bccd6da8e6ad417

SHA1
e74c6005e59db055cfa2839e5113474c07af102a

SHA256
986e8fd2e80a5cb3e866baf4f411da4dcbf4bdeae4061af44c445f052d01a528

SHA512
c634024e17b92a3d646d5598219672158c4f7ddecea3bfb3defa89146bda7f7ddd8ca13d2ac49097d0dbdce5d567c9d6ac85cc3e77268c26d8d6ccd67cd5a167

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5f3949.TMP

Filesize
48B

MD5
73d1e4087f037793907c9452814a761d

SHA1
33091816057585f47eb454863013e1ef788ef17f

SHA256
56d4df41c18b2452b67f5ac8d01ad27885ebf210c153a8f3cedc3e731a134385

SHA512
1e22161095c3d16cad417090d9776950c987c1a30f5fbce44662e0958deeeb84d5d96cd212217af5755113b7921cc67791aa0f58ef2426521bc1d4e0b79584b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
384b202aab22d00575bddc44587bda75

SHA1
ff7dee829a65b40b9061d94c28831a0bca56bf6c

SHA256
3bdd9a83ddcbec73338ec01b0a8282b2017f3a2621279269543d091709910c3b

SHA512
4b5cd563e9636aaac678d08a15b08e9bf25a53610fe8d5b99dc9ead911b1cd8ee19de4902f9b0d260d3d0b64cd25de68b11977a32d8f87ab474ebb4eafa796a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
51df2a1beee1f1a34eb125097618aaeb

SHA1
4880e088008df4bf48502d95f3490b993414ee0c

SHA256
df13329f79c90f3e0a0a5e52af1c2713935f1af8651f2ff3e7f559e37662f768

SHA512
b19b93afab153cc34f2b1f1d61db56b92cdbaba7739d45e59cdb80bf714efae6c316fd340eb6a8aa7203e52ed1916624e8b9cad99335dfd091813e92d0386dc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
cde5835adb2ff8ba59d33699bbc8a4f5

SHA1
5c4ac1c3e725048455a2df63acb69c53f2b75d59

SHA256
3bfcd2de8f5696299f0847615561a32e8da5646b8215a8d28bf8b80d02e9cfd2

SHA512
1cfec8d9e7809e3353693f05c9cdb26e3f855b542c5c29877409daa0c12eb58ff3b81f560ce0ed4b3f9ab982d343ef23de7c1808fc9d131bc9b5884b7700fcb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0c990090f34266d644ac0b3883a05a3e

SHA1
db89b8cd2dcd0286b6e0d9fca1ad3e27b8f514cc

SHA256
dc8d83eea125aba590e4c89c37e9ad8db4ef569dc57f423d2e5b5f78c76b8d09

SHA512
abeda4d5e616d9cc4aafc9fbb98a93f8390a2b3e833dd723fdb496d3b1d9ff2824cf345a4c2fa3713361e040f4c3cf02a177a3dd437b9b1c967926a9ebbf6d82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
27e3e27ec268549dc82e04d7454333d2

SHA1
70f5029cd4896b9d2d926907a51183c41f042ff9

SHA256
e0440414beebcf6de321cc681fb0cf242f2f06e6625cdf6f143242c9fc2df57b

SHA512
367d6b54bbf1b55abc91345e07fb486cc4e2c7293ce9d7ee9932f0eb203e1a8642ea0aca8c64268467830d685c3ee3cd1200f41dc54fccc24728b4098089520e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ec9126ad8737537e6e98eb1d63bb6271

SHA1
bc7709ce8fdedb66e1420936c32c7d9742ac2a92

SHA256
d79ed53f82f2b7872b304e3a681ebea20672baa2ff2caa7296ba85a65bc6f79f

SHA512
80c59d0bcbf4b10bcd7aaee600c594cc1deb77b862210e45616a43ce258143a68f9f53057eb6f15bf937e3612fd18475a3fbd30081cf4b09b8b1e0104dd3792f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
eebcbf6ea05974e0d660f498a775aaf6

