wannacry | 4fdfc2ddcff86c23da74987ac3596de288e8d295606902abd541f8e1082d0662

Analysis

max time kernel
340s
max time network
344s
platform
windows11-21h2_x64
resource
win11-20231128-en
resource tags

arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
submitted
28-11-2023 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

876KB
MD5

b5e8bb22c22ac62ed1edbb861a607a19
SHA1

6dad8605496b38c06a4cf6365ee8ea12fafbe731
SHA256

4fdfc2ddcff86c23da74987ac3596de288e8d295606902abd541f8e1082d0662
SHA512

198225c152dbd3c962bd5b364daa1f4fa0a3c53aa56925cb8dcf3b2a04c42b6ebb5eb2a5e9eb5aea3d8aa21367264fcaef06e046d444257b2543966db04338e2
SSDEEP

6144:FBqNLZNLpNL4NLTNLmNLwNLHNLd1UHKXWc+6J6+yyI92bUF6vMeh+v9C6vVO/DKT:FsNlN9NMNnNqN0NbN5I3OUUv8zerPm3b

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Downloads\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

115p7UMMngoj1pMvkpHijcRdfJNXj6LrLn

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDC97D.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDC993.tmp	WannaCry.EXE

Executes dropped EXE 36 IoCs

Processes:

WannaCry.EXEtaskdl.exeWannaCry.EXEWannaCry.EXE@[email protected]@[email protected]taskhsvc.exeWannaCry.EXEtaskse.exe@[email protected]taskdl.exetaskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe

pid	process
1496	WannaCry.EXE
4364	taskdl.exe
1664	WannaCry.EXE
1056	WannaCry.EXE
1140	@[email protected]
4564	@[email protected]
4560	taskhsvc.exe
2316	WannaCry.EXE
5012	taskse.exe
5084	@[email protected]
5060	taskdl.exe
4872	taskdl.exe
4592	taskse.exe
1176	@[email protected]
4872	taskdl.exe
4404	@[email protected]
944	taskse.exe
1344	taskse.exe
2972	@[email protected]
1644	taskdl.exe
928	taskse.exe
1636	@[email protected]
3256	taskdl.exe
2292	taskse.exe
4912	@[email protected]
3236	taskdl.exe
4300	taskse.exe
2112	@[email protected]
2792	taskdl.exe
1192	@[email protected]
3256	taskse.exe
1344	@[email protected]
2732	taskdl.exe
3628	taskse.exe
1332	@[email protected]
2428	taskdl.exe

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

4560 taskhsvc.exe
4560 taskhsvc.exe
4560 taskhsvc.exe
4560 taskhsvc.exe
4560 taskhsvc.exe
4560 taskhsvc.exe
4560 taskhsvc.exe
4560 taskhsvc.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exeicacls.exeicacls.exe

pid process

4872 icacls.exe
4540 icacls.exe
1444 icacls.exe
468 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe

pid	process
4872	icacls.exe
4540	icacls.exe
1444	icacls.exe
468	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\nfdxzssexrabcz467 = "\"C:\\Users\\Admin\\Downloads\\tasksche.exe\""	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exechrome.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies registry class 31 IoCs

Processes:

msedge.exemsedge.exeOpenWith.exeOpenWith.exeMiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3484251756-2814966285-185304317-1000\{E9F21ED2-7A94-46EF-9395-3E0D3CFC26FF}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings	OpenWith.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 84003100000000007c57899d1300444f574e4c4f7e3100006c0009000400efbe7c57b95e7c578b9d2e00000067570200000001000000000000000000420000000000d73daa0044006f0077006e006c006f00610064007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370039003800000018000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000007c57869d1100557365727300640009000400efbec5522d607c57869d2e0000006c0500000000010000000000000000003a000000000083641d0155007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000007c57869d100041646d696e003c0009000400efbe7c57b95e7c57869d2e0000005f57020000000100000000000000000000000000000083641d01410064006d0069006e00000014000000	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\NodeSlot = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3484251756-2814966285-185304317-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1056 reg.exe

pid	process
1056	reg.exe

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

chrome.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exeAcroRd32.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1400	msedge.exe
1400	msedge.exe
4932	msedge.exe
4932	msedge.exe
1512	msedge.exe
1512	msedge.exe
3868	msedge.exe
3868	msedge.exe
1392	identity_helper.exe
1392	identity_helper.exe
4020	msedge.exe
4020	msedge.exe
4056	msedge.exe
4056	msedge.exe
2460	msedge.exe
2460	msedge.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
4560	taskhsvc.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

