e5c2683f7a605712f83903c9272d7d4bc0b03d8399595d7ae88189b38db2ae84

Resubmissions

29/06/2023, 02:37

230629-c36v3acf8y 8

04/06/2023, 17:51

230604-we6pyadf2s 7

04/06/2023, 17:49

230604-weeapada36 7

04/06/2023, 17:36

230604-v6lcmsde5w 8

Analysis

max time kernel
160s
max time network
408s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
29/06/2023, 02:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MEMZ × ADZP 20 Complex.exe
Size

387KB
MD5

580ccf644a5efb8b9d0157ea6b0049ab
SHA1

dd4433c9c670cef10344f3d52a4397a520404a7e
SHA256

e5c2683f7a605712f83903c9272d7d4bc0b03d8399595d7ae88189b38db2ae84
SHA512

402497966cc73cb3d87d3ce72fc08372c996b790c6535253d01604b007b57d9efdcb2bf8e96f9a1418dd23632bb314d9de3c7fcc552d42fab3c11ee47fdd9136
SSDEEP

12288:actEagGmcl4gBF1BRnI6hAVebOe1gsT+tcVtQ:TR+cl7X1BRnI6hmebOe1gmLQ

Score

8^/10

bootkit discovery evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 1 TTPs 11 IoCs

evasion

Modify Existing Service

T1031

pid	Process
2248	netsh.exe
9768	netsh.exe
6220	netsh.exe
6816	netsh.exe
3244	netsh.exe
10000	netsh.exe
9884	netsh.exe
7948	netsh.exe
8848	netsh.exe
5432	netsh.exe
3532	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	MEMZ × ADZP 20 Complex.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	MEMZ-Destructive.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 7 IoCs

pid	Process
4192	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
2928	MEMZ-Destructive.exe

Modifies file permissions 1 TTPs 9 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2180	takeown.exe
6944	takeown.exe
7156	takeown.exe
9568	takeown.exe
5592	takeown.exe
6168	takeown.exe
7272	takeown.exe
9280	takeown.exe
9532	takeown.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1067

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	MEMZ-Destructive.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 9 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
5996	ipconfig.exe
7392	ipconfig.exe
6852	ipconfig.exe
2204	ipconfig.exe
5536	ipconfig.exe
3152	ipconfig.exe
1316	ipconfig.exe
5524	ipconfig.exe
10012	ipconfig.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
7712	taskkill.exe
3504	taskkill.exe
9664	taskkill.exe
3788	taskkill.exe
3244	taskkill.exe
7328	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133324798973334709"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\State = "0"	taskmgr.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\SpotifyAB.SpotifyMusic_zpdnekdrzrea0\Spotify\UserEnabledStartupOnce = "0"	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2890635272-812199704-3564780063-1000_Classes\Local Settings	MEMZ × ADZP 20 Complex.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
2552	mmc.exe
2860	taskmgr.exe
2508	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
5388	msedge.exe
3148	msedge.exe
3148	msedge.exe
3148	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	taskmgr.exe
Token: SeSystemProfilePrivilege	2860	taskmgr.exe
Token: SeCreateGlobalPrivilege	2860	taskmgr.exe
Token: 33	2552	mmc.exe
Token: SeIncBasePriorityPrivilege	2552	mmc.exe
Token: 33	2552	mmc.exe
Token: SeIncBasePriorityPrivilege	2552	mmc.exe
Token: 33	2552	mmc.exe
Token: SeIncBasePriorityPrivilege	2552	mmc.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe
Token: SeCreatePagefilePrivilege	2552	chrome.exe
Token: SeShutdownPrivilege	2552	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4192	MEMZ-Destructive.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2860	taskmgr.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe
2552	chrome.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
4192	MEMZ-Destructive.exe
1540	MEMZ-Destructive.exe
3320	MEMZ-Destructive.exe
4560	MEMZ-Destructive.exe
732	MEMZ-Destructive.exe
3780	MEMZ-Destructive.exe
2928	MEMZ-Destructive.exe
4300	mmc.exe
2552	mmc.exe
2552	mmc.exe
5632	mspaint.exe
5336	mspaint.exe
5632	mspaint.exe
5632	mspaint.exe
5632	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 4192	1452	MEMZ × ADZP 20 Complex.exe	86
PID 1452 wrote to memory of 4192	1452	MEMZ × ADZP 20 Complex.exe	86
PID 1452 wrote to memory of 4192	1452	MEMZ × ADZP 20 Complex.exe	86
PID 1452 wrote to memory of 2676	1452	MEMZ × ADZP 20 Complex.exe	88
PID 1452 wrote to memory of 2676	1452	MEMZ × ADZP 20 Complex.exe	88
PID 4192 wrote to memory of 1540	4192	MEMZ-Destructive.exe	94
PID 4192 wrote to memory of 1540	4192	MEMZ-Destructive.exe	94
PID 4192 wrote to memory of 1540	4192	MEMZ-Destructive.exe	94
PID 4192 wrote to memory of 3320	4192	MEMZ-Destructive.exe	95
PID 4192 wrote to memory of 3320	4192	MEMZ-Destructive.exe	95
PID 4192 wrote to memory of 3320	4192	MEMZ-Destructive.exe	95
PID 4192 wrote to memory of 4560	4192	MEMZ-Destructive.exe	96
PID 4192 wrote to memory of 4560	4192	MEMZ-Destructive.exe	96
PID 4192 wrote to memory of 4560	4192	MEMZ-Destructive.exe	96
PID 4192 wrote to memory of 732	4192	MEMZ-Destructive.exe	97
PID 4192 wrote to memory of 732	4192	MEMZ-Destructive.exe	97
PID 4192 wrote to memory of 732	4192	MEMZ-Destructive.exe	97
PID 4192 wrote to memory of 3780	4192	MEMZ-Destructive.exe	98
PID 4192 wrote to memory of 3780	4192	MEMZ-Destructive.exe	98
PID 4192 wrote to memory of 3780	4192	MEMZ-Destructive.exe	98
PID 4192 wrote to memory of 2928	4192	MEMZ-Destructive.exe	99
PID 4192 wrote to memory of 2928	4192	MEMZ-Destructive.exe	99
PID 4192 wrote to memory of 2928	4192	MEMZ-Destructive.exe	99
PID 2928 wrote to memory of 644	2928	MEMZ-Destructive.exe	100
PID 2928 wrote to memory of 644	2928	MEMZ-Destructive.exe	100
PID 2928 wrote to memory of 644	2928	MEMZ-Destructive.exe	100
PID 2928 wrote to memory of 4300	2928	MEMZ-Destructive.exe	106
PID 2928 wrote to memory of 4300	2928	MEMZ-Destructive.exe	106
PID 2928 wrote to memory of 4300	2928	MEMZ-Destructive.exe	106
PID 4300 wrote to memory of 2552	4300	mmc.exe	108
PID 4300 wrote to memory of 2552	4300	mmc.exe	108
PID 2552 wrote to memory of 3700	2552	chrome.exe	118
PID 2552 wrote to memory of 3700	2552	chrome.exe	118
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119
PID 2552 wrote to memory of 1620	2552	chrome.exe	119

Views/modifies file attributes 1 TTPs 6 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
2772	attrib.exe
7260	attrib.exe
7608	attrib.exe
7832	attrib.exe
2476	attrib.exe
8400	attrib.exe

C:\Users\Admin\AppData\Local\Temp\MEMZ × ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\MEMZ × ADZP 20 Complex.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
  "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1540
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3320
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:732
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /watchdog
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3780
- - C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe
    "C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe" /main
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\Windows\SysWOW64\notepad.exe
      "C:\Windows\System32\notepad.exe" \note.txt
      4⤵
      PID:644
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4300
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2552
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
      4⤵
      Enumerates system info in registry
      Modifies registry class
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:5388
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0x90,0x128,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:5424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
        5⤵
        
        PID:5824
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
        5⤵
        
        PID:5840
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
        5⤵
        
        PID:5892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
        5⤵
        
        PID:3988
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
        5⤵
        
        PID:5636
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
        5⤵
        
        PID:5512
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
        5⤵
        
        PID:5940
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
        5⤵
        
        PID:5976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
        5⤵
        
        PID:5664
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3576 /prefetch:1
        5⤵
        
        PID:1504
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
        5⤵
        
        PID:5952
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3688 /prefetch:1
        5⤵
        
        PID:5804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,7113159896527671647,2311302840338280665,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
        5⤵
        
