troldesh | fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786

max time kernel
1064s
max time network
1068s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
07-03-2024 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b28242123ed2cf6000f0aa036844bd29.dll
Size

87KB
MD5

b28242123ed2cf6000f0aa036844bd29
SHA1

915f41a6c59ed743803ea0ddde08927ffd623586
SHA256

fd563cf7c0c862ab910cf558b5a123354b616e84902d277edf09f378ff6f9786
SHA512

08e5966ca90f08c18c582e6c67d71186a6f9c025fc9f78020e1ce202814de094171111b7f3623d81f7371acdf92206446f7c0425e08e8f5f5b6fd969007d9fca
SSDEEP

1536:0A1KsVHBnVJ0T1rFTQHUPx+nVP7ZSRILMZoXyqqEbzPCAdt6rFTc:0A1rVIrFTOUsnVP7sRILgAPCvrFTc

Score

10^/10

troldesh wannacry discovery persistence ransomware trojan upx worm

Malware Config

Extracted

Path

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

12t9YDPgwueZ9NyMgw519p7AA8isjr6SMw

Signatures

Troldesh, Shade, Encoder.858
Troldesh is a ransomware spread by malspam.
ransomware trojan troldesh
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SD8D6B.tmp	[email protected]
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SD8D82.tmp	[email protected]

Executes dropped EXE 50 IoCs

pid	Process
5212	Setup.exe
4720	SetupEngine.exe
5864	diskspd.exe
6044	FastSRV.exe
4208	Fast!.exe
1168	fast!.exe
2544	nw.exe
2096	nw.exe
2588	nw.exe
2508	nw.exe
5504	nw.exe
5168	nw.exe
2108	nw.exe
5996	nw.exe
5732	nw.exe
2904	nw.exe
5024	taskdl.exe
5604	taskdl.exe
5908	@[email protected]
3036	@[email protected]
5372	taskhsvc.exe
4988	@[email protected]
668	taskse.exe
1576	@[email protected]
4040	taskdl.exe
1584	taskdl.exe
5176	taskse.exe
5312	@[email protected]
2036	taskdl.exe
3864	taskse.exe
4772	@[email protected]
4232	taskdl.exe
5608	taskse.exe
5100	@[email protected]
4608	taskdl.exe
1552	taskse.exe
3436	@[email protected]
5976	taskdl.exe
6124	taskse.exe
756	@[email protected]
3084	taskdl.exe
2312	taskse.exe
2032	@[email protected]
1940	taskdl.exe
5024	taskse.exe
3480	@[email protected]
3412	fast!.exe
5476	taskdl.exe
5320	taskse.exe
2792	@[email protected]

Loads dropped DLL 61 IoCs

pid	Process
5212	Setup.exe
5212	Setup.exe
5212	Setup.exe
5212	Setup.exe
5212	Setup.exe
5212	Setup.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2096	nw.exe
2588	nw.exe
2588	nw.exe
2588	nw.exe
2588	nw.exe
2588	nw.exe
2588	nw.exe
2588	nw.exe
2508	nw.exe
2508	nw.exe
2508	nw.exe
5504	nw.exe
5504	nw.exe
5504	nw.exe
5504	nw.exe
5168	nw.exe
5168	nw.exe
5168	nw.exe
2108	nw.exe
2108	nw.exe
2108	nw.exe
5996	nw.exe
5732	nw.exe
5996	nw.exe
5996	nw.exe
5732	nw.exe
5732	nw.exe
2904	nw.exe
2904	nw.exe
2904	nw.exe
2904	nw.exe
5372	taskhsvc.exe
5372	taskhsvc.exe
5372	taskhsvc.exe
5372	taskhsvc.exe
5372	taskhsvc.exe
5372	taskhsvc.exe
5372	taskhsvc.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4700	icacls.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3864-3896-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3864-4050-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5856-4090-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/5856-4100-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2824-4135-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3012-4136-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/2824-4142-0x0000000000400000-0x00000000005DE000-memory.dmp	upx
behavioral1/memory/3012-4147-0x0000000000400000-0x00000000005DE000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\trvtxtdctcmmeu275 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_WannaCrypt0r.zip\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Software\Microsoft\Windows\CurrentVersion\Run\Client Server Runtime Subsystem = "\"C:\\ProgramData\\Windows\\csrss.exe\""	[email protected]

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	fast!.exe
File opened (read-only)	\??\I:	fast!.exe
File opened (read-only)	\??\U:	fast!.exe
File opened (read-only)	\??\W:	fast!.exe
File opened (read-only)	\??\Y:	fast!.exe
File opened (read-only)	\??\B:	fast!.exe
File opened (read-only)	\??\J:	fast!.exe
File opened (read-only)	\??\M:	fast!.exe
File opened (read-only)	\??\O:	fast!.exe
File opened (read-only)	\??\R:	fast!.exe
File opened (read-only)	\??\A:	fast!.exe
File opened (read-only)	\??\E:	fast!.exe
File opened (read-only)	\??\H:	fast!.exe
File opened (read-only)	\??\K:	fast!.exe
File opened (read-only)	\??\L:	fast!.exe
File opened (read-only)	\??\Z:	fast!.exe
File opened (read-only)	\??\N:	fast!.exe
File opened (read-only)	\??\P:	fast!.exe
File opened (read-only)	\??\Q:	fast!.exe
File opened (read-only)	\??\S:	fast!.exe
File opened (read-only)	\??\T:	fast!.exe
File opened (read-only)	\??\V:	fast!.exe
File opened (read-only)	\??\X:	fast!.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
704	raw.githubusercontent.com
604	camo.githubusercontent.com
604	raw.githubusercontent.com
629	raw.githubusercontent.com
630	raw.githubusercontent.com
692	camo.githubusercontent.com
703	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	nw.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	nw.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	[email protected]
Set value (str)	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Fast!\nwjs\locales\bg.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\cs.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\ro.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\images\app-background.png	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\vk_swiftshader_icd.json	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\en-XA.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\id.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\nl.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\ru.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\zh-CN.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\es-419.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\lt.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\uk.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\images\notification-bg.png	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\el.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\tr.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\images\general-settings-bg.png	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\tr.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\zh-CN.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\vulkan-1.dll	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\es-419.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\it.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\sl.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\sr.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\te.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\en-GB.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\he.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\ko.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\ms.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\nb.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\swiftshader\libEGL.dll	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\ta.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\vi.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\FastSRV.exe	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\credits.html	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\bn.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\en-US.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\et.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\pl.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\icons\logo.svg	SetupEngine.exe
File opened for modification	C:\Program Files (x86)\Fast!\BigTestFile	fast!.exe
File created	C:\Program Files (x86)\Fast!\nwjs\nw_200_percent.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\snapshot_blob.bin	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\vk_swiftshader.dll	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\lv.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\css\notification.css	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\fil.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\hr.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\lt.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\uk.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\images\exit-popup-bg.png	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\da.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\icons\checkbox.svg	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\ro.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\zh-TW.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\ffmpeg.dll	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\en-GB.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\es.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\et.pak.info	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\he.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\hu.pak	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\ui\images\license-btn-bg.png	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\libGLESv2.dll	SetupEngine.exe
File created	C:\Program Files (x86)\Fast!\nwjs\locales\am.pak.info	SetupEngine.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	nw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5044	4148	WerFault.exe	90

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	nw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	nw.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	nw.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	nw.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133542907173951963"	nw.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DF7B5384-656A-413F-B3B1-18A65D99C2A7X}	fast!.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{16962D62-D79E-4CC9-A3C2-B261A337F6F3}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-647252928-2816094679-1307623958-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-647252928-2816094679-1307623958-1000\{F3E7DAEF-6212-4646-887F-BE574A65ED52}	msedge.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3020	reg.exe

NTFS ADS 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\NoMoreRansom (1).zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Setup.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\86e0eac8c5ce70c4b839ef18af5231b5f92e292b81e440193cdbdc7ed108049f.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCrypt0r.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3216	msedge.exe
3216	msedge.exe
2312	msedge.exe
2312	msedge.exe
1320	identity_helper.exe
1320	identity_helper.exe
2616	msedge.exe
2616	msedge.exe
1436	msedge.exe
1436	msedge.exe
1436	msedge.exe
1436	msedge.exe
1040	msedge.exe
1040	msedge.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
4720	SetupEngine.exe
6044	FastSRV.exe
6044	FastSRV.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe
1168	fast!.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1168	fast!.exe
4988	@[email protected]

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	5864	diskspd.exe
Token: 33	5768	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5768	AUDIODG.EXE
Token: SeDebugPrivilege	1168	fast!.exe
Token: SeDebugPrivilege	4208	Fast!.exe
Token: SeIncBasePriorityPrivilege	1168	fast!.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe
Token: SeShutdownPrivilege	2544	nw.exe
Token: SeCreatePagefilePrivilege	2544	nw.exe

Suspicious use of FindShellTrayWindow 60 IoCs

pid	Process
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of SendNotifyMessage 17 IoCs

pid	Process
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2544	nw.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of SetWindowsHookEx 20 IoCs

pid	Process
5212	Setup.exe
4720	SetupEngine.exe
5864	diskspd.exe
4208	Fast!.exe
5908	@[email protected]
5908	@[email protected]
3036	@[email protected]
3036	@[email protected]
4988	@[email protected]
4988	@[email protected]
1576	@[email protected]
5312	@[email protected]
4772	@[email protected]
5100	@[email protected]
3436	@[email protected]
756	@[email protected]
2032	@[email protected]
3480	@[email protected]
3412	fast!.exe
2792	@[email protected]

