wannacry | 707a9f323556179571bc832e34fa592066b1d5f2cac4a7426fe163597e3e618a

Analysis

max time kernel
638s
max time network
639s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
10-02-2024 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Size

3.4MB
MD5

84c82835a5d21bbcf75a61706d8ab549
SHA1

5ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA512

90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
SSDEEP

98304:QqPoBhz1aRxcSUDk36SAEdhvxWa9P593R8yAVp2g3x:QqPe1Cxcxk3ZAEUadzR8yc4gB

Score

10^/10

wannacry discovery persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Downloads MZ/PE file

Drops startup file 2 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD5665.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD569B.tmp	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe

Executes dropped EXE 63 IoCs

Processes:

taskdl.exetaskdl.exe@[email protected]@[email protected]taskhsvc.exe@[email protected]taskse.exetaskdl.exetaskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]taskse.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exe@[email protected]

pid	process
2296	taskdl.exe
5536	taskdl.exe
224	@[email protected]
3852	@[email protected]
5596	taskhsvc.exe
2324	@[email protected]
5192	taskse.exe
3812	taskdl.exe
5752	taskdl.exe
4556	taskse.exe
3316	@[email protected]
5592	taskse.exe
3536	@[email protected]
1088	taskdl.exe
3664	@[email protected]
3712	taskse.exe
5040	taskdl.exe
5804	taskse.exe
5536	@[email protected]
5944	taskdl.exe
1756	@[email protected]
4832	taskse.exe
400	taskdl.exe
5020	taskse.exe
3160	@[email protected]
2064	taskdl.exe
2456	taskse.exe
1168	@[email protected]
5516	taskdl.exe
5696	taskse.exe
916	@[email protected]
1936	taskdl.exe
5864	taskse.exe
5240	@[email protected]
5908	taskdl.exe
4600	taskse.exe
5608	@[email protected]
1680	taskdl.exe
1824	taskse.exe
4252	@[email protected]
5192	taskdl.exe
6052	taskse.exe
6044	@[email protected]
2680	taskdl.exe
3504	taskse.exe
5704	@[email protected]
1012	taskdl.exe
5604	taskse.exe
3404	@[email protected]
5672	taskdl.exe
5860	taskse.exe
5632	@[email protected]
3848	taskdl.exe
3956	taskse.exe
4440	@[email protected]
1560	taskdl.exe
640	taskse.exe
3536	@[email protected]
4860	taskdl.exe
5960	taskse.exe
5448	@[email protected]
4820	taskdl.exe
3860	@[email protected]

Loads dropped DLL 8 IoCs

Processes:

taskhsvc.exe

pid process

5596 taskhsvc.exe
5596 taskhsvc.exe
5596 taskhsvc.exe
5596 taskhsvc.exe
5596 taskhsvc.exe
5596 taskhsvc.exe
5596 taskhsvc.exe
5596 taskhsvc.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

3120 icacls.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe

pid	process
3120	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wmiprvse.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\qzojkgaimeu675 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\tasksche.exe\""	wmiprvse.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

92 raw.githubusercontent.com
85 camo.githubusercontent.com
86 camo.githubusercontent.com
91 raw.githubusercontent.com

flow	ioc
92	raw.githubusercontent.com
85	camo.githubusercontent.com
86	camo.githubusercontent.com
91	raw.githubusercontent.com

Sets desktop wallpaper using registry 2 TTPs 3 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe@[email protected]@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133520015125860046"	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

5720 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 503597.crdownload:SmartScreen msedge.exe

pid	process
5720	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 503597.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

chrome.exemsedge.exemsedge.exeidentity_helper.exetaskhsvc.exemsedge.exechrome.exetaskmgr.exe

pid	process
876	chrome.exe
876	chrome.exe
4576	msedge.exe
4576	msedge.exe
2144	msedge.exe
2144	msedge.exe
6044	identity_helper.exe
6044	identity_helper.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
5588	msedge.exe
5588	msedge.exe
5596	taskhsvc.exe
5596	taskhsvc.exe
3552	chrome.exe
3552	chrome.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe
5692	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