        PID:4932
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+code+a+virus+in+visual+basic
      4⤵
      PID:2460
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:5488
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+get+money
      4⤵
      Enumerates system info in registry
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      PID:3148
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf4,0x11c,0x120,0x100,0x124,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:5800
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,3939901136336515647,10588541863348218176,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
        5⤵
        
        PID:5904
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,3939901136336515647,10588541863348218176,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2544 /prefetch:3
        5⤵
        
        PID:2692
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3939901136336515647,10588541863348218176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
        5⤵
        
        PID:5836
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3939901136336515647,10588541863348218176,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
        5⤵
        
        PID:3716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,3939901136336515647,10588541863348218176,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
        5⤵
        
        PID:1588
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,3939901136336515647,10588541863348218176,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
        5⤵
        
        PID:4936
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=virus.exe
      4⤵
      PID:5996
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:2484
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
        5⤵
        
        PID:6384
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
        5⤵
        
        PID:6424
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        5⤵
        
        PID:6416
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
        5⤵
        
        PID:6464
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3136 /prefetch:1
        5⤵
        
        PID:6452
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
        5⤵
        
        PID:6804
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
        5⤵
        
        PID:8576
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3516 /prefetch:1
        5⤵
        
        PID:8596
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:1
        5⤵
        
        PID:9068
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
        5⤵
        
        PID:9100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
        5⤵
        
        PID:10060
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1284 /prefetch:1
        5⤵
        
        PID:7196
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
        5⤵
        
        PID:6436
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
        5⤵
        
        PID:5768
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
        5⤵
        
        PID:5828
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5384 /prefetch:2
        5⤵
        
        PID:1892
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
        5⤵
        
        PID:8300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
        5⤵
        
        PID:9724
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
        5⤵
        
        PID:6868
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
        5⤵
        
        PID:8124
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6544 /prefetch:1
        5⤵
        
        PID:6008
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
        5⤵
        
        PID:3396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,11899881523936883979,14032608043072810891,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1864 /prefetch:1
        5⤵
        
        PID:5164
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\System32\devmgmt.msc"
      4⤵
      PID:7320
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\System32\devmgmt.msc" "C:\Windows\System32\devmgmt.msc"
        5⤵
        
        PID:7424
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
      4⤵
      PID:9152
  - - C:\Windows\SysWOW64\mmc.exe
      "C:\Windows\System32\mmc.exe"
      4⤵
      PID:788
    - - C:\Windows\system32\mmc.exe
        
        "C:\Windows\system32\mmc.exe"
        5⤵
        
        PID:2196
  - - C:\Windows\SysWOW64\mspaint.exe
      "C:\Windows\System32\mspaint.exe"
      4⤵
      PID:9124
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=internet+explorer+is+the+best+browser
      4⤵
      PID:8884
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:9472
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+create+your+own+ransomware
      4⤵
      PID:10000
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0xf4,0x130,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:8440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://google.co.ck/search?q=how+to+send+a+virus+to+my+friend
      4⤵
      PID:8784
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:7140
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://pcoptimizerpro.com/
      4⤵
      PID:9244
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
        5⤵
        
        PID:6880
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe"
      4⤵
      PID:7504
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex-Destructive.vbs"
  2⤵
  - Checks computer location settings
  PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempShingapi.sk.bat" "
    3⤵
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    PID:5712
  - - C:\Windows\system32\certutil.exe
      certutil -decode x.bin ADZP-20-Complex.bat
      4⤵
      PID:4996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:2604
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        5⤵
        Adds Run key to start application
        
        PID:2520
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set publicprofile state off
      4⤵
      Modifies Windows Firewall
      PID:3532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:5040
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      PID:5812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:492
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Modifies file permissions
        
        PID:2180
  - - C:\Windows\system32\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:6044
  - - C:\Windows\system32\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:5356
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:5996
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      Kills process with taskkill
      PID:3788
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      Views/modifies file attributes
      PID:2772
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:5852
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3316
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5076
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:6052
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1516
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5672
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3224
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5316
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:1872
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:4728
  - - C:\Windows\system32\msg.exe
      msg * Has Sido Hackeado!
      4⤵
      PID:2804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:5008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5584
      - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        6⤵
        
        PID:6996
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:6816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:7060
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:1004
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:6168
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:6432
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:1316
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3152
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:7328
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:7608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:7316
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4524
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7376
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8388
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8556
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8764
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8888
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9028
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:9116
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:8268
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:4468
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:8824
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:5660
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:8848
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:8744
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:10128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:10052
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9084
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9180
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:9024
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:2248
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:8128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:9908
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:7464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:9164
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:7156
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:7180
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:5916
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:6852
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6736
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6632
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:9036
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8052
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:8864
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:1960
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:5432
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9140
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7300
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3976
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6496
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9468
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2068
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4568
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2616
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5180
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:1756
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:5632
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Modifies registry class
      PID:500
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:6776
      - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        6⤵
        
        PID:7016
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:3244
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2580
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5680
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6560
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:6944
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:6744
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:6980
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:1316
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:3244
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:7260
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:7624
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7640
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:7696
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7772
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:7824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7864
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:7904
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7940
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:7956
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7972
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:8024
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:8060
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:8076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:8104
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:9708
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        7⤵
        
        PID:9940
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:10000
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:9200
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        7⤵
        
        PID:9312
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:9836
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:9324
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:9280
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:9768
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:4476
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:5524
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:3504
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:2476
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8160
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7240
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7444
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6584
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:7508
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:10068
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:9768
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:8032
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:9088
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:5224
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:5592
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:1388
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:10192
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:10012
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7532
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:7556
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:9776
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:9884
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:1296
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:8380
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:9568
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:7604
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:4596
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:2204
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:9664
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:8400
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7560
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1796
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7552
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7712
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7848
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7816
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8232
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7292
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8760
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9132
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:7936
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9248
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:1452
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5360
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5600
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:7116
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        5⤵
        Modifies Windows Firewall
        
        PID:6220
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:6912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6744
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:7272
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:7284
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:7320
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:7392
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:7712
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:7832
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7476
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8420
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8584
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8792
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8936
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9072
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:9144
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8200
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:8304
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:8468
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:9184
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:8528
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:8908
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:7948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:5696
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:6444
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:9532
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:4344
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:6908
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:5536
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9156
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:9256
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9336
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:9412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:9492
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9624
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:9728
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9836
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:9920
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
        5⤵
        
        PID:10036
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:10216
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6504
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6956
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:5544
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8076
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:6028
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:5212
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8676
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:9632
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:6024
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6044
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:2900
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4920
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:1828
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:7088
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:7108
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:7144
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:6244
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:6564
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2860
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /1
  2⤵
  PID:8144

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84fab9758,0x7ff84fab9768,0x7ff84fab9778
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1820 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:3484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3140 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:1
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3268 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:1
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4536 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:1
  2⤵
  PID:5312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1776 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:5384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4448 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:5392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4980 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:5680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5092 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:5820
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x238,0x23c,0x240,0x214,0x244,0x7ff6db967688,0x7ff6db967698,0x7ff6db9676a8
    3⤵
    PID:5836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5088 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:5904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5188 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:1
  2⤵
  PID:6004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5256 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:1
  2⤵
  PID:6092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5320 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:1
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 --field-trial-handle=1876,i,9858051233008695788,4951247545090187930,131072 /prefetch:8
  2⤵
  PID:6128

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5160

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5572

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\MEMZ × ADZP 20 Complex.exe"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2508

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5832

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\ADZP 20 Complex-Destructive.vbs
1⤵
PID:4612

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:3248

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:5832

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x470 0x294
1⤵
PID:6040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ADZP 20 Complex-Destructive.vbs"
1⤵
PID:5256
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempShingapi.sk.bat" "
  2⤵
  PID:10136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:844

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5168

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6180

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6740

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
PID:7688

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6632

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8124

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84d5246f8,0x7ff84d524708,0x7ff84d524718
1⤵
PID:4716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9404

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Command-Line Interface

T1059

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hidden Files and Directories

T1158

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Comms\UnistoreDB\store.jfm

Filesize
16KB

MD5
359c26c5d005c11b44c98e43b29d0b72

SHA1
b8f20e54091de6d56dbded3476e4a53495947db0

SHA256
c48fa3e4bcb615a8c226fc04a8abd36148408cc95b293e7a217af5467ebb1aef

SHA512
462d1d0372d693eb4159901770d32319ea7f64283ff5eae6dcc31446374a39fa8f9275d2d4e16ecd6d2733cb4c44f25c825ff1d7d72d64a99403df3be5f9c247