@[email protected]OpenWith.exe

pid process

5084 @[email protected]
4008 OpenWith.exe

pid	process
5084	@[email protected]
4008	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exetaskse.exeWMIC.exevssvc.exetaskse.exe

description	pid	process
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeShutdownPrivilege	1808	chrome.exe
Token: SeCreatePagefilePrivilege	1808	chrome.exe
Token: SeTcbPrivilege	5012	taskse.exe
Token: SeTcbPrivilege	5012	taskse.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeBackupPrivilege	4960	vssvc.exe
Token: SeRestorePrivilege	4960	vssvc.exe
Token: SeAuditPrivilege	4960	vssvc.exe
Token: SeTcbPrivilege	4592	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1808	chrome.exe
1400	msedge.exe
1808	chrome.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

Processes:

chrome.exemsedge.exemsedge.exe

pid	process
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1808	chrome.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1400	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of SetWindowsHookEx 42 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]MiniSearchHost.exe@[email protected]@[email protected]OpenWith.exe@[email protected]@[email protected]OpenWith.exeAcroRd32.exe@[email protected]

pid	process
1140	@[email protected]
1140	@[email protected]
4564	@[email protected]
4564	@[email protected]
5084	@[email protected]
5084	@[email protected]
1176	@[email protected]
4404	@[email protected]
2972	@[email protected]
1636	@[email protected]
2032	MiniSearchHost.exe
4912	@[email protected]
2112	@[email protected]
1596	OpenWith.exe
1192	@[email protected]
1344	@[email protected]
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
4008	OpenWith.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
3444	AcroRd32.exe
1332	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exemsedge.exe

description	pid	process	target process
PID 1808 wrote to memory of 2300	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 2300	1808	chrome.exe	chrome.exe
PID 1400 wrote to memory of 2604	1400	msedge.exe	msedge.exe
PID 1400 wrote to memory of 2604	1400	msedge.exe	msedge.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1612	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4192	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 4192	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe
PID 1808 wrote to memory of 1776	1808	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1004 attrib.exe
1572 attrib.exe
1112 attrib.exe
436 attrib.exe
2208 attrib.exe

pid	process
1004	attrib.exe
1572	attrib.exe
1112	attrib.exe
436	attrib.exe
2208	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\sample.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xdc,0x104,0x108,0xe8,0x10c,0x7fff63ef9758,0x7fff63ef9768,0x7fff63ef9778
2⤵
PID:2300

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1540 --field-trial-handle=1812,i,17700048637764364832,15065051441950666318,131072 /prefetch:2
2⤵
PID:1612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=1812,i,17700048637764364832,15065051441950666318,131072 /prefetch:8
2⤵
PID:4192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1812,i,17700048637764364832,15065051441950666318,131072 /prefetch:8
2⤵
PID:1776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2940 --field-trial-handle=1812,i,17700048637764364832,15065051441950666318,131072 /prefetch:1
2⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2956 --field-trial-handle=1812,i,17700048637764364832,15065051441950666318,131072 /prefetch:1
2⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff63b83cb8,0x7fff63b83cc8,0x7fff63b83cd8
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1844,5885427031918674992,12720936194688085090,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
2⤵
PID:3732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,5885427031918674992,12720936194688085090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
2⤵
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,5885427031918674992,12720936194688085090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
2⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1844,5885427031918674992,12720936194688085090,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1844,5885427031918674992,12720936194688085090,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
2⤵
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,5885427031918674992,12720936194688085090,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
2⤵
PID:1288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1844,5885427031918674992,12720936194688085090,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
2⤵
PID:3736

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff63b83cb8,0x7fff63b83cc8,0x7fff63b83cd8
2⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2520 /prefetch:8
2⤵
PID:1020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2060 /prefetch:2
2⤵
PID:1340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
2⤵
PID:480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4896 /prefetch:1
2⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2516 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
2⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
2⤵
PID:1108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4840 /prefetch:1
2⤵
PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
2⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2760 /prefetch:1
2⤵
PID:4848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
2⤵
PID:1232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5728 /prefetch:1
2⤵
PID:2816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5904 /prefetch:8
2⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5228 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5920 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
2⤵
PID:3428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6340 /prefetch:8
2⤵
PID:1176

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:1496

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:1004

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4872

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4364

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 254311701200648.bat
3⤵
PID:1644

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
4⤵
PID:3260

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
3⤵
- Views/modifies file attributes
PID:1572

C:\Users\Admin\Downloads\@[email protected]
@[email protected] co
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Users\Admin\Downloads\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4560

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
3⤵
PID:2828

C:\Users\Admin\Downloads\@[email protected]
@[email protected] vs
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4564

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
5⤵
PID:4728

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3048

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nfdxzssexrabcz467" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
3⤵
PID:4540

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "nfdxzssexrabcz467" /t REG_SZ /d "\"C:\Users\Admin\Downloads\tasksche.exe\"" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:1056