@[email protected]

pid process

2324 @[email protected]

pid	process
2324	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

chrome.exemsedge.exe

pid	process
876	chrome.exe
876	chrome.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
876	chrome.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
876	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe
Token: SeShutdownPrivilege	876	chrome.exe
Token: SeCreatePagefilePrivilege	876	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
876	chrome.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exemsedge.exe

pid	process
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
2144	msedge.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe
876	chrome.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	process
224	@[email protected]
224	@[email protected]
3852	@[email protected]
3852	@[email protected]
2324	@[email protected]
2324	@[email protected]
3316	@[email protected]
3536	@[email protected]
3664	@[email protected]
5536	@[email protected]
1756	@[email protected]
3160	@[email protected]
1168	@[email protected]
916	@[email protected]
5240	@[email protected]
5608	@[email protected]
4252	@[email protected]
6044	@[email protected]
5704	@[email protected]
3404	@[email protected]
5632	@[email protected]
4440	@[email protected]
3536	@[email protected]
5448	@[email protected]
5448	@[email protected]
3860	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exechrome.exemsedge.execmd.exe

description	pid	process	target process
PID 2572 wrote to memory of 3788	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2572 wrote to memory of 3788	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2572 wrote to memory of 3788	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	attrib.exe
PID 2572 wrote to memory of 3120	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 2572 wrote to memory of 3120	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 2572 wrote to memory of 3120	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	icacls.exe
PID 2572 wrote to memory of 2296	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2572 wrote to memory of 2296	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2572 wrote to memory of 2296	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	taskdl.exe
PID 2572 wrote to memory of 4080	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2572 wrote to memory of 4080	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 2572 wrote to memory of 4080	2572	ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe	cmd.exe
PID 876 wrote to memory of 1508	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1508	876	chrome.exe	chrome.exe
PID 2144 wrote to memory of 4084	2144	msedge.exe	msedge.exe
PID 2144 wrote to memory of 4084	2144	msedge.exe	msedge.exe
PID 4080 wrote to memory of 4856	4080	cmd.exe	cscript.exe
PID 4080 wrote to memory of 4856	4080	cmd.exe	cscript.exe
PID 4080 wrote to memory of 4856	4080	cmd.exe	cscript.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 1696	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 3680	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 3680	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 3676	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 3676	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 3676	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 3676	876	chrome.exe	chrome.exe
PID 876 wrote to memory of 3676	876	chrome.exe	chrome.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3788 attrib.exe
4216 attrib.exe

pid	process
3788	attrib.exe
4216	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe
"C:\Users\Admin\AppData\Local\Temp\ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.exe"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:2572

C:\Windows\SysWOW64\attrib.exe
attrib +h .
2⤵
- Views/modifies file attributes
PID:3788

C:\Windows\SysWOW64\icacls.exe
icacls . /grant Everyone:F /T /C /Q
2⤵
- Modifies file permissions
PID:3120

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2296

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c 251131707527726.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:4080

C:\Windows\SysWOW64\cscript.exe
cscript.exe //nologo m.vbs
3⤵
PID:4856

C:\Windows\SysWOW64\attrib.exe
attrib +h +s F:\$RECYCLE
2⤵
- Views/modifies file attributes
PID:4216

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5536

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] co
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:224

C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\taskhsvc.exe
TaskData\Tor\taskhsvc.exe
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5596

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c start /b @[email protected] vs
2⤵
PID:636

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected] vs
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3852

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
4⤵
PID:2176

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic shadowcopy delete
5⤵
PID:5576

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2324

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qzojkgaimeu675" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
2⤵
PID:5752

C:\Windows\SysWOW64\reg.exe
reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "qzojkgaimeu675" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\tasksche.exe\"" /f
3⤵
- Modifies registry key
PID:5720

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5192

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3812

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5752

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3316

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:4556

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5592

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1088

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:3712

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3664

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5804

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5536

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5944

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:4832

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1756

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:400

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5020

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3160

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2064

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:2456

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1168

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5516

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5696

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:916

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5864

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5240

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5908

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:4600

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5608

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1680

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:1824

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4252

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5192

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:6052

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6044

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:2680

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:3504

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5704

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1012

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5604

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:5672

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5860

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5632

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:3848

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4440

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:3956

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:1560

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:640

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3536

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4860

C:\Users\Admin\AppData\Local\Temp\taskse.exe
taskse.exe C:\Users\Admin\AppData\Local\Temp\@[email protected]
2⤵
- Executes dropped EXE
PID:5960

C:\Users\Admin\AppData\Local\Temp\@[email protected]
@[email protected]
2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:5448