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000012

Filesize
171KB

MD5
bd9fabb2e7434eb9ebab7b28e33ec6e3

SHA1
a1cac8dd06b30bbec8c1f4c7348dd25ad4849cf3

SHA256
f6711de5a380979c740e0e42170aa58a07e1ed63b31a606b77844fc8461a31ff

SHA512
2395c72fb091a739f132ea2fcf8a34c85d5dd7935a9bdb0803df900b108085e79689f240acce0174b89e14387d21f8ac9bc1de6e3e85a13da7e96a47b05c830d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7ad8d54fd9643b26a7fbc9f5f4f038a0

SHA1
c18bb0dfe073e36740f43512c7e346e0e139634b

SHA256
e486720bdc032727ae7e1a393c9d96aa6e1a54e7644dcf0fdda69199709bf2ae

SHA512
618eaf72aa89b60200bf8935b400b1cb4d44c20d464b50ce0642fd96f3471a3cc33f1b099a24bf330994dea19710629313c6ec1364f0076ba244ef0ccc139fa7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
65223c6c8a2d7fc23c75cf2bf2bc8004

SHA1
b9b1e81a2414fa0799b3f9f1e4e82db60dc1fd22

SHA256
198883cc96354c71bff8db6d9cc70d30673dfa1b3bda8a4430934150de7a7c66

SHA512
06e0e17bfc6da3d99cec4389874c4592c14371e3de17790577604e6aa8bef2509aefd9a5e44e6002098941f895741ada28c9016225176d5ab7c96c444ba502d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
705B

MD5
4a2e779dadba1d15deb3e59e3b94e69c

SHA1
49ef088f19e5327c667379fe4b7eb6342e4b52e2

SHA256
fec0115cc930b05d4befdc431a8bb473a1b4d0f07613247685d1ac53e1a81377

SHA512
addf42fc0f6a0702cd26c9b67e0d5c6289e280afdb419f0db5fcba4919fe69b4bc6e5df72eda0555a1890e63c358c1cf4be4e63abf0718436ff5662eb1c36b0b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
872bded09e5b4ff2c7dba0e17475a029

SHA1
52b07e7794231b870f83de2a95c18f45ca38e948

SHA256
667e57c4f32ef3792d532ff950359946f35d53a3201ff2b9fdd369d2bde03dcc

SHA512
8f7679b7857a3539d400d4fd707bc2a26148078e8ea1219cb13556f901f7aafb8d48fecaff8ff25fa17fc16f17adafe1ac80722fa8106f3258557fe824232861

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
040a77a231426169d9024573287e48f2

SHA1
35574ea9d8f625b719ee8017a72d1ff84605b433

SHA256
ac41a4742914597ee45095dbe1750c4ffed3992ba55c03e3457e4be61d550bb2

SHA512
30a142636fb5500309e860fb1197251efc0965853b141501790e1346b6cef672f482e66cc121cbb1de1578f157a315270432b891359fa9ab58e1ccf10cf7dad0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
489f7a770adb3bbd82a0441120b8de1a

SHA1
4f6624a2b06f0bca176a627ca98c19639232c882

SHA256
f7665e8710e791625423bfd98de9aa4b94fc5686ff4e7b2eea3cac1fd399169b

SHA512
ed217bd10b3d3bdde83f99e8eb0cb1d0a17999fd5daf2e07bf374c74d11ba804543a306230ff737412151c024512158fdcd09eb00457c174d1b22925900a4712

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
ae9facc6f445478dd81af69df80bceae

SHA1
6cffc2739cced62adfa80218287023dd11eb3c27

SHA256
fe82b4e978a5454035685abe810f21f975ac93ffa253e9e4cba2bc08498cb37f

SHA512
6f3fd5e5a88020f39a84e4f0218d3063afae29ea2d87eb308eec1ffeba7060982b5b9d218468cd03dcb84af4d24db5dc6b79ca1eeb15845ca4705b681989edeb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
8d6cc2e93f2af59b74b9c84fd9297b45

SHA1
83ce46aefa87dbdf6a92f030a434535bc78f4e2d

SHA256
2d12b81b99fa13d5b7ccfc3fe3c8f413c4d7c9b916140fdd73dae587931fdfbe

SHA512
67c056136671894466f5b15f8091b0ed8fc9be2461c590c29370d196e75a93378cb8873fa463e16295c0d8caf7c43a76b114327392080bc74210ea85c63e8b21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57cdc0.TMP

Filesize
48B

MD5
49f795af4bc6cca3764585b2da5c8b02

SHA1
724f233fa532f2f029e69b0cfc2028df9478fea2

SHA256
db5c6952e30aa5e6f25d0af0a6cf7675a876e88a3c3c7a99870f1f1c9ef08722

SHA512
fb399991b38501d080e6e87eed78d70f9353f792df9561db9d5a661795f79d46d6b1f9cbf4981b2d5d3dbb39f196d9aff344e273628eb821ecdfc03f0c06388e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
5d988056ac1f802e3fa2a136715ec564

SHA1
043043b0613e065b9ee7c4572dff1bee5a217517

SHA256
7d704f08436287ffda0fa1018de9ac36a18b3f86a9644598e26b5c8811c7dbe2

SHA512
5ae3e77bfc1f5d7b083ea40b351a0f8e2ea13f6077fb40fc7d9af0386ba2098addba44ce02c45f3bb0cbd2a82bc8f057573d35759846b6aad7522eb24a79e536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
5d988056ac1f802e3fa2a136715ec564

SHA1
043043b0613e065b9ee7c4572dff1bee5a217517

SHA256
7d704f08436287ffda0fa1018de9ac36a18b3f86a9644598e26b5c8811c7dbe2

SHA512
5ae3e77bfc1f5d7b083ea40b351a0f8e2ea13f6077fb40fc7d9af0386ba2098addba44ce02c45f3bb0cbd2a82bc8f057573d35759846b6aad7522eb24a79e536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
174KB

MD5
ed49c2e33e353bb4fa637867230ce3c0

SHA1
f491e5b7e49fca35ecd962343b2f4a2882be09ce

SHA256
64aeef86e12b924f227d5f03713a0b6ad7ed4520209ebe27beb2eabbd4922fd7

SHA512
8270117ae6b00188c7d33260ac9346bb659449219699deb156c198221e02a7d30b4099c98c9aed0d79131dcd847901f584b6ab0a1f9c037e5ef4322dd7b4258d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
c2e896b867767975f1971d711d145165

SHA1
cdccc0fee295d161244d3cc5ba61ad37c09d0275

SHA256
d586f83edc2987c3de87437b560a5fc7b2541874098cb82f82b32625053d0bb9

SHA512
3a0a1b88a312df295487e5fc99b04744cee3d795446136da299d85b8a0af049779c4afd8c20a5ffc09ef19ae15acf5b5ea2bfceb0e81ee18e535f814e1b3a029

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ac5b2455c0fbd55cbc2cf7a185f6fbf

SHA1
b76bbbd1265ccf5ea07e682c35430ab2a0e5dcc9

SHA256
d11900a7b4bfcce0cfbf9d48fd5099d02142b9db54951b22e001adf077f7fb82

SHA512
0c174d555a16bb4f874e15585b2c3c1109b7e52b0fd8021e18212d0e9ca3e09ebe570f9878b452882ef4d685787bde0a1bc9726d658a82caa677d88fd9bd7588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a4f88daebad08ec9ff7d9eb1eb96c2c6

SHA1
bba3c17c41398f5582c20c85550ddc023c647a2d

SHA256
671918d59d8750b8e66d344df95f863b65eec9554e223ecb59dc05172e00d55c

SHA512
e4232ebb8e9f28c2c7bfd83249a5197a534959a095e2f26020ff1dbdd79f785d2a1ee4a7757f87ea6b4ee757d475614907875c8c53906c741f03a1c84e2869f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5b0c4f57de2b08734af3109417d9dd2b

SHA1
997f370ec147f0fbc8bf97db99f5424bc32db23f

SHA256
8a7db7beeedeae2bbb4cba05febf27d1d619f3499e7c3a0a2ff04af41abe3a65

SHA512
ee51973c89ea784144afb1bd4426971bc74d3fcd27ab723a76ccaa0a92dd2b9d022083cdec2f247f7cce25844f1c4342c707d8cafd1f786964f3eb7e3183842f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60cc5670bb0da71fe563978e6c7d9e50