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5084

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5012

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:5060

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4872

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1176

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:4872

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4404

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:944

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:1344

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2972

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:928

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1636

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3256

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4912

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:3236

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2792

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:3256

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1344

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\Downloads\taskse.exe
taskse.exe C:\Users\Admin\Downloads\@[email protected]
3⤵
- Executes dropped EXE
PID:3628

C:\Users\Admin\Downloads\@[email protected]
@[email protected]
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1332

C:\Users\Admin\Downloads\taskdl.exe
taskdl.exe
3⤵
- Executes dropped EXE
PID:2428

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
2⤵
- Executes dropped EXE
PID:1664

C:\Windows\SysWOW64\attrib.exe
attrib +h .
3⤵
- Views/modifies file attributes
PID:1112

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
3⤵
- Modifies file permissions
PID:4540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,15207437845662773879,7270635946756831224,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=7108 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2364

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3856

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:468

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Executes dropped EXE
PID:1056

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:1444

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:436

C:\Users\Admin\Downloads\WannaCry.EXE
"C:\Users\Admin\Downloads\WannaCry.EXE"
1⤵
- Executes dropped EXE
PID:2316

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:468

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:2208

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4960

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:2432

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:2788

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:3468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Users\Public\Desktop\@[email protected]
"C:\Users\Public\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4008

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Desktop\@[email protected]"
2⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3444

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
PID:1972

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=15E38F3278FFDBB1234AC233E8373298 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3288

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F58B66405D4BE362C707781F8F017A3E --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F58B66405D4BE362C707781F8F017A3E --renderer-client-id=2 --mojo-platform-channel-handle=1784 --allow-no-sandbox-job /prefetch:1
4⤵
PID:668

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1E3F9D8AE9C30C677CC08AA3016EE2F3 --mojo-platform-channel-handle=2328 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:4804

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=720D2B605A3340A56C96068DA543C648 --mojo-platform-channel-handle=2432 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:3236

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=35DE9111568CD05FA00E24B073D174C0 --mojo-platform-channel-handle=2004 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
PID:2828

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9339E86594BE9168280F214B4345A3B8 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9339E86594BE9168280F214B4345A3B8 --renderer-client-id=8 --mojo-platform-channel-handle=2316 --allow-no-sandbox-job /prefetch:1
4⤵
PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]
Filesize
585B

MD5
89c3b0929135f670fb350ca3c15c81cf

SHA1
89cf9c3e3131a5567f568ff5761d7f9135338320

SHA256
26f5158332f323614e4cc96688ac3d081076bba462456dc4e4546572fcfe7407

SHA512
66b626293ddcc4514dee7d4189bf0ec3d70c8ec63fb78b3d3e077c193120ce9dc3950bb8cce6df3220842d0bca4afd227263584c1a58cd5ef83b2f633c434541

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
1KB

MD5
ecd85460d4f6630b296979ab218a7aa5

SHA1
30eac792c892039ee59949e6a60c8733718c6405

SHA256
179209f31203518751fdea62c6ce70310bd1128e6e3a67674247590cd27b4b50

SHA512
66b1d0223fec3fc829cd925583446af9c9307dee5fe7e4ac765a6a2d6190f6756a6a941594f7fce7b656d03aeef1d4fbb225e16f12a47e0f63059523905a8231

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
086d8efc64093b52d43bdb3fceca285d

SHA1
d8b405620a414de480cc9f56196c29e728bb2250

SHA256
01a910bdd4f553ffc8df123c0c44d4e2ab9b6bef03f42072269e4d4398acb160

SHA512
0104d62bdb94cea38901c68add59ae5e4cc0d2c4cb215fe23ff4427e5336bf3983f3379e9d14e849ac887c5c9f5c53254bb227c351ff3918954858b1e15536a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
115KB

MD5
beab90c7f2bbe241489e9f7fc4021f1c

SHA1
2a2b1c451a7d99dadaa4c8695c3389970b4fce82

SHA256
7a3fc2ed9bcc8d50882267b87e09b079e4b187a4a93c419d336116ecbc90a562

SHA512
c6f7f65123d1d14a7d03bb113294fdd363b236aacac0a97d07552010b159a4daba8fdf1a79865e8968244e44b70a4e3883e069500de3d1fb000d20893c0675b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6b9543a1c167d24c0d4b0399a13a7e79

SHA1
6f58a92dc29ffc1b309ecb634fcef10030d096a5

SHA256
115b6dc809257d2f5fac27700a171c5c2e6da9d13c44f502ed104a2f3acd966e

SHA512
ee558daf3a46fc2ff1d79a1ee4cfa104d0610225080e94366bf251bba9d319b3cd6d3751ba0914d5781f2afcbb0e3c0e9fc7cfc0a48426d90c3e5c1bddc34719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2ff3173fc54a93964535b7a87f4b9aa4