SHA1
882f65f8363c9f0cba7f8dd6748d7cabf8324c65

SHA256
615a45aa38357401ac77abde509c4140f5800717ba07ec2a10b9fe077bcc14fb

SHA512
b40a10e996dc6f0292c8e56bff3606946b7912bc970029b3f41014e659e602258d8adfc9f60f34a13af0917447a94575d0bc1ad67b911cbea8de92a6a551e911

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
9772dcda34b63babefd7cdaedd7f45c1

SHA1
3a6430ceb367ae0ff217f5ee03042f7d72e2b0d1

SHA256
3f859310127d0c2f36cb0a4b5095a4c9399bf3dd066634f5895bbeff666c0a5e

SHA512
1b0fe77de850ba32457cf7f1084a66311141887ec863af7f8718c7858bdcbf2765a00bdd48082b5bf5734c3ed1d3a23fdb06aa51069d43b205e12009b1007989

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fb88775cffcf5a671dec2d3c0fec5030

SHA1
725bdec0467f630767745fb72db017ed5f4f45a6

SHA256
db6a4b0f42beda923dccb4e9dc755da2c0aded517a026349d179fe9d3dc38add

SHA512
dc20e65a1727e3f0fd1a6e1754029ad8662a73ceb8c5bab23b854dc9910493daf208ef9c65addc3e163daf3b102f114345205c9f154282e3bfcd7b74188934d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4ff1287bc3734883d4cb2c14af00f0fa

SHA1
75235f5dcee44401246e9343220ec8577ab81ca8

SHA256
279542bf20bb0c5ebfd1a52dd6dd49ea04aa58b57e273879a08a6573eb6dda3e

SHA512
c9a81a42071b12b98fa94fc8d22a34069f72cf9702a6ba2d2ff32ab81481d82bc67ec7957e3fc0df70aa2d39630ea64a47673fd125a5eee0cfad96d88012a211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f071ed254a2fffa27c0d2b0a8bbd9f87

SHA1
6761eb001363ccf1b734246f63063b7049b78467

SHA256
cf682a8f4e67f2091644b3f3dff9e59c47f224ab7f8c7649d2bb00dae36ba93d

SHA512
85ba082dd03fba7f0c529a8c0c6d2d0897b370646bc009da03cb08f27879d9220b819272ea58dcfb0f6890985dd9c992568efa46a618ab039ab8085127b38d2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
32e377fb066a4548c80e385a463f12bf

SHA1
304f46f9c460af8050d8b8c4f75f1feabf497baa

SHA256
fc230d79c773e5cb83835f93894d588f9614fd8830195cd3e843b108fa57004b

SHA512
08fe0a8bc720452be2c683ad1b2ad94d1f32cb89b1085a9297bc26b720c4795da555700c8b0fe6f729137834f4a1c51d3c3f0208bbf29d829a3595f8e8c9a048

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
c5fa0267cab9be79f5738f6beb65d66e

SHA1
a016596742d8adc7fe99e74620d218348d296200

SHA256
d1e1d3716664fee71a644706b627e8ed8243ab78d1691ece1897abc789ea4f22

SHA512
efd66d9ea27fba846d6b8c374922ba2948be2195fcd1d1f8b82be9cd2da00068d1ef68a1cc4bb952304ec4b1999be7e78594b013d8e080239f44c4411b538f78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
f29c7a9dc747e81ef911e0985fcd36f5

SHA1
b6da0ef3c24d24a90b1bb0e9b3a2a50efe07529c

SHA256
8b4f823542d01d075e5d8d6f50e5d9c57a9a0e0a7a402f7bdd97b0083fa25403

SHA512
8a6383a709bca4a579dd14c819bed6d4a39935888bf95c03bfef5fa665579dbceae0a8ea6a12909eef684eed034819a55dee3de3d3b4b34c8b0669960dab6d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
546134d5cb106dc9addff073a6da4ccd