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 4148	1072	regsvr32.exe	90
PID 1072 wrote to memory of 4148	1072	regsvr32.exe	90
PID 1072 wrote to memory of 4148	1072	regsvr32.exe	90
PID 5212 wrote to memory of 5824	5212	Setup.exe	172
PID 5212 wrote to memory of 5824	5212	Setup.exe	172
PID 5824 wrote to memory of 5820	5824	msedge.exe	173
PID 5824 wrote to memory of 5820	5824	msedge.exe	173
PID 5212 wrote to memory of 4720	5212	Setup.exe	179
PID 5212 wrote to memory of 4720	5212	Setup.exe	179
PID 5212 wrote to memory of 4720	5212	Setup.exe	179
PID 4720 wrote to memory of 5792	4720	SetupEngine.exe	180
PID 4720 wrote to memory of 5792	4720	SetupEngine.exe	180
PID 4720 wrote to memory of 5792	4720	SetupEngine.exe	180
PID 5792 wrote to memory of 5864	5792	cmd.exe	182
PID 5792 wrote to memory of 5864	5792	cmd.exe	182
PID 5792 wrote to memory of 5864	5792	cmd.exe	182
PID 4720 wrote to memory of 3440	4720	SetupEngine.exe	184
PID 4720 wrote to memory of 3440	4720	SetupEngine.exe	184
PID 3440 wrote to memory of 3032	3440	msedge.exe	185
PID 3440 wrote to memory of 3032	3440	msedge.exe	185
PID 4720 wrote to memory of 4208	4720	SetupEngine.exe	189
PID 4720 wrote to memory of 4208	4720	SetupEngine.exe	189
PID 4720 wrote to memory of 4208	4720	SetupEngine.exe	189
PID 6044 wrote to memory of 1168	6044	FastSRV.exe	190
PID 6044 wrote to memory of 1168	6044	FastSRV.exe	190
PID 6044 wrote to memory of 1168	6044	FastSRV.exe	190
PID 1168 wrote to memory of 2544	1168	fast!.exe	191
PID 1168 wrote to memory of 2544	1168	fast!.exe	191
PID 2544 wrote to memory of 2096	2544	nw.exe	192
PID 2544 wrote to memory of 2096	2544	nw.exe	192
PID 2544 wrote to memory of 2588	2544	nw.exe	193
PID 2544 wrote to memory of 2588	2544	nw.exe	193
PID 2544 wrote to memory of 2508	2544	nw.exe	194
PID 2544 wrote to memory of 2508	2544	nw.exe	194
PID 2544 wrote to memory of 5168	2544	nw.exe	195
PID 2544 wrote to memory of 5168	2544	nw.exe	195
PID 2544 wrote to memory of 5504	2544	nw.exe	196
PID 2544 wrote to memory of 5504	2544	nw.exe	196
PID 2544 wrote to memory of 2108	2544	nw.exe	198
PID 2544 wrote to memory of 2108	2544	nw.exe	198
PID 2544 wrote to memory of 5996	2544	nw.exe	203
PID 2544 wrote to memory of 5996	2544	nw.exe	203
PID 2544 wrote to memory of 5732	2544	nw.exe	204
PID 2544 wrote to memory of 5732	2544	nw.exe	204
PID 2544 wrote to memory of 2904	2544	nw.exe	213
PID 2544 wrote to memory of 2904	2544	nw.exe	213
PID 5424 wrote to memory of 6016	5424	[email protected]	228
PID 5424 wrote to memory of 6016	5424	[email protected]	228
PID 5424 wrote to memory of 6016	5424	[email protected]	228
PID 5424 wrote to memory of 4700	5424	[email protected]	229
PID 5424 wrote to memory of 4700	5424	[email protected]	229
PID 5424 wrote to memory of 4700	5424	[email protected]	229
PID 5424 wrote to memory of 5024	5424	[email protected]	232
PID 5424 wrote to memory of 5024	5424	[email protected]	232
PID 5424 wrote to memory of 5024	5424	[email protected]	232
PID 5424 wrote to memory of 1580	5424	[email protected]	233
PID 5424 wrote to memory of 1580	5424	[email protected]	233
PID 5424 wrote to memory of 1580	5424	[email protected]	233
PID 1580 wrote to memory of 5924	1580	cmd.exe	235
PID 1580 wrote to memory of 5924	1580	cmd.exe	235
PID 1580 wrote to memory of 5924	1580	cmd.exe	235
PID 5424 wrote to memory of 3332	5424	[email protected]	237
PID 5424 wrote to memory of 3332	5424	[email protected]	237
PID 5424 wrote to memory of 3332	5424	[email protected]	237

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3332	attrib.exe
6016	attrib.exe

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
1⤵
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\b28242123ed2cf6000f0aa036844bd29.dll
  2⤵
  PID:4148
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4148 -s 436
    3⤵
    - Program crash
    PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff74e43cb8,0x7fff74e43cc8,0x7fff74e43cd8
1⤵
PID:1640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff74e43cb8,0x7fff74e43cc8,0x7fff74e43cd8
1⤵
PID:3720

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,1656198795386031016,18242410122900599107,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1896 /prefetch:2
1⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,1656198795386031016,18242410122900599107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2064 /prefetch:2
1⤵
PID:2708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
1⤵
PID:3712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
1⤵
PID:3984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
1⤵
PID:1216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2684

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:72

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4148 -ip 4148
1⤵
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
1⤵
PID:788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
1⤵
PID:2884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1832 /prefetch:1
1⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3880 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
1⤵
PID:2824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
1⤵
PID:5088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
1⤵
PID:5072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
1⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
1⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2580 /prefetch:1
1⤵
PID:4904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2656 /prefetch:1
1⤵
PID:1220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
1⤵
PID:3292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
1⤵
PID:2468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5244 /prefetch:8
1⤵
PID:256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=2136 /prefetch:8
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2616

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
1⤵
PID:800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
1⤵
PID:3352

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6348 /prefetch:1
1⤵
PID:3520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
1⤵
PID:2632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
1⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6468 /prefetch:1
1⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6496 /prefetch:1
1⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
1⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
1⤵
PID:3248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6512 /prefetch:1
1⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
1⤵
PID:860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1232 /prefetch:1
1⤵
PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6624 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1304 /prefetch:1
1⤵
PID:2728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6516 /prefetch:1
1⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
1⤵
PID:1332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7228 /prefetch:1
1⤵
PID:4396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
1⤵
PID:3272

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
1⤵
PID:2264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:1
1⤵
PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7676 /prefetch:1
1⤵
PID:3232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
1⤵
PID:244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
1⤵
PID:4960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8240 /prefetch:1
1⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8376 /prefetch:1
1⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8372 /prefetch:1
1⤵
PID:1040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8936 /prefetch:1
1⤵
PID:3408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8800 /prefetch:1
1⤵
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9072 /prefetch:1
1⤵
PID:4700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8892 /prefetch:1
1⤵
PID:5028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8232 /prefetch:1
1⤵
PID:5320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8196 /prefetch:1
1⤵
PID:5332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9524 /prefetch:1
1⤵
PID:5524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9876 /prefetch:1
1⤵
PID:5532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10008 /prefetch:1
1⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9980 /prefetch:1
1⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10584 /prefetch:1
1⤵
PID:5860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9968 /prefetch:1
1⤵
PID:5880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10580 /prefetch:1
1⤵
PID:5888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10892 /prefetch:1
1⤵
PID:5896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11348 /prefetch:1
1⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8216 /prefetch:1
1⤵
PID:5908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7256 /prefetch:1
1⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9812 /prefetch:8
1⤵
PID:3748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=11344 /prefetch:8
1⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:1040

C:\Users\Admin\Downloads\Setup.exe
"C:\Users\Admin\Downloads\Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://veryfast.io/installing.html?guid=00000000-0000-0000-0000-000000000000&_fcid=1709816919080664
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff74e43cb8,0x7fff74e43cc8,0x7fff74e43cd8
    3⤵
    PID:5820
- C:\Users\Admin\AppData\Local\FAST!\Temp\SetupEngine.exe
  "C:\Users\Admin\AppData\Local\FAST!\Temp\SetupEngine.exe" /fcid 1709816919080664
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\Admin\AppData\Local\FAST!\Temp\testfile.temp" > C:\Users\Admin\AppData\Local\FAST!\Temp\dskres.xml
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5792
  - - C:\Users\Admin\AppData\Local\FAST!\Temp\diskspd.exe
      C:\Users\Admin\AppData\Local\FAST!\Temp\diskspd.exe -c100M -b4K -t1 -r -o32 -d10 -ag -h -Rxml C:\Users\Admin\AppData\Local\FAST!\Temp\testfile.temp
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:5864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://veryfast.io/installed.php?guid=DF7B5384-656A-413F-B3B1-18A65D99C2A7X&_fcid=1709816919080664
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7fff74e43cb8,0x7fff74e43cc8,0x7fff74e43cd8
      4⤵
      PID:3032
- - C:\Program Files (x86)\Fast!\Fast!.exe
    "C:\Program Files (x86)\Fast!\Fast!.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:4208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6812 /prefetch:1
1⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10264 /prefetch:1
1⤵
PID:4428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7184 /prefetch:1
1⤵
PID:5472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7640 /prefetch:1
1⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
1⤵
PID:5404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10960 /prefetch:1
1⤵
PID:5408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6816 /prefetch:1
1⤵
PID:5944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8424 /prefetch:1
1⤵
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=9804 /prefetch:8
1⤵
PID:2312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11244 /prefetch:1
1⤵
PID:5648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11092 /prefetch:1
1⤵
PID:3496

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x0000000000000494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5768

C:\Program Files (x86)\Fast!\FastSRV.exe
"C:\Program Files (x86)\Fast!\FastSRV.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:6044
- C:\Program Files (x86)\fast!\fast!.exe
  "C:\Program Files (x86)\fast!\fast!.exe"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Program Files (x86)\Fast!\nwjs\nw.exe
    "C:\Program Files (x86)\Fast!\nwjs\nw.exe" ui\.
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\FAST!\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\FAST!\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\FAST!\User Data" --annotation=plat=Win64 --annotation=prod=FAST! --annotation=ver= --initial-client-data=0x25c,0x260,0x264,0x258,0x268,0x7fff6393a970,0x7fff6393a980,0x7fff6393a990
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2096
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2036 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2588
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --mojo-platform-channel-handle=2136 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2508
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=2420 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5168
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --nwjs --extension-process --first-renderer-process --no-sandbox --file-url-path-alias="/gen=C:\Program Files (x86)\Fast!\nwjs\gen" --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2756 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:1
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5504
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3892 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2108
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=4364 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5996
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --mojo-platform-channel-handle=3308 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:8
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:5732
  - - C:\Program Files (x86)\Fast!\nwjs\nw.exe
      "C:\Program Files (x86)\Fast!\nwjs\nw.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Local\FAST!\User Data" --nwapp-path="ui\." --start-stack-profiler --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=556 --field-trial-handle=2040,i,7086919739898166327,14539462047899561548,262144 /prefetch:2
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7056 /prefetch:1
1⤵
PID:3836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8548 /prefetch:1
1⤵
PID:5808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10356 /prefetch:1
1⤵
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7324 /prefetch:1
1⤵
PID:1716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11432 /prefetch:1
1⤵
PID:5048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
1⤵
PID:3156

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
1⤵
PID:5676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
1⤵
PID:5112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9576 /prefetch:1
1⤵
PID:5228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
1⤵
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10636 /prefetch:1
1⤵
PID:5316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6100 /prefetch:1
1⤵
PID:2256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
1⤵
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
1⤵
PID:6136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5056 /prefetch:8
1⤵
- NTFS ADS
PID:1432