SHA1
61bd3298a38e550011928acbc72181ebd7027121

SHA256
da2da18239f92a534ee33a0aa5869575ed9cc5594905f03c54f1663ad21037f2

SHA512
d25f64a404456a07c5ba869f6582c3297064a8905f123490c4aa3c8ed8f769a2347942c7b2564dbbb216ffd18896fde8355c33f381c7b3391a41f5fddc592365

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4ee43ae2ad5e06541907a2f8fc04472c

SHA1
ce1a8eba69efd025d85e2f96beb611c58de27979

SHA256
65859e769ac5e156bb0e35df49bfffda8650ef0f2ddb5d12a2fde73578aea8ad

SHA512
34ea48a16ee682c8889db2a6c873aefd7cc77d7b21cd837bb783deae2c793ddf2a6e8c234c23cab028dbf9155bbd2bd8103a4d81ced4c8984673c1b83a2769db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
6b9543a1c167d24c0d4b0399a13a7e79

SHA1
6f58a92dc29ffc1b309ecb634fcef10030d096a5

SHA256
115b6dc809257d2f5fac27700a171c5c2e6da9d13c44f502ed104a2f3acd966e

SHA512
ee558daf3a46fc2ff1d79a1ee4cfa104d0610225080e94366bf251bba9d319b3cd6d3751ba0914d5781f2afcbb0e3c0e9fc7cfc0a48426d90c3e5c1bddc34719

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\168cd314-a07f-4c2c-ae12-656b5d9e82be.tmp
Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0
Filesize
44KB

MD5
740f1c26c39128765b6332dc0e0161b4

SHA1
a4a0565b3301773404f303007ac018c27c0d598c

SHA256
796c80fbabcaf13361ba23755b7fe428d0c90dcb396ef47ee35be95f4ea2881b

SHA512
c361ebfeea5316db4298e5642f8ae805f1b5a058f3888f93e393607a3665ce0dcf43ac3205d1d92c341b664d3d38dc9aafbf266a79bab57b1ea1e38eab4bec61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1
Filesize
264KB

MD5
d66fb27b1ce4afc66a2ac8c591b2c5db

SHA1
ad3edb1ffc0fd6df8128afde869381d59d4ce31a

SHA256
022e1519f8f276c9f858f8a9d7f1c1d822fed2aa63e2448371060b726183958c

SHA512
502bc68034ee4052b71ecd5384e4a0f716d854c0324bf0f96fc88f3220c86b179a65e2fa29401de6cc0bdb677c9aa10f1e04163876e961fe9753caa41e4f06e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
3KB

MD5
1e7aa733e89717b5ca86d5b917f5660c

SHA1
8d6376cc9e1cd4c708987abdf41d2c1fb2688bdf

SHA256
c62c1a0c48c764dfcd9d6551d930bb2bfc06c059efedd5c64d590739714653b8

SHA512
b095ea5b953199f16412bc21ca429bc5e6274b046df8f7622c8274121cf34a2e30c0a698214718764de9d68d732f099478276755fa57ec42a8323dd9df1644f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache
Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG
Filesize
331B

MD5
ab8a477558bcbdd246a7962ce70d5f33

SHA1
8360fd4ac5d6392323555f3843b306bd199f3c2c

SHA256
880730dcea370a08b0f2e3bd955c40bfcd8ddad0c5284e663e74f4325913ddf2

SHA512
960f55e79be99034d7a5656ec69dc91fae601deada87dc8901c07b97c3f7756ba1e48059a29350cf9dc89906b7f97f7272cbf4398f13088748f9f886855a1360

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
865B

MD5
c5a48d5f8ecbe87ab1c4eaaf7a36835b

SHA1
af85fe21fa1c090607a7612a2ac916a36da1a9f7

SHA256
b3d496cded5f9f2f84340eeb25e771781a93280a6bd07020f7008bbc9e94debd

SHA512
dd95dd95763dcace9a1215fa51c6c521548ef4a4910bfdadec534355835236244785fe13bac1ef420706b8b369747a332db8c53d1cbea874d82c35b3b08a1db8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
effb18228fe80d1767d5bfe8edc3dd74

SHA1
b6d4eccfeaa134423145a565ee1ff65ec41ea1e6

SHA256
76bd5b765fbdcf6f3bcfb39e8551ef050459bc7b4300f12856c682abb774e563

SHA512
6814116bdfe2ba82191249622a8812fa9731179f0a73fdd2ceb4eb1042f10bd1461732a544a3a1e8182114a137aacf84e4eb60a30221592ea93306b88b66d209

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
54fa5f588ec005fd3b1803e175711347