C:\Users\Admin\AppData\Local\Temp\taskdl.exe
taskdl.exe
2⤵
- Executes dropped EXE
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xbc,0x120,0x124,0xfc,0x128,0x7ffca8cb46f8,0x7ffca8cb4708,0x7ffca8cb4718
2⤵
PID:4084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:3788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
2⤵
PID:3560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
2⤵
PID:1552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
2⤵
PID:3528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
2⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:3140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3544 /prefetch:1
2⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
2⤵
PID:5844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5988 /prefetch:1
2⤵
PID:5916

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
PID:6028

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6152 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:6044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
2⤵
PID:5292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5696 /prefetch:1
2⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
2⤵
PID:5348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
2⤵
PID:5312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
2⤵
PID:560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5340 /prefetch:8
2⤵
PID:5360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3460 /prefetch:8
2⤵
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
2⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=248 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,15473907125348134891,12039627755521511354,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2220 /prefetch:1
2⤵
PID:5676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:876

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcb7e99758,0x7ffcb7e99768,0x7ffcb7e99778
2⤵
PID:1508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:8
2⤵
PID:3680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:2
2⤵
PID:1696

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2248 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:8
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3036 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:1
2⤵
PID:2288

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:1
2⤵
PID:4448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4604 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:1
2⤵
PID:4356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2716 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1124 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:8
2⤵
PID:5844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:8
2⤵
PID:3432

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4620 --field-trial-handle=1984,i,18173416631747753364,12365932831139285644,131072 /prefetch:1
2⤵
PID:764

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4044

C:\Windows\sysWOW64\wbem\wmiprvse.exe
C:\Windows\sysWOW64\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Adds Run key to start application
PID:5720

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4468

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Downloads\ClearRename.shtml
1⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffca8cb46f8,0x7ffca8cb4708,0x7ffca8cb4718
2⤵
PID:5152

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
PID:5692

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:6016

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:3576

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\010444de858243d09dcc7a68428c5c1d /t 5552 /p 2324
1⤵
PID:1420

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\@[email protected]
1⤵
PID:4316

C:\Users\Admin\Downloads\@[email protected]
"C:\Users\Admin\Downloads\@[email protected]"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
94aade1950c63868adebfdb34d071742

SHA1
b1c1a6276a238ff989e2a6bbfdf79a7da8912fd7

SHA256
e1ec60b06e5a413f0196aeaee08b9c387b5924b2de5f7317254f5eacc18d5d28

SHA512
6604cbe9f9f45e5ebd1773419f5ef563f28cd6fe9c8e84ff09178b02a8fdd7db6237157661e3120778b608305cbf6a1c6ae087d38f7cd2f08289f28f5e1f784b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
dbca694b223bf688c5704c60b09d9da4

SHA1
ce2ce09f8bcfc61aa49168c534e6aabaf8e91818

SHA256
6c72165bf5ccb7d9b03aa8fa0dc133c26dd83fe2add68dbeb3e2d1fb1873cad9

SHA512
caff2fc8699d7a040a5cbeb22a7d7e2c28b06d241374989765811972025859ea38c4934e7b114679fda43b50352be536e40b463de401a6e1dade039380c45c93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
778B

MD5
3703e1a31d7057f2c624672efb582261

SHA1
6c4caf504acfbbf395473b0d27d7740c77614f04

SHA256
712c6c2a61673021026b35a5c5b2a64446ba050cd4d761ed6de7558e33d3dfab

SHA512
57656811a98c4a1f11674fb020ff61b780893fd38edbdee74b36877ff0b3c30daee8b63cbe55f53af22c2c61f68b8693de07a36393ad34ea541a0a21f6806fd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
abcba3dee861e53b8ea67eb05b60b53b

SHA1
f28a275e0dc8fabc5c2aa4ec64a02e99fa81ce94

SHA256
02d1f132b918b5b95918b5e6f5e23da52b48f49766b77ada2355a3aa06a79ed4

SHA512
cc6b52177d6fc67e38355e1541673bb9d6c09ae8654be47a6f0381ced63d9b3f3381955c262e7db601d66deeedcea9a856ca0c4176032d32b264784865ab13ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
974B