SHA1
46664a7d0b2af934109c6dab802a1b94758fc15c

SHA256
582c1b40e2c1c25564861520230b5804af6e6d316bce06fe2ced9d7f755de3c4

SHA512
134d3aee32bfe22799db55acc5023506f10dcc2535eadb53aef515f9e39c50e6a7dd09e1770637f8f9dfbdc20f1e673d59db28a2b2a65a7990a5d8b9991ddd3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5577898093952163e585fc1356275cf9

SHA1
d46e9241b7e8e0b97598907a260c3c6ad7229b6a

SHA256
275315a835f78d1d40d3425488d1ed277924ddf5200cfc9635bf24afdf083cf5

SHA512
00a66c6a214f0a35144217c7738a237e41e7b9b5f66ecf9a94baf487e2b90533070092eb6930247532a7907f5415cc842d51758d3a76a48568f476ef30f1cb01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b092647394f1376f80bf2d4e8797d7b5

SHA1
1809389720e213a4733352f838cd1f16bd20d3db

SHA256
fa55709e752681e7d9f38d74a3376c06d31bd333fbf94f7aca17468f9d8fc85b

SHA512
9d70333ced82fa5ffcff47d6a25b3051916e8f5a069450dd86676315a15a94fd131a0d7973f19562e4807589249213dbf64ac374cd688e1ea17dd190f8e3761e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ac5b2455c0fbd55cbc2cf7a185f6fbf

SHA1
b76bbbd1265ccf5ea07e682c35430ab2a0e5dcc9

SHA256
d11900a7b4bfcce0cfbf9d48fd5099d02142b9db54951b22e001adf077f7fb82

SHA512
0c174d555a16bb4f874e15585b2c3c1109b7e52b0fd8021e18212d0e9ca3e09ebe570f9878b452882ef4d685787bde0a1bc9726d658a82caa677d88fd9bd7588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ac5b2455c0fbd55cbc2cf7a185f6fbf

SHA1
b76bbbd1265ccf5ea07e682c35430ab2a0e5dcc9

SHA256
d11900a7b4bfcce0cfbf9d48fd5099d02142b9db54951b22e001adf077f7fb82

SHA512
0c174d555a16bb4f874e15585b2c3c1109b7e52b0fd8021e18212d0e9ca3e09ebe570f9878b452882ef4d685787bde0a1bc9726d658a82caa677d88fd9bd7588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ac5b2455c0fbd55cbc2cf7a185f6fbf

SHA1
b76bbbd1265ccf5ea07e682c35430ab2a0e5dcc9

SHA256
d11900a7b4bfcce0cfbf9d48fd5099d02142b9db54951b22e001adf077f7fb82

SHA512
0c174d555a16bb4f874e15585b2c3c1109b7e52b0fd8021e18212d0e9ca3e09ebe570f9878b452882ef4d685787bde0a1bc9726d658a82caa677d88fd9bd7588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
69KB

MD5
987edae1041cf0d45c2887f6455cb66a

SHA1
8c467f6d7b8c761acaa50ddf4d30b3c7eac6e0ae

SHA256
b18d4fb20951e267ed35ba9b72a16e300bdfe7286077acb9afbf2e97a4deefe4

SHA512
4d4b2a72f0b25113b079935a186994e9d2cbda85497acb555b7073e395a8eed5eb85743f22cda2c9f6bf6877408d3950da1d15aa6f3ee3a72c23c9b1fc10a76e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
39KB

MD5
8877fbc3201048f22d98ad32e400ca4a

SHA1
993343bbecb3479a01a76d4bd3594d5b73a129bd

SHA256
22f8221159c3f919338da3a842d9a50171ddc5ac805be6239bd63e0db78046af

SHA512
3dfb36cd2d15347eaa3c7ae29bfa6aa61638e9739174f0559a3a0c676108ccc1a6028f58dad093d6b90cac72b4468eb1d88b6414339555c9f872a5638271d9c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
118KB

MD5
ba090306658edefb74f8d8f96e69ee3c

SHA1
3fb918407e2473d4a82895bcfb02ea246acf63f8

SHA256
d7828dfd5f060b44f19f2c0e8ecbf765a9d7d07d4fd3e421ae5999a9aebd953e

SHA512
9f806942e5a5c2be20be3e4d8e58c61639d0138f0fb084b06dbec5905705c03b719af263de4d536b856a4924ae975830cbcfa26c29658329d38c8d6947a59c4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
e7d6d7fd7f8df48aac4afb4b200dc85e

SHA1
e06198ca4a2862f21d975860aea38d41eaa4726e

SHA256
97ba1b844aa28cdce1c734e2c6ad6ded739025527a706d573ba67629e546b6e3

SHA512
7a5a5a206714a6b11a14acebe44e1ea4117c2d558cbf974ac0d79c09384139760e6f50b73a7ad07d27c30814272c5c691b6a09491c7aed96274117bb09227a60

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cb3043b6f4ab24136b910301f2ec5bf7

SHA1
4826503aaef8f3de8ec6009a1d2a500527b8e1c6

SHA256
68c094d710e16c0606485da14257f17dd3f23fc5da2c524ca414e1ecb4564ba9

SHA512
1bd9ec657a0600a3d5acad5dd209a228ce2f43012daa9e217f5c99e6338110fa6774f2fe140839fd3bc643f400cfc15d53825c7d73cf6578371acf239d2a905c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
d3f86ffaf40ade47f8936fa061bcf9da

SHA1
144b47d7236d8ae803a8327d39a1cc5662727d49

SHA256
3c61f96074c9ac8b00b60b837694813c364c0f83f58031e640b34582f8f9eaa3

SHA512
2a3b2634e25cc3c0f38b4dcc3d76a58dc6341594e1d200a4986827ada3f29ff97fec8359bfb26a075a7ac90d8bc590c86c4ffd63161a880da8804f90c1935c46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe580d59.TMP

Filesize
48B

MD5
3a305c4afef922b97762d1d66c50dab4

SHA1
5399ad59079f7109958acf23c4cf77ab683d4c07

SHA256
12c2379cb16dc058ab2a2b36a63044d1c77c5737f3f2406bdc6390ab99890c4a

SHA512
8555c3cc026b1986c264add0394528acc469a333881cfc36a93908b4be0ee1b0a557fb87733716fc81758899a89e31d1c148dc1aa9bc860e3f5a220ac66b7c56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Favicons

Filesize
24KB

MD5
a465f6beffb3708fa4e204bfa2c84f18

SHA1
d30d20b56534834f8b4245206a701ad3eef5561e

SHA256
f96f1fc5bb59562573bde8648b673ac3241a8ee46d972c097fcfbfbc844bfc10

SHA512
c632a2f2a92db2ed0d1eb5e8f24032c8c9fcf6b256fd6579c1f6d89ec4a3b4e733a8be4a4ad30d9c914083450fb6ac9d8b23ceb037c612e721daa69b8cb646a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\index

Filesize
256KB

MD5
212b594bbf9da615d2324b2e065c8e2a

SHA1
6f9161d3d13f12f293c2e4b35a4455b77fdedd00

SHA256
349f09ec6249b8233232fc151ac02ff25f2f8561ce0ad99af1b329185f513a19

SHA512
f8c413ef7a4ce1368a87844b49b876c39167e214752208bd0973c0287df377de686d75fbffa6dda151356de5a7c178f4a93e4fae28d7004a85ea4321febfa7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

Filesize
124KB

MD5
de76f8f44f8c50fef11ca8fe8bb69799

SHA1
cb691161b24444aad03f9534c1bb9598aef085ad

SHA256
e74a9e2c6cc66fed85592400957e8219ff632a81ddae22399b4f639e6c23a01a

SHA512
0fd58b8d28617c3489dc49505c825e964dd286515edfe8722fea30b99ba3c3391afcbe4c4427b23bf387c70ebcb5d8820d4710ab4a51516ff3ec8d3bcbf6c025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
2KB

MD5
18df0da54262a462356bcbca7eadc6b5

SHA1
7c2638dc0f557895dcc25290110f1dce8bb3291b

SHA256
70cd5d92c776059b19e44eae9f647f596b5e26708180bebffc0b790eeb46460f

SHA512
b42c741d8427987959b5fa31be44011197f5c93ff7a76488f8bd9b63ba49e36fa751794530d913062a26f773c97fade3a5e7cc19d49d2c18a7a2b741c91fcc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk

Filesize
2KB

MD5
cd99b09e142491bb63890251e1c40bdf

SHA1
59da881f3e2deb68cb88c257a564875a5ef2a4c1

SHA256
422c89d9f5ddb0d0c37978f46cce937a8432326e2084d860d30193fda280b621

SHA512
94b0b94ea5fd074ed148aecf10078d99645b83b8a6764a6ba2a7550e8277262c5f5af212a1ffce0c4f1641294851b68df1d0b660c235a31929dac7201aa6225e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
8775e5261f24d99cdc65d45b63ffd3de

SHA1
5e04431d8e1a33d18bbfb1810fff4a50f5ef2ca9

SHA256
2b9e9b0ead758e82d0bb2a799af0c806e0ee81eea8049974d1e2aa793ce6adfe

SHA512
642c2a64d0b956f3d5aa61771f0469fa81df1ac4a5937ad26b5710b6588fc107728e4afb5cd367ba0972d13591a49278006fe554cf4bf9e2a16f6998cd421604

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
f44bb4127f20593c91b99c16568fafac

SHA1
3d39d73e9cc98de3ed0000edf60985047b46b75a

SHA256
3065977ab48d752e3dce22ed07edcaafe2ddb3ce9c3a3e41cd089974f43a68b8

SHA512
fa8c4cbcc16ad5fa09c3c04e72ba26fc723dc0c250f3c9cdad5f5fd1f6fb135b71377f963dc1709947eb3d179c1cb91a97cc44a00c06f0b5f0c8535c33787814

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
6dfb73804000322aa2f44831e37314a0

SHA1
fb3da3a928d11c4aacc250eba855ae919d5d346c

SHA256
5e8b36d760e3fbdf683f5b308696628eebf9e2d17348efa267e664219d79a439

SHA512
bddc6637f4c17b94cc90b524bffa4ae0a4a06a386d397a0572fe9f75500b834f57f3c9d19212e252def227df8089efe30f34ed3b0d1e2779baa7fc8c8d348276

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
005a1e9e8bba72022c63c8c8ca9445f7

SHA1
b851a50a4fe551909869030abf25ebde6824c359

SHA256
11bbb6ca8f3f0bae8122e816a8b74e1a0c9d096a160f15ad0c8f68bb5bf476a5

SHA512
c2ad82f5d6cb1d9da95294f65e6e7e8d91e3d71cb7c5836df43ec42ab0bc10a938a7993bd518be1c18e7f8b241f00afc3e4096ba7bbff2b25ee2d757022dc6ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
5KB

MD5
7b1abf87a9271a615760a628ef19dd92

SHA1
3b65039b77c6403864fd76e6ec1b83d13eaa16e6

SHA256
a41ec6c42b9c44cdebf2db525699bf0b67222950c4e245f7cb4ac5b265ec482a

SHA512
3244e608a448406ae67f1ab4576a1f553c6189c521e5fda02d3f3f679117a6d1703e57dce214aaec3678e52119196cdf2a5e3ee915e6464a237d6621a685c143

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
897dfd0521a9c6ad28666bc56331f889

SHA1
5052adf37ab017e56efcf82824db1d6d4bc8f0e7

SHA256
60833b6628e8e4508221067532c9b5b9dff9b14c51d4fae3ddec7ee493a62e50

SHA512
d4e31b5a02a13cff71f6c459d95727298f7ef71df7e5b0177e1e74dfe56d068b64a702110cd7481f0af0aeb1192443c50336c3af622c2c7ae35fd23bb21eee6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
2e064338abfa3a18fa40a2dab98c0fe1

SHA1
c389864819ea1c02885bc725897c04f5276fd536

SHA256
7204709f5fae76eb93d3e9c00e9ef99331e68b9c13d40d668d1b340126c92bb6

SHA512
b09cdab8a62785dca2b37446d1c012f100395028cf53e5e41af875823b90ea15f6d24e9f3b5d25d7df45aefc73700fdd02a5fbbdddb63fea16305c57c7653c8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
40824b0ca52001a216ba0dbbefc0fc1c

SHA1
4bec0f5fcdd6271d2779df635e403e7ea614e164

SHA256
6bf24d53d75c87a4875b63f6495ab9685354f7e104ac131dd33858f517690ceb

SHA512
42954a1dbbc913abced6b83d5cb000a71c77f617c7b509c19967a9f686cd35598db5b7496ab37346edb7a3a539a1f97edb9e18115a94f351a66948706c412964

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
ce444ddb80f746e35c1dee43f35cac60

SHA1
544ba1009ad925f09d8aca0658f488b4780b9156

SHA256
2354cf08303221cd982c83f6a6a843a812dd48d53bbb4217e71a43054dbf96fe

SHA512
040311cb39f74ff6d4e81580230f32aa6a8911d96a972679be286daaad04b27eb87ca362fb7fc32b433d4260f2e415b1ba7b139ec599db0b214f81d580a5c80d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
b01574900b3083699e450c3834341c9f

SHA1
468a67bdac356d2f94af6efbf724b02f7a32d01f

SHA256
09695557458692078a44bb34fe337bad9d97c9b28cea79669c66a86a809bf078

SHA512
5afd36120aaad42e270371727fefe742f6ecaa53e8ffa05593019619c08560608761ad0ffaf4ef823c742198be7ecda93f06c2f7ceef544ab9c1734e21d4fa0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
a3ecabf6962f023cbe88816b258ff2e8

SHA1
0d74e6cda40668296c2248723697143f48258c38

SHA256
0493afb1bc175d52c329ef1e275262787c35704761b8ec861b0efcc45105f6a4

SHA512
f767228bbf9241e4d1cbbc91f4f20553ecb4477e7d07c10cff0dddcdff8738ad420011a974b614ffa75b182877be3a33616419fa6cea389f34fcf0fbb66d40d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6b66983a0d4b3f038dc7b39950172e65

SHA1
01488fd11ac909ec50305b81fad922ad7ec110f3

SHA256
6c7dd8f5d8cc821f8748e7c3f9a766d908e8024f3dcb8fcfaeda3e4379165e80

SHA512
14dc1d5c79d2d6558475132a6619d78ea436b9fd42b9eb98aeae08cef36373bc0cc9f0e7774c7e8650ae8e8ee0018d8f894cd3b554cc05755f6d70be8ac51884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4569ff92f1801ea53e258e14585d3c4

SHA1
7f1ccc76e89d852e16952ca79f90a70157c49866

SHA256
313585b2a701c4205e298f6eea9223f52a6cebe57c41b3822411a6fb4bf72adc

SHA512
5cd85bd3de9fbdbbbe6f352abbafea7824db77846de07e2fce3b84c3d527e20019c019aa462a9f1d08051302b4271732864007e5af134eac1052ffa37fb8b79e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
be7e11da19269523b1440df7af24b146

SHA1
0d0661737da609dc27c806a7090a153af0441892

SHA256
3dd581ed944846a8aac9eebb5d38f0c033870914b42f21b972e5ef51c955e8c8

SHA512
9a231da334abbacac63eb07b909b6479b3b3206b0cca6bda65be15756b9c624234c349590f1f577a762f550e56bf195b74cfc0359acda3608c39149383ae84ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
26211a86d5c142cfd28cdcc96dc407bf

SHA1
3b94d0d7f24148f0d9f9918d5284f286a5b89793

SHA256
26a91c61d42958ed7b68d5d9beea515a63a922e219ca196d40a9c3a61ee06fb8

SHA512
6386c9969cf4d6f5283b6715d629f9316569d1dafb53fbf2cfa7bd99a5f53a6d5d03b1eef327afef121ca76e5886afaae71c03b8677e4fb64d88c02882d5ca8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
408ae3a7c1be64891ce06c2e8e9d09ef

SHA1
83f7692b2f31fa9a7a70af83f089da05ea4ecbb3

SHA256
d2dd4e70dec0b1fc516f37a41c8b5aab719a6eacf4bb661ea8604f1c98b7ef7c

SHA512
a258bed97edd2ef04044cfcb56b4ba188c9c0a6869f8bfcde7319b2dc4d449428b5708abc41e423fd159abcdeaa8d5463aa83278ae1a454bdfa830005b1790a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
17bda5ccdea25ef9ff05643bd0feef45

SHA1
875b48c560aa672d12ae56aaa80a9c2b1ffb111c

SHA256
163f17d31b8adb9088c618e547c892f42096c8eafae2fd5a4d2953bb4450ed25

SHA512
2aaf1071110eebe154836e3489bf7eba1633ba6e7357a4c461bbb0988687a185d95abc8eff98819921361ae45497593d20a80c223126853800a47a586efc0ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
11a395ea67f7ddc122a2e0ee4b72963b