SHA1
157454a964b5b7140e11408e06238f7ade38a3f7

SHA256
f682488af62f6aa13c20c5e67303a863ac548592ae5a6c28348b2029519a10bd

SHA512
84d8dd56220c2b1f7b60c2a5a64f7c8a9ad182d247e493aab8bfafc5d70f53135946a605af08cfe91c52d69258829b4b574ebf693bd5a81e4f1a3a802a0ca6f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8f457a002e1a91ece7629ff487daeb46

SHA1
8bff389817f9eb5ae0236a9b9953c6f94b7e1443

SHA256
0fc10b6e6c246750496bdbeaf084efc4ebbdb3c991f7f39ec49e620c3621fced

SHA512
74c6490c0649d33a7157ffff1078814ebae9ad8911e4fe1c8a5b8766f96ea348ea81797855d6da6136824c231bb7a6e06b69fbe5e9ab88afe560e6d5eb3155ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
f208c92b1babd9f2d872de788b3680c7

SHA1
a77214d53212c72a94088256dc20ced44f7d5a95

SHA256
ba0cad427a65aea4d975ee5c5ae84b7e1f5a76a04d3d0ed17cbea609b6be016e

SHA512
729d78d40aa5ebafc7e1accbb95fbe154fe16365a77056b52a6c3eeb81ce8a58ad3a94495d547650a0bb5c5c2058aad267549d4c078c6497e9ed66d1904aad36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
add0984704853a4b8b9f236a1f0442f9

SHA1
9ea680e8bf94772495c588f4807e425bb18ba91f

SHA256
cd84918e9337ea3e0a17e814260adec325b3792520fcfe32a8fcf1359dd65736

SHA512
6aa1f8f21c875b843e3bbb1bb14e0fd0648b2d9b79c5ca25f34ca3ec50862e8d68b950e6a7cda0409a32e18b266d0910e5bec198f257f3fac706f84eef6f2477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
add0984704853a4b8b9f236a1f0442f9

SHA1
9ea680e8bf94772495c588f4807e425bb18ba91f

SHA256
cd84918e9337ea3e0a17e814260adec325b3792520fcfe32a8fcf1359dd65736

SHA512
6aa1f8f21c875b843e3bbb1bb14e0fd0648b2d9b79c5ca25f34ca3ec50862e8d68b950e6a7cda0409a32e18b266d0910e5bec198f257f3fac706f84eef6f2477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
f37fae392eb4aad1e5820d4eebe823f6

SHA1
904c11535fdf1df57f6e7592cada1bd96bab4361

SHA256
81b74bccf8671fb5bb4751afb54324f51d1cd44c28fd2b489ed2a229aa47f1a4

SHA512
5ec482355d5ad491f3479ff3a5eff6ad2f2ca3a64fa565f2e2c0c8bb4f86905fba55426aac8d716cbc7149f324294dee18770b0331e79d5ae689ea6c9d50cc22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
22cea2ad8515b028cb1ce733911db8a2

SHA1
6efbe149f26c16a45d550beeaf596fab62877b4e

SHA256
c542075f43ba974ba953a4f134aeed38566fd8c1f21b85e1c31c7cf299cda4a0

SHA512
f145ffda647aad3b9c4083a2571c9eeac1657a0c5a68bdb6a5aa0de166a6650399e56605aa9e24da0aed57114bb0c3845d073d617681541d9e078824651f2136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
25KB

MD5
22cea2ad8515b028cb1ce733911db8a2

SHA1
6efbe149f26c16a45d550beeaf596fab62877b4e

SHA256
c542075f43ba974ba953a4f134aeed38566fd8c1f21b85e1c31c7cf299cda4a0

SHA512
f145ffda647aad3b9c4083a2571c9eeac1657a0c5a68bdb6a5aa0de166a6650399e56605aa9e24da0aed57114bb0c3845d073d617681541d9e078824651f2136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG
Filesize
319B

MD5
434c9f1e43507eb8a201c65bcc038282

SHA1
dfce2e6747a67ec4aeee38ed6048cdb0ddd2f853

SHA256
db3c95b3b20160270e94f7b2b0f22507a9579ee9ed3afddf680be47f5638d344

SHA512
2369397327b192ee19819ee2846708c7f568266f4cfea54a7b715fe6dfe3e2d3ca665ff64a0b876b902899803e06fa8775b83ec7ab391fb427d8d7b60d9ad5da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13345674184607534
Filesize
1KB

MD5
9b16f1702f04ae39e3420d9eb858001d

SHA1
3453e8a1e97b4d6808a3cb0278b0f977d492ec17

SHA256
c226b75a4ade0be8a9a624804e46c71e2cae8d79fca29a3aa499183480d633c7

SHA512
6c13c870283ec4db2111da2f67a168bfd136c1362c36277d0dc2b33f84a7eb63695e6dbcba0a602d5f5e175dd4dd5d9db0a658115e222efed224836fe121195f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13345674185026534
Filesize
1KB