MD5
1ddcc5a94d81d413a0a6aa8a2e1744c9

SHA1
7a555c87978aaac293434e871d0129d2a075056e

SHA256
b04fa885d392afc3304fb8b476ed44c954dd8d5493ba2ed4f43eb7c880a162ba

SHA512
d322e6ce95604afba4ee0e56f7272c1e0db70cf2683e38b53959b16f43a42a34471b2071bcfed8680ddf529d036e2598374c46ee0bf91c4f6f7c53f29df499bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
06f0f379e3812ff3c59018d4e8a6b7fa

SHA1
654a4a770c02ff48d2e73aab83861a88c9001031

SHA256
9df18df18e7de0a0d22811148a4b3a88a08cb944dfa340245f601f60df1b3638

SHA512
72682a0cc0b82ee0cd2c0ed4abd4fbec20c21f69485a28e3419b2db9b3b59cda453b405c5b45f167eaed06a439b8b6ae9614e3d23df4f20933e1bf41a8efc681

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
e05cca7146c76c04e8f09a1f62f26cf1

SHA1
eb862480957c58aa573d39aff6a6a730db30f3eb

SHA256
f7c90c20a7bf95ea78d6587d3c6188d48cb7d828435ef67307b3fa7236e9875d

SHA512
fc52f6976acce6b801ae2fb625decf73af11b1fe744198d188a6736356fa7c67b526cec15d74b46f53449db744f8f8466a838fc06d3f08fb7bcdf846eef563a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
0be88c1ba0f0063b948243073146f7eb

SHA1
3025c3e3fc9ad87b4f8f9b06a0fae4f12198e9b4

SHA256
9dd3be7c445e5ffeb0d9c02d7d1a38012eeea7ed1603e85c790b1b529823223c

SHA512
72adb1278268f8e3634ed19928e54ff312012a518eeef728c156d2f81147e81378c4e08eac4cfe6e9a53437d77ca42a1ada6ae8d3f3f537bde3260589131e7ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ed213c187a12131aa9e2d103e55f718c

SHA1
7583b1de426256280c596def85aa748761371c43

SHA256
25c68ce29f09f96dcd4eb1368545bab59e37b80781a60c3e21395a778f509b7c

SHA512
a8537ff1923b24119b0260737f4e97b01319c8e4df057ec263aae6ce1088ae19411a00a44d9e8162599398b181506d44008c823c7fa52597815852ba13cdf0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0f012a403439e9498bfbf0a65eefe44f

SHA1
2cb0f6ced72c14d8e2b36f7b1a755ef8d4812585

SHA256
f0cd349ade133e9f17c69dffcbd6815d2ac423b40df9f636400f4efcd6b336d2

SHA512
f74e5482596b51f88e2da1137221c260fbabebba10d312d202e80738943be07d35f6f3d60cf2e90b3522f35e99822605f24feea347e713386c8e4ba80215a1d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f6e3d79f85480362638453a319294716

SHA1
53ee9279423300fb3cf93a9bb6ae988b98e073ea

SHA256
366de123804874fe0dd62019687229eefdc6da33ce2a3b117067d9f7ec448cfe

SHA512
ffcd44c0a9abac721f1a66d896e19ed1dbbafc40d37de465729f9bec4bc16488f304bb6629741e281fbfce5729aa893067468a85928ec1868764fc63d7e7d170

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f5d9410dc2167f06657ec66d327fdf8f

SHA1
b5f1ff90f66d9ba1abded5021b119f29df3c037a

SHA256
c7a3c72a4be004639e50fa46cf71dadd19b9f365a3e3e37c5037821c98a4b3aa

SHA512
cda4837745acef67a5fd3111cad819bc00d8e07bd3c44f56ef16faa0846ef482134604de3436ab2e6096287ccf00a7cdea99a1558800518efee71bf602f108f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
ee249c458c669e3bb3247aa6f4f5ce9b

SHA1
6694ee93ecdcab6df340fc4e2f01b9935f961cd7

SHA256
464e90ec87ae35424e2ac4c0be9d71c685bef0584ccacc85f144a111f534e661

SHA512
cbef6f67292f3631591f9b0e50c9a50b91dd4ab2091b6ca74b71d45db3eab34813bd8764bcd960dca4e40811dde272b0af8b796f364dd8cf290ece3d3d51f4c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
687b3b4917928ff7372f0d909997be59