SHA1
8ffdea55f93e7b2d55d320f2f53d0d4d63e691d4

SHA256
33ea078263e7ebac43a738460372dc8c511133749f3b91aa7e6ac32bec7dd4e3

SHA512
119e6ff276387681833502d5abfd657d79927715b9a492fa07b9ae5a328339abd1bef5e95c0713740051a0d8e14388ccc072d72d41132c46a02ff5bb52169f4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
52c3f1e7cf6fdeceec8e38c2029c80df

SHA1
88dacd2d9f244d12f6e90caed09a27e29634d5f5

SHA256
0b6ef265082c949729d16faa11fcab9a750d1adf64a497385d9fd24010e66fa6

SHA512
f7de255e705aa9a52b13d4912753886783baba61c2f928e7900b08ebc0036768b012eb35f68c47d32536e6324d63b2081bf03b1fda43e34c78bfc2200f829c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58c270.TMP

Filesize
1KB

MD5
241d7f2dd36c1b2eb0b7197e8a3dddce

SHA1
067cc11cf4fb212861392eae740ce0796eea20f0

SHA256
0c6bc5e596868cf700a6e375d778d769b17dc9764d79b1cc651eb02f85b93458

SHA512
e0e15c243b5c9d459dbf4a394e74486b8edbe5c261b863ac976cb3b155e8eefa13d918839bb918a4bfaca4b6dd5939cbdc7443f441bdf01a98d272c04cafce05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
93b9e8eece0279bac06ea939fee47c0e

SHA1
a8870ebd627cb213ae410fd9e6027d4ddd71d021

SHA256
1eb8305e8540a803ed93ebf1472cb95fca13e053b27cdcdc4b9e53658834d7b8

SHA512
6e97ebf59a368bec64059a36982139d4fdd66253aa95772a192d027a7300194532e1bc133df6fa1e48d4ebe2bc22bb574930d0d051bd115c1dbb9b93ede60bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
79a8506057a194c7157bc490b262f164

SHA1
81a878bee03a9c5486b3365209fd4e40d224315b

SHA256
1a50d16505b3178e5c22fc37bd3885f468181f5a1ed3d883625aaebc38064dd0

SHA512
88fd5c272eb01cfe36e1bf8968561aa1f16b1456c1723ca65cbb60e214ba107cbf98ae09592bebb8ca39b930567277494b4a0720f061ff5f609ef5d07b79c488

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8a6213ed420fbaa9f6cf4737325ce2f2

SHA1
d472903d8ea171e3d34032b3be3f522c226bd2f4

SHA256
72104047bb00559575d9a1a86ef81a6eab772661eb6baeaf0f9c38db431d8f98

SHA512
ec6a640d5a50c0e8f5f3a673df28f9d3ba64024b26fa93477badc26d50e7265a40c7680d45dfc884ba49a1d9fd7b1d99696e8ed5df2fdb27bcf4a78b10771b66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b8fd3891511b3aad0ce75f48ea176e16

SHA1
be04b0dbb7d543a96ddf73af3c633275386523eb

SHA256
b10f8a1fcd943ad03c9bbf21c4f2673239981990105d179832ae3b544c420873

SHA512
e532d5b554a706d348fac4031b9de877292e9e3f951e95cd59f52e262536c61becf955655bf04caa531a20bdc3faa4d338cd00c938dee387a9f4e03aa47107da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneNote\16.0\cache\_R_E_A_D___T_H_I_S___J4GGM6O_.hta

Filesize
76KB

MD5
59e296e60a7b2586d8e2bed4528aaedd

SHA1
62ca5548031be86feb153195f097e4e53e92646b

SHA256
52d708b12e01eb69dcb0072a2288d7df7a3bab8d745817986a9bf6641f66be59

SHA512
0a8f88a01f708e89c0658ff376b89462e811776551c174f9581e79a147ac049361f151f1bf72251b2373db430d0a74cdffa990e56e1437ee3c2c1fe1e4d28f13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonGDI.exe