SHA1
678bc1fd7d0bb73d4be3b4815108dd6d4d068770

SHA256
ce74ff459d06c6477b08366754ae6f733ca72b1b8624b6d3151a850b6b24ef59

SHA512
ac828059418b3ffff8ecd6f39543154fc00f209b869335f6ef1c6ec972fbb73686cf91aea16959cd891cfd56d927e9ab9111854ba663d751cbbf8eda18c79531

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53d79a63173ef593b68bc287cf2bc502

SHA1
4ad329801fbe21c5e2bb3e5a8c0f38260fe3395d

SHA256
bee140001ff75dc27d6caae4f305fd12f376b4259355e4e9b653e93925146b09

SHA512
55917b78a1955e04d1c390cb2bb8208af2599dae7ff526e28df5d1197c50c87a414b801c9a5abc61cda6673b2875f16522921997de72490942ba9f114c14577f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
53d79a63173ef593b68bc287cf2bc502

SHA1
4ad329801fbe21c5e2bb3e5a8c0f38260fe3395d

SHA256
bee140001ff75dc27d6caae4f305fd12f376b4259355e4e9b653e93925146b09

SHA512
55917b78a1955e04d1c390cb2bb8208af2599dae7ff526e28df5d1197c50c87a414b801c9a5abc61cda6673b2875f16522921997de72490942ba9f114c14577f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
bfb396f724d87b5dc03bf360219fa3b0

SHA1
5c110515ef78880ca230a1d418b6ee92a3565e4d

SHA256
4a0f5896f8b14c1d99f37e76192d6d84c433000d50a7b5ec831d1ebecfbf2264

SHA512
8bdc70b2413a4e8ddc1b72fe4628106f76e7a5246c113575aca817ff6dce051f945016eac9e8bf342716c1a0862a737c015cc933c13e44a013555ddfff6f527f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
aefc5ee3f7d446e4f589d384871089fa

SHA1
f473772b9fad6deed5ac5ab67e21e80a32beea15

SHA256
cafbd5930c58521f476407f52bc923d7ad33b37e5dbff9be9b1d6b28249d0ad8

SHA512
697ff96fe24ee7016dcfead1ed557b89f2123306749939ac0bf8bc09eae97fbb040314d59991482dad192006a278343cd1176cecdd79a0cb98138611e81bb02f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
049359a5acc348e165be950d43074bbb

SHA1
e98161054f46dd343d437b99788fbfcd20bdea50

SHA256
7fcb73e5f8e53cf430ea358048978c748bc5fd5fe1d14714d78c153d98a280d1

SHA512
97881bffa767ef1317541faec8c0e808169701a22abe163e937c61be8ce62cffbcaf8443259d4f5b991f40ca577a6823c4bdea0ecf40be69519adbac07d26ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
5d8d164575df48c8eb642fedf8f5aade

SHA1
7b11cd7cc62921cb15da8feb0448632df08bda7b

SHA256
6816d4d6e4fc704890beab63dcc75553807515b5361ddb67360b5e493ddd5ca3

SHA512
e412b9ee69f807e76380263f66f804d288638418baa34acac9d276ae6292c5e3a168f698346f80615cbeaffbcda41cc5c0bb6164e20ab0ef05432db24268d307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
55fcf59ee0e4977a3a16710ab830a433

SHA1
70117f076eb14442df57d11b32a96bc37a0eb38b

SHA256
0d5b70a7d25f57ee2f8bdb231331f4889c22a564bc34e44a5236955956f8c48c

SHA512
b43a165acde7b5e5e37acef73c2fbaf45cfef0536ad84ba3dbf17bd165b629ed677b45d04d111b6d4d7271a49744b97b34964f7a930f8be51a5099c7b99b894f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
26B

MD5
2892eee3e20e19a9ba77be6913508a54

SHA1
7c4ef82faa28393c739c517d706ac6919a8ffc49

SHA256
4f110831bb434c728a6895190323d159df6d531be8c4bb7109864eeb7c989ff2

SHA512
b13a336db33299ab3405e13811e3ed9e5a18542e5d835f2b7130a6ff4c22f74272002fc43e7d9f94ac3aa6a4d53518f87f25d90c29e0d286b6470667ea9336ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
90B

MD5
14f14c33208a23981332af6a29f75aeb

SHA1
d0ee980c502f34ee1f962f8dcd21b144bd886e79

SHA256
deb45d9a064f224a2d13e9453f714f5e05158aeac078b3b2669160f4853e69c7

SHA512
d9dc20a4d38b31e6ef2059bfeb0beb0daa3c1e2a5b8e8afb4270a8c13d0bf9d12ca99ccaae78b0e3eceb03654d2adb01740e032ef4cad6e266e38e5f1398ebbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13332479944842216

Filesize
10KB

MD5
4a5ec32a3f6f89ed10d158462bf0f0ab

SHA1
82b8946288a32966b2be249bb3e51331d8176c1e

SHA256
533326dc522c031636e6e8775db3c6979cd3f9bdc426ef1b6a73d53e8f8773aa

SHA512
f67d0bd16990a3c64c463bb02413f0c7d9dfea8764700bceea97c087a40436c1c2233c7a1c875b9f997af3ec181e7ea309408ea7128161de9aec0d6f84919aa4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\000003.log

Filesize
184B

MD5
7a749d88bf7611c6fdc1600ba0914d7d

SHA1
20797e98ef91436161bfe17f9409a01f52986b57

SHA256
e9f3ccfee66aae1c61ee1bfd9269ea2935b6f87a906c2874233ff1a4639e09da

SHA512
1b6d7975734ad1422f14c0f427bf382e2cc77bbad8849aa9f0b92e5c659de9cb0a76a4d28545f78c269569718dd43cafd48d084befa4492456beb5eeb763eea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
858e748f8513c6b9a777952a3acad4e9

SHA1
8aaa887eca89275ef3251d8748a2ff7144f11297

SHA256
76f6d2f298a86a60b83f6c868d179c8b3f6e9e3eb11d8706dc24b3886cfc38ac

SHA512
67cdeb314cef71dd41e4e43d98741220d1cd14fb9e77c12a06b9e6e87f6bcf2cfe9ebb9a4b163043d23361d74f40b0cad9b319e3c9a8de7acd7a8b76dba82a07

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
07f7f5b6e3cc3d12216f84267010ebb4

SHA1
e71e8d404cbd835a69dfdb26cc8a91aa8e468499

SHA256
7aab3bca9408f23370577f17bec07dd0aef9870986ebd799374021b6e031089c

SHA512
590063cafb8a3bd0f264c335a14e5d919904e5a5923b218efb08b060836cc15335085d9fc04094cbea8040f36372901d2f650791949ff55cf041ec5732818376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Top Sites

Filesize
20KB

MD5
f44dc73f9788d3313e3e25140002587c

SHA1
5aec4edc356bc673cba64ff31148b934a41d44c4

SHA256
2002c1e5693dd638d840bb9fb04d765482d06ba3106623ce90f6e8e42067a983

SHA512
e556e3c32c0bc142b08e5c479bf31b6101c9200896dd7fcd74fdd39b2daeac8f6dc9ba4f09f3c6715998015af7317211082d9c811e5f9e32493c9ecd888875d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
6e4f04050b1b64ec111af04076356d0e

SHA1
9c7810c3858bf7c67f1b5d25395faf6b4f33d9cf

SHA256
c05f9edb8277af33b616ed5fbeaee66ca8bfce54ed50a4b54c3b5da99848b481

SHA512
a77a97ad9fcb2a0f8ed6bf7596a68047588782bd659a027e37cc899a2d279e89855ffcdba617a41c63e946d3389170ae23843e5a4200316504a1b8fddb7d4c87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
f004f9adbb576888ffc3343909bc6592

SHA1
d6c43c88622d9e789380ef8a23fcae7454fd1b6d

SHA256
72f49e248237d7ecf7d000a4d63eaee5764cfd4cef821897d234a6ede223708e

SHA512
8d6553760a062387ac79a409cc5b0676ee1cc3a5f2b4cf70256778f0b9db412ecdeaf3411d3e8872fddc5028fe69e8a1694d0f32184c74b09fb5a1ab1f82d18a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
d3a029bb51c682d95fabe451fca7624a