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=97 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6744 /prefetch:1
1⤵
PID:5280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8024 /prefetch:1
1⤵
PID:612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1616 /prefetch:1
1⤵
PID:5436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6128 /prefetch:1
1⤵
PID:3524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=101 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1904 /prefetch:1
1⤵
PID:2424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=102 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8388 /prefetch:1
1⤵
PID:5336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=104 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10008 /prefetch:1
1⤵
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1976,13227799598073847065,6348132386679957089,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8660 /prefetch:8
1⤵
- NTFS ADS
PID:4044

C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\[email protected]"
1⤵
- Drops startup file
- Sets desktop wallpaper using registry
- Suspicious use of WriteProcessMemory
PID:5424
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:6016
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Modifies file permissions
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 164641709817495.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1580
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:5924
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:3332
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5604
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5908
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5372
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3036
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:3808
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        
        PID:660
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:668
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1576
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4040
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "trvtxtdctcmmeu275" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
  2⤵
  PID:860
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "trvtxtdctcmmeu275" /t REG_SZ /d "\"C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3020
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1584
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5176
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5312
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3864
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4772
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4232
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5608
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5100
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4608
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1552
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3436
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5976
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:6124
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:756
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3084
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2032
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1940
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5024
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3480
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:5476
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\taskse.exe
  taskse.exe C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5320
- C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2792

C:\Users\Admin\Desktop\@[email protected]
"C:\Users\Admin\Desktop\@[email protected]"
1⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff74e43cb8,0x7fff74e43cc8,0x7fff74e43cd8
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1864 /prefetch:2
  2⤵
  PID:1384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  PID:5844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3600 /prefetch:1
  2⤵
  PID:3888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:3856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 /prefetch:8
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
  2⤵
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 /prefetch:8
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4760 /prefetch:8
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2384 /prefetch:1
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:5956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:1
  2⤵
  PID:4928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6560 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6664 /prefetch:8
  2⤵
  - NTFS ADS
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6180 /prefetch:2
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,10947042802293430514,5331452056771226727,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6268 /prefetch:1
  2⤵
  PID:1572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5620

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5412

C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp1_NoMoreRansom.zip\[email protected]"
1⤵
- Adds Run key to start application
PID:3864

C:\Users\Admin\AppData\Local\Temp\Temp2_NoMoreRansom.zip\[email protected]
"C:\Users\Admin\AppData\Local\Temp\Temp2_NoMoreRansom.zip\[email protected]"
1⤵
PID:5856

C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]"
1⤵
PID:2824

C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]
"C:\Users\Admin\Downloads\NoMoreRansom (1)\[email protected]"
1⤵
PID:3012

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Documents\@[email protected]
1⤵
PID:3612

C:\Program Files (x86)\Fast!\fast!.exe
"C:\Program Files (x86)\Fast!\fast!.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Fast!\BigTestFile

Filesize
15.7MB

MD5
5bccb3167415882a36b44c2d6e230b0d

SHA1
07f7cbe0d52ff4684e0e06b7eac98ba38ad65ad9

SHA256
697fb819081a851c6eead9acfc23c691bba9409bc562584a9c269b261b4f3658

SHA512
c908ff435d4f79b27bebaedd1d153042aba00ffa8244133298127bac743eb4a14e54c933a7b8b374342105f96ae96c24831f8a8e0544ad49640b0496cc3d8bb9

Download Submit
C:\Program Files (x86)\Fast!\fast!.exe

Filesize
751KB

MD5
a2ef6c8ccfbeee722f02c9744272449a

SHA1
9b60c5d3890a8e44c16d3ca7446876e91c4223e0

SHA256
45f4752b7d517a3ff4d00c5e8ed2d475f6e5809b70dca55ea12a489544fd9e84

SHA512
3803f2741a30d69500f3cd0e66a5f99b79394ba20f5dbbb948295e597e49cf05d337d1de3b97bc0d0c7beb18d0725b260c0f7c9c04524fd94b340bdc01dfe934

Download Submit
C:\Program Files (x86)\Fast!\nwjs\locales\bg.pak.info

Filesize
978KB

MD5
e3beb49ba64cb7a3af04be34b2fb2ff4

SHA1
ddc36967b80ff1062461bf0b691736a9f8f3d57a

SHA256
e957cde29b8732cc46e61c98629cbbfaa23333776ae5db166a2b2169799c8290

SHA512
9dbc8f89809926e8b19609018f6c82bf9411a8c9690c6ebbcc93f2bfcadd194c27a8220ad581fc60d168aa06ae3d35072bb298a9619e4d6a8664ec6af6a49fdc

Download Submit
C:\Program Files (x86)\Fast!\uninstaller.exe

Filesize
467KB

MD5
2e5238feebedc51991e906da9a14e16a

SHA1
edfb5738c14f6bdfdf86ee0e17a0876c971881f6

SHA256
4c4ed8b69558b565f3b6181a70677379fa86ff869170d2edf2bd519f1162638b

SHA512
cc775b22192f6026866bb1c57056f87729944a9ea31cd8dd151d07af8a48cdddb6cd7487b6b545cd0177697d24126e7aa204e214594588950f6fa7df61ee0c14

Download Submit
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
1KB

MD5
916f11d8b7bdbf6c3bd55919ded8464d

SHA1
a87f4bbf656674b107d32b89fc7c9b183df4f927

SHA256
7be8f4a8b50abfc25172cecdfe6a80b5f0071202c6bc1a43fc59324bb6056c5e

SHA512
ec509fc3050ee8ed6c77bf6a8de6bb8e2221339f256fbab0746507a0c3dcd1ef56d1dd1f924d00f8283525d1f990044700bc82e074962efb97fd4208f32dbe3f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\79488f6db1539bc7\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
22bb0cda265bbf84589eb98d5e4c4823

SHA1
578c5b9b858da4b947e621f7ac1f2590e8dfcc6e

SHA256
c226cb68eb7d68baafce089f44ffa8e42437423dfe4a08f7f62245b79d7ce8a8

SHA512
1adae921ab13846d202fe79dd4b7b08c643aeeec7bf18b96d5bd54ad3b9282a6a2c7bbe613eb1e18485f50b72e6156ea57009bbaaf6d4d3b1c3e983a33b4c42a

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\79488f6db1539bc7\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\79488f6db1539bc7\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
976B

MD5
f9bf36470582452b98c31dc407614b50

SHA1
6a037bdf0d0b2855f800623a51218e9273693c0c

SHA256
f804f7d750b142454c88bf0c041ddc7f676d2fd9a871dad40884022a86ac2a18

SHA512
d74d281c537efba9a53cbdc472b2a4ae45632d576db52aea62424ea12bfc1abf71746b90c104a01b72524471c07ad7118eaf818dd4daa2253cd45c6649c9398c

Download Submit
C:\Users\Admin\AppData\Local\FAST!\Temp\error_mini_empty_path

Filesize
42B

MD5
d89746888da2d9510b64a9f031eaecd5

SHA1
d5fceb6532643d0d84ffe09c40c481ecdf59e15a

SHA256
ef1955ae757c8b966c83248350331bd3a30f658ced11f387f8ebf05ab3368629

SHA512
d5da26b5d496edb0221df1a4057a8b0285d15592a8f8dc7016a294df37ed335f3fde6a2252962e0df38b62847f8b771463a0124ef3f84299f262ed9d9d3cee4c

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\0ec52f2c-5659-4cdb-adea-5b0c99b5597e.tmp

Filesize
2KB

MD5
96f0aa6e68075d10107631c5cfbd2290

SHA1
a8242241012e97cdb28095c6289e35c6dde93ab3

SHA256
efc3d444307f4eaad429c562d4a5cde57d7007a54a93ef0b3b88f8a39f4b1b83

SHA512
dcc83352944583c88cbf77caf1680996dbb2ad8fb0255c1eceaf05ebfa43e8392840781c9541cd9bd578365ccdc4ad3015b3541ea906f6ac774a97943abcdcd1

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Crashpad\metadata

Filesize
114B

MD5
e2be41ce98ae859f674d45a6ffea737a

SHA1
504106643afa0ee529fc30b2b11d893ed9718ef9

SHA256
196f37673f02d8567050e14cccae33d090a17322272a588510f178314151dc6f

SHA512
0ed2b7278b858ebabd3944b694fc6d8a4905b19d0acf09d2e282b4a0519d7fa96b79893189cdb6bc31a0f34a222e9ab9650171bcb0690c006aa26d95c5126ccc

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Crashpad\reports\53966a7a-5a96-489a-a6c2-b42dc2fe4f85.dmp

Filesize
1.8MB

MD5
2f1a18ee5de1a148d9fc2db73e1fd4fc

SHA1
d2ded0619f8e63c78055aca015873eb1abe7ab53

SHA256
b631d6624ec11891c647abf2794b08b064bedbe81fa2ca515ff71025c38a8124

SHA512
49f9a4ef6201ef4e43e92205debe76c87fa17f4b3695f216f85830d711634bfb1f3ddd4b257ba50af060d948a5ad870869ba7ac0c5d2910bcbcc6ca4493c83dc

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_1

Filesize
8KB

MD5
259e7ed5fb3c6c90533b963da5b2fc1b

SHA1
df90eabda434ca50828abb039b4f80b7f051ec77

SHA256
35bb2f189c643dcf52ecf037603d104035ecdc490bf059b7736e58ef7d821a09

SHA512
9d401053ac21a73863b461b0361df1a17850f42fd5fc7a77763a124aa33f2e9493fad018c78cdff63ca10f6710e53255ce891ad6ec56ec77d770c4630f274933

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Cache\Cache_Data\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Extension Rules\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3a49bac3f16ceac0bb435f2f6cd18055

SHA1
22a13e293baac1c895b53fa19016db0e7fffcd8f

SHA256
ba65d07872a72878d5e9f35a9ec3cafe24790b7cf0457c4afce1b66ee92d5616

SHA512
0dba554d788be89459c1bdc958cc7466c7cad42705d397d5ce96cea1fe992a56d85aab8cdc1ce0e30a7cbfbca437b835fdd5b86f066ec261df61f71c97543718

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7a7c5668696c7bcd289572b2eb981b1d

SHA1
e3caf51bd5a9a68b8ea88eed0f1127289b79688b

SHA256
e9f706d97b778f76a0e273541700ba79e83ff589d990a99cadc7d0f615d12de4

SHA512
a7c3abdd2ffa3ecd70ce9c73b114963cd3e4ccbaedd83c2507b94eb5b371d7cafd163e27f23074f540633c75b92528edad697987f711cef00f03cb908cd4f9ca