SHA1
ceeb6aead3d2aba81356a7b3f3eb2fa72fda0ff3

SHA256
4a775d07600d06e7c192f2d96a88c9b86609436dc3044e6207eea5055a590c2c

SHA512
5dbab99e1f8185bbadafd701d8128358f49717c6d29783762a0971de0b1490a4c95fbf253729edbe35ab2f29b35ad84ee7da99c6ecad0c88a975b25ab0669ea1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
1fe84d41c603a1fcafb393d4238e0fe9

SHA1
1d561e7843fb9f712faa59331b1dd7a3b36d5a4e

SHA256
72e41571a397b9d22d1b91426dbe842fb3d5804d7a061c154b85d8e9001d6eeb

SHA512
b620449b971312b4a231bb1e93ff84deb2e2b7ae64280623de4c67c7173609ac97d39dcca979abd510ad3a519203771336cf466e0642226f6385259183fab190

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
744792f2329545ddd38b33128e9169ac

SHA1
7ea84d558ec201a6cd7bf5700beb695746eedf58

SHA256
4d85a3e1d2925f6fc62076b96a2d2e6326a047cde020b0db6d1597ea35c82d3b

SHA512
af7578c172c727f8bc731ec67b78fbdff0a1a7599acad3d10ced267ff3b33ec9c93fce0a81fcf14326bde3f7cb8941658d4cf9e062b4e6c25108138a00ad744e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
238KB

MD5
2ec1a628ce46d8c75bb3998e649ba632

SHA1
a6e8cb7f9071eb19fcadb1edd6bfab17045e79d8

SHA256
612277515c243c8337a27f4aa712605f1b3212e2ead20d1a1ccd47ef9d29a6b5

SHA512
8470a77ff837a7fba1ab3be09fa588a29bb1485575cf821be8151324d0b6a1317cf492135fdabb2d71a3879d6077285cea2b7b1fa937588eb5530a9bde10f4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\78619cad-d5e3-4010-bb19-e03bf429bbf6.tmp

Filesize
11KB

MD5
29454a2175a4ac5ef6c9a284de2cb749

SHA1
06fa7f12897e8747edf00bf951502186f4ee60fc

SHA256
3a36dd3bf265ab1d8d8e7feb88f578fa3d4e7ca5aae6d5948a84847f4e304832

SHA512
ee43e94b496eb07d0c31175b576d2311334236cc02b96671ddd2cfc258e1cb16c831439c012de93a35a274d00e3fa866bf25be0c6b63aeea9dd6c2d80781dc70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
efc9c7501d0a6db520763baad1e05ce8

SHA1
60b5e190124b54ff7234bb2e36071d9c8db8545f

SHA256
7af7b56e2f0a84ae008785726f3404eb9001baa4b5531d0d618c6bdcb05a3a7a

SHA512
bda611ddba56513a30295ea5ca8bc59e552154f860d13fed97201cdb81814dd6d1bca7deca6f8f58c9ae585d91e450f4383a365f80560f4b8e59a4c8b53c327d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
c2ace3014ec6e90b8ec170b1d2c9519f

SHA1
fdf93b5a8f5f501c1a8874b6a08fb7445e2ceca2

SHA256
d1f9f732b42dbaf51cc2f932ceef7e048b979e335274790743d1c15aaa068952

SHA512
a65a58b497586c499553cd7af7f0c6930389ec70b3308a83981daba99e33e23034e39088baabf9e7e5f7ff0850f5580eb4bc5b62b3fc02b21d53e47a1f2919d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
801B

MD5
27fe79554eb0f029bee974bb6f6ac502

SHA1
d158ca875a66ba795b2dc1f23c2d62cd561995a3

SHA256
766be41583b49de18cea3cd6c09cfdcc878313d1ea098f038d8dde02850a9d5f

SHA512
858946c5a17895c82f4d78d7b1b677c8c3c9756954d0c02916c9268ad83378cbf0674d6d17a9dc79143b760c9eb0a560c48741384edbc7ec86e114484b37a6a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
801B

MD5
a3dc7b8656bdca2a7a3a98ccc5d96b3b

SHA1
ac86c0188e626a954e739ccbb38771f2b303c35e

SHA256
1ddc69cc8ce3c509dcca14927131e493f60db27ce54b5244b5ffd5710fef6484

SHA512
036b812b3744883abd2227e18c6b963bf8ffb887ef591a763c8170909dd7b8ae6c30a41e2cfe54372dd1d8c91f5cf97543c1ee83511c2b35432515c7d6ea9795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4d4103e0c7e98baf30733c885c7b603