SHA1
f4fb44c204ed64e1a7cdeff519cf2e5b0b00dbf7

SHA256
5961f01274328891b6fa7aece23d3368c7b3872358d51d7fff57143c62c05b31

SHA512
02c3458bd79e46b5b9fcf18daf6509218cdbebee56864d9e2e69c61b1a0d1cf77baa2d96317555355872051fdee73d9cd7cd7d7dfa3aede4f0e89267ec603268

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
6f09fea85fb80bd9038506459b79ab6d

SHA1
240be88d2fea818d5e7a6187f47c65a931c81775

SHA256
8d354e765963dd5501044d84a2afa65ac28343325bcbd4ded0584b7740b54b03

SHA512
4f9a7e825b3909ed71d0a0de4448793b70e0165cd8968ad6e922459639529075ab6e411db33fa66ffc0bf4efaca5b02ca6dd5da960be7e414e79c9785356123c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
7710be53ee9f1dc0cabd52b007e24f28

SHA1
5529c65ec7a6b9cffff9ed9c0a42114ab333f3c5

SHA256
249fa828afd4efdc1ceeca40907b767670c50f033d6f71f912137f0e0268000a

SHA512
e07ce0c854ae8b924aa4384a2425c7fab0ce28c440bad55ac1eefc04a1ecc944e48e549cf8b904026e6ee0de480401f1cd0a6871a57b11e23185c0bd05bcb001

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
368B

MD5
5fa2ffc7ff256dc88114530bbac2c885

SHA1
2122a8c4009736ab9cfcddc18e3bc0a133aef0e0

SHA256
541541371cb3dfbf1056e7bacb5920d8e753dbfe8a81a6e2ea20554e6e6fceb6

SHA512
fada0f7246eb99a135b15764ba5e9b7a6feee5368ea8272dc8cc0e34a03b5aa32068eb41ad010284042fd34e4489e79a772a72e1edbbde305c8b258f26993cea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
d062dd2165c7b0eb3b2144afa3442d80

SHA1
e751a81ca81436aa22d00766a7c822aa561d6799

SHA256
e4e0a6c0a118ff73ec633fc77e2f1930f8aeeec5be1e5be3c5df891499591132

SHA512
bf0dee532b763a1a3b053cc73ac86518934f9c2414e882c1b2136dd98b6d53f1899afaadb49e1ed955a9b09580e12335f380df36a20df2bc53b68f5a1663bd11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
868B

MD5
92b7dddf21dcb5e4b12e2c9b41736fb6

SHA1
1593ad4e5569db90c5fdc63b7228d1abe36cf60f

SHA256
6295d89c01486816d9f75426f7ca8ac20f3b1479f5f65e37d251f4bcaa8bcf94

SHA512
6df8eab18c915f80803caacd22b9875b143300b517133849bbdde038e3ef1d05f5272981aeeb655c04df29f38a64956e83cd0be5ed780b57a79cb47022358015

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
d49d5080d96ca2b76a2da2d21b90ac12

SHA1
6e5fdcee53767d6fa31ee54756c920cef1266eed

SHA256
0649e69d766ae20d2d3753cdf49c68cb72c779575df44a870821b4a9baae49be

SHA512
5afcadeadcb2de292d7f3724c0cbe8d12a14a8f56c8c18b3c299c5384b0d87e4b12a72fba9b45612d97839b3462b705f765863ba5a3ee456b7a9a6f25d57a3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e649.TMP

Filesize
204B

MD5
a71ff417229b1adb3c3560a289cad138

SHA1
cafa39128dc2cada8ccb6db4c41ed04ed51c7bbe

SHA256
83873e7c9ef5615e7b2270b532438eb5d2a108585d27aabb6076ee7bfa275fc6

SHA512
9d24933f9e3c104d1fb5b90c2f541db9bf6f0b9d1e834cea516d0586b9b7a3c933df9e1e5a480614ce2fc6016116a8fd0cbe9a3e20d9da17af76e0eedce171f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Visited Links

Filesize
128KB

MD5
18ce9dd8be1185f6b777b5cd83bebe9e

SHA1
4073f55cb09b2d10f4182486a2add9614dd2a665

SHA256
159a8dbefc7209c93718e95eebfb0891f090a0dc52d49abb1ffc8e55874321ab

SHA512
7cafaa60061cd145f4bfaf6b48da00f0f5d5ed5c1657a33842f1f53dad12d9182306ab8d3103d8897f4e5a6dd7c80d0c6979876a5e7ed8a4786e8ef4a1d0a7c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Web Data

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\cde8efbe-3b82-467f-b417-1bdcfbd00ef2.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
4KB

MD5
d9f84c8cf73422f2ca07d7e7462b9534

SHA1
cff6e092bf5bf1f3f47b7074847e204042a881ae

SHA256
5bf7b14dde109f722782628bbcf3011a23cd2416e7621a62b49ee0333cdec6c2

SHA512
1ea893c62d64304c35b9086e2c7e760716ea5ce220bafb76632670fcd2f97eca5c6693ff98004a861b190060c47c9d97ac92b41e3b1da1a4e8f89d9638548c38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db-wal

Filesize
3.8MB

MD5
4064a9122095d503d04695da644eb202

SHA1
612233b1d88209868655c1b0e17d09cd44c8062d

SHA256
262eddb4db89f8a6d5137c6adc99acba7daf0088e86241219ff11970c96958b3

SHA512
e4e2a64ead720474c5b20612901ba62d19a1fadd05c2b4c16b8699ba99acbed3556377d6d3bb1b0ef24dfa22ca8588ae55b55a660f40791fd4419e777487999e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
838a7b32aefb618130392bc7d006aa2e

SHA1
5159e0f18c9e68f0e75e2239875aa994847b8290

SHA256
ac3dd2221d90b09b795f1f72e72e4860342a4508fe336c4b822476eb25a55eaa

SHA512
9e350f0565cc726f66146838f9cebaaa38dd01892ffab9a45fe4f72e5be5459c0442e99107293a7c6f2412c71f668242c5e5a502124bc57cbf3b6ad8940cb3e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
14KB

MD5
eb3b3a25996db053fcced5c8d70fcb4b

SHA1
1bc3a65c66a7abe6b1add6345c7ba5396913ade9

SHA256
55b2521f04e45936dc70e51db4deba00e28b8f9a7db15648381d55790961cf34

SHA512
563cc3fb1165a8d4ca2c3f348b2f9496e6a437e58106bb7eaff0b8a46c38de9d1f48eda0348031e03aea640526bf7b5b6ff786a62f5d1402ffe456cbba2a66cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
14KB

MD5
a4077b1fb3880a29e35d119b626da586

SHA1
1978511db1b7bfb9aced31900a4339a9cf1e2cc8

SHA256
b994be2ad7d10443a64fd70e926b4214d9bab71374b8d57b1d368762dc9f9fff

SHA512
754002cf4cfcd4cb1cfee38534a40e589fd12a28a6fce8ff241eca9595a8720ffb08ad549e4ff8cc73655f834c4127ca744d2dd54eea513d4fc73d4c2f81c83a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
14KB

MD5
9ce1a2dab8a80e343451d80e8ac4b280

SHA1
1d6feabb0a8db615b8561ca6e17fc0f43fd00888

SHA256
2779b95656a1caf05e38191b7d50e0b060b4282fa63f2203400f3d3dfebb724d

SHA512
62687d396f871ebfa1db32b5bb4a01b3b4aa794dbadf14da831a8b88f202ab16d8bd9729273306107a960d123a41d8ca27f0f3f44c4abf95ec8860ed2fd842ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
9KB

MD5
d7f6c799a90d38ed0546fa5deddcb6a3

SHA1
a0b05d0f2ae72e7d7bb06a97d268fa7ff51c12e9

SHA256
8dcc91369a24fb8e702b06c849d555e8acc186be9a396cc541f447284209b9dc

SHA512
39d125e67db492b2e7ff75bfbd5b9102804bdf53b516fe854e17ecd0db23431d8f5c39bd5ca946e7eca5d3cd190b3bbc79e699e960998b87132937e7efa0d0cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
7515fd02cf2594524bcd0c6a02781d24

SHA1
7313b8f904696a5905584d353f2de3a53774f2dc

SHA256
02b006343ba7581e846c5922b2983dd206ffef6a073c70196e7db33f19e91e93

SHA512
c1cb15d28110437e2f7416ce484b7d7d1e7a2e429f06ea831a9468ce738717d5c96c4aeb2594c30bc6e23b120c08dac9ff3c7ecbcf964759eecd3bdd37c90966

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ae0f35943866fb730c00fe41fa5f78e0

SHA1
33fb162df5f181f202497adb04243cbe7ab65210

SHA256
38ec96f5af47283eb022dff6c58499a9cba4ee0d3aa3574568b0f3967b0d3637

SHA512
fbb21333e90cef48e513688a2b587b6da40272a49f517a1b4f4dc340a053c35c6dd09c0d4e025701e04cf9633326a1785ce04c38a0cdf1bf45cbf18d73ea99e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
ae0f35943866fb730c00fe41fa5f78e0

SHA1
33fb162df5f181f202497adb04243cbe7ab65210

SHA256
38ec96f5af47283eb022dff6c58499a9cba4ee0d3aa3574568b0f3967b0d3637

SHA512
fbb21333e90cef48e513688a2b587b6da40272a49f517a1b4f4dc340a053c35c6dd09c0d4e025701e04cf9633326a1785ce04c38a0cdf1bf45cbf18d73ea99e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1da07ecf5f20d9fa34bfcf797625a8cf

SHA1
d74a244950f6ce3992ee88c14dba79d5fa665927

SHA256
4c5210ef016fe51461571d3aafff8b3921f0a5a13139b0812b2f746afa55e233

SHA512
4c1f37b44c398778018990e0f049e3adce8f9ab0fec7a58b6c8f7e73324406ccb95a441d3bceeceb89465abe294fe3d8d15902a3ce982321e4e6e803e06be087

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
13KB

MD5
7018efd39ecd71346645855a3da61b39

SHA1
8a2a7be7cab0052ff38fb59ae82b6c29fc405859

SHA256
394a7cf22e352074ffb8026ee5d6ed9b37001b26127cd41296b44a9ba21094d5

SHA512
e563b39f21849375d67525f56465d5e64e08e986c56e1e52a69970408d905c8e330d598f7fa618dedf16ca532f4c39b568b9bca2d8e0db7223d6c6c894cea503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
ed08cb344d3d9764ce773272c5aa1377

SHA1
5bd7c0295f317e2703c74f11562ac1dddc7e1918

SHA256
121b9f737b7887b5c42725725fbab6974175fe260a6dcc40e431395e9e284a1f

SHA512
37fc2fdc6be7013fc5ec2107d65e9d0d622c56b2d38fa67f4568e22fa1c804d524ac3a697b54822fef0b30b831c21f7ed9ae4941f7cfc5af0e012e03a00e6be1

Download Submit
C:\Users\Admin\AppData\Local\TempShingapi.sk.bat

Filesize
26KB

MD5
977b003963e42262994223bfb827d610

SHA1
c357ccea26f64da9ad5c3bf96b83e12ccaeb916e

SHA256
d7a449acbcb78e0fb137a868d2c8b4e86f32d643cde7e7f291f77e5480ae2bb8

SHA512
99e3dadeebc8c35c6a47a0c7de4e82dbd558f5c23df910ff6899537f3ae370c4c5ea125353cb22ae469a332dfec14577a06ae651309405ef2e69ea000ff18e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zECC9B2638\ADZP 20 Complex-Destructive.vbs

Filesize
32KB

MD5
268ad0d0582547195a60ebe86948e93a

SHA1
7bbf897816101572fc0111a94b7f36ed59bd1ff2

SHA256
59bbca836c4db770d30c3be2713733629709ac3f573e2037bfc6507820284589

SHA512
93493ddc7cb360f3a02ea53d1c1efa5d9c86d37163ea13f2e9c172e9158a8e51026ed0554b05d13a7039f6ab0f3f485e4fa4515797eaa32e5141ef4ee6326d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex-Destructive.vbs

Filesize
32KB

MD5
268ad0d0582547195a60ebe86948e93a

SHA1
7bbf897816101572fc0111a94b7f36ed59bd1ff2

SHA256
59bbca836c4db770d30c3be2713733629709ac3f573e2037bfc6507820284589

SHA512
93493ddc7cb360f3a02ea53d1c1efa5d9c86d37163ea13f2e9c172e9158a8e51026ed0554b05d13a7039f6ab0f3f485e4fa4515797eaa32e5141ef4ee6326d68

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MEMZ-Destructive.exe

Filesize
14KB

MD5
19dbec50735b5f2a72d4199c4e184960

SHA1
6fed7732f7cb6f59743795b2ab154a3676f4c822

SHA256
a3d5715a81f2fbeb5f76c88c9c21eeee87142909716472f911ff6950c790c24d

SHA512
aa8a6bbb1ec516d5d5acf8be6863a4c6c5d754cee12b3d374c3a6acb393376806edc422f0ffb661c210e5b9485da88521e4a0956a4b7b08a5467cfaacd90591d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
225f834285d8389a6f9c7e9dc67c34a4

SHA1
754bd23cab961c590df0ef28ce6ab6e588b28897

SHA256
4075cfac6990e1c8b345b9e694c597b98cecb7d514785c5011c73cc49349e3ab

SHA512
8ca61c07862b2863cff80ef333a9b4d8d54dabf006844c1b60c5e88bd9d36d2e51ec9ce047f5bf80391e9d30f164277f7e1b5becdd93af2ebc013a1b0a230917

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
5KB

MD5
4c2078bb0e680c59bc40dbb932f256ad

SHA1
4e677e766b1000076375f67ac8971cb2243d5e29

SHA256
30287f1994fcab83fe360f2e20e417eae9f9a8f74d4244bd676bef847fe29b61

SHA512
594775c7391e3e49f58e13574ab58d457b145764575879dfa1092b14f9abc64a03e0620c1eade87cdb08159c4be30dff79c44f5de6aab02304fcc1913ebae0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
22B

MD5
fe669e0a3a56961fba38ef9b7f7d01dd

SHA1
338b6f4a3ec71587d53aec450ca5448928f966a1

SHA256
138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64

SHA512
ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\note.txt

Filesize
218B

MD5
afa6955439b8d516721231029fb9ca1b

SHA1
087a043cc123c0c0df2ffadcf8e71e3ac86bbae9

SHA256
8e9f20f6864c66576536c0b866c6ffdcf11397db67fe120e972e244c3c022270

SHA512
5da21a31fbc4e8250dffed30f66b896bdf007ac91948140334fe36a3f010e1bac3e70a07e9f3eb9da8633189091fd5cadcabbaacd3e01da0fe7ae28a11b3dddf

Download Submit
memory/2860-161-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-157-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-155-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-167-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-165-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-156-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-166-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-163-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-162-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/2860-164-0x000001DFAE2D0000-0x000001DFAE2D1000-memory.dmp

Filesize
4KB

Download
memory/5832-1296-0x0000023D2D720000-0x0000023D2D721000-memory.dmp

Filesize
4KB

Download
memory/5832-1284-0x0000023D2D520000-0x0000023D2D521000-memory.dmp

Filesize
4KB

Download
memory/5832-1281-0x0000023D2D5E0000-0x0000023D2D5E1000-memory.dmp

Filesize
4KB

Download
memory/5832-1298-0x0000023D2D730000-0x0000023D2D731000-memory.dmp

Filesize
4KB

Download
memory/5832-1278-0x0000023D2D5F0000-0x0000023D2D5F1000-memory.dmp

Filesize
4KB

Download
memory/5832-1300-0x0000023D2D840000-0x0000023D2D841000-memory.dmp

Filesize
4KB

Download
memory/5832-1299-0x0000023D2D730000-0x0000023D2D731000-memory.dmp

Filesize
4KB

Download
memory/5832-1276-0x0000023D2D5E0000-0x0000023D2D5E1000-memory.dmp

Filesize
4KB

Download
memory/5832-1275-0x0000023D2D5F0000-0x0000023D2D5F1000-memory.dmp

Filesize
4KB

Download
memory/5832-1274-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1273-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1272-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1271-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1270-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1269-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1268-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1267-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1265-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1266-0x0000023D2D9C0000-0x0000023D2D9C1000-memory.dmp

Filesize
4KB

Download
memory/5832-1264-0x0000023D2D9A0000-0x0000023D2D9A1000-memory.dmp

Filesize
4KB

Download
memory/5832-1248-0x0000023D253B0000-0x0000023D253C0000-memory.dmp

Filesize
64KB

Download
memory/5832-1232-0x0000023D252B0000-0x0000023D252C0000-memory.dmp

Filesize
64KB

Download