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
b7d674df67efc31771c6e888c8642c4c

SHA1
c6051d8dfa63a9e5345ee0ab78fb1a5732e55933

SHA256
6cd8fa9b96e15dab54ab22fb0283b8fcec8cd3b73568050cdac8bddc87749085

SHA512
5c013ac21e355b60b7a791e16bc1107e04f7fe2b44646e20b96725839eeed2a4d6bc5c27d8d5adbb90b1946ec3fbfe7d693104d570bd722eda34ab947273fe48

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7a1d23ed3972e959f7f6268d789a54cd

SHA1
03a99bac5ed5d05deacf77a9b1da0b41e465beab

SHA256
77098d7baa26500aa4131401778ffeeb0ba8dd4888c4f656569b0903c3430ee5

SHA512
b71547ed026cfa4becf1221e784a14b30c70a2fb7204ddb0627201e396e8b308ccee9c6954b67e077e31d847def58bd8e226ed4c7f6dec33c1d9fd71ea66f431

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
bcce56826dcdb66df77849f36f4690f1

SHA1
a98de080a87aa23bd032da9b8ce9ddbeab836003

SHA256
f1aa0b29e13c1173d36cc075cafe00be5ba339d26df9b1d0cb90607286e76fc2

SHA512
c8ceeca09b8572a7398fe7d7fcfcff6fb6e588851bc4df5364bd5c49418b1bc62bd169225a53905cec76196163b5ccaefbfef765e230d09852e90b06c4cc5e44

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
43d60a5d4c5871f4488cc3fe544952ee

SHA1
0b17613e67821bcd3cffef6b2ac08660a8472a78

SHA256
47a714aa823d9fe6ccba2c5e05e084fddcbc826aebeedac18b5673efbf9396f3

SHA512
59a68d89c8de83a148c1e979100bd194e2d3b704386f147de6b0b66b657650786ecda3fcd66e495e4087d68b499bdc1d9a00c42b40e89ccf1f21e47919229c9c

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\Network Persistent State~RFe5e6688.TMP

Filesize
59B

MD5
78bfcecb05ed1904edce3b60cb5c7e62

SHA1
bf77a7461de9d41d12aa88fba056ba758793d9ce

SHA256
c257f929cff0e4380bf08d9f36f310753f7b1ccb5cb2ab811b52760dd8cb9572

SHA512
2420dff6eb853f5e1856cdab99561a896ea0743fcff3e04b37cb87eddf063770608a30c6ffb0319e5d353b0132c5f8135b7082488e425666b2c22b753a6a4d73

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
526d7dd0fa6bca019772c52a5225b29b

SHA1
2898b1d8a2259a298ae4ff861a65c7524e0d6453

SHA256
ca6b22e078c9369ead4a3a36295b1661e67e41a5e934f991d4d9f073dd9ba114

SHA512
3c8b385aa93da95fc1bca9622c415bb65f591ea328ece0722fa3b9d37caad7e3bec05a5c3f03ce862760075ff7cf02269dfd43112dd64fb943981485a93c6c80

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
528f6b1dc480b05fc657b9ec7593f9d7

SHA1
70fa268545d81ac36e9a4b9841527f27bb2bcd17

SHA256
3d678746a91234b5472122cb97c913729a864662bcb305685090614020f78428

SHA512
20f1fe0241038d5222494429e5530ca45b46b4a4e11ab7d752754d3ae04e3857f0f8c8525ed6ef7de46b1784b9989c7e7943294181867da1d5290a0da2a44e13

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
e2a7a285bbb3b68a4892610e44c8babf

SHA1
47c157c051e8b1cc2b5d24bb90ef73eb9bf30df9

SHA256
b25a23b0672a6764f0cfa77dd19f611d082b61b6a509483c51d59e5965354911

SHA512
032f675b880e1c742fff586e21d0a8ad8e950f6c03baa4b7aab59453d0b79d062da7deb297ad30d1d9367c225a140c0d28967b5dc97ec47e82c4de30ab341bf1

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Network\TransportSecurity~RFe5dbfa9.TMP

Filesize
523B

MD5
bde5c1624c4032307e99a8405885dff1

SHA1
e953510f1438fc4f9ad465f642c60daca9ebacdb

SHA256
099d1730b72e4130864155129ad90656207502c6047defd7df89228c8df86e57

SHA512
90c3510ddedffd634cb7d6c78d62dfbad448ead033bfe79a6064235b8d48d33b63c70c50f74b1ed002d91b654546208bf1cc5dec2f6b2361b9744faa7fe892ec

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Preferences

Filesize
4KB

MD5
2f574789f2c13c0a91a561c7634842ba

SHA1
cca8cdf98eb4d69bfa3553a2734e18c8d710e382

SHA256
ff76965f6ceca07f1bb159053a461eef10b949418c978cfc9f77abb365f2b424

SHA512
ee186ef1c696ac96fb1f2fa73e1abbbc8d46f0e7e37f75d722e57a9ff8b35378a8225ac4bc176647679ea6d3cddd04e125a18c956faa365a9ecbe8fff4bb1408

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Preferences

Filesize
4KB

MD5
d0326c1b63d121860ecd6ad1b31b4e75

SHA1
778987c0b4dbe3d51466a02ae0ebc8d4e4de1d8a

SHA256
23cd0e2a2506284e180e48cd338d4cc146e848580bb765801040900285f10548

SHA512
b094be5c36c17b1f96bd1294769ce6ddd3b006de63d70f08477eee30ada4f2f82480ce714964127b35fe4fe112ea93b1c342c5de7ac261c67deead35abe4d8a1

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Preferences

Filesize
4KB

MD5
bfe1fb5edaf16b11653e56f22fd92eee

SHA1
11bde323c78a01688dd41fc93ba1588c1a2f8636

SHA256
5f3636a3fe61c9ae173c6c4e6777cffedcdb321ad849e782ca2d61fec2553a24

SHA512
128ed3035ed3e808b733cdd2e17fe51509b102eb114efd84d70d0277e0262a4e0ac0f19c0583d5bbfe506cb42b5c117eed130de54321cada46a7a79ff89582e1

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\Preferences~RFe5dbd57.TMP

Filesize
4KB

MD5
18ee09d076e3890fd7d6c47d3888784d

SHA1
fa97bf976bfff04c1ed4a0ea7bbf9d44bbb7ee23

SHA256
a001dc24585a81178e7c8dd607acf767b4e3e2567890b5e951014aae76650d1b

SHA512
c45360fc45b6307cce26577147c8198625e6a20964bc15a9d0c5eb3ad4f743ec7adf0c1a74748f7697dd1de506d0b89506ef3c3a2fd700c3b562ea414fdfd362

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\edca5011-4437-4179-a7d5-0a2861e7b2b3.tmp

Filesize
148KB

MD5
728fe78292f104659fea5fc90570cc75

SHA1
11b623f76f31ec773b79cdb74869acb08c4052cb

SHA256
d98e226bea7a9c56bfdfab3c484a8e6a0fb173519c43216d3a1115415b166d20

SHA512
91e81b91b29d613fdde24b010b1724be74f3bae1d2fb4faa2c015178248ed6a0405e2b222f4a557a6b895663c159f0bf0dc6d64d21259299e36f53d95d7067aa

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Local State

Filesize
2KB

MD5
8d7203d1412ca63e6c59a4df81327f07

SHA1
ab6c4fdd27644b8cb780aaa8f72dc8c88a3ba664

SHA256
9953f207d9edd77e64e738582619d4348a582030019467c4b131db3b0f8edb5a

SHA512
2620cea0a35733c7a0f2f84b728f7aebdde8d6a924f118e167f63566fa0bed3fd3e4f42cdf1754142cad3c1a28b388aa702f5f2c2c5e3ae09df758ab3e8d4f23

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Local State

Filesize
2KB

MD5
4e1c8d66d3c1e18ac48c200042def374

SHA1
939070d43157371e869adaacc2f00d2135c56b38

SHA256
de01c2c081534f6b93ad71a6f003ae05db99cd64856ba7c6d4a99c62f23fdce6

SHA512
a3079bebda993a9652d24f02b35b69ef2d6a854db38abd69307706a6c8ed172648e1b62a4fdbc8e38ca3f4bbf9c7669b60a1795066485c3f620fcae18bfc07a0

Download Submit
C:\Users\Admin\AppData\Local\FAST!\User Data\Local State~RFe5d6a94.TMP

Filesize
867B

MD5
b45ac685613283e7a19d42be34392f8e

SHA1
f07f41cc7b77cfc0a1a80d06e1bd6a3a79b484ff

SHA256
189ee9de22fb872045218e730c34c3341aca95194af4e0f5e6e1b3d7101ccb01

SHA512
c28ecb93c8f69a2b8a47e1631d3c83a7d6e57b0596f45829f2ca6166fc99519106e8f5f94cbfabc6dd97bacedf16fc7b35b7906322d0573f44c48cbb1474345f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5bdb027c2c187bc940de04fcd2a4738

SHA1
279afc5f288466bd163f252ea30ec79e7e883460

SHA256
fef652cdcf911b1e18099e0c98458d1c0c16c0661f654f3c1685c294b34c3d03

SHA512
58ce364164d04e1ca117e4b5feac32b155ea76772d7cb57fa2dce96a83dd3b2827485f134d53b7cb6f75e2264bc08a14d8c16edc92a5a8a4a3d4c6c3c5622efd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62d7c25a571a1eb38f21573ea8755f94

SHA1
3e4eecf2966c21abebc3dcd428fe611ac2a890ce

SHA256
09ce18bff721083fabd3d1f2c2247ddb88a2998cb033f73a88f77f3fd785406f

SHA512
47b35a21c5057dffc80e4b8a00df9aea5b90d92a16e5143e4608aa235af379e801f7ef5fa8d2156488d6a6e501c6e111b6f9d7bad1cf6da581c96c731d3711e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
31KB

MD5
bece038422ccc92d498cdb88950ed3cc

SHA1
743ef43ca2a84ec9d7a3aafd7550c3e6b0b48798

SHA256
c8f101aaa8ced4bf4d49828c264536ce42759e1dbf926c0628377b4939eabfd2

SHA512
b11014d24aec1f37ddc3160a5e15c8d17a365ee603e267405d38dd1afeb7e1df357b7ada92559ddec72df7d6e291dfce3f2b792320ae2a4f14e34dc2815933da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
67KB