MD5
28cfd33075896d8e10e6d802e4fac949

SHA1
321777d5a9fd9664afe71e538aeab078684f90e2

SHA256
df22e1949dbbaa3936d1e5e7743016f197f223a49848ca5f4a3f27e3e3276af3

SHA512
ae33d7db6750c940601a1bbf1ba9eb946bc3c7ca02c039223154469f2f3165d38d043ceae5ea2d3fbe6b54dcafde240a97482c743b4baf41d622319993e5e5fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG
Filesize
347B

MD5
ebdb5e5b65700166a28c3782cb5c9149

SHA1
86197d8f8b732fd53ff1111ef8335a2209efac85

SHA256
a024f61c6dd888e917758e2aae89cd26f7adbd0707df74106e6a1bb1e533c31c

SHA512
d20018a9ccedfe13a3ea8d876cb0ca43116a263689c68c05f7a4cdc60f150be59f64495204ca53743ade98632a081059605ca3dcbf5dce8f2fa23595217e4a69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG
Filesize
323B

MD5
3c2410d761cf922f99c2241328b2abfa

SHA1
1b1a014b46c256224b874fa93f0fc23052c53d0d

SHA256
2b5b7e0eb7da4998903dff3cfad0f90888658be37bdf3c7adf46b2d877f5e482

SHA512
7353f319979d076c82cb9a63c21d2f3259e6d762fa10fbb0252536d9c9bdca156453dfcad6201deceafc056c86ce79773b4d891070961ff4bdd83032abde1d55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
abad8bc776adf6765c8203bb2f34acf5

SHA1
b367b0324ec8ed4e54e4f9685290238f724b06fe

SHA256
e64c8c2bc8469837e7e615883e88db0f6dc47cd66dc112d1ccc0cbcc12a70f1c

SHA512
e4ce427e8bdbbc9a6576841273443e3e753573bafc1c587819a2dbac7d7fde44045bc6f0dc4c6d5d50ce0b5f0f01b847faafedbcb7982589fa4648ff93a4f598

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
34f4163264a91aca346c964faf7d3f2d

SHA1
b4cd21fb4ab85fd6223c3b8d9c9d35e596152224

SHA256
e03f4fc8371e7a920c90cdf6d10fbe0062e65578424c8ad4cd1f3d866ac49afb

SHA512
7b45d45d4971ae38d9013efea1595f8354a69dcb1113351fc18b03c382d9b99d29319a0a3c90573e0ce3b9430d97787b5cdb9dfcdad91f86effea8b8c1028d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589cc8.TMP
Filesize
1KB

MD5
421b461b03b8d8d4686c2b1265964d71

SHA1
360b42d9c8963020f1f7cc040822f7e8464279a7

SHA256
0a74be1b5f17fb5c19f3ade2dee1e3ef5e67567e49c35173e2766fc095c7b166

SHA512
02b2fd4a325be97a69783bd4a0320781d00719eabfda4f31307cc6775483b93c8c9197d0f15d9f9300a44d29e5c02a116c6c529274574471fa5e3fc221fd4a10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db
Filesize
44KB

MD5
4d5ba7a0506c6aadd5747ec0bbf066ef

SHA1
81b13c1fc96a174fe73dbad2452c55821d9f95b6

SHA256
a8c9c3f53b264a87a02a965af4cc6c440137c8a6f034f8fd530325caed34a5a2

SHA512
4d385ebbcc9a9ede1755cb5962f2b5ea39d8155a8e045a9bdd2ce85d9077ebdba3421411e43de7e3bcfd643c052ec0701b4bebbd0c2c83dafbd8a83261e82f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG
Filesize
319B

MD5
a2099f614191fe296b3cecf60372c306

SHA1
7a64104827b0dd65f70fd1685090a878e37ce0c8

SHA256
35f1fc58b1cea117510d8137c0ade9766ada76dcbb9bcddc53a539acdd08c9d3

SHA512
0d469e8d48e2aac24c9d887a580ddcaef48c4a51a59f0f8828d65e8a6c97299dc0f9a049f45714107ee0172a6efbaa17ee34816019d708dba51b5e59e9e83799

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG
Filesize
337B

MD5
bd38002c7e33ace706fff7efae10f419

SHA1
a603163c77ecfac4001df0dea1c986650145bcce

SHA256
95a2399a5e6a804bcf26e04004efeb6be6d61e4f8e712e466ce32b406ab1e849

SHA512
d5eb6bdd39f1a1bcb9c137b39a6be433306d72291d3295c426e4b50bd43fb32fdeec07e5797354614c24a45ec1838a7845f3e44d34f823d485282d2ecf8ef478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0
Filesize
44KB