SHA1
0577b125785b94c820d0e9ed97ce5b9e05c6690a

SHA256
22b802c0f0923d24a433e5ae2b445483f3884b87e28b546715cd32e62d72c59a

SHA512
2e47c81d467ed9354bdc07f658e6413c983a266acb59a23c44d0118aa246609d10e7cf21384055bd314cb8fdaf020ae3e673215e010ea7b8415cf6187acf2549

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
fb441ea9e3b6f3533c06a7ff2f6a3a6a

SHA1
b8c8d73ace8ee31f45e0adc1e0ce0709c03db271

SHA256
333a3773957aeac4a45272f3310e3944bf5fbac2992a25b3364a5c1f01199936

SHA512
893b0f06901051d631cb49da062c06a788fcf7cbfc9b3571e28a6c91757a3d951b1b5d5a81d5fbb17081cc3b8da807f48c1b566d38a3f0e50859b8f5c7da8e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25fdef94af30a0a3eea77565c0f01faa

SHA1
ba07df773ca8e80d1a8ab585cc1cf300cfbe0453

SHA256
b74f9835485555723658ca8fe8999444158dcc842fcdc1b46dec17e616298645

SHA512
a5a815c84238957a0ae3111d2bb4673e76edc2be16d5b60c7754aceec9c8ac02532e6d2b9d5a5d748908f380f3f822cf6a2fd63fe11a8cb5c773298813e5c641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6a1035225c38deb5ed5d7bd53c0d5419

SHA1
1afd85272ad5c5b2c00f43c6bb97b24a23df0241

SHA256
ed884abd5cd655ea3b9ce1e81bbe57002b100e82cdcf0c11fa38d530d750947a

SHA512
33442cf342d77040facf7d1e19579d2e3d4057a07399e497a1a35caedd0e035a327a1b549cac81d0db84be258db1d844be88cdd58527f80a0a1f73153441741f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c473b7e066763635f5e2df8e9271ee8b

SHA1
ab12ca205a7eca2532667e058307f774a0f9aec3

SHA256
75502e228d19134ac21462a442253c6654ff25918e507d4920a1a1b6f46f8a26

SHA512
6f458d426a7403939b11543eb65e838466871c08e7fa606eed246cd4b9af98e2b029bcc944ab5b4715b730ce1a6554a90752834dfc04e5be26d167f8301700ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7fd5d3d12c1c6329ba7d1106796d0dac

SHA1
ae9615c315b7f8210e891459a19c1028f8789b2b

SHA256
544f97afc0ad56eae133f31839dd1beef570c60bfe916ddc7cb8f9328e0e91ba

SHA512
ff700f6a442fb4ecb4a1a91d6f55703715e29f69f910a6d2a711ce09a3ff01918f026ac2d28d396f4a072da8aa48626752cb40aab0d88f822bf0cb0b6ceff569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c70a18c34ab6bdf42acd0670bb9514b3

SHA1
899fab6a0e31b505b5b04b4cd80afef3adf4e94b

SHA256
e56c22afd5d94c744e867e6888fbbf7c7ddc2a999faa639691c8a85715adc3f5

SHA512
d4fda4a16ca424513bcaee27fef6599642dc7b10cb0abcda2e46e915154b222c44ee04200fb3184383b2f2a3cb3c2735b3306cfa66e766c0b6debd660771c039

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
121510c1483c9de9fdb590c20526ec0a

SHA1
96443a812fe4d3c522cfdbc9c95155e11939f4e2

SHA256
cf5d26bc399d0200a32080741e12f77d784a3117e6d58e07106e913f257aa46c

SHA512
b367741da9ab4e9a621ad663762bd9c459676e0fb1412e60f7068834cbd5c83b050608e33d5320e1b191be1d809fef48831e0f42b3ecabd38b24ec222576fa81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
73f096cebcad009a8f571415e8f7bf7d

SHA1
5c464f5fef399d58ea9a9deea04ba6867fc1bb13

SHA256
a5f72b5e605c66c7ccac3b7736593b8edecf40441547f65a1a814da83d28b628

SHA512
2252f7501e366e3e2b9e7a09d83951c8349721016d1309286581a348acbd7c2310d82d3b3f1065d507bb4e15c3361ca2ad2d239c2de575c87339d5810c3651fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d565f77fb270838a6125fcd4b32eb94d