MD5
88a552e6be1ac3978c49143983276b3a

SHA1
dbf4f4dc62a3da564b1a87b5191dc9a72a9b9423

SHA256
927121d8118a41fa3460b9ad84daeae59ea60dc9607e462b7e1341bea60da8d5

SHA512
125b13be3d209ff5cc12d8f9f12d01d271cd50c2800059241ebb419167c21adfa9d979ff6b8d88052f5d302e98090b7c8ceff4894b397168d8ba6d8a6204fb9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b

Filesize
1.1MB

MD5
ae6fba4a8a4923ae8fb23bbe54365bb4

SHA1
fb04d11d5f8433a5149dbbf05323cdbcbdfaf3c5

SHA256
d3effbeee1babe87697c39dab95237973aef8f4755a273b3a04b6585d927f7f3

SHA512
275b997c5819b5c360b1f5f1a8239e6f7e1631a0c75677a4d428c8a25e03400314e8eca58f54af524fb93c3b609b7c47e60ae05a7ba874651ed58b54281a2ed5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e

Filesize
33KB

MD5
3cd0f2f60ab620c7be0c2c3dbf2cda97

SHA1
47fad82bfa9a32d578c0c84aed2840c55bd27bfb

SHA256
29a3b99e23b07099e1d2a3c0b4cff458a2eba2519f4654c26cf22d03f149e36b

SHA512
ef6e3bbd7e03be8e514936bcb0b5a59b4cf4e677ad24d6d2dfca8c1ec95f134ae37f2042d8bf9a0e343b68bff98a0fd748503f35d5e9d42cdaa1dc283dec89fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f

Filesize
74KB

MD5
bc9faa8bb6aae687766b2db2e055a494

SHA1
34b2395d1b6908afcd60f92cdd8e7153939191e4

SHA256
4a725d21a3c98f0b9c5763b0a0796818d341579817af762448e1be522bc574ed

SHA512
621386935230595c3a00b9c53ea25daa78c2823d32085e22363dc438150f1cb6b3d50be5c58665886fac2286ae63bf1f62c8803cb38a0cac201c82ee2db975c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
40KB

MD5
3051c1e179d84292d3f84a1a0a112c80

SHA1
c11a63236373abfe574f2935a0e7024688b71ccb

SHA256
992cbdc768319cbd64c1ec740134deccbb990d29d7dccd5ecd5c49672fa98ea3

SHA512
df64e0f8c59b50bcffb523b6eab8fabf5f0c5c3d1abbfc6aa4831b4f6ce008320c66121dcedd124533867a9d5de83c424c5e9390bf0a95c8e641af6de74dabff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
53KB

MD5
68f0a51fa86985999964ee43de12cdd5

SHA1
bbfc7666be00c560b7394fa0b82b864237a99d8c

SHA256
f230c691e1525fac0191e2f4a1db36046306eb7d19808b7bf8227b7ed75e5a0f

SHA512
3049b9bd4160bfa702f2e2b6c1714c960d2c422e3481d3b6dd7006e65aa5075eed1dc9b8a2337e0501e9a7780a38718d298b2415cf30ec9e115a9360df5fa2a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003a

Filesize
62KB

MD5
47953bcd62e93772ee22d834d1438f17

SHA1
5d1dd3b5dcb3e1fd32d552eaf0e583ef02f2acd2

SHA256
f17878d7c848d8cdc3652e58692f7636a9d19a48e94030d64009dfd66b0e8425

SHA512
5590afbb8a596d3b4f329458f05c5be230048a1e65aa9559aa18ba5e46a14362788e61e728dbe0ecf9fea6caae8b455dd6e29cb50b497f85eafd0f89c5b5910c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00003b

Filesize
31KB

MD5
e22be493da1dc48a98d8d6f0178cd1f6

SHA1
8c9b7faba91939dd36b502417d1a9eb35714314d

SHA256
ac73feacde76fe096b76b0e319ffd553366a25e73b326c4bfd0d565e0babc845

SHA512
b471700ab86108c321ede5c805bf043be8b13fd1e7073ab072a99f45a417eec3b627501a5d996eb0665303397f99b59c4270993c54e613e7d9438c74ca494257

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00007e

Filesize
194KB

MD5
f5b4137b040ec6bd884feee514f7c176

SHA1
7897677377a9ced759be35a66fdee34b391ab0ff

SHA256
845aa24ba38524f33f097b0d9bae7d9112b01fa35c443be5ec1f7b0da23513e6

SHA512
813b764a5650e4e3d1574172dd5d6a26f72c0ba5c8af7b0d676c62bc1b245e4563952bf33663bffc02089127b76a67f9977b0a8f18eaef22d9b4aa3abaaa7c40

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009d

Filesize
24KB

MD5
43dac252d21bddd2477439e023621c6c

SHA1
a7a81cd955811fd15dad91f443e0880d7aa08d79

SHA256
fedd9610bd4c2237de2d9eebba3143424967690767ba25ca7ab369f7aab3bb4a

SHA512
cc5aac6a7e47a0548ebc9a606eff04d175e1c76844160069bf4787349be6fe897cffd1444f9c00dddc214502ebd5a8ab97a1527d219679af894a28858de40fc3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009e

Filesize
49KB

MD5
93ab4cf70b3aa1641a4b258c3fe03f24

SHA1
cba2ddecb8e019e6e5a91dcf867c6d6094f39b63

SHA256
d6c2f9f2bb35841cdb53abb660544e6e6f44e39d6542323992cc1c63e998fa16

SHA512
70fa907afd9b52ed54a3cf755e394c40a3ff7a83041540b435cba47d889c1c9401afc9fb23a5e879d85bed42fd5df40cd7540d428b3ee7a9cdc278a314770884

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00009f

Filesize
44KB

MD5
d54871d4472a6fd4e0302d751e31cde0

SHA1
3c11f58b5eb557ab4513aea4f3e7ffdd8edfc28d

SHA256
946ab533721e56ce6cf80e14356997f4d067f929083c15ed6651a7acb083a08d

SHA512
f1382c0cb5663d5b5e87c1e8001ff521eeebe32ac2517c013345a64d466a19927b97a5d0e0e2d09579146363569fb43e67cfb4884d4d19fc5f60878eae3b1be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a0

Filesize
27KB

MD5
492f13a58f85cf63f9749a63c0abc928

SHA1
51a735ae1c2991faf216aabf805441396c55cbf1

SHA256
7143a11d13b27fc07b7b410b29ae0d8c0e9ef781287f001d4597d3c400faa121

SHA512
af2742385e84012ac58d44742b9e850ccc18f22bfda669d7ee5e465a952319bbea7c2a06f850e5edda872abbe5177b6ad90f08c2f472ca63f124985e3e822234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a1

Filesize
20KB

MD5
8b2813296f6e3577e9ac2eb518ac437e

SHA1
6c8066353b4d463018aa1e4e9bb9bf2e9a7d9a86

SHA256
befb3b0471067ac66b93fcdba75c11d743f70a02bb9f5eef7501fa874686319d

SHA512
a1ed4d23dfbe981bf749c2008ab55a3d76e8f41801a09475e7e0109600f288aa20036273940e8ba70a172dec57eec56fe7c567cb941ba71edae080f2fdcc1e0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a2

Filesize
63KB

MD5
b0940510c20a1c6f75589834d2964a53

SHA1
f7b35cdafed42ee8925146d2433f214bf414b97f

SHA256
ebb4fd0c9cb7e2d08aa6a434feefe986ec7d11f51e7c5ebb4b58362d2f8823aa

SHA512
6c9bb3ab61b4e537a4a7ce266ca01f9a4d6a62e3e03fd7650199bba50ea65ed92e157f95696277dc15e413109af38d63f975794bf26de7d77ec4fac4dd73e7e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a3

Filesize
19KB

MD5
03884ae475b588939b9d8700841ec35c

SHA1
10993d72f304e9dd794d9e81b941e90531b3e52f

SHA256
a9c59977f187119ea233834a4b999502cc0a8f4897187fe159d61592bb6c88f3

SHA512
628b4a8830d7460efe1d4493776ecdf1a421ca5fba75ce0e07417d5b4a3edd44abed0b95a382e8272c512616d1fa74c0dce31afc59c294b3c05a35ed4cd7592c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a4

Filesize
59KB

MD5
063fe934b18300c766e7279114db4b67

SHA1
d7e71855cf6e8d1e7fbaa763223857f50cd1d4bd

SHA256
8745914e0214bcd9d2e6a841f0679a81084ef3fc3d99125876bee26653f4253e

SHA512
9d0dfc21306b3a56c2ecdf1265392271969e3765e161e117c8765125b34793e24458217cf6514b364f351f47e65baaaf5856be0d13406a789f844d6ba8c7075f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a5

Filesize
153KB

MD5
ce9fe310a8b8ed92ae2c8472ff3b59ca

SHA1
59b1ef50b9181ea7b2ff15c6b3aee5b5b9d1e637

SHA256
886630a4fffcd5467a13460abee5fe70b262befa51b6353ea902a02e8ce112a1

SHA512
31c68e2fd65c6bad73ec409e6ddd9b1593bd3ad92ed5af979752ab4cd41bcc2f896a9be992c6ceeb232db9687c57c0abd3e35185c1e84199e6e87aeae84d099b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a6

Filesize
23KB

MD5
77a781823d1c1a1f70513ffeda9e996d

SHA1
60776ceeb79ed41e7cd49b1ee07b1e09ff846f25

SHA256
b093599957b103def2cc82ffd2d42d57a98292ace5a6596e3e4439a6cce063b2

SHA512
9aa66273ad419e1fc4ee825ec9e9fea4297139eca060572d3f59ed9bccbf2e1dbd03a006a0a35c6d37196e8297ec9a49fb787f0a31c3772b17911603eca62aac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a7

Filesize
19KB

MD5
9d4c559e9a0a90e4338e60f6fc3326a5

SHA1
a85357021ecc43b2d4177ebf38aa479658834d93

SHA256
0953de3eb43366b2c47ba9d452324480f0bb573b1f1592ae8480e71e907fe6ea

SHA512
f4bf0cf70010935281db567cf39d5b96ebdffca4cfa2fe5a7040b1538ed71e3a042b6386e1cdb19d810fa747161930fcf29904acb04f305a3ad94c403b02972f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_0000a8