MD5
4a3d95d35f0c997faa01e23ba571aa46

SHA1
c67d95aee1839aa7c298973518059a10c16b9183

SHA256
e575fa2b0d8badfa38c7f529c5b83af95dac9f070b8bb35bee78ac2d7d7f1c52

SHA512
a581b39139cfe704cf23ec59b8620d4403ca13bf689bef63b8b66b6152fb342551b41ae1a17a61208b6b054ead23be1012ed2becfc5202a1da952120665463bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
15337a13f9b7f76675a73d1fffce0df1

SHA1
9e253c5b9ba7a79ec19d5331fbe0f81cfc54a718

SHA256
fb3e5889a3ac5fa993858c37fae1c4c201f57386fab56a810b7385b107aa9b70

SHA512
a1bf2bae4f85f7bbe4d3190ab132d3a6789b164777275b1f737eae5e314838b617a9538319265e15e14af9b1d2f6bda17c8a12410de140a9d3152c48d4f94f87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3
Filesize
4.0MB

MD5
5c12f1399da5d391933d2955de0d276d

SHA1
516b514ba629cf32de41d7c479aa36ed882a638e

SHA256
58eb9086615e2bcf055b4236cdf24708d75a9c25cbbe6fb6f08870086b8de2b6

SHA512
5360226a875df923727e12d7ef3a7a8a287d0eb91a28629c29b2227ee54bbafecc61f5edda78ddf718d3853cbdf636efa0203f55023532d5d1651ba26b43d39e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version
Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c4326623dcad97c87eca8fe484c87eab

SHA1
b3505fd96b360813dbc4f313f0958098b2924eb9

SHA256
7065c7d22701811f677d5968cad6d148e8eea6db90f346195b2b9b9893427d54

SHA512
9df19baf91b8ce9c1781241170826c1f803866708c2f0f326e63f856f1f850a5cb46045b47788544eb0a1133bd96388c1a1e5d8cf3a6b998d32bfb4afb7e2fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
66dcd41b7a4c8037aa6e993c96d81a10

SHA1
e337bbeffd302b632b73c8a7f5df310f592713cc

SHA256
e76a62ffb94f54f049c2f8ce84095f9ea39dccc525ac192ea2a12c992776a459

SHA512
2a1ef220878b9be0bca829173ffd305ea3d1466a2c72f36ae8075262100d3ed77c4966e1f7d096152b9f1d2d1ede804101d8233dae040c00e6e6f90020c0989a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
c4326623dcad97c87eca8fe484c87eab

SHA1
b3505fd96b360813dbc4f313f0958098b2924eb9

SHA256
7065c7d22701811f677d5968cad6d148e8eea6db90f346195b2b9b9893427d54

SHA512
9df19baf91b8ce9c1781241170826c1f803866708c2f0f326e63f856f1f850a5cb46045b47788544eb0a1133bd96388c1a1e5d8cf3a6b998d32bfb4afb7e2fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
261cfee54313d75c64ed38d57ddab609

SHA1
08e8e4cf32e3672cef77b5a123346e648e5f4a14

SHA256
6a13626c37ed67cf0b79084d1d85541a4477a6875a973a5ebcc6e5aaa691e984

SHA512
911b87cceeb9232df445187f63b7bb33045386d0c15575518cc9578c0871da215ae898fde5ece5ca0c04b65fbfab2df5e240392c1e780b35c352ab7d0446c115

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt
Filesize
4B

MD5
00a5182b4fba5252b72cbe52ae70a754

SHA1
ddb06f946f6f18df673e0dbc9e4833e9d39a1c92

SHA256
ffd33f2cca130db5c3cb2c4f33535d38365b530de55505d3330294ca639a3450

SHA512
aba81b6e39b7c11cd82bed5d2f58cde6763b68daf176bc1dd4a0cd7cc9bcb912877bf7314224ea9b8313c548911c157cb51cbb486fb87106d51aa6d22ccde32d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\fb0a270c-4d6e-4489-beaf-9e023f40b614.tmp
Filesize
11KB

MD5
4a9b624dd27077b6514793dfab656e78

SHA1
4031f4db5c2a6dc960a3c8f140ae2ffd64d8e606

SHA256
ae35ba691d6efdee286ca2ff7427df79c096211cfbd43c2722b9700dd94f933c

SHA512
4bc051e4fc3b817649dee8d6e53e03321062b8bf41f163cd7507f0a89781e3cf50574d775ce6b7398964aaa381aa2abff6feb6e6d1896f654529cfd0d93616d2

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
fe6a3b39038f7211e2f24f931c5b600e

SHA1
8d7cf96c3e8a7d3c0c098962351cfd8ed6c394f8

SHA256
6434366d993de7598e5d28d81e92e82b83176d9c860bea6e47820e1abd479553

SHA512
d76734e4f7d8b46e4433005286a3fd55b6f7430d31efdd2546f568b34263ac808721e69a816a88dc1c5079a2dfdc4d2c36dc77ec3cc638283e112aa831ff9b5c