SHA1
6f2823caa6b8e53a69ccfbb33e10748e27c9c6dd

SHA256
2f6340b39dda28b206d63b8300fd57229091991d9b09fed7fd1d356bef07a735

SHA512
230715864745c9e83c224d20c223a3af64689d754b96e83dd90f317df642fd196781ff0b6cefae84eca1755a556007edd1add2d568bc3a288633c518e39162fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
0d9fbdb3cf651fa1a643900e1ce4a7b3

SHA1
a0410905514433251363eafbe712f3c4bf296023

SHA256
1113dfcbf6859928f9a2ca33f2dbc336790c8bd1411f01d56fab7b0090e05bbb

SHA512
2bdf4512f5bbc7af4fe5c59900e15f9cc8d1c15949a71fa32481f776d1fa91535bf0fb6279b212e7a969fb78a57ef7091fae20448b1cfe622700314b3c27a75a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58bf73.TMP

Filesize
534B

MD5
540feb4b5fde82464984f76b6d4480c7

SHA1
3b1b5d0220da454d5113e46919a2a31ff6b04fc1

SHA256
82ce87208f97fccdfc2886c4fa8fc54e2c24140dcc7a7257a2b7e0fc60523545

SHA512
18a4c02d860c3fab628c5e1fe0a636c0251d92e7d46ee765844ec2cf6d3de2786e9539b52fc6ac9cbd07566500ca745411f85422e6f4cb9823c3d4395662bf46

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2f2600a458e06a41e92150fc8a7db7d6

SHA1
d7a5773359bf2d39ded7b20e8a9f22f4758de33d

SHA256
b90676180940b1372ab0b97cfd69a0de9796f605600b5451f7a7376329debb19

SHA512
a2aac9470b755620ce024f2c118d0edc66544ed4e1bda8e83121bbfb19515c8efaf25555fbb2bb31dc6e0d7cdd2ece79971f5c2eb94558d373515ac217860aed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
667def77ff82fb6c7ba2c2ef12637da4

SHA1
d75571cdc971197133cc97a7a06b84f0ccd54afe

SHA256
6785bfbf28ec6eadcc704e9c29337b8c26b5ea03a722c711d0d26b16adfc28ec

SHA512
0b91f8d1dba1a42d8812316baf8955bb12a7f95e7b287474cf4fb0482b26317a4954be0893cc43829bd2f6fbca1e99ff0d503ba30678cef25791ce2606198817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
df33c29b352fcfb2ff9b51baf619c845

SHA1
25a329ee3426df81542691595cbda1d22beb7c4f

SHA256
b4462525fdeec24a365a1be7393ec32a60cb3322ddbbbdb49c1a4ccc9e0558ec

SHA512
c1936dd0570e00a1120f251bc73a5621c2f8acb1b76c669e41d8e1e046833c286ce39d64add08cc75cea3be584de8cdba3c2ba39caf30cd30f3d7fcf42668353

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c0de9029a6ea9a7085e3a264e77da099

SHA1
5538da98fd34c85b4c67e894f1f2f31dbe5043f2

SHA256
2da4c05b85fb392c0846ac9b4fedd540293b18e923ee4eac221edd09fdf0804b

SHA512
fe3e256b81e1fafca6227ac255520c8758fa1c50237c3f1272b582d6e48b9acfe3d799ac81a82c22950ec11c7b62ba9eb25d0bf70af10e0314857b4d4c0fab09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4d755adb729f96deb4f45d2af437e300

SHA1
41bc07e398b902b86dbfe4ad297f49ca0963aebb

SHA256
ccf452e98ca38d841443fabac59117aea690e0d40ed8742769fe66b68023df5c

SHA512
a69b7542a30c75461bb5dbe7f5772c2f3630f01dcbe286913789acebe8d625472b5a2ad21663ce83109af8e180db43d5a5095f89e288911ed79a0d0d60ff98a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\251131707527726.bat

Filesize
340B

MD5
3867f2ec82a7d77c9ffefb1aac8b7903

SHA1
06fccf19b9c498b5afa2b35da00e3ab28d56f785

SHA256
4e25c23aa5babc853889d3e1e79bb01ca7650837b250314a8d50f2e2c4b6730f

SHA512
b413994e5b9f0ecb956055c7befff14845b56bb658fd8280d3213fdfa175ff76bc56e082174f2475fdf2d1f9eff618ebfd80ee2b67c091eaf1fd9c94697da5aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\@[email protected]