Filesize
20KB

MD5
bbe01e232d15a15dab2f342d4581b6b5

SHA1
7798b9534e120c8992540b43ad145821f6ea37c2

SHA256
9fc32a525b7279d87cc960bea29ce2021a338719293ce4c53f614f19ddeb8d80

SHA512
b87fc2a5e6f6c78fc3afa8225e844dcdf3c24731fafa4f0fe2f4f91b64d4b5446c5013a675dcb438cffda5b369e7e9c0e8877fe4f22769d1a99c5d60849f70c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
5603e0a8d540f63c1e1aa82bfd8e5634

SHA1
35613db60e51fc97d7ef9dee0b74fcf0be7b593a

SHA256
9953295c2ec5e1e6943122d24e9a0b093bcc61cbc2405f96f6c628c6b61bb65c

SHA512
589785feb2c9a274c7010050cc4398e5021223f61b88d614020a303de815d478dcba6c620e0c0deb697731009497c9d97024062807e830bbc302fe68649d8ed7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe64ddaf.TMP

Filesize
7KB

MD5
d3f4e00b6332b88e89da85bfe5ab908f

SHA1
d510e1c170450616aa43cfc95e75b4b903110870

SHA256
1cd531e668fced11887141d56756bcff7b82a6e49e9c88f03d8b233bd74d11ed

SHA512
746cbc0298841b5d86a844275a03415cce88d5d679a749c02e8f84d4620a9e8345d2804618465a2cbac6954695c6db334a76047bc736d9fe28e0b6bbad369cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
481B

MD5
1345c1981bd800b7676c76a1de3c0f1a

SHA1
91a857a730825981b317222b63ff655fb6b134c1

SHA256
c166a3047cfe78695d25f789ce0666d95e6f6e3b94f5125ab13a219ae2736b61

SHA512
02749c60e387eafe7b52d5c64255be6fcf12363d2e4cf3544d200b6032e0b929e05345bf4b6c68daffdbc0f126407f80398f030a684f5711972f64c8dd49f890

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
12KB

MD5
7fe521e4417e1ee7c206fde0c6bf8d40

SHA1
9c97a098c89f6675acb1cc43132b662c0f04a4d0

SHA256
c252386722ea1af1cf1f2185a79bfd57ee57739667befb7ddafc2375ece0ccef

SHA512
1bd7f29fd2b88cc0ae839ca2ae1c130504972ed86db04ca21241a2f309fca91b15afe2b31602fac7d21c3fa0eb55fba10e332c976bbf5c0cac50633ead44983e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
15KB

MD5
93ef58c298c2917b1f61df73d2a1f9e8

SHA1
b46ab4b912ed234cb43f20a4e80802434b844aa7

SHA256
8a81fd9b6949d025c2a3ed00ff28fa71c39c2ab08bc0fd7c7c3f97a483bbe190

SHA512
7938b6d02423dee52e7d6c31fd0ce9fe208595f3cb4fd73f16297e892226c84476b7c5ce8736f16f2bddd3d956b53a27793018681d59d7bf92565119c88b7db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
7KB

MD5
5ae56f0ff1f8b1d38d8552ca1750568d

SHA1
184fb014cdea4ab45e090482614639b403e8eeff

SHA256
913c9d4bccbbb85027805cc4e99f8165f98da40d6af145b365dbf65d61604800

SHA512
ded9f7157d10961f823f853c43070783de739ca40249f94b334d2c5c627b1559b07e5753d947426bed8a6a984a5d67a4a30ed5ee3263a7ab6a46f9a5a7e0bee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
14KB

MD5
187701e1dea6c3a99c342d1e28989004

SHA1
a2e50772114eea531c16fa2dbd6021b8aa6529f0

SHA256
ab900bc446be041e68adcb030f9537c98b08244b790cc5a95ee66141d2e60120

SHA512
10d5ec2a10c4c09338eb792c25f26e925526380371712d854d385401911356e5a5990481fd83a449f5b1f2e0e8bd28af762d59d5d32a235df8951b7d3e80d64d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
bcb1795c8e0b5867570dfdfef4345138

SHA1
e0c00a0370c3e6c827af591ca95ad594b3a8a380

SHA256
911e836a382c8e8a5b1cd055ccb784ef5bfdd221e823aeacf22f35f82973c2ca

SHA512
3858b67687c980baf5246dad01f5c05354fd36d9038db6516c90fcb03cdd572d404c10a9544169f1d0467e235a31692f91a97b8afaa483d870380280c99314bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
6c3fd755cd6537a8f271b6996ad8dc16

SHA1
b76054bb1ae942d7fa964041521675599daf591d

SHA256
61f3d1ab202a262223496be42af5815a2bde78fb26f2c23e7b77820a6db5691f

SHA512
e0ebab1799fa5488fa76647fe4ac7328f108dd91cfd202ae24e3251b0591eb3f7e33b1fafe62764b52a44cde9ab7b583d9d8775a25c6df229209c118a5e88241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
974a1edbc9abf30f218db6e86a578398

SHA1
391e17391e3e78d779adf0073652814df4053990

SHA256
d41f85257e020817e022f53656778155cebe184973381996adf1b1af0949f75f

SHA512
1601d5b14a0cfa3a5de5fc5327dd3877d73f6dad7b5ed107b002217641ce85be8059e694641f5ffe642eaafd2151f92491b875addb58869763c3f71e798d45aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
f687db73675c662884291c317f6ea3a5

SHA1
fe4a5e790c9784fc04a5a5edfe39b9652b5c00d3

SHA256
7676efc3668f113391a688421619d2f8d65c602bacbee8febb341b5a553e08b7

SHA512
93902beb1521edc8330f56b415aa52b1603ff5fde99789aa943a052f86d9ea1394afd422a785c1dee221c59601b4213a0198a727ae7b2d4f87764f15930ab2bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
b848006b63b9ac73a0c2873ea3f78f1b

SHA1
bd5901136bae8247c3831e88b1c171d4b26e71f6

SHA256
d3fb5722ef05f7147b1ab947fd77e0f618876fc98394c2055b73b1d7ab13d2a9

SHA512
8108457935a9d4a9fae32f2417fe7191695a5e2240a61f74c9a926071aa0eb497812ca299ec6fb5802edf1bd288191fa31dc2ff2fd6d1dbfa690015045044bb6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
21KB

MD5
d0c7f5dd41f55b86632ee35e53fcc626

SHA1
d356700dc38e06e53699e7953569a729b0dfce52

SHA256
68294904bd34ac91d33af8fdc00eaa7112455b5ec183716d27abd4fc49c9b688

SHA512
179f17b714766505e0f8188952ad2105b1b0297bdbcc0c7593721db799b580def0550f6710e939446e5ee6845d425e59475f63527043743d2e4dd17a0c531ce1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
865c877cef226b7c66147583efadfd63

SHA1
f1777ab081bb16a2df4559b2c3790f5fbdd5e88c

SHA256
c4c5f6a461ffdd212bbda0f0e91a2e050fca99c26ef7717b648faa57c5b3b20d

SHA512
517c4777cb1196f56ee7d4fc1429212c778afae7ace5147e59647eb36273a7d0810ad484639059f2def3323c1805c6d7d90541a86abdb49014040d0b3ce43560

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
90a5e3422cccf1d475d36205f35f8bbf

SHA1
ccbcf2b9a79cda2d828d2c4083781593567f5350

SHA256
7e77db6fed2e43968eb370d66f3aa4e3d8a876a5cfc7d2f83987a3a921928350

SHA512
9119e02f1403da3f04a3b7fa097553499940ab049e06dfc20a013bb0df26f477515984d469a04e32e2e055cbb973a8864e3145429af0b85870ac20ca440e73d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
2KB

MD5
fb165cda55b094901de37c48869475ac

SHA1
bab6fb925bcf4e3125598cf7a97d762c169fc7fc

SHA256
6c709f7d371d9a7afc8bdefef84b0c6a343a0f7549c386c000a7cfcd48e0b45c

SHA512
d2ffd5186fe12a1332dff3a507e8eda9b1cf415826ac07bad64555c9efa67e6dd10e40597cced6153a4a456bb82635e898de31a9888d7832b6d15eefe7d6cccd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
c212052b3b887932844e5a2716d1f6b4

SHA1
bc3bee2b814dc7918f36f71c94a3ca01f02c68a8

SHA256
ca22659c702e22f8034f4278266f2e3dd15046c602796b3cda3f728229b39f95

SHA512
b878fb3f13630d04a28044d0955c30123e13320e81567a30085cd7e219e1c74285160209d42d4a67d848a5b1586b2d37e85ff5ff6a567686664584499130e1a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
6KB

MD5
f3fbece8a4245449ee6feab8a09dcd8d

SHA1
018601569f273bf4e5a30a26c2754d09ff62ec7e

SHA256
a32cca91aae09ce43adb841dcd09a491ef559f354aa399f28a588d15b8888bea

SHA512
6889ae537d42508af7ea572c4f44491eeaffe5378c0d6ddab53babc47fcf1615f4d16ec6f5869df8477d717c10fc7dd57add99ce9faf532c133b05e2ea48ba2a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
6d92cb901c10d2aab3f70f16c5ba4b19

SHA1
bf951c14498e703b2873b0809cf8b976a404cd7b

SHA256
658b545710706411b58f38464cc8941be77e22c25697d5cb55cc759f678cff87

SHA512
1e1bceb9702f76cca42e43586fbc8e4d2ae0965307957d6c5cd028fad60a5e00e0e07711af72d90d60f65595c8c5af41fa5497edcfded82525682be75e627ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
cda351439af279252a16b475d0f941b6

SHA1
2131674ab9181b8d02523aa1994c4c5aa5fa6600

SHA256
5d372af72b4667a9409ba87ae366e3f60de3d335265818a7d93ee7ada6feea21

SHA512
9c1e5634190a9ac07b04780c85fa058652d8e524ed4b2fdbd99887bc5a58682707830fcac014cde4fd26f778b313677db6cfa6854c4fa4504f7cf0a138a1fcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
c5283d4c3cd91c4a312b9665c0bdd91d

SHA1
3d885705d2877de2d42a227e0b9132c034ad690e

SHA256
f1f4e8991a0cfeb605dacb7587f11670939066879fb0d6131c155394d0618392

SHA512
f07d76761a478adf53b6e15290f383f3fbc0cbb8d29862b10ef323fcd7e72126f329d8cd8793508c00a45414fba8da1a2d1419f6067b0a19817f261afccb76da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
5695a17014ffa48a2ff86af8527fcf51

SHA1
445b341abf6389dcaccac847ce41d506816880a8

SHA256
729d53c9d2e9dbe29bf8254e82ed90c7e559026897bead9e68740c37443bfa67

SHA512
a080535fb32c5bbffb103c800f9d0f4d6b4c9db6b1ffc0e78876b909f53cd3cfa382bddeda8ae32ebb9744711c9a070ec82446786e417ed7a47c698960517e62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
be2c5c7138eac5fe366154618cb254d4

SHA1
721630c14ae5131a0d48fb5113a581f50b4a4f21

SHA256
2b620f450b00d5c30f85887aa2b4764da001710e16c90454e33f5adaa72cc969

SHA512
1ac9cbc1b2fead3afcab7b507ad108d33cf8aad4ea580f1dbb5d92949f7117b6f8d78cbba8b36e56472bc528381d32d0011370c8760270fa232e9009bded6d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
112f426f686b3884ce62ac2e61374634

SHA1
bfd2eba4e35c5d3b11e40e75e34981b4ddb67276

SHA256
f1e9482df8ac1ee39228a208c059f4d3dadeb37465ee6c227d5a4cc9b6991aea

SHA512
ca75a00fcc1c890f8efc3795347052fef3903c716245c5214f005b6f946c4ef112ea37f78b22c78403a5864b2e86d0daa08b7b64146e7b4dba14491b76ba9d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
d4bf80a44349fd42a104546a4b40f54a

SHA1
bd5e70f8fb9a7f33a95e3d0631e9371fa5530198

SHA256
e7c28187ada327a924202a3f15378906a99469df57b1ea3def76c7158e2af57c

SHA512
b479eedf6736177942b7ce4115e32dfca7c37e5abda7cec08e81bc9ce421b1de96e48efc5d0a536019089f9be77b1597322a70544c49f389f2821731c11c839b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
86de78a6739ae17256e2ae3509cce5cc

SHA1
6fac58342a14bebeb600e6f737a917b6c702b1ba

SHA256
66b7e06d125aa6e5baa94fd46e1b6e11591194749160ff688f06f44710d371b1

SHA512
710340c150e5c35415c3b4db8c3e678d8ad64c63d829aa4ee4816145c8a14a46b84d4d1f096ec19a583e374a7d1992a0127345e5d97f237ddf5422e3c1abec68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
aa376a11e2e4ec1b30420b6c682f3bba

SHA1
cb0e18da840f0a7139d7a26037fb5d1ceec5dcdd

SHA256
84aa8c0c2e65836cc730ff6d30d813880f131031b596b999743e29d300cc9400

SHA512
fb1a4a28d2451c1ec688c9e2089efd94fc7de8f6c5cc9e727a54d00d84e6b22019361bf2f33410634abf20f2e3e091bb128b2866f7df4673f4ececb9a1e224b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
a6eff6e84e3ea6ec056256df59174b88

SHA1
a8c99e380f458c3651aa43c5331820606c630e67

SHA256
2eb2a02ab9bdd138321adf5395de8e691c496578b4e062c67e29d4081377495d

SHA512
bc9c77dfedfb9de8cb23ac906903cf8b9918fcba5a026c4722a1322097c1aa9ea61d7fc47d11f30a2a552cf99efb75ec5262e5b5ed98972feb0576cebf95f0f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
5KB

MD5
5e35270cc84e699349a2b2c30885d2dc

SHA1
559b644e8db3a207ad1d75f9535d17cc275baccc

SHA256
896ab8c9a2d8e25cfc595b0a5958b767f3ee145385d29468d5bdfa21f1342441

SHA512
8b12a989ab61cd14243098fa07a287f9fbc258a2a049f21391c1b923f398c0b7fbacf3603e892d06c862c25c7c8f47224f7a1af600076bc26ceee6ec81e7553d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
e15ad1f8c18d57f932801f39fb4656da

SHA1
fa27a0bf30480de0cca51075b475cff52a321ae1

SHA256
0cd1e60a673bb59c819f51bbae95bae198eb8bcfecfaf9fcc3d719e41520b03a

SHA512
9fc2a09e5be0d1f36f833c8cc225f867cbb9c1102961839426a675a0700a09353b38fa638df75283ac9a529247ecdea212b0b8c9214f1f4afe70c2290e8a1110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
4d284ff2cb2db5bd94ae88848c319995

SHA1
883eb500c95d16f17ce835b09809989ccdaef673

SHA256
240ca1dd46f3b868d2376f9a179f200c22fe26f40c5f33ca0c8f2eed45139e14

SHA512
0a1f8af650ab7ed797005afaffa2750ce16ff6bac293d24a8d4b9da2ce27ba0c15645b976ae13519ad81bd89859370fc42c35785009cb67c8c94c80fafec0c4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
c8b1116b141d84c7bfe1d4ee6a3dae63

SHA1
10069a98d6359d5752653a717af1b78ccc492065

SHA256
e4a3ab6919d40c1577e09702f215aac790c3abd3414364c825af39148d2d346c

SHA512
ae363983732fe2c3b58e4e5e26265043bd47b7ad0f5150621ff6715edf483c0500b729607d77f164554b22978acd055322def12dca527395aab842e126a6a9f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
8db534b05f386512530083637679a030

SHA1
c31c2ecaf99043225187e1e200965a26a4b63c21

SHA256
fab422c7f7d003d2a30e0f5836228f4ffaafdbb8c60186cbd8ef5b6073afdcfb

SHA512
51eea42f4f890f9aad2d061c42b9f72cf319567b7d0a3a634570875b5932fce8df58a0cfd3a9a61a76f80e0e2d3c8506ea544c8b25ad84570e42b05ae3e3c4e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
7c90e3b9acabf138e75608d102b221d9

SHA1
db3eb4dc9140d65ac215fa662feb55e6b3e99969

SHA256
6f9533691b77fd8c799b79417cf9a11ae33dba4e80af3d72a0d15f0177dcef4b

SHA512
228a97a33ae021c53ff365b48b37a0b62a5546effd5d20e4da9e4e46ac6b6baf477b1344a8e1a8d525b97b103b0830b5b5be058f98c93600cdab78d5e63fecc8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
df365596abc4ca5eac1e4c445084f3d1

SHA1
02a88994a6b1a3a35ef96a0104928752cdfa5f37

SHA256
5e1566bf2d15838f100df89fb1bedae9dfa029da923a929a7a3712559e8f9363

SHA512
f728e100589a37932da25ce30d88d5dcfd1b1f48885783b548d50ee3858ab9b85775490f89985ee9db0ab410e0b6a7a655a89eb70cabeddfea07e196a9f7c345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
7KB

MD5
b219eeaa360fa377683cf19e83e38de1

SHA1
601d89d2f9dec47be6c08ffa220156d9998d46d1

SHA256
24a4508f67821488d2b6f16d440b2c5d4f7e59513af5165eef050f93036b8b6f

SHA512
4dbfb758f6e62cd3964dd4c4e8392ef37fc6291d5c3d8af96b52f4f19ec6f70695479cdcb788b5eeac393dc8c5340cd4f5026983bb9e232c144478c962b4892f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
6f15de206c2b0bce673d4fb43993b133

SHA1
128ab146acad363a05c0a27b57d3cb07ade0cb61

SHA256
3aace909a0482bfb438529a24d827f26b52f8f41fc4c265373625b2946b763e1

SHA512
042c92e6cee3549988927f1327aaee2706933d4289dffd3b698c28f0dc137dfd6eef9e8346397d089972dd0c13363abfc26dc92e1838e5f2a2b9c382482f4959

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
08d67c5cdda2aafa58f4a6e4bc232dce

SHA1
dc0e64a9aa35ed4ebce22999da9bfbb4e3dbcca2

SHA256
283bc17dc6534295db6b91c1fb0e24946b3a50b4ce23c7ec5c0fcc6511a75cac

SHA512
f509c8895edf27da56502b51526077f111f2b988075bb03356cf3329b93c7319d88fd662b26c9ec140cc63e0b2587c4336f454f3dc671dc97ae7862119da49a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
e1b718efbb26ffe5af9383820ff9c710

SHA1
44ac2ce79d335a2caad813e60531b31befb88346

SHA256
5d948b263b97bed7d5115665cc04e4355cf9b633a40d36a29a5551c90738bdbf

SHA512
3aa900f2ccb0e2f3e5af862ebdec123b9589df0ec677f757118feb7dbad1c2f6b2bd5b5723118c937b13f0a6e94dbe004f7e89fff5aa91e4873b53ad6ae979a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
b80380d5e398e1464c822d6f12ba26f7

SHA1
f3ecc22b301d27baea0f51a8835e6364372de7af

SHA256
467c7ee0ba17ccd3efe7839f59769d3fb9b667ae955fd246d5aa204a0aced1af

SHA512
f17c8e402c51fdf84445a77179c16dcec38a5bec27d89de27ec1ea9bd5f3a9a86e0722272f7ab504ffd2e2d425b77f5a855050417a34268753e0e60e0ea9a388

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
706B

MD5
f8d1d09ac0c83c81183b6e41accfe9df

SHA1
ae72c30a0ff083bdaea6d561f5d568777a41f626

SHA256
e9d6e08125428d1c463ad44610712eeca6cfadcb72e86ab818e910cfad7376d5

SHA512
37002504e5a59805d079b6f9bcad90661adb8907ac4565519cfdbe731d357b19f265b4ce31c3a610f4ab28d69cf5b5720491464875361c1834a5971a88d1ebe8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
8328b93cad36cbd01b7a7806b0f691b3

SHA1
c367daa41e46f0eca7d19f98d777398a0eea8ec9

SHA256
ed3e4d173ed7a3b3e054b5e32f842e0f4bb686d18f782964b6156d0de12bb63d

SHA512
922fd836242019ca404d0d8c41f9379f1626c72ff08dc8edf07cf63e8a00a350fe69036fbe209082be539ab93fe68037b299c0e3de505e09494dd2cbc69ecf2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
11650841d087845e83c084f2e8700314

SHA1
262b23109b856b32f38f0137fa6e195ce86ffb12

SHA256
1ee69523c082aa33701f65e1ab7bd24dc4c420224b94f0cb20eeabafa4646312

SHA512
18aff6bfde1793fa952847f59e6bc303cc90bf8ed6cacce01632d41e5d78a9894cc57b6aa094702080ee19f3ff32d4b1acc2b3e4bb43293752fe5531c860036a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
0dd3e32b7c7d5a73dcaa493723eb1abd

SHA1
2097053aeda09db007b590a0e87b0a5f9eaef0b1

SHA256
32ed8dd46d10fa5947de8ae1c81f4f5e41f16c8c0d75f188e37ac4148691ac36

SHA512
a7f6c8323eda1e7709f868573cc4179a7ff8eb304cc81c5e4fa64db937a5f7549e5622d0264611903d023994cb91b355f9d2793fde821144a8909dfbc2dd6acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
8c2e67848b66d0fc14cdc29277922e39

SHA1
a8d624932aec231d88f155f48b6de955965c89ef

SHA256
00e8b89711d86faa0a84c5ae868d256bd1fbbb976ab247bcadcec2a094ba0cce

SHA512
a10e334d370347af57e83d135c65117aeac6b41b6009b32404e81c1d13f4b6a0d78665f552bdcfc78ebc7b8218fe3c8f2bb63b3b26f4b738ec7f46aa4c15b22b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
8KB

MD5
f8dc0e7b28eba44ecf0a309e9d12c03b

SHA1
8f9f5fac2b85bbab49173908841cfcb37abca787

SHA256
c8a26bdb9c9d43c61b6f5fe2eb8873d74619f348c649bb7ee6da71cf0d87d4c8

SHA512
cc824e4ff864591b80e29e508e9187dfd5d79b25597967795c1e4e6cbb93948e1499e50c1e96598224eb9f2cad0a608940b15662a17855c1519a0f5563a6092d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58eb36.TMP

Filesize
203B

MD5
fa11d818ce6c6d22909b341e824bead6

SHA1
d477225bf896f52221a2dc6cfeaec1bea9834acb

SHA256
3d28ee2b7e2ec1730bef93a5f70da2ffb5a1f54d30ecc8f2302939a051bb2721

SHA512
42254ff0a3e9ae091bf6d48bed1544cad7b04295f28777e17920938a12252438948bcab4de4414eb954baee3798fedc71e25590a887af64a63757389f3491839

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
d9a1fb3011d5300714a5f80e8373676c

SHA1
d92cd8b3ba6aad31fa6498686ed1f606a0cb8301

SHA256
be6ff7865b0020498116c8541e18a34ea854f147310cd86fda8f5c95062a806f

SHA512
9a7bd0df03a9dcb3022e0cc84276b5130e41758fe661def0be56c217626f646df097e822c94c2d16b5ab2897d32e7d4cf89e37d81dba6350fcc87f8dd0f62a45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
71700d28efcd2dd92e09b67bedd26ebf

SHA1
a9f051ca5ba4d6f0f5a9847f06e70c5f35b3fb7b

SHA256
ee621cc763aefa4c82e46fef2e3d648f004af94262925e985b9d90916075b9ce

SHA512
c2b84cf8f3204ea5b26df9a519afc21c4341a6c971ce3b8218a0cfe306a7e90be7e783b8e11b2341667b4741cbaa2ae7b0f3edda4b8850913bb9f4b3d3bd486b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
92ec48e889ea663df49fa226cc82a88a

SHA1
bb3e266bef751174ec8650bf43842a454c97cd09

SHA256
3e39783eff4c437e37269d5ca9223c75fd900cf580cc81a2ce78b059f669c2ce

SHA512
845425f880b72b35e6c8ec7f5b9801d2b386fedb810b4df4ed50badb93d2f6854088763192807907cb39f48d814d579176e68b70f0c5a5e62c878fbc9642968f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a94b46fc-376f-416b-9b3b-83282049b24f.tmp

Filesize
12KB

MD5
75c2fd678ed1b94450ea85c05b4c5a97

SHA1
33d3b8b77b1ab046e0c098b3960d798328cf2530

SHA256
ab67183bc04c9b5a60d66d2b434031df41ccf5a07c4415d7adc255c201794166

SHA512
2b16da3833463c3029ce27a03e1746e4e982e92ccebf4e2751e254069c0ce63a9535ae6ac1cb28ca0f2e8fd0a9a0e876a847a233d9b6b60622bbdeace2fe8aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
933B

MD5
7a2726bb6e6a79fb1d092b7f2b688af0

SHA1
b3effadce8b76aee8cd6ce2eccbb8701797468a2

SHA256
840ab19c411c918ea3e7526d0df4b9cb002de5ea15e854389285df0d1ea9a8e5

SHA512
4e107f661e6be183659fdd265e131a64cce2112d842226305f6b111d00109a970fda0b5abfb1daa9f64428e445e3b472332392435707c9aebbfe94c480c72e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\@[email protected]

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Temp1_WannaCrypt0r.zip\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb58F6.tmp\SimpleSC.dll

Filesize
1.1MB

MD5
7b89329c6d8693fb2f6a4330100490a0

SHA1
851b605cdc1c390c4244db56659b6b9aa8abd22c

SHA256
1620cdf739f459d1d83411f93648f29dcf947a910cc761e85ac79a69639d127d

SHA512
ac07972987ee610a677ea049a8ec521a720f7352d8b93411a95fd4b35ec29bfd1d6ccf55b48f32cc84c3dceef05855f723a88708eb4cf23caec77e7f6596786a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb58F6.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsb58F6.tmp\nsExec.dll

Filesize
7KB

MD5
675c4948e1efc929edcabfe67148eddd

SHA1
f5bdd2c4329ed2732ecfe3423c3cc482606eb28e

SHA256
1076ca39c449ed1a968021b76ef31f22a5692dfafeea29460e8d970a63c59906

SHA512
61737021f86f54279d0a4e35db0d0808e9a55d89784a31d597f2e4b65b7bbeec99aa6c79d65258259130eeda2e5b2820f4f1247777a3010f2dc53e30c612a683

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdD582.tmp\Banner.dll

Filesize
4KB

MD5
a1b9bdee9fc87d11676605bd79037646

SHA1
8d6879f63048eb93b9657d0b78f534869d1fff64

SHA256
39e3108e0a4ccfb9fe4d8caf4fb40baa39bdd797f3a4c1fa886086226e00f465

SHA512
cd65d18eca885807c7c810286cebef75555d13889a4847bb30dc1a08d8948893899cc411728097641a8c07a8dcc59e1c1efa0e860e93dada871d5b7acc61b1e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdD582.tmp\inetc.dll

Filesize
38KB

MD5
a35cdc9cf1d17216c0ab8c5282488ead

SHA1
ed8e8091a924343ad8791d85e2733c14839f0d36

SHA256
a793929232afb78b1c5b2f45d82094098bcf01523159fad1032147d8d5f9c4df

SHA512
0f15b00d0bf2aabd194302e599d69962147b4b3ef99e5a5f8d5797a7a56fd75dd9db0a667cfba9c758e6f0dab9ced126a9b43948935fe37fc31d96278a842bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdD582.tmp\nsDialogs.dll

Filesize
9KB

MD5
6c3f8c94d0727894d706940a8a980543

SHA1
0d1bcad901be377f38d579aafc0c41c0ef8dcefd

SHA256
56b96add1978b1abba286f7f8982b0efbe007d4a48b3ded6a4d408e01d753fe2

SHA512
2094f0e4bb7c806a5ff27f83a1d572a5512d979eefda3345baff27d2c89e828f68466d08c3ca250da11b01fc0407a21743037c25e94fbe688566dd7deaebd355

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsdD582.tmp\nsJSON.dll

Filesize
23KB

MD5
f4d89d9a2a3e2f164aea3e93864905c9

SHA1
4d4e05ee5e4e77a0631a3dd064c171ba2e227d4a

SHA256
64b3efdf3de54e338d4db96b549a7bdb7237bb88a82a0a63aef570327a78a6fb

SHA512
dbda3fe7ca22c23d2d0f2a5d9d415a96112e2965081582c7a42c139a55c5d861a27f0bd919504de4f82c59cf7d1b97f95ed5a55e87d574635afdb7eb2d8cadf2

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
4.8MB

MD5
9c7a964b422ded08eba41c515fe68619

SHA1
eb3128c9480908d65ab16e792524a23fccd373f8

SHA256
ee4cacdc4e4c7142295846b5d5c88a045d5e1f7efdda52270a873fea76c98a17

SHA512
78b54a709090edc0d139658356ce75c923fec461e568925fce33de8d05fd653cdfe80c5636e3cc03c618c6b65eb35d96a642c83364118f0ee22958a09518e4c6

Download Submit
C:\Users\Admin\Downloads\NoMoreRansom.zip

Filesize
916KB

MD5
f315e49d46914e3989a160bbcfc5de85

SHA1
99654bfeaad090d95deef3a2e9d5d021d2dc5f63

SHA256
5cbb6442c47708558da29588e0d8ef0b34c4716be4a47e7c715ea844fbcf60d7

SHA512
224747b15d0713afcb2641f8f3aa1687516d42e045d456b3ed096a42757a6c10c6626672366c9b632349cf6ffe41011724e6f4b684837de9b719d0f351dfd22e

Download Submit
C:\Users\Default\Desktop\@[email protected]

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
memory/2824-4142-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2824-4135-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2904-1525-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1522-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1516-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1520-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1514-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1526-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1521-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1515-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1524-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/2904-1523-0x000001F547040000-0x000001F547041000-memory.dmp

Filesize
4KB

Download
memory/3012-4136-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3012-4147-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3864-4050-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3864-3896-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/3864-3895-0x0000000002360000-0x000000000242E000-memory.dmp

Filesize
824KB

Download
memory/4148-1-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/4720-991-0x0000000004980000-0x0000000004A9C000-memory.dmp

Filesize
1.1MB

Download
memory/4720-798-0x00000000033D0000-0x00000000034EC000-memory.dmp

Filesize
1.1MB

Download
memory/4720-976-0x0000000003100000-0x000000000321C000-memory.dmp

Filesize
1.1MB

Download
memory/5372-3331-0x0000000072E80000-0x0000000072EA2000-memory.dmp

Filesize
136KB

Download
memory/5372-3394-0x0000000072F50000-0x0000000072FD2000-memory.dmp

Filesize
520KB

Download
memory/5372-3332-0x00000000000B0000-0x00000000003AE000-memory.dmp

Filesize
3.0MB

Download
memory/5372-3328-0x0000000072DF0000-0x0000000072E72000-memory.dmp

Filesize
520KB

Download
memory/5372-3435-0x00000000000B0000-0x00000000003AE000-memory.dmp

Filesize
3.0MB

Download
memory/5372-3327-0x0000000072BD0000-0x0000000072DEC000-memory.dmp

Filesize
2.1MB

Download
memory/5372-3325-0x0000000072F50000-0x0000000072FD2000-memory.dmp

Filesize
520KB

Download
memory/5372-3395-0x0000000072BD0000-0x0000000072DEC000-memory.dmp

Filesize
2.1MB

Download
memory/5372-3403-0x0000000072DF0000-0x0000000072E72000-memory.dmp

Filesize
520KB

Download
memory/5856-4090-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/5856-4100-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download