Filesize
147KB

MD5
fd138f51961f3071e135dae4e279ca7d

SHA1
63a107425ab4b3515b4c6545076ac6721a459717

SHA256
24f189af6d0c0af7dbdbf230183423d34d9cc3c06f55fa911145dcc19e3a6eb6

SHA512
f0d596ebe25c89907018f4d5ca4635df28c7f7095c81bd4d6f6b0819301bd113fb2469d643c02b5d41f2ce523e8539c1a97a817160ee0074d6e1f0a7951e7804

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonMBR-L.exe

Filesize
93KB

MD5
b92a9c7baa9414d17e93112f621734b8

SHA1
f8f74b452bf78fd0dda4601d219d99d000d57606

SHA256
b9177dd0173b676408b79085e0a18a4bf35356b76acf79aa6039a36911796e3c

SHA512
0ab4781877b788acdf0c8ac9fd18e71fcf8a42f960e4b12ae0b81dbbe8abc25092ff4119c877863814e97180a6ade73ec567809e21ca5e8f543f7e7690c7d9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonMBR-S.exe

Filesize
58KB

MD5
1b120dcde4b7be948179d53257c71423

SHA1
efd894e18d8d9eb8b0af9e8eeaa0d44be04a7b62

SHA256
34c657218a5d7702de283691e868f61c1f50ffcd9e6c6bd3f0336bda904975aa

SHA512
fb5ac3cdc836926919710edb15f0e4cb54a72f74122566ac2a965efb1b36daa94cdf01b4b984203d0d4c0deb0791f65d20d675029b40fa7e1baafd3194e4dbfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_AngryVirus-main.zip\AngryVirus-main\MasonRootkit.exe

Filesize
161KB

MD5
94f1ab3a068f83b32639579ec9c5d025

SHA1
38f3d5bc5de46feb8de093d11329766b8e2054ae

SHA256
879cc20b41635709bb304e315aaa5ca4708b480a1bfc2f4935fcf2215188efb0

SHA512
44d5236a804d63302b21ca25ebc148a64605508d03c990a244c44ceb8630849da0510b7b2d0bee72e01ca6681e2d86d7e6aee8847674a26f0028d149b9abee0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9E5.bmp

Filesize
3.5MB

MD5
3800673ea70dcc86c30e75b693305c45

SHA1
6af051a9318a5c3670d0ea69f992203e7d955de4

SHA256
c9ab55e83ea689adade9ed0742afb091850e54a2c934705ee949f8f2d5344478

SHA512
fad0ed2c6133a95609d65e2e3bd9f557c60a939b30bcad02039a528724838851b89f16dff9a4963bfa654373c9c96a70faa752879b00541e07d8d375eca33cc2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\OneNote\16.0\_R_E_A_D___T_H_I_S___SX3P45_.txt

Filesize
1KB

MD5
6a275102632def750dc3ecb09b413cd5

SHA1
f0edb528a5260d127fcabab47ba8b33ad96baa2e

SHA256
73dfe6d32543ed9264a5df30c49de660ba1f5b3163529563a8c468d4b3324339

SHA512
b85360f2236fc1010a6d94fce2c05cb9beeb72265861525a0fdeb175247bb3cc44daffa7efb80368496438a4fde79098a819ad3b6f7439081d7ea868914cf9a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Filesize
7KB

MD5
628d77bcffc04124803767fd9685f3aa

SHA1
73517142cd1fe3055d0fb95eb7b28db2c0cd7207

SHA256
1dc13dbefa218080a99d54ede93c64001ddf740dfb6c9d39b5e164453e4048eb

SHA512
9eb0b029cdc509334090546586c2a288091170e7c84a44483fc9b307679d92134512500737e2628bc53c5132dc59348468ef94353b09f7c53a27b6ab9fb3aeec

Download Submit
C:\Users\Admin\Downloads\AngryVirus-main.zip

Filesize
474KB

MD5
9135f7fd26ef4b583584cba00d523118

SHA1
830e29fe7b47f6c6ece5caae203c9d28914c1834

SHA256
09a18e0f7d627a9e082a14fa5147112ad28c02fb6ac4db173a7261292092f818

SHA512
52895a83da94839e2df5d45c006844b36565a6544769f6dd5bb71ccad77a06b99d182806afe5c928096e7dabbe287dcaa885b83b42b022fed8c05a402122d4ce