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
10KB

MD5
5da743026a9c47e88f0c8b8beb12ac9e

SHA1
45e1cd6893686283a220815846e1e44fb098d5fa

SHA256
2dbe1697948df50862fbd2932402ddb124d4697ce1ddd50ad380d97e5b7ced7a

SHA512
37de52ecd5e8a45864ba9135b4754cba4d4b3ffc24bbcb6cf80e6ebf0fdd1beaad6a89b05abdfa9d1f079ca3eedbb0eb58cdc5832aef6da95de927914b9fbf7a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt
Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new
Filesize
20.3MB

MD5
b91e32019934c35e0cf618520cc22217

SHA1
506a586ef4f02c5ec10cdf8ff1f9b8013479c130

SHA256
67a80d8c2376067ac7cd55a64ab9ed58527c9cba42546f27ad78d10462df1c78

SHA512
a31e734156f0fbbdc47a95e0df39fc49a94a86e3de35cc4fb3e46ddcf27880c669d2530ec83efc441af00f914e14731d5b1334bb0b1bd9b7a5f3aba7f384407e

Download Submit
C:\Users\Admin\Downloads\@[email protected]
Filesize
933B

MD5
f97d2e6f8d820dbd3b66f21137de4f09

SHA1
596799b75b5d60aa9cd45646f68e9c0bd06df252

SHA256
0e5ece918132a2b1a190906e74becb8e4ced36eec9f9d1c70f5da72ac4c6b92a

SHA512
efda21d83464a6a32fdeef93152ffd32a648130754fdd3635f7ff61cc1664f7fc050900f0f871b0ddd3a3846222bf62ab5df8eed42610a76be66fff5f7b4c4c0

Download Submit
C:\Users\Admin\Downloads\@[email protected]
Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Downloads\TaskData\Tor\tor.exe
Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE
Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\b.wnry
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Downloads\c.wnry
Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\c.wnry
Filesize
780B

MD5
383a85eab6ecda319bfddd82416fc6c2

SHA1
2a9324e1d02c3e41582bf5370043d8afeb02ba6f

SHA256
079ce1041cbffe18ff62a2b4a33711eda40f680d0b1d3b551db47e39a6390b21

SHA512
c661e0b3c175d31b365362e52d7b152267a15d59517a4bcc493329be20b23d0e4eb62d1ba80bb96447eeaf91a6901f4b34bf173b4ab6f90d4111ea97c87c1252

Download Submit
C:\Users\Admin\Downloads\msg\m_bulgarian.wnry
Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (simplified).wnry
Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Downloads\msg\m_chinese (traditional).wnry
Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Downloads\msg\m_filipino.wnry
Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Downloads\msg\m_finnish.wnry
Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Downloads\t.wnry
Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Public\Desktop\@[email protected]
Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
\??\pipe\LOCAL\crashpad_1400_JUZHRFGHSPVMLBEL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\LOCAL\crashpad_1512_OZMDWLWNPATLYAKI
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\pipe\crashpad_1808_BDRZWCRSRMIYXRMO
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1496-653-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4560-2213-0x0000000074240000-0x00000000742B7000-memory.dmp

Filesize
476KB

Download
memory/4560-2298-0x0000000074020000-0x000000007423C000-memory.dmp

Filesize
2.1MB

Download
memory/4560-2212-0x00000000742C0000-0x00000000742E2000-memory.dmp

Filesize
136KB

Download
memory/4560-2211-0x00000000742F0000-0x0000000074372000-memory.dmp

Filesize
520KB

Download
memory/4560-2214-0x0000000074020000-0x000000007423C000-memory.dmp

Filesize
2.1MB

Download
memory/4560-2209-0x0000000074410000-0x000000007442C000-memory.dmp

Filesize
112KB

Download
memory/4560-2231-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2237-0x0000000074020000-0x000000007423C000-memory.dmp

Filesize
2.1MB

Download
memory/4560-2239-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2240-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2292-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2210-0x0000000074380000-0x0000000074402000-memory.dmp

Filesize
520KB

Download
memory/4560-2302-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2311-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2327-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2208-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2184-0x00000000742C0000-0x00000000742E2000-memory.dmp

Filesize
136KB

Download
memory/4560-2187-0x0000000000310000-0x000000000060E000-memory.dmp

Filesize
3.0MB

Download
memory/4560-2181-0x00000000742F0000-0x0000000074372000-memory.dmp

Filesize
520KB

Download
memory/4560-2178-0x0000000074020000-0x000000007423C000-memory.dmp

Filesize
2.1MB

Download
memory/4560-2169-0x0000000074380000-0x0000000074402000-memory.dmp

Filesize
520KB

Download