Filesize
1KB

MD5
add5fd6bb5afa384b9e1a743782948a7

SHA1
c3bff0fdf5b4e34e21f06eda37d286298e68e6d3

SHA256
30c6b97eff5edf05bf22a58e535b373b7cbd7dca481361d3600bb88f785f0082

SHA512
4398d1ccfb2c76bfcac526804f01cf7243dc9e6a6c16743c19ce92f9ca4bb9e6dedd6acc330e51aa5d90c929e4feff7849abb2f44aa39dc3e697627999ca8129

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\c.wnry

Filesize
780B

MD5
8124a611153cd3aceb85a7ac58eaa25d

SHA1
c1d5cd8774261d810dca9b6a8e478d01cd4995d6

SHA256
0ceb451c1dbefaa8231eeb462e8ce639863eb5b8ae4fa63a353eb6e86173119e

SHA512
b9c8dfb5d58c95628528cc729d2394367c5e205328645ca6ef78a3552d9ad9f824ae20611a43a6e01daaffeffdc9094f80d772620c731e4192eb0835b8ed0f17

Download Submit
C:\Users\Admin\AppData\Local\Temp\m.vbs

Filesize
219B

MD5
82a1fc4089755cb0b5a498ffdd52f20f

SHA1
0a8c0da8ef0354f37241e2901cf82ec9ce6474aa

SHA256
7fbdc49f4b4ba21949eca0b16c534b4882da97e94e5ca131cec1629e60439dfa

SHA512
1573a0c7333accef2695efefe1b57cba8f8d66a0061c24420ee0a183343a9a319995267d306ee85084c95580f9855bcdf9dee559b28a200b27fc3cc353315e78

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\AppData\Local\Temp\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\AppData\Local\Temp\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
3.9MB

MD5
3fe8ed5554da37b7f0fa2b033c55b31b

SHA1
f7c7f4c3570a92152849ea6c82682f609308effd

SHA256
643e71ada08a09f71f202452f2a0673917def93f3f349eb8205ca13e853d1022

SHA512
3266e6f2c9a55f9bc72cb4d2d1d50a7a1f9a8d2f3c621d5615c77a12241ac94aa72a0ae75605302f8aec355e09af6c48adcf2650cd61695610fd902d53552717

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 503597.crdownload

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
\??\pipe\crashpad_876_RYIHGMQYHTDZZDOT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2572-75-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/5596-1940-0x00000000742F0000-0x0000000074312000-memory.dmp

Filesize
136KB

Download
memory/5596-2058-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-2064-0x0000000073FC0000-0x00000000741DC000-memory.dmp

Filesize
2.1MB

Download
memory/5596-2066-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-2081-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-2036-0x0000000073FC0000-0x00000000741DC000-memory.dmp

Filesize
2.1MB

Download
memory/5596-2030-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-2029-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-2213-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-1976-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-2229-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-1942-0x00000000741E0000-0x0000000074257000-memory.dmp

Filesize
476KB

Download
memory/5596-1943-0x0000000073FC0000-0x00000000741DC000-memory.dmp

Filesize
2.1MB

Download
memory/5596-1941-0x0000000074260000-0x00000000742E2000-memory.dmp

Filesize
520KB

Download
memory/5596-1939-0x0000000074320000-0x00000000743A2000-memory.dmp

Filesize
520KB

Download
memory/5596-1938-0x00000000743B0000-0x00000000743CC000-memory.dmp

Filesize
112KB

Download
memory/5596-1937-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-1895-0x0000000074320000-0x00000000743A2000-memory.dmp

Filesize
520KB

Download
memory/5596-1896-0x0000000000390000-0x000000000068E000-memory.dmp

Filesize
3.0MB

Download
memory/5596-1894-0x00000000742F0000-0x0000000074312000-memory.dmp

Filesize
136KB

Download
memory/5596-1893-0x0000000073FC0000-0x00000000741DC000-memory.dmp

Filesize
2.1MB

Download
memory/5596-1892-0x0000000074320000-0x00000000743A2000-memory.dmp

Filesize
520KB

Download
memory/5596-1890-0x0000000074260000-0x00000000742E2000-memory.dmp

Filesize
520KB

Download