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 302791.crdownload

Filesize
12.1MB

MD5
c8bf514a334eaa148cb3c6135c2fb394

SHA1
0e47a89c3729db5a6f195c6abb04e5129d788df8

SHA256
9127560918eaefe69f1959bcb7f7e13b7e3a7ac156b564922829faaec9b96f67

SHA512
9879a258f429ef492cf495dbddd4f2b9c9fbc061e325aa8ad870ed05049b7ad595b26d223d20c55fc99f403fc9b5d0235353d71bf5d9a39ee4462838feb247ff

Download Submit
memory/64-2614-0x00007FF86AD70000-0x00007FF86AE2E000-memory.dmp

Filesize
760KB

Download
memory/64-2613-0x00007FF86AFB0000-0x00007FF86B1A5000-memory.dmp

Filesize
2.0MB

Download
memory/340-2626-0x000002BE52610000-0x000002BE5263B000-memory.dmp

Filesize
172KB

Download
memory/340-2627-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/616-2616-0x000002092A3D0000-0x000002092A3F5000-memory.dmp

Filesize
148KB

Download
memory/616-2618-0x000002092A400000-0x000002092A42B000-memory.dmp

Filesize
172KB

Download
memory/616-2619-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/672-2622-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/672-2621-0x000002636C4B0000-0x000002636C4DB000-memory.dmp

Filesize
172KB

Download
memory/960-2630-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/960-2629-0x000001F6D4DA0000-0x000001F6D4DCB000-memory.dmp

Filesize
172KB

Download
memory/1028-2638-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1028-2637-0x00000209FDE00000-0x00000209FDE2B000-memory.dmp

Filesize
172KB

Download
memory/1112-2641-0x00000202A5C90000-0x00000202A5CBB000-memory.dmp

Filesize
172KB

Download
memory/1112-2642-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1136-2648-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1136-2647-0x0000013EF7F40000-0x0000013EF7F6B000-memory.dmp

Filesize
172KB

Download
memory/1176-2650-0x000001E3972D0000-0x000001E3972FB000-memory.dmp

Filesize
172KB

Download
memory/1176-2651-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1188-2653-0x0000024085630000-0x000002408565B000-memory.dmp

Filesize
172KB

Download
memory/1188-2654-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1220-2575-0x0000000000400000-0x0000000000433000-memory.dmp

Filesize
204KB

Download
memory/1300-2657-0x000002691DD30000-0x000002691DD5B000-memory.dmp

Filesize
172KB

Download
memory/1300-2658-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1328-2662-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1328-2661-0x000001F2E2C60000-0x000001F2E2C8B000-memory.dmp

Filesize
172KB

Download
memory/1340-2671-0x0000020196C90000-0x0000020196CBB000-memory.dmp

Filesize
172KB

Download
memory/1340-2672-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1436-2674-0x0000015811D80000-0x0000015811DAB000-memory.dmp

Filesize
172KB

Download
memory/1436-2675-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1444-2678-0x00007FF82B030000-0x00007FF82B040000-memory.dmp

Filesize
64KB

Download
memory/1444-2677-0x0000023C263D0000-0x0000023C263FB000-memory.dmp

Filesize
172KB

Download
memory/1564-2680-0x0000024442770000-0x000002444279B000-memory.dmp

Filesize
172KB

Download
memory/1804-2632-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/1804-2615-0x0000000000020000-0x000000000004A000-memory.dmp

Filesize
168KB

Download
memory/3648-2574-0x0000000002710000-0x0000000002766000-memory.dmp

Filesize
344KB

Download
memory/3648-2573-0x0000000000420000-0x000000000049E000-memory.dmp

Filesize
504KB

Download
memory/4268-2605-0x0000000000370000-0x0000000000384000-memory.dmp

Filesize
